Preserving Patient Trust: Data Security in Healthcare AI

The world is facing an unprecedented shortfall of healthcare workers, with the WHO predicting a shortage of 10 million by 2030. Part of this is due to COVID-19, with healthcare workers making up 14% of all new cases at the start of the pandemic. Fatalities in medical professionals alone reached an estimated 115,500 by May 2021—and they haven’t stopped in the years since. 

Amidst the tragedy of lost lives, this begs a simple question: “What are we going to do?” Healthcare workers are among the most crucial and vulnerable members of our society. Their job is to face disease and prevent its spread every day, often at their own expense. 

As the rate of unfilled healthcare job openings grows to 80,000 in the next six years, we need a solution. Enter the AI revolution.

Artificial intelligence is already in our medical services, from diagnostics to wearables and everything in between. It’s a driving force in the future of personalized medicine and automation in healthcare. As we move into a routine of integrating artificial intelligence into HealthTech and beyond, trends emerge. Can AI really help bridge the gap caused by medical labor shortage? 

We won’t keep you waiting. The answer is a resounding yes. AI has the potential to reduce human error, automate repetitive tasks, contribute to early diagnosis, and make treatment suggestions. But how? Where’s it getting its data? The answer, of course, is from patients themselves: their histories, details, and diagnoses. 

This raises concerns. The fact is that patient privacy is a cornerstone of the United States medical system. How secure is our medical data in the metaphorical hands of AI? If a software company’s developing a health system using AI, what do they need to do to keep data secure?

To understand (and hopefully gain reassurance), let’s talk about data protection in AI applications. What’s really happening with patient information when it’s entered into that hospital computer? What do our medical records look like and what can AI do with that data? What role do software development companies play in keeping our data safe?

First things first: there’s a difference between Electronic Medical Records (EMRs) and Electronic Health Records (EHRs). While the terms are often used interchangeably, they’re not the same. 

EMRs are basically identical to paper records from one provider, put into that provider’s digital system for better organization. They include the patient’s personal information (like their contact details), their diagnosis, and treatment at that practice. Only that single organization can access those records—no one else. 

By contrast, EHRs are designed for use between multiple care providers and healthcare systems. They’re broader as different organizations have access to them and can add to patients’ records at will. EHRs provide a much more complete overview of a patient’s health status. 

This holistic view of a patient’s history is one of the key benefits to an EHR. While an EMR gives a slice of information, the EHR gives the whole pie,so to speak. This enhanced level of information and communication is why around 90% of healthcare providers in the U.S. use EHRs. 

It also means that EHRs are the most useful way for AI to analyze patient data. If your data’s only in an EMR, it’s much less likely to contribute to AI learning and processes. Artificial Intelligence is data processing at its finest, and the more the better. EHRs give AI-driven tools more to work with than single-office EMRs. 

As software companies develop better, faster, stronger EHRs, with more capabilities than ever, this access to additional data is vital. But is it a good thing? How is this data being handled?

When we’re talking about AI data collection, we need to understand what types of data AI’s using and why. 

AI uses lab work, medical records, imaging results, and genomic data. But even more than that, it uses the context of this data. Patient information such as age, address, and medical billing offers hints of socio-economic evidence that could influence health results. This healthcare AI is unprecedented: a machine being able to take environmental risk factors into account when analyzing data. 

The future of AI in healthcare presents enormous opportunities for software developers creating EHRs. Natural language processing (NLP) techniques allow AI algorithms to mine relevant details from lab reports and clinical notes. Machine learning algorithms identify patterns in patient records, flag possible drug interactions, and recommend treatments. 

As companies develop better forms of AI, trained on EHR data, recommendations become more precise and relevant. Designs become more streamlined and user-accessible. New capabilities arise, such as interpreting scans to detect early signs of disease. This is invaluable in our fight against cancers and other maladies. 

To grow and expand its capabilities, AI needs patient data from EHRs: it’s as simple as that. Only high-quality, wide-range data from multiple sources over a generous timespan results in algorithmic improvement.

In the U.S., patient data is protected by key regulations, most notably the Health Insurance Portability and Accountability Act (HIPAA). 

The parts of HIPAA most relevant to AI’s ability to access patient data are the Privacy Rule and the Security Rule. The Privacy Rule provides for the confidentiality of Protected Health Information (PHI). The Security Rule dictates how the Privacy Rule is applied, particularly in the case of electronic PHI (ePHI). HIPAA applies to all healthcare providers and covered entities (businesses with access to PHI).

