Governments in the region have already put in place measures to facilitate data aggregation while ensuring patients’ anonymity. For example, South Korea enables access to personal health data via My HealthWay, a national platform that consolidates health records from more than 850 healthcare facilities. In the UAE, the Abu Dhabi Investment office partnered with Innovacer, a health cloud company that aggregates and normalizes healthcare data to create a unified patient record.
Data regulations
It is important to understand the regulations governing how healthcare data can be shared with third parties. Following are common options when applied an individual’s data can then be used:
- With patient consent. Data can be shared without the need for anonymization, leaving all patient data intact. Consent can often be gained from patients with complex diseases where sharing information might lead to better future treatment outcomes. However, consent for legacy healthcare data can be more difficult to obtain. In our survey, c. 25%-35% of data was used with patient consent.
- Anonymized. Data can be altered to make it impossible to trace back to any individual patient. This process reduces data value in certain use cases since there is information missing in the dataset, but it is often still valid enough for certain types of research. In our survey, c. 50%-75% of data was anonymized. This data typically also requires patient consent for processing and anonymization.
- Through federated or swarm access. This approach allows data to be used without being transferred to the third party. Data does not leave the healthcare providers’ premises (or their cloud environment, where applicable). The research algorithm or the analytics are deployed on the premises and “learn” from the data there. When the algorithm/analytics are extracted, they have been trained on the full data available from the healthcare provider, but the results cannot be traced back to any individual patient. In our survey, c. 5%-15% of data was already being accessed via federated/swarm technologies.
- As synthetic data. This is artificially generated information designed to replicate the characteristics of real-world data. It is created using algorithms that learn the patterns, correlations and statistical properties of original datasets. Synthetic data maintains the statistical integrity of the original data without holding any personal information.
- From deceased patients. Many privacy regulations are more lenient for clinical data of deceased patients, and depending on how comprehensive the dataset is, this information can often be as valuable as data from living patients (depending on the use case).
Our survey results show varying levels of data anonymization to accommodate regulatory constraints and customer requirements. Data obtained with patient consent still retains higher utility, as it can be reused multiple times and analyzed in different ways by the acquiring party.
We believe there is likely to be a shift toward federated and swarm access given the higher perceived privacy safeguards and data security. We expect this transition to be slow, however, since it requires significant investment in technology and in human capital, and because there is high variance in the development of data regulation policies in Asia and the Middle East. For example:
- In Singapore, the Personal Data Protection Act (2012) comprises various requirements governing the collection, use, disclosure and care of personal data. The conducting of regular checks is obligatory, to ensure personal data is accessed only by authorized individuals.
- Malaysia’s Personal Data Protection Act was passed in 2010 to preserve individuals’ data security. The government is currently working on amending the provisions on data breaches, which have been a concern in the past (e.g., there is no requirement to notify authorities regarding data breaches).
- Despite comprehensive cybersecurity laws, Indonesia lacked a personal data protection regulation until October 2022, when the Personal Data Protection Law was enacted. A Data Protection Authority is being formed to supervise the implementation of the law.
- China’s Personal Information Protection Law (2021) mandates strict controls on the cross-border transfer of healthcare and patient data. Transfers abroad require security assessments or government approval, with data localization required for large-scale data handlers and strict penalties for noncompliance.
- The UAE issued in 2019 the Health Data Law, which regulates the use of information technology and communications (ITC) in the healthcare sector and applies to all entities operating in the country, including healthcare providers, insurers, healthcare IT companies and others engaged in services or activities that involve handling of electronic health data.
A data-as-a-service offering can be built through different routes to market depending on regional market dynamics and healthcare providers’ capabilities
Ultimate success is highly dependent on the route-to-market strategy. Providers have several options for this, including the direct-to-end-user approach, the data intermediary approach or a mixed approach.
Depending on the route to market selected, the practicalities vary:
- The direct-to-end-user approach typically achieves a higher price per record but requires significant investment in building a sizable in-house data and sales team
- The data intermediary approach typically renders a lower price per patient record but requires a much smaller dataset and sales team and can usually be launched much faster
Selecting the optimal approach requires a detailed assessment of the expected pricing power, share capture and opportunity for value-added services in the region of interest, as well as the required investment to build the necessary capabilities. Asia and the Middle East are heterogeneous regions that require deep knowledge and study of national systems to successfully navigate regulatory and market landscape. Regardless of the approach taken, providers must develop or hire in-house data expertise, build or commission a data technology platform, and set up specialist teams for business development and commercialization of the dataset.
Call to action: By selecting the appropriate route to market and maintaining compliance, healthcare providers can position themselves to benefit from medical data
The implication for healthcare providers is clear: launching a data-led offering has the potential to be a profitable new business area. For impact investors in the healthcare sector, these offerings can also lead to faster new drug, medtech and/or AI development and to better patient outcomes in the medium to long term.
However, there are crucial issues to consider:
- The dataset itself must be fit for the purpose. The best possible scenario involves a dataset that is compliant with privacy and security regulations; complete (ideally, longitudinal) and highly detailed; and standardized to a format that is transferable across data originators and geographies, and with broad geographic coverage.
- The appropriate route-to-market strategy must be carefully selected through analysis of implementation costs and commercialization profiles. Implementation costs are driven not only by the business development team but also by the need to develop a suitable data architecture, select a technology platform/provider, and manage day-to-day business operations.
- Compliance must be carefully managed, especially around anonymization and consent. For example, Australia’s largest provider of medical imaging services recently found themselves in the news for an investigation alleging that the company had “used private medical data to train artificial intelligence (AI) without patient consent.”
With knowledge and care, healthcare providers can position themselves to launch a successful new business with data-led offerings that can grow in value as new patient data is continually added to the existing base.
Adjacent companies such as healthcare IT organizations providing EMRs, practice management systems, or imaging software vendors and pathology companies have opportunities too. They should begin developing their strategies and consider investing in and developing corresponding data platforms, so their clients are also enabled to launch these new data-driven business models and/or can better leverage data and benchmarks to enhance their own operations.
For more information, please contact us.
L.E.K. Consulting is a registered trademark of L.E.K. Consulting LLC. All other products and brands mentioned in this document are properties of their respective owners. © 2024 L.E.K. Consulting LLC
Endnotes
1RBC Capital Markets.
2Improving diversity in medical research, Ashwarya Sharma and Latha Palaniappan (2021).
3“What Do You MENA? The Arab World and its opportunities for clinical research,” Hadi Danawi, Ph.D. (2023). Arab Countries and Oncology Clinical Trials: A Bibliometric Analysis, Humaid O. Al-Shamsi, Ibrahim Abu-Gheida, et al. (2023); Inclusion & Diversity in Clinical Trials, Oyiza Momoh, Susan W. Burriss, Anya Harry, Kay Warner (2020).
4Adoption of Electronic Health Records (EHRs) in China During the Past 10 Years: Consecutive Survey Data Analysis and Comparison of Sino-American Challenges and Experiences, Jun Liang, Ying Li, et al. (2021).