The current statutory regulatory regime in Israel does not contain specific provisions concerning digital healthcare or digital medicine. Moreover, the current legislation is yet to be adapted to address the various aspects of the fourth industrial revolution of digital transformation in general.
But technological advancement does not wait for the government or the legislature. Digital transformation affects many fields, including all facets of the healthcare industry, from the application of big data, artificial intelligence and machine learning to aspects such as precision/personalised medicine, the shift from treatment to predictive and preventative medicine, improved drug discovery procedures and clinical trials performance, the development of sophisticated diagnostic procedures (including those based on wearables), as well as improvements in the day-to-day management of logistical aspects of the provision of healthcare services by health maintenance organisations (HMOs) and hospitals. In addition, as the provision of healthcare uses more and more digital channels, the opportunity for researching the resulting data increases even further.
As noted above, there are no regulatory definitions of digital health and digital medicine. There are several circulars of the Ministry of Health (MoH) addressing certain aspects of these activities. The main body of regulation that is not health specific but that applies to digital healthcare is the privacy protection framework.
Some of the key technologies enabling new capabilities in digital healthcare and digital medicine are:
The emerging key legal issues in digital health are explored in more detail below. Briefly put, they include privacy and data security issues, healthcare regulatory concerns such as anonymisation and preservation of confidentiality of health data, regulatory limitations on data sharing, and the application of contract and commercial law to the evolving industry of data access and licensing.
The impetus behind developing and adopting digital healthcare technologies was strong even before the COVID-19 pandemic. Nevertheless, the pandemic did bring about a certain acceleration because of the increased motivation, both for the public sector and the private sector, to invest financial resources into more efficient provision of healthcare services. This included telemedicine solutions, AI-based monitoring solutions (for example, a monitoring system that enables advance prediction of respiratory complications of patients hospitalised in intensive care units or another hospital unit) and automation of digital processes. Home diagnostics devices connected to the internet enabled patients who are limited in their ability to make it to the physician at the clinic to transmit medical data on an ongoing basis to their physician.
Lastly, the highly developed infrastructure for big data studies enabled data studies of the results of the national vaccination programme that resulted in millions of people being vaccinated in a very short period of time. The results reported in prestigious magazines have enabled the global medical community to benefit from Israel’s experience within a very short period of time.
Climate change is foreseen to increase the already heavy burden on the healthcare system. Advanced digital healthcare solutions, discussed in other parts of this chapter, will alleviate the load on health institutions and improve the method of coping with increased demand for limited resources. For example, decision support systems will allow the same number of physicians to serve more patients. Improvements in diagnostics may be particularly helpful for diagnosing skin cancer and pulmonary diseases that may be caused by air pollution. Wearables and home diagnostic medical devices will similarly be useful in combating adverse health consequences of the climate change crisis.
The key regulatory agency is the Ministry of Health. The MoH is responsible for most aspects of the healthcare and pharmaceutical industries. It issues marketing authorisations for pharmaceuticals and for medical devices, including regulation of the requisite clinical trials. It also regulates the activities of the HMOs. Finally, the MoH regulates the practice of medicine by physicians. There is no separate agency that is entrusted with the regulation of digital medicine, digital health and/or medical devices.
The digital transformation of the healthcare industry is highly active, but the development of a comprehensive and detailed digital healthcare regulatory scheme is lagging and lacking. The government published a national digital transformation plan and the MoH followed suit with its own digital health programme. However, primary legislation was not amended. Draft regulations (secondary legislation) relating to health data anonymisation and health data use and sharing have been published for public comments, but the final regulations have not been published yet.
