5G in healthcare: maximising digital value in patient care or increasing legal risks?
De Gaulle Fleurance & Associés, Paris
Director of Law & Technology Studies, Télécom Paris – Institut Polytechnique de Paris, Paris
5G wireless technology, the new mobile telecommunication network, is already almost all around us. With its multi-layer/multi-player structure able to absorb and carry enormous amounts of data, it is said to be the critical new generation network technology that will support the digital transformation and drive innovation.
5G has been designed to deliver multiple advantages compared to existing 2G, 3G or 4G networks, bringing cloud computing (and centralised data centers), edge computing (and its local data center storage reducing latency) and the consumer closer to each other than ever before. Healthcare is one of the main areas for 5G deployment, covering all of the patient’s pathway: in the pre-hospital phase (eg, connected ambulance), while in hospital (eg, remote robotic surgery), during post-hospitalisation (eg, hospitalisation at home with home monitoring sensors) or more generally all digitalised segments of healthcare (eg, telemedicine cabins, remote patient monitoring mobile applications), for instance for Patient Reported Outcomes (PRO) purposes.
5G networks could transform and improve all of the critical components of connected healthcare and this has become even more meaningful with the unprecedented stress that the Covid-19 health crisis caused to healthcare organisations around the world.
5G promises to support highly demanding connectivity needs to enable a new health ecosystem. However, the legal and ethical stakes involved in the use of 5G in healthcare are considerable, since they require the convergence of (i) the legal constraints of the healthcare world to preserve patients' rights, including health data protection rights, and (ii) those of a complex technology that is still under construction.
Indeed, 5G is a disruptive telecommunication technology, which will lead to a new organisation in terms of key players, authorities, allocation of responsibilities and control.
By itself, it will generate its own legal and ethical issues (eg, 5G architecture), most of which have not yet been subject to specific regulations, especially when applied to the healthcare sector.
Alongside these radically new subjects, already known legal and ethical issues will apply, sometimes on unprecedented scales, with the emergence of 5G (eg, regulation of medical devices, impact on health, regulation of the medical practice, massive data processing and cyber security, emerging AI regulation and liabilities allocation in a context of reduced latencies).
Finally, 5G deployment in the healthcare sector will involve additional legal analysis to reflect the relevant regulations: for example, medical transport or telemedicine.
1. A framework to be built for telecommunications
Compared to 4G, 5G will provide better performance on three levels:
- enhanced mobile broadband, permitting much higher bandwidth than is available over 4G;
- massive machine type communications, permitting the connection of up to one million devices per square kilometre, 1,000 times more than is possible with 4G; and
- ultra-reliable and low latency communications, with latency of only one millisecond compared to 50 millisecond latency for 4G.
Not all of these characteristics will be available at once. 5G development will be incremental, with the beginning of 5G looking a lot like enhanced 4G, relying on legacy 4G infrastructure. The emergence of standalone 5G networks capable of all the performance characteristics mentioned above will take a number of years, and massive investments by operators.
The third characteristic of 5G, ultra-reliable and low latency communications, holds particular promise for connected health, permitting, for example, remote surgery and augmented reality health applications. The second characteristic, massive machine type communications, will come into play as health/wellness sensors are increasingly incorporated into our clothing, medicines, medical devices or even our bodies, in the form of ‘body area networks’. The ability to create network slices with different quality of service (QoS) characteristics will permit critical health applications to be separated from other traffic, such as a video game that might otherwise slow down the network.
But the idea of creating separate virtual network slices raises a number of issues under telecommunications regulation, such as who is the ‘operator’ of, and therefore responsible for, the separate virtual network. Will specialised health communication service providers emerge to fill this space, or will the role remain with traditional mobile operators? Guaranteed QoS also raises questions under net neutrality rules. EU Regulation 2015/2120 prohibits operators from granting preferential QoS to certain users, but that restriction only applies to internet access services. While it is tempting to think that 5G health services will be completely separated from internet access services, experience has shown that the separation is never clear-cut. Many 5G health services will also make use of internet access for certain aspects of the service, and net neutrality regulations could interfere with QoS guarantees, as well as tariff practices such as zero rating of health applications.
If, as in France, the operation of 5G frequencies is entrusted to operators selected by the regulatory authorities, those authorities will still have to determine the conditions under which these mobile operators shall comply with requests from sectoral operators, including health operators, in order to promote the emergence of new uses requiring specific coverage and/or performance. To that effect, the operators may either (i) provide a catalog or customised offer; (ii) make part of the frequencies they have been allocated available locally for the deployment of a local network specific to the sector; or (iii) use a service provider for the sector. The latter would then operate the frequencies of the incumbent operator in a defined geographical area in order to satisfy the sectoral demand.
