Who is liable in case of "information mishaps" of medical diagnostic devices?

Those responsible for information in clinics in particular must also come to terms with the technologies of digitalization. But how good and how secure are the diagnostic programs used today?


One of the drivers of digitalisation is the IT industry, which wants to place its technology in health insurance companies, billing centres, hospitals and doctors' surgeries. In addition to IT giants such as IBM and SAP, this also includes the pharmaceutical giant Roche. Its business model is based on linking drug products and its diagnostics. The Swiss pharmaceutical company sees itself as the "market leader" in personalised healthcare.


SAP is no less ambitious - as early as 2013, the group boasted at an in-house event in Lucerne that it could process "100,000,000 values" "in real time" - "per patient"! In 2015, the Walldorf-based company won the Red Dot Award for its software: "Doctors, researchers, and other medical staff can access all relevant clinical data of a patient in real time via one system," praised Christof von Kalle, spokesman for the board of directors of the National Center for Tumor Diseases (NCT) in Heidelberg.


Nevertheless, the flip side of the digitisation of healthcare is less bright than some campaigns would have us believe.

Access issue
The hospital in Thun is particularly far advanced in digitalisation: it is the only clinic in Switzerland to have climbed to level 6 of the Healthcare Information and Management Systems Society (HIMSS) scale.


The seven-point scale measures how far digitalisation has progressed. Bruno Guggisberg, CEO of Spital STS AG, emphasizes: "Hospital stays are getting shorter, and the importance of IT and digitalization will continue to increase." So far, so good - if only there wasn't the issue of data security:


"eHealth Suisse", the "Competence and Coordination Office of the Confederation and the Cantons", calls for "Identity and Access Management" and defines this as "managing the unique identification of persons and their assignment to electronic identities". "Unique" here means that for every access it must be logged who accessed the data: the administrative manager, the head physician or the nursing student. In addition, there is the European Union's General Data Protection Regulation (GDPR): according to the Federal Data Protection and Information Commissioner (FDPIC), it also applies to "companies based in Switzerland, insofar as they process this data for their offers of goods and services in the EU".

Reformulations
Martin Eckert, Legal Partner at the law firm MME Legal, Tax, Compliance, believes in "extraterritorial effects" of the regulation and therefore expects that Swiss service providers "may" also fall under it. The lawyer Christian Peter denies this possibility. Either way, FDPIC Adrian Lobsiger expected the revision of the Swiss Data Protection Act as early as summer 2018.


According to Lobsiger, this revision will be based on Council of Europe Convention 108, just like the GDPR. However, experts warn that the importance of data security is "underestimated" in federal medical practices or, even worse, "insufficient" in clinics.


If a medical practice falls victim to a data breach, for example through the "unintentional" or "unauthorized" "disclosure" of personal data, the "responsible party" has 72 hours to report it to its supervisory authority. It must also document "all facts relating to the personal data breach". This documentation must therefore show whether, for example, an employee (unintentionally) misaddressed patient letters or (unlawfully) copied patient data in order to sell it to third parties "for thousands of dollars".


To reduce criminal risks, access to the data must not only be logged; it must also be defined which rights each access carries: the administrative employee needs the bank data but hardly the diagnosis data, and the doctor in turn does not need the bank data. The processing must take place under the "supervision" of the respective data controller, i.e. the person who "determines the purposes and means of the processing of personal data".
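The two requirements the article has just laid out (logging every access against an identified person, and giving each role only the data it needs) can be shown together in a few lines. The following is an added example written for this page; it is not code from the article, from eHealth Suisse or from any vendor named here. The role names, record categories, user IDs and patient ID are constructed assumptions, and the log is held in memory for illustration.

```python
# Added example, not code from the article or from any vendor it names.
# It models two requirements stated in the text: every access is logged
# against a specific person (unique identification), and each role only
# gets the data it needs (administration: bank data, not diagnoses;
# physician: diagnoses, not bank data). Roles, categories and IDs are
# constructed assumptions for the demonstration.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed least-privilege matrix: role -> record categories it may read.
PERMISSIONS = {
    "administration": frozenset({"bank_data", "contact_data"}),
    "physician": frozenset({"diagnosis", "contact_data"}),
    "nursing_student": frozenset({"contact_data"}),
}


@dataclass(frozen=True)
class AuditEntry:
    """One immutable log record; user_id names the person, not just the role."""
    timestamp: str
    user_id: str
    role: str
    patient_id: str
    category: str
    granted: bool


@dataclass
class AccessControl:
    """Enforces the role matrix and keeps an append-only audit trail."""
    audit_log: list = field(default_factory=list)

    def check_access(self, user_id: str, role: str,
                     patient_id: str, category: str) -> bool:
        # Deny by default: an unknown role or an unlisted category gets nothing.
        granted = category in PERMISSIONS.get(role, frozenset())
        # Log the attempt either way; denied attempts are what a breach
        # review and the GDPR documentation duty will ask about.
        self.audit_log.append(AuditEntry(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user_id=user_id, role=role, patient_id=patient_id,
            category=category, granted=granted,
        ))
        return granted

    def denied_attempts(self) -> list:
        """Attempts that violated the matrix: candidates for breach documentation."""
        return [e for e in self.audit_log if not e.granted]

    def who_read(self, patient_id: str, category: str) -> list:
        """Which persons were actually granted one category of a patient's data."""
        return [e.user_id for e in self.audit_log
                if e.granted and e.patient_id == patient_id
                and e.category == category]


def demo() -> AccessControl:
    """Constructed scenario: three roles touching the same patient record."""
    ac = AccessControl()
    ac.check_access("u-admin-01", "administration", "p-1001", "bank_data")   # granted
    ac.check_access("u-admin-01", "administration", "p-1001", "diagnosis")   # denied
    ac.check_access("u-doc-07", "physician", "p-1001", "diagnosis")          # granted
    ac.check_access("u-doc-07", "physician", "p-1001", "bank_data")          # denied
    ac.check_access("u-stud-03", "nursing_student", "p-1001", "diagnosis")   # denied
    return ac


if __name__ == "__main__":
    log = demo()
    for entry in log.audit_log:
        print(entry)
    print("denied:", [(e.user_id, e.category) for e in log.denied_attempts()])
```

Two design choices matter here. The decision is made by a single function that denies by default, so a new role or a new record category is invisible until someone deliberately adds it to the matrix. And the log records the individual (`user_id`), not merely the role, which is what lets `who_read` answer the question the article attaches to the 72-hour reporting duty: who actually saw which data of which patient.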


A particularly important concept of the Regulation is "accountability": "The controller is responsible for and must be able to demonstrate compliance with paragraph 1 (in Article 5 of the Regulation, author's note)". In this paragraph 1, there are requirements on the "lawfulness" of the processing, the "purpose limitation" of the collected data, the "data minimisation", the "accuracy", the "storage limitation" and the "integrity and confidentiality".

Security gaps
As early as 2009, IBM's Zurich research lab, together with a hospital in Denmark, is said to have developed "innovative" software that can link electronic health data with a three-dimensional model of the human body. Last year, the group claimed to be using its AI system "Watson" "in more than 50 hospitals worldwide". While IBM has partnered with drugmaker Pfizer, Roche has allied with GNS Healthcare, a young AI company based in Cambridge in the US. However, IBM's Watson has already been accused of "unhealthy and incorrect" treatments, Roche had to officially recall a "diabetes management app", and the list of sometimes serious security vulnerabilities in SAP's Hana system is long. Currently, under the EU's General Data Protection Regulation (GDPR), the controller or processor is exempted from liability "if he proves that he is not responsible in any respect for the event giving rise to the damage" (Art. 82 GDPR, Liability and right to compensation, paragraph 2).