Thus, the main regulatory documents that have been published to date are circulars of the general manager of the MoH that concern certain aspects of secondary use and sharing of health data, the use of digital means in the process of obtaining informed consent, the use of cloud computing in the Israeli healthcare system, the criteria for operating telehealth medicine, providing patients with access to personal health data (“healthcare in the palm of your hand”), the protection of information in computerised systems in the healthcare system, etc. The circulars are intended to be enforceable on the HMOs and hospitals, although this is partially disputed by certain HMOs. Their enforceability on the private sector is dubious (but since the private sector relies on access to data held by healthcare institutions, actual control over actual conduct is substantially achieved).
At the data protection and privacy level, the Privacy Protection Authority has published statutory regulations covering the various aspects of data protection. The regulations were inspired by, and are generally consistent with, the European General Data Protection Regulation (GDPR).
The main regulatory enforcement activity currently conducted concerns privacy protection enforced by the Privacy Protection Authority. The extreme sensitivity of health information, on the one hand, and the high pace of adoption of digital health solutions against the background of a lack of a detailed and systematic regulatory healthcare scheme, on the other, are obvious drivers of the special attention paid by the Privacy Protection Authority.
The enforcement activities of a regulatory authority can be conducted on the administrative or criminal level. Administrative measures may be, for example, the imposition of fines, calls to remove officers from office and the like. Before imposing an administrative sanction, the regulatory authority must collect evidence sufficient to justify its decision and, in general, must allow the institution to be heard before a final decision is made. Criminal enforcement is conducted by filing suit in a court having jurisdiction and may result in imprisonment, a fine or both.
The Privacy Protection Authority is a non-healthcare regulatory agency responsible for enforcing the privacy and data protection legislative scheme in Israel. All other health-related issues (including wellness, fitness and self-care) are regulated by the MoH.
The Privacy Protection Authority is primarily concerned with issues such as the manner of collecting data; the manner of sharing data; and the preservation of the confidentiality of private data, including health data, which covers protection against data breaches, cyber-attacks and the like. The MoH is concerned with probably all aspects of the healthcare and medical industries. These include the health of the patients (safety and efficacy of treatments), proper management and financial stability of the health institutions, the national health budget, and the rights of patients. Thus, the issue of health data use and sharing is subject to overlapping jurisdiction. As regards data anonymisation, the MoH takes the lead. Discussions between the two authorities are generally not transparent.
Unfortunately, there is no statutory definition of software as a medical device. The registration of medical devices is entrusted to the medical accessories and devices (MAD) unit of the MoH. It must be noted that there is no legal requirement to obtain marketing approval for medical devices. The MAD unit nonetheless operates because HMOs and hospitals will not purchase non-approved devices. The MAD unit recognises US (510(k)) and EU (CE) approvals, meaning that holders of such approvals can easily obtain authorisations in Israel as well.
To date, telehealth has been more widely used in Israel in some fields. Patient-physician consultations through video calls have become popular but primarily after hours (through central service centres). Remote monitoring by means of handheld medical devices carried by patients in their homes has also become popular. Such a device not only monitors certain indices but also allows the physician to (partially) inspect the patient as if the patient were in the clinic. Surgeries have been conducted in hospitals with the participation of foreign experts through video calls. Virtual hospitals have not yet been established.
One of the concerns raised in the context of telemedicine is the digital divide and the concern that certain populations will be discriminated against and not be able to benefit from these new services.
As yet, there are no special regulations for cross-border provision of services and the general rules apply (meaning that non-licensed practitioners cannot provide health services from abroad).
During the COVID-19 pandemic, certain relaxations of the regulatory scheme were made. For example, the guidelines regarding clinical trials were modified and relaxed in several aspects with a view to achieving social distancing during the informed consent process, meetings to discuss and approve the conduct of clinical trials, etc. Notably, studies on health data were exempted from certain approvals if the data was anonymised. All such relaxations were cancelled after the pandemic subsided.
Almost all healthcare services are provided by the four major HMOs. The HMOs are funded by the government based on the number of patients they treat. The HMOs are generally not required to provide drugs and medical services not funded by the government. Each year, a special committee approves the introduction of new drugs and new technologies to the "healthcare basket", thereby requiring the HMOs to provide such solutions.