The 5G architecture will then imply the combination of subsystems and services (trusted third party, virtual operators aggregating distributed compute services, security services, ‘physical’ operators of data and communication infrastructures), which will need to be legally structured.
2. Impact of 5G on healthcare sector regulations
The health sector is subject to a dense regulatory framework in all jurisdictions: regulation of healthcare actors (health or medico-social establishments, health professionals, etc), activities (clinical trials, telemedicine, material vigilance, medical transport, etc) and products (including connected medical devices).
5G will therefore have to fit into this regulatory framework. In a number of cases, the use of 5G will not require any adaptation of the texts in relation to the provisions already in force, for example in connected health. On the other hand, adaptations may be necessary in other areas, particularly in terms of medical ethics to support new uses such as telesurgery.
As such, the use of 5G in healthcare will involve the use of new equipment (medical hardware, IT, software, sensors, IoT) some of which will be legally qualified as medical devices (including as accessories). However, medical devices are subject to a binding legal regime both nationally and in Europe, resulting in particular from the mandatory application as of 26 May 2021 of Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, designed in particular to ensure their enhanced safety as well as greater centralisation and transparency of activities. Many connected medical devices (CMDs) are already in place but their number should be significantly increased with 5G.
Regarding AI-embedded CMDs, the European Commission has identified in its draft regulation and AI communication dated 21 April 2021, the existence of high-risk AI systems (such as AI technologies used in product safety components: eg, application in robot-assisted surgery), which will need to comply with strict obligations.
According to the latter, it will be necessary to introduce risk assessment and mitigation processes as well as high-level standards in terms of robustness, safety and accuracy. It will also be necessary to provide detailed documentation to public authorities for the proper assessment of the compliance of AI technologies and to users to clearly inform them of the risks. Subject to the EU parliamentary debates that are still to come to finalise the future AI Act, high sanctions (for some of them, higher than under the GDPR) will presumably be at stake.
All of these future regulations will therefore lead to a European conformity certification (EC conformity) for some of the new technologies resulting from 5G and will have to be linked to the one related to medical devices.
Finally, the 5G architecture will also mean the identification of the legal framework for accessing terminals in the form of medical devices in the health slice, as well as the legal constraints applicable to ensure the safety of this health slice under these conditions.
3. Data availability, quality and protection analysis / Cybersecurity / Impact of 5G
Application areas of 5G in healthcare will involve the processing of massive volumes of data (personal or not). The free flow of data will therefore have to be adapted to secure the various players and promote data transparency, access to quality and accurate data and its interoperability. These data flows, particularly personal data, some of which are subject to the health data regime, also raise major cybersecurity issues in this sector, where security plays an eminent role.
Some of this data may be qualified as health or genetic data and is therefore sensitive data, the processing of which is, for example, prohibited under European law, subject to exceptions strictly regulated at the European level by the GDPR. This will lead to specific requirements on data qualification and protection according to the different processing purposes and flows between actors.
For example, the various sensors that may be used in and outside the patient's home raise the question of how to process the information collected. By enabling the reconstruction of a patient's history, this information could be used for many purposes beyond medical monitoring (for instance, to improve a product or its targeting, to fight against fraud or to better calculate risks in the insurance field). Here again, the security of data processing must be investigated.
In addition, healthcare professionals and organisations may, for example, act as health data hosts, implying compliance with certification requirements, including in terms of interoperability and security or specific approvals (in accordance with the French Public Healthcare Code as well as the guidelines of the French Digital Health Agency, the ANS). However, the standards applicable to the certification of hosting providers will have to be adapted to the new processes linked to 5G, such as edge computing.
In addition, 5G use cases in healthcare will involve the potential use of geolocation. This subject will have to be dealt with in a specific way, given the legal issues involved, particularly with regard to personal data protection law.
Lastly, healthcare is qualified as both a vital activity and an essential service. As such, it is generally subject to specific cybersecurity requirements (incident notifications, security controls, etc). The roles of each type of actor involved will need to be examined so as to ascertain whether they are likely to be subject to specific cybersecurity requirements, for example as a Vital Importance Operator (within the meaning and under the status laid down by the French Code of Defense) or as an Essential Service Operator (as provided by the European NIS Directive of 2016 transposed by French Act no.2018-133 of 26 February 2018). European law is currently evolving on this subject in the context of the Cyber Pack, as shown by Ursula von der Leyen in her annual State of the Union speech on 15 September 2021 with the announcement of an upcoming Cyber Resilience Act aimed at setting common cybersecurity standards for connected devices.
The same will apply to the requirements that could result from the future security certification system that the European Commission has asked the European Cyber Security Agency (ENISA) to develop. 5G is especially sensitive because the main supplier of network equipment is Chinese, leading some authorities in Europe to express concerns that 5G network equipment may have hidden cybersecurity vulnerabilities.