Together, the Privacy Rule and the Security Rule mean that the following information is always protected by law from being sold or disclosed: 

• Identifying information, such as full name, date of birth, SSN
• Future or past provision of healthcare
• Billing information and records
• Prescription records
• Referrals
• Discharge and admittance profiles

So, basically—all of the information in an EHR. How, then, is AI allowed to access and learn from our protected patient data? The answer lies in the definition of "covered entity."

A covered entity under HIPAA is any business, organization, or group entrusted with PHI. This includes medical providers, healthcare information technology companies, researchers, clearinghouses, business associates, and, notably, digital healthcare providers. 

A software company approved to use EHRs to train AI is a covered entity, responsible for protection of PHI and allowed to use patient data. The key point here is that the patient data itself is not being sold. It’s being used to train the AI that will contribute to better health outcomes. 

Meanwhile, the software developed from using this AI is allowed to be sold, as the PHI itself is not part of the package.

Any company looking to train AI with PHI must keep data security at the forefront of development and final product. From initial data transmission through the full use cycle, software developers must employ a variety of solutions for PHI protection.

One such tool is data encryption. This provides effective protection against interception by a third party at the time of transmission. Once the data’s sent, the receiver should employ encrypted storage to ensure that it remains protected while at the facility. This also applies to discussion about the PHI. All emails and other electronic communications should be encrypted as well. Data encryption is best used alongside other security measures.

Another option is federated learning. Federated learning is a machine learning approach that allows computer models to use data from different devices. It’s a decentralized alternative to sharing raw data. Instead of sending PHI to a centralized server for training, the training process occurs locally on each device. Only the model updates are transmitted to a central server, where they’re aggregated to enhance the global model.

Another process that uses decentralization is, of course, blockchain technology. The decentralized network minimizes vulnerabilities associated with centralized storage. Decentralization also makes it resistant to single points of failure. Immutability ensures the integrity of PHI records, preventing unauthorized alterations, and providing a tamper-resistant environment. 

The inherent transparency of blockchain, with its auditable history, allows for tracking any unauthorized access or modifications to PHI. Cryptographic security, including secure data encryption and the use of consensus mechanisms, also adds layers of protection. It ensures that only authorized entities can access and modify information. 

Of course, the best tool of all is policy. Company insistence on robust authentication practices (including multi-factor authentication) ensure that only those who should have access to PHI, can. Employee training and awareness, especially about phishing and data handling procedures, are invaluable in preventing breaches.

But it’s not enough to secure patient data during the development phases. Software development companies must protect PHI in the product they release. Naturally, the original PHI used to train the AI isn’t sold with the product. However, as the product will come into contact with future PHI, security measures are crucial.

When developing healthcare software, developers must set up a secure environment to train AI and process patient data. Luckily, there are software developers on your side: professionals specializing in data protection. While by no means a comprehensive list, these top five engineers need to be a part of any digital health team:

1. Security Engineer: A dedicated security engineer specializes in identifying and mitigating potential security risks. They’re responsible for implementing encryption, access controls, and other security measures. These measures protect PHI from unauthorized access, data breaches, and other cybersecurity threats.
2. Software Engineer (with Security Expertise): A software engineer with a focus on security is essential for designing and developing secure software architecture. They ensure that the software follows best practices for secure coding, data transmission, and storage of PHI. This includes addressing vulnerabilities and implementing security patches.
   
3. Network Engineer: Network engineers design and maintain a secure network infrastructure. They implement measures such as firewalls, intrusion detection systems, and secure communication protocols. These are necessary to safeguard the transmission of PHI between different components of the software.
   
4. Systems Engineer: Systems engineers work on the overall design and integration of the software. They confirm the secure configuration of servers, databases, and other infrastructure components. Systems engineers create a resilient and fault-tolerant system that can withstand security threats.
   
5. Compliance Engineer (HIPAA Compliance): Compliance engineers, particularly those well-versed in healthcare regulations like HIPAA, verify that the software meets legal and regulatory requirements. They implement policies and practices that align with standards for PHI protection.
   

When bringing health and medical software to market alongside industry competition and stringent government guidelines, you need the right team. You’re looking for reliable professionals who can do the job right, the first time. 

That’s Where Jobsity Comes In.

Jobsity offers direct staffing solutions that aim to provide you with top talent to develop your healthcare system, app, or other custom solution. 

Our long-haul developers have years of proven experience in the languages you need to build a secure system. They’re versed in Node.js, Python, Golang, Ruby, and more. They also have the soft skills necessary to fit right in with your company.

With an average retention rate of three years, Jobsity developers are the hires you can trust to stay as long as you need. We’re just as committed to your success as you are.

There’s never been a better time to grow your team and build your business. Book a call to get started today!