A host of technological developments have enabled the internet of medical things (IoMT) to develop to its current stage. One could begin with continuous improvements in authentic communications infrastructure (culminating in the recently introduced 5G network technology) that facilitates connectivity and bridges geographical gaps, improvements in computer vision, as well as various imaging techniques, coupled with the miniaturisation of chips and other hardware components, the increased computational power of computers, the development of highly sophisticated sensors (in particular, non-invasive wearable ones), the improvement in energy storage and battery life, and the maturity of machine learning and artificial intelligence as applied to health data, to name just a few of the driving technologies.
The development of IoMT facilitates a wide scope of functionalities, such as remote monitoring; remote measurements of patients’ indices, such as pacemaker monitoring, infusion pumps, insulin pumps and implant condition monitoring; as well as control and management of available resources and assets, building control and monitoring the environment of patients.
However, the growing use of these components and technologies results in increased exposure to cyberthreats, privacy risks through the exploitation of existing vulnerabilities, hostile takeovers and the like.
In order to assist health organisations in addressing these risks, the National Cyber Authority published in late 2020 a guide entitled “IoMT-Based Medical Device Protection Recommendations”, which concerns performing actions and controls to strengthen IoMT devices, while making recommendations for dedicated controls. The guide builds on classifications published by the Cloud Security Alliance (Managing the Risk for Medical Devices Connected to the Cloud). As it states, it should be remembered that there is no single technology applicable for all types of systems. Therefore, cyber protection for IoMT components has necessitated requirements for the protection of such components as well as protection from them. Also, a variety of components are provided by a variety of vendors and not every one comes with the same security settings. These facts make it difficult to create standardisation and uniform component management. This results in a need to protect IoMT components and their environments while combining different controls (policies, technologies, physical).
The introduction of 5G networks is expected to have major beneficial effects on the healthcare industry. Owing to its high bandwidth, high speed and improved latency and error rate, the 5G technology is expected to better facilitate remote monitoring and telemedicine, including sophisticated surgeries conducted from remote locations and improved machine learning capabilities, particularly with respect to large image files; enable high computing power to mobile devices dependent on communications; obviate the need for close proximity between machine learning servers and data sets; facilitate global immediately available medical consultation; and other similar improvements. Unfortunately, the deployment of the 5G network infrastructure in Israel has been considerably delayed and it is not yet clear when this technology will be fully operable in Israel.
The key legal issues in using and sharing personal health data in research and clinical settings are as follows.
There are no different regulatory frameworks for data use or for data sharing. The distinction made is between primary use, which is use of a person’s health data (including identifiable data) substantially for the purpose of treatment of that particular individual, and secondary use, which is defined as any other use. Primary use does not require the patient's consent. Secondary use requires either the patient's informed consent (opt in) or the use of anonymised data (which, if properly done, exempts from the need to obtain the patient's consent).
There are cases when the comparison of anonymised data with other data sources can result in re-identification. When access to the other data source requires informed consent (such as genetic data), the patient will typically be requested to provide consent to access their other phenotypic data. Alternatively, the database holder (eg, the HMO) will provide the researcher with unique keys that enable only the HMO but not the external researcher to connect and then analyse data with the identified data of the patient.
Informed consent may be obtained either by traditional means or by digital means. When digital means are used, this must be done in a procedure published by the MoH in October 2020. The general rule is that there must be a face-to-face meeting between the participant in the trial and the researchers. However, such a meeting can be conducted virtually and not necessarily in person. When choosing whether to make use of digital means in the process of obtaining informed consent, one must examine, among other things, the balance between the benefit of using such means and the associated risks, the severity of the medical intervention in the clinical trial, the characteristics of the target population and their accessibility to the proposed digital means, the number of participants and the degree of their accessibility to the place where the trial is conducted.