4. Ethical issues around 5G, in particular related to AI
The use of 5G in healthcare will involve the use of AI-based technologies: legal and ethical issues such as the place of humans in the development of AI and the level of control over algorithms therefore arise in the use of 5G in the relevant application areas.
Permitting the connection of millions of sensors, 5G is sometimes considered as the future ‘eyes and ears’ of AI. The increased availability of data will permit machine learning algorithms to learn to recognise patterns important in health diagnosis and treatment, and in the management of epidemics. But using AI raises fundamental ethical questions, some of which came to light during the Covid-19 crisis. To what extent can protection of public health justify data collection and analysis that may interfere with individual privacy?
Thanks to the new bioethics legislation, which has just been enacted through Act no. 2021-1017 of 2 August 2021, the French Parliament has integrated into French law the principle of a human guarantee in the use of connected medical devices using AI. According to this principle, all algorithmic treatments must be subject to upstream and downstream human supervision points (with information being owed both to the patient and the healthcare professional, while the manufacturer should ensure explicability of its medical device). This principle could thus make it possible to keep a certain control over AI, and to have certain guarantees and explanations on the decisions taken by AI.
On 20 October 2020, the European Parliament adopted a resolution that addresses ethical concerns and called on the European Commission to propose a legal framework governing the development, deployment and use of AI and its related technologies. In particular, the European Parliament recommends that trustworthy European AI standards be put in place and states that it should be possible to explain, in a precise manner, the decisions made by AI.
On 20 January 2021, the European Parliament adopted a resolution on the use of AI in civil and military domains and on 21 April 2021, the European Commission officially published its draft regulation on a European approach to artificial intelligence. This draft defines a new legal framework for AI designed to address many of the challenges associated with this technology (creation of a European Committee on Artificial Intelligence, fines of up to 4 per cent of annual global turnover and extraterritorial application). Article 14 of the draft specifically sets up a human oversight mechanism for AI with a high-level risk, which, among other things, shall make it possible to control the design and use of AI and to stop its operation when the context so requires. The EU Commissioner Thierry Breton stated that ‘The proposals […] aim to consolidate Europe's position as a global pole of excellence in the field of AI, from the laboratory to the market, to ensure that, in Europe, AI respects our values and our rules and exploits its potential for industrial purposes’.
Other ethical issues may arise with the development of 5G, such as the ease with which a massive number of new low-cost sensors can be connected to the network, making the prospect of connected home devices, t-shirts, bicycles, refrigerators, pillows, toothbrushes and even toilets highly likely. The ubiquitous presence of health and well-being sensors will raise data protection, cyber-security and ethical concerns that go far beyond anything we have seen so far. The line between recreational health/well-being apps and serious 5G health applications is likely to become blurred.
The deployment of new 5G-based health care will also lead to concerns about coverage in rural areas. The economics of 5G networks will push operators to first deploy innovative health services in urban areas, whereas people living in rural areas may be the ones that most need remote 5G access to healthcare. A combination of regulation and targeted subsidies may be needed to address this ‘digital divide’ problem.
5. The importance of anticipating responsibilities of the various players in the 5G ecosystem as well as liability insurance coverage
A final major issue for 5G in healthcare is the management of the chain of responsibilities and related potential liabilities of the various actors involved in the event of a failure in the deployment or operation of 5G in the healthcare sector: telecommunication operators, private networks, research centers, service providers, producers of data or algorithms, AI platforms, data hosts, producers and operators of connected medical devices, healthcare establishments, medical staff, patients, notified bodies and regulatory authorities.
Indeed, in case of failure of the communication network, or of the connected objects alone, the civil, administrative and/or criminal liability or the inadmissibility of action of the various protagonists could be engaged or constituted jointly or independently, as the case may be.
In case of damage caused to the patient due to a technical failure, the chains of liabilities could therefore be particularly complex (and consequently long and costly) and could lead to an update of the compensation scales for personal injury due to digitalisation. The question of insurance is intimately linked to these liability issues.
These legal and insurance issues are likely to have major consequences on the development of new solutions (economic models with shortened product life cycles and a supply chain becoming more and more software-based, conditions of use and contraindications, insurance policies, etc). In this context and in view of the number and structuring of slices and players in the 5G network, the issue of liability sharing between new players is essential and is already the subject of debate, for example, among incumbent mobile operators.
In addition, damage that can be caused will be significantly increased in the application areas investigated, such as telemedicine and emergency mobility.
The use of 5G in healthcare will require an in-depth examination of the ways in which liability is distributed among the various players within the framework of the economic models induced. An analysis must also be conducted of potential insurance mechanisms, for example in the form of universal insurance (following the example of the reflections already underway concerning the role of the French ONIAM – the French Body in charge of indemnifying victims of medical acts – in the field of AI), with the option of recourse proceedings.