By Rahul Kapoor, Dennis C. Gucciardo, W. Reece Hirsch and A. Benjamin Klaber, of Morgan, Lewis & Bockius LLP
As we all try to keep up with the Metaverse and as the healthcare system wilts under a data deluge, the convergence of realities in a shared online space is not merely a chance for practitioners and patients to find each other and interact in new ways, it’s also a rare opportunity to help a new paradigm sprout. The answers to detangling some sticky wickets of Health 2.0, like ensuring efficient, secure communications and exchanges between participants, may share a common thread: clear out (not just debug) the cobwebs and flip the crypt.
Far-reaching, seamless interoperability of health information, devices, and systems is critical for timely, appropriate, patient-centered care and for value-based initiatives. Interoperability efforts and regulations have already begun, so the industry is currently moving toward a secure, standards-based application programming interface (API) framework, but a legacy of inconsistent processes and information remains.
As noted in a prior LawFlash, blockchain has emerged as a potential gamechanger for healthcare data sharing. Its decentralized approach enables data accuracy, parity, and authenticity. Using blockchain technology, a metaverse (or, perhaps, a network that bridges worlds) could provide patients with greater control and customization of the flow of their medical information. For metaverses, interoperability across services, technologies, and environments is fundamental. Ultimately, siloed and disparate electronic health systems could be migrated into a unified, blockchain-based ecosystem.
As telehealth has exploded (surging particularly in response to the COVID-19 pandemic), patients are demanding convenience, choice, and privacy. The metaverse could enable patient care that feels like an in-person visit while simultaneously minimizing the amount of personal information that is shared and processed. For patients where privacy is top of mind, an anonymous avatar could be the “patient” and the healthcare provider could rely on information and images that are truly relevant to the consultation, diagnosis, and treatment (where access and processing of personal information are largely controlled by the individual receiving care).
However, a fully or partially anonymized patient encounter must be reconciled with medical professional and ethical obligations governing patient care. It should also be noted that blockchain’s relatively inflexible structure is not easily reconciled with medical privacy laws, like the Health Insurance Portability Accountability Act (HIPAA). For blockchain-based metaverse health to take off, the technology and/or regulatory schemes may need to adapt.
The metaverse could also boost another trend in the healthcare industry: gamification, particularly in group settings. Patients may feel more comfortable and engaged participating in group activities in the metaverse, through their anonymous other-world personality, than in real-world settings. Capturing real-world, real-time data through smart watches and other devices, and harmonizing that data with information collected via metaverse and game participation could lead to a holistic, longitudinal view of a patient’s progress and health, resulting in improved outcomes and research. However, as with other digital health products, it is necessary to distinguish between the Federal Trade Commission privacy principles applicable to direct-to-consumer products and services, which differ significantly from the HIPAA privacy rules governing HIPAA covered entities like healthcare providers.
Connected devices and associated interdependent systems face an existential threat. Medical devices are no different. The healthcare industry has been a target for cybercriminals due to the robust data sets maintained by healthcare organizations, which include sensitive financial and medical information, and those threats will also be present in the metaverse.
Recently in April of this year, the US Food and Drug Administration (FDA) released an extensive draft guidance (which, if finalized, will supersede previous guidance) outlining how device manufacturers are to consider cybersecurity threats in the design of medical devices under current law. The draft guidance strongly suggests the implementation of a Secure Product Development Framework (SPDF) utilizing risk management principles for identifying and designing devices to account for cybersecurity threats, testing the device to evaluate the effectiveness of the design, and providing users with information concerning cybersecurity threats.
The FDA has suggested that current laws may not grant the agency enough authority to address cybersecurity threats in medical devices, and legislators are sounding the alarm. Indeed, as US Representative Michael C. Burgess aptly noted, in connection with companion legislation introduced in the House of Representatives, “[i]t is time to examine how to modernize and protect our health care infrastructure.” One key step would be minimum common standards and guidelines across industry participants that address issues such as consents, technical measures (e.g., encryption), authentication, updates, reporting, coordination, and accountability.
It is also important to remember that the security and integrity of devices, applications, and systems change over time and are highly interdependent. Just as cloud services became ubiquitous for information technology departments (at first for cost reasons, but eventually due to better offerings and security), blockchain-powered metaverses and networks may soon treat healthcare providers like patients by alleviating many of their chronic headaches (for a fee).