One declared goal of the procedure is to prevent the exclusion of various populations, having regard to the digital divide. Lastly, when asking a patient to opt in to participate in studies and activities that do not have direct benefits for such person, it is preferable that the request to opt in by way of an informed consent be done by a special recruiter rather than by the caring physician.
The regulatory scheme mainly addresses the issues of data security, data sharing, and anonymisation. It does not yet regulate the utilisation of AI and machine learning in general or the digital healthcare industry in particular.
Machine learning is particularly useful in the healthcare industry in research fields such as computer vision (the analysis of images for the purpose of diagnostics); associations between phenomena that are useful, for example, for drug repurposing and identifying novel indicators useful to predict illness; and gleaning the wisdom of the masses, namely, creating algorithms for decision support systems that produce a result that is equivalent to (if not better than) consultation with masses of peers.
One of the challenges for training machine learning algorithms is the need for access to sufficiently large and representative data sets and the need for removing bias underlying past decisions studied by the algorithm. Luckily, the data sets of the two large HMOs in Israel are relatively large. Nevertheless, when a particular research topic requires the pulling of data from different sources, the process is still cumbersome. Another limiting factor is the need to have geographical proximity between the machine learning server and data set.
Natural language processing (NLP) is particularly useful in big data analysis of interactions between a physician or a therapist and their patient. NLP may also be useful in the digitisation of handwritten records.
It seems that research on genetic data presents one of the higher risks of misuse of sensitive information. This is because in other use cases, such as studying medical conditions, the risk lies in the possibility of the perpetrator connecting the data to the person. When it comes to genetic data, the data is the person.
The IT infrastructure of the HMOs giving care to the majority of the patient population in Israel is well developed to support digital healthcare. The same is true for the main large hospitals. Some of the challenges lying ahead are commonly accepted standardisation of classification of clinical data, digitisation of old records, data curation, establishing infrastructure and promoting participation in platforms for the pulling of clinical information, and securing the resources necessary to recruit patients when opt-in is required (such as genetic and bio-sample studies).
The Israeli government actively encourages healthcare institutions to use cloud services in healthcare. To that end, the MoH published in February 2021 guidelines specifically permitting healthcare institutions to upload health data to the cloud and setting procedural guidelines for such process. Healthcare institutions are required to establish an organisational cloud committee that must set up an organisational cloud policy (which will address specified considerations) and oversee and approve cloud computing projects.
High-risk projects will require the approval of a governmental cloud computing committee. One of the nation’s leading hospitals, Sheba, has already commenced such a pilot programme. In parallel, the government commenced a multi-year governmental cloud computing project called Nimbus. The project will create national data centres of cloud infrastructure for use by the government, including infrastructure available for the country’s innovation industries. Google and Amazon won the project. Microsoft, which lost the tender, announced that it will build and launch a hyperscale data centre in Israel in 2022 and Oracle, which also lost the tender, also intends to build a data centre in Israel. IBM and other small local companies have already established and operate smaller data centres. It is therefore expected that the coming years will witness a giant leap into the era of cloud computing.
As stated in the MoH circular, cloud technology is an important feature of the introduction of innovation into an organisation. It enables the organisation flexibility of operation and the ability to use the available computing resources effectively and optimally, alongside cost reduction. In addition, cloud computing can assist health organisations in developing advanced operation and research capabilities, and in embedding innovative solutions, many of which operate only in the cloud.
The operation of cloud computing activities requires strict compliance with the highly developed and generally applicable privacy regulation scheme, both in terms of protection of privacy as well as of data security.
Patents are generally available for any invention that is a product or a process in any technological field that is novel, non-obvious, useful and capable of industrial application. A noteworthy exception to patentability is the prohibition of patents for a process of medical treatment of humans. This exception, coupled with case law trends concerning patentable subject matter, sometimes creates hurdles in pursuit of patent protection for inventions relating to personalised medicine. The territorial limitation of patents (patents being enforceable only within the territory of the country where they were registered) requires careful drafting of claims of patents relating to ex vivo diagnostics of medical conditions.
