Digital diagnostics, therapeutics and healthcare infrastructure
Introduction
In our first Tech Horizons report, we described how innovation was expanding the capabilities of consumer health-tech products and the potential implications for data protection and privacy. These advances in consumer health tech are mirrored by progress in regulated digital health products.
Some of these products are known collectively as digital therapeutics, which usually refers to medical interventions that are “driven by software to prevent, manage, or treat a medical disorder or disease” 36. Alongside the rise in usage of digital therapeutics, healthcare providers have increasingly sought to digitalise other elements of health provision such as diagnosis and infrastructure.
This growth in digital health provision has been driven by several trends including resource constraints, technical advances and the impact of Covid-19. It is likely to continue as medical providers face increasing demographic pressures and are incentivised to use technology to improve efficiency 37. The digital transformation of health is a top business priority for leaders in the healthcare industry 38 and for the Department for Health and Social Care 39. It has also sparked regulatory interest, with the Medicines and Healthcare products Regulatory Agency (MHRA) announcing its intention for AI-powered medical devices to be available to patients “as quickly and safely as possible” 40.
In the next 3-7 years, the capabilities of digital health products could expand, further transforming medical practice. Examples include smart pills, digital twins, AI-assisted diagnosis and other digital technologies. These technologies offer significant benefits to patients, such as reduced wait times and more personalised care. The increased data they generate could augment the benefits of sharing patient data across health services 41. However, their increased deployment and new abilities are likely to have implications for data protection and privacy.
Smart pills
Smart pills, equipped with sensors, provide medical professionals with real-time insights into patients’ health (such as chemical states in the stomach) to support treatment and monitoring 42. They can be used to monitor whether people are taking their medication, supporting those who struggle to follow their prescribed regimes 43. The information the pills transmit is typically sent to a monitoring device or smartphone 44, 45. Recent innovations could mean the pills become smaller and digestible 46.
Many smart-pill variations are now being developed and used to help with conditions such as HIV/AIDS, sleep apnoea and gut disorders 47. Other uses could see the pills analyse a patient’s risk of an overdose 48. Smart pills have been trialled in the NHS 49 and related products have been used to undertake endoscopy procedures 50. They could be used to help with remote patient monitoring alongside other innovations such as smart wards.
Digital twins
Digital twins are virtual counterparts of physical entities 51 that try to “faithfully mirror” this counterpart in real time and predict outcomes 52. They have a wide range of applications in industry and across the wider economy, such as digital twins that replicate supply chains to help businesses respond to the risk of disruption 53.
Digital twins are already part of healthcare infrastructure 54. In the medium term, digital twins could aid patient care by creating real-time virtual models of organs, such as the heart, and updating them with real-time data to support patient monitoring 55, 56. Other projects have investigated the possibility of using digital twins to test patient responses to treatment, to assess therapeutic efficacy before use with patients, and to treat Alzheimer’s disease and epilepsy 57. Use as part of a patient’s direct treatment could help improve outcomes by employing machine learning to achieve “a quicker diagnosis and improved treatment” 58.
Big data and advances in AI could expand the capabilities of digital twins 59, with long-term hopes of creating replicas of whole patients 60.
AI-assisted diagnosis
AI integration into medical diagnostics is expected to expand significantly over the next 3-7 years. Medical leaders hope this will help ensure patients are treated more quickly and assist in detecting a wider range of conditions 61.
The UK government has announced funding to help accelerate the implementation of AI diagnosis in areas such as stroke and lung-cancer detection 62. Several AI-based health technologies are already supported by the NHS as part of its Accelerator initiative. Trials are in place to examine the potential for AI stethoscopes to diagnose heart failure 63.
AI diagnostic tools could personalise treatment plans for conditions like lung cancer, identifying the most effective drugs for individual patients 64. Beyond physical health, AI diagnostic tools could accelerate the assessment and diagnosis of mental health conditions 65.
Digital infrastructure
Beyond diagnostics and therapeutics, other technologies processing personal information are increasingly deployed in healthcare to improve efficiency and patient outcomes. These include digital physiotherapists 66, virtual wards 67 and new ways of managing patients’ health records 68.
One example is the use of ambient technology, which helps doctors to take medical notes when they are with patients. An app listens to the interactions between doctor and patient, then generates a set of clinical notes to be stored on the patient’s healthcare record 69. This technology has been used initially in the UK and US, and in the next 3-7 years could be widely used across the healthcare sector 70. Its increased use could work alongside technology that automates clinicians’ dictation of medical letters and other paperwork 71 and helps with translation 72.
Fictional future scenario
Niamh is in hospital after an operation. When she awakes, she can see a representation of her physiological state on a screen. This is a digital twin that represents physiological processes and is being used to monitor her recovery. The twin is continuously updated by data that comes from wearable sensors. It can be used by medical staff when assessing her condition and making decisions about her care.
