Hospitals rely on data to get patients from test to treatment. Each test result or image contains data that can tell a nurse or doctor whether a patient is at serious risk. Analysing that data, and getting it to the right clinician as quickly as possible, is essential to making sure that each patient gets the treatment they need in time.
Hospitals use IT providers like Scientie, Cerner, Phillips, MV Sistemas and many others to help analyse, store and process this data, under strict rules and regulations. In data terms, the hospital is the “data controller”, meaning that they are in charge at all times of what happens with patient information. The "data processor" - such as Scientie - must only process this data in strict accordance with the instructions of the data controller and the law.
Health data is hugely important and sensitive, and keeping it secure is our top priority.
We commit to:
Different hospitals ask us to process different types of data, depending on what they need.
Hospitals use our secure clinical apps to process personally identifiable patient data. This is because hospitals use the app to help nurses and doctors deliver urgent care, and these clinicians need to know which specific patient needs their help. You can read more about how personally identifiable patient data is processed and protected here.
In contrast, our AI research projects currently process de-personalised data. This is because the researchers are exploring whether AI tools can be used effectively and safely to support nurses and doctors. To carry out this research they don't need to know the details of any specific patient. You can read more about how de-personalised data is processed and protected here.
The team at Patient Data Science, an independent task force, has published more information about how different types of data are used in healthcare. You can read more on their website, here.
Patient consent and opt-outs
Hospitals are the "data controllers" with a direct relationship with their patients, and they are in charge of decisions about patient consent and opt-outs. Scientie, as a "data processor", strictly adheres to the instructions we're given by the hospital.
In general, hospitals don't ask for explicit consent from patients before using a "data processor", because the hospital remains in control of the patient information throughout.
However, the precise policy may vary depending on the hospital.
World-leading security
We hold patient data at the very highest levels of security, and ensure that all data is encrypted, logged and strictly governed. Our security systems and processes have undergone and passed multiple audits.
When we process data from our partner hospitals, we first copy it from the Trust’s systems to our data centre located in Brazil. This is done over an end-to-end encrypted link.
Once in our data centre, the data is stored in an encrypted database and only decrypted when it is needed for processing. The decrypted data, and data derived from it, is never stored on disk without first being re-encrypted. Data transmitted between machines is also end-to-end encrypted, and all equipment is physically secured within a locked cage. All backups within our systems are also conducted over secure, encrypted links.
All data access is logged and available for audit, and once data is no longer required, we permanently delete it from our systems. Where applicable, we also destroy any encryption keys associated with that data. Any storage device that is retired from service in our data centre is physically destroyed to ensure there is no possibility of data leakage or recovery.
World-leading security
In early 2019 we announced a ground-breaking project called Verifiable Data Audit, with the express objective of increasing transparency and trust in how we process data.
Right now, any time our systems receive or touch that data, we create a log of that interaction that can be audited later if needed. With Verifiable Data Audit, we’ll build on this further.
Each time there’s any interaction with data, our systems will add an entry to a special digital ledger, which is cryptographically secure and cannot be tampered with. Our plan is to build a dedicated online interface that authorised staff at our partner hospitals can use to examine the audit trail of Scientie's data use in real-time.
This will allow continuous verification that our systems are working as they should, and enable our partners to easily query the ledger to check data usage is consistent with the policies they have put in place. We’d also like to enable our partners to run automated queries, effectively setting alarms that would be triggered if anything unusual took place. And, in time, we could even give our partners the option of allowing others to check our data processing, such as individual patients or patient groups.
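As an added illustration, not Scientie's code or design: the page does not say how the ledger is built, so this sketch assumes a SHA-256 hash chain whose latest head hash the hospital keeps independently, plus one automated policy query of the kind described above. The record fields, dataset names and policy table are constructed for the example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # constructed starting value for the chain

# Constructed policy: which purposes the hospital allows per dataset.
ALLOWED = {"renal_results": {"direct_care"}, "retinal_scans_deid": {"research"}}

# Constructed sample interactions; the last one breaks the policy above.
SAMPLE = [
    {"ts": "2019-03-01T09:00:00Z", "actor": "svc-alerts", "dataset": "renal_results", "purpose": "direct_care"},
    {"ts": "2019-03-01T09:05:00Z", "actor": "svc-research", "dataset": "retinal_scans_deid", "purpose": "research"},
    {"ts": "2019-03-01T09:07:00Z", "actor": "svc-research", "dataset": "renal_results", "purpose": "research"},
]

def entry_hash(prev_hash, record):
    # Canonical JSON so the same record always produces the same hash.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(ledger, record):
    """Add one interaction, binding it to the hash of the previous entry."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})
    return ledger[-1]["hash"]

def verify(ledger, trusted_head=None):
    """Return -1 if intact, else the index where verification fails."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        expected = entry_hash(prev, entry["record"])
        if entry["prev"] != prev or not hmac.compare_digest(entry["hash"], expected):
            return i  # entry edited, reordered or inserted
        prev = entry["hash"]
    # An internally consistent chain can still be truncated or rebuilt from
    # scratch; only a head hash held outside the processor detects that.
    if trusted_head is not None and not hmac.compare_digest(prev, trusted_head):
        return len(ledger)
    return -1

def policy_alerts(ledger, allowed):
    """Indexes of entries whose purpose is not permitted for their dataset."""
    return [i for i, e in enumerate(ledger)
            if e["record"]["purpose"] not in allowed.get(e["record"]["dataset"], set())]

def build_sample_ledger():
    ledger = []
    for record in SAMPLE:
        append(ledger, record)
    return ledger
```

Verification only means something when the party checking holds the head hash itself; a processor that both stores and vouches for the chain could rebuild it end to end.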
You can read more about our plans for Verifiable Data Audit here.