As part of her recovery, Niamh is prescribed a smart pill. It contains sensors that send health metrics such as her stomach’s chemical state to the doctors taking care of her recovery and to a health app on her phone. Niamh has read media articles about the privacy practices of certain health apps and hopes her data is being processed securely. The smart medication can also form part of the remote monitoring Niamh will undergo when she goes home.
AI-enabled technologies allow medical staff to make decisions about Niamh’s healthcare quickly, including her initial admission to hospital. They can recommend certain treatments and predict complications, potentially improving care. Niamh hopes she will be able to receive a full explanation of the decisions about her care and that the data used to train the systems is of sufficient quality.
Data protection and privacy implications
Cybersecurity
Healthcare data is a prime target for cyber-attacks, given the increasing digitalisation of services, the large amounts of critical digital information processed and the sometimes inadequate security measures 73.
As healthcare providers increasingly adopt digital diagnostics and therapeutics, they are likely to face growing cyber risks. Health data may be further put at risk because providers rely on legacy technology that could be vulnerable to attack from hackers even as they innovate in other areas 74. Remote monitoring could also present a cyber security risk because of its potential for unauthorised access and data interception 75.
Healthcare providers have obligations under UK GDPR and DPA 2018, and the Network and Information Systems Regulations (NIS) may apply in some cases 76. Obligations under UK GDPR include:
- ensuring the confidentiality, security and integrity of the personal information they process; and
- taking appropriate technical and organisational measures to protect this information.
Under the UK GDPR’s data minimisation obligation, providers should only process personal data that is adequate, relevant and limited to what is necessary for the purposes of processing 77. Compliance will also reduce the risk and impact of any cyber attacks. The use of privacy-enhancing technologies (PETs) could also help providers comply with their data protection obligations, including ensuring that relevant data gets an appropriate level of security 78.
Use of health apps
In a previous report, we identified some of the data protection issues of health products targeted at consumers, such as therapy apps 79. Similar apps may be used to support some of the innovations described above. For example, personal data that may be generated by using a smart pill or a digital twin could be transferred to a mobile phone app to be accessed by a patient or medical professional. Such an app may be provided by a third party.
The report identified issues with consumer-facing health apps regarding transparency and the sharing of data with app developers and other third parties. Healthcare providers that make use of apps to support some of the innovations set out above should therefore ensure they are aware of, understand and address the relevant issues affecting user privacy. These include ensuring that health apps process patients’ data transparently, fairly and lawfully. Providers should also make appropriate use of internal procedures (such as the NHS’s digital technology assessment criteria 80) to ensure that app companies have in place appropriate safeguards for personal data.
AI and automated decision-making
AI and automated decision-making (ADM) 81 are increasingly used in medical decision-making 82, a trend that could accelerate in the next 3–7 years. Examples include the increased use of automated triaging and AI diagnostics that predict the efficacy of drugs 83 and analyse chest x-rays 84.
This use of AI and ADM could improve productivity and patient outcomes. However, there is a risk that using them to make decisions based on personal data, for example with triaging in high-risk contexts, could adversely affect some patients 85.
Bias and unlawful discrimination in AI systems can occur in many ways 86. An important one is that imbalances in AI training data may statistically undervalue certain characteristics or reflect past discrimination, so an AI system could produce biased or discriminatory outcomes for patients 87. For example, racial bias is thought to have affected the level of healthcare black patients have received in the US 88.
To prevent AI-driven discrimination, organisations should use suitable technical and organisational measures and ensure any systems used are sufficiently statistically accurate and fair 89. The ICO has provided technical advice that can help mitigate the risk of discrimination. This could be achieved by a pre-processing technique such as adding or removing under- or over-represented population subsets. Providers will need to ensure that the processing of patients’ data and use of AI do not lead to unduly harmful outcomes for patients 90.
Another risk is the potential lack of transparency in how AI tools process patient data. Transparency is a core principle of the UK GDPR, which means organisations should be clear, open and honest regarding personal information 91. Lack of transparency in a medical setting could result in patient harm. Healthcare providers must therefore provide clear, open and concise information about how they use a patient’s personal data. Using AI does not reduce a provider’s responsibility to be clear about what it does with a patient’s personal data and decisions based on it. This means that if an individual would usually be given an explanation for a decision by a human, they should instead expect an explanation from those accountable for any AI-assisted decision about their healthcare 92.
There are also AI tools that use automated decision-making (ie, without any human involvement) and their increased use in the UK could at some point be feasible. Examples could include autonomous surgical robots and increasingly personalised insulin-delivery systems 93.
The UK GDPR restricts healthcare providers from making solely automated decisions that have a legal or similarly significant effect on individuals, except in certain limited circumstances. If providers fall within those circumstances, they will need to put in place extra safeguards 94. Data about health is also considered by the UK GDPR to be special category data, which means it is more sensitive and requires extra protection 95. If an organisation is using this data, it will need to obtain the individual’s explicit consent or ensure that the processing is necessary for reasons of substantial public interest 96. The safeguards include a requirement:
- to give individuals specific information about the processing, such as the logic used in the decision-making process;
- to take steps to avoid unlawful discrimination; and
- to give individuals the right to challenge the decision.
Recommendations and next steps
As the digitalisation of healthcare proceeds, we recommend that providers adopt digital solutions that implement privacy by design. To do this, they should follow our guidance on data minimisation and consider the use of PETs, where appropriate. Providers should also ensure that third-party providers of health tech have in place appropriate privacy safeguards to ensure patient data is processed transparently. Additionally, as AI is increasingly integrated into health provision, providers will also need to follow guidance about fairness, bias and unlawful discrimination. Ensuring that personal information is processed fairly, transparently and lawfully will allow patients to reap the full benefits of the changing healthcare industry.
Innovators can receive support in embedding privacy by design through our range of innovation services. As the digital healthcare landscape continues to develop rapidly, we will monitor new use cases as part of our wider work.
36 European Data Protection Supervisor report on Digital Therapeutics
37 House of Commons Library article on capacity pressures in health and social care in England
38 Deloitte article about 2025 health care outlook
39 Health and Social Care Committee report on Digital transformation in the NHS
40 MHRA trials five innovative AI technologies as part of pilot scheme to change regulatory approach - GOV.UK
41 UK Government article on using NHS data to improve healthcare
42 CNN article on smart pills and their risks
43 Ibid.
44 MIT News article on smart pill tracking key biological markers in real-time
45 Soracom article about smart pills sharing patient data
46 Ibid.
47 Medscape article on how smart pills will transform personalized care
48 Ibid.
49 NHS 2018 trial of smart pills
50 NHS use of capsule cameras to test for cancer
51 University of Nottingham article about ‘Digital twin’ heart modelling project
52 NPJ digital article on Digital Twins for health
53 McKinsey article on digital-twin technology
54 Glasgow City of Science & Innovation article on use of digital twins
55 Imperial College London article on ‘Digital twin’ heart modelling project
56 The Guardian article on how digital twins enables personalised health treatment
57 U.S. GAO article on Virtual Models of People and Objects
58 U.S. GAO article on Virtual Models of People and Objects
59 NPJ digital article on Digital Twins for Health
60 Ibid.
61 Axios article on AI disease diagnosis
62 AI to speed up lung cancer diagnosis deployed in NHS hospitals - GOV.UK
63 Imperial College London article on AI stethoscope being rolled out to 100 GP clinics to help diagnose heart failure
64 National Institute for Health and Care research article on AI in healthcare
65 Universitat Oberta de Catalunya article on artificial intelligence and the future of healthcare
66 The Guardian article on the First NHS physiotherapy clinic run by AI
67 NHS England - Virtual wards
68 NHS England - NHS Federated Data Platform (FDP)
69 Digital Health article on automated AI-powered clinical documentation
70 Daily Mail article on automated notetaking for GPs
71 NHS Transformation Directorate - Using an AI-driven dictation platform to free up clinicians’ time
72 Stanford Medical article on the promise and pitfalls of AI in medicine
73 Action Santé Mondiale article about application of AI to healthcare [also: Cyber-attacks on critical health infrastructure]
74 Article in HT World about legacy tech
75 Journal of mHealth article about the cyber security risks of remote monitoring
76 The Network and Information Systems Regulations 2018: guide for the health sector in England - GOV.UK
77 Principle (c): Data minimisation | ICO
78 How can PETs help with data protection compliance? | ICO
79 ICO Tech Horizons Report 2022
80 Digital Technology Assessment Criteria (DTAC) - NHS England
81 What is automated individual decision-making and profiling? | ICO
82 Medical Law Review about Automated Decision Making
83 National Institute for Health and Care about how artificial intelligence is making it easier to diagnose disease
84 NICE article on the use of AI to analyse chest x-rays
85 What about fairness, bias and discrimination? | ICO
86 Ibid.
87 Ibid.
88 Article in Science about dissecting algorithms to manage the health of populations
89 What about fairness, bias and discrimination? | ICO
90 How do we ensure fairness in AI? | ICO
91 Principle (a): Lawfulness, fairness and transparency | ICO
92 Definitions | ICO
93 Medical Law Review about Automated Decision Making
94 Rights related to automated decision-making including profiling | ICO
95 What is special category data? | ICO
96 Rights related to automated decision-making including profiling | ICO