Copyright protects software as a literary work, but such protection generally extends only to the way of expression rather than the functionality and technological ideas underlying the code. The latter should be protected by patents where possible. Data sets are generally not protected by copyright and there is no sui generis database protection in Israel.
Trade secret protection is available in Israel and may protect confidential information, including non-patentable inventions and non-copyrightable data sets. However, in order to benefit from such protection, the information must be kept confidential, and the owner of the confidential information must show that they took reasonable efforts to protect the confidentiality of the trade secrets. Reverse engineering, as such, is permissible.
There is no case law, as yet, regarding inventions and works of authorship created by AI technologies without direct human contributions. The author would submit that any person who was involved in the process of creation and has provided inventive contribution to the inventive concept of the invention (under the classic inventorship criteria) should be deemed an inventor.
Employers, including universities and healthcare institutions, will generally be the owners of IP rights generated by their employees in connection with their employment. This is both in terms of the default rule under the Patents Law and the Copyright Law, as well as the standard practices of such organisations, which often expand beyond the statutory provisions by means of employment contracts and intellectual property by-laws. All academic institutions share the revenues collected by the commercialisation of such intellectual property with the researchers. HMOs differ in their approaches and practices. The allocation of IP rights when private sector technology companies are involved in developing the device or medical innovation is typically governed by contract. Special provisions apply to governmental hospitals, which are more limited in their ability to contract with the private sector.
The default rule is that any person who made an inventive contribution to the inventive concept of the invention is an inventor and is the owner of the invention. When there are several co-inventors, they will be co-owners (unless they are in the employ of a third party, in which case the employer will own a share of the invention). All of these default rules may be superseded by contract.
It is standard practice to distinguish between background IP and foreground IP, with ownership of the background IP remaining with the original owner, who may grant limited licences to use the background IP in order to exploit the foreground IP, and the foreground IP being owned as agreed by the parties. Because of regulatory constraints and other considerations, many HMOs will waive co-ownership in exchange for various monetary rights, such as royalties, milestone payments, exit phase, cross-licence or the right to use the resulting foreground IP.
The first theory of liability arising from decisions based on digital health technologies such as data analytics, AI, machine learning and software as a medical device is, of course, the tort of negligence. In general, the three main elements of this tort are the existence of a duty of care, deviation from a reasonable standard of practice, and a causal connection between the defendant's act or omission and the damage suffered by the plaintiff. The manufacturer of a medical device will generally be held to owe a duty of care towards users of the device. Adherence to acceptable standards should mitigate the risk of liability. Otherwise, the manufacturer will have to show that it took reasonable efforts to prevent the damage, with the foreseeability of the damage and the level of efforts required being directly related, namely, the more foreseeable the damage is, the higher the level of efforts required.
It is hard to see how a decision to use an approved medical device can be deemed negligent. However, a decision to use a medical device in development could theoretically attract liability and the putative defendant would have to show that they took reasonable measures to verify that the device’s algorithm will not cause harm or produce misleading results. As is the case with other industries, the courts will have to acquaint themselves with the developing best practices that aim to deal with the problem of lack of transparency of machine learning algorithms.
If a medical device inflicted physical damage on a patient, the manufacturer of the device may be held liable under the Defective Product Liability Law, which imposes a strict liability (no fault) on the manufacturer.
Theories of liability when third-party vendors’ products or services cause harm to healthcare institutions are generally the same as those discussed in 13.1 Patient Care. The main difference, however, is the ability of the healthcare institution to protect itself through contract by obtaining proper warranties and indemnification obligations. In addition, health institutions may forfeit at least part of the right to compensation if they are shown to have breached their obligation to mitigate damage. Thus, some institutions already proactively monitor their internet-connected equipment to detect vulnerabilities and prevent cyber-attacks.
One issue, briefly touched upon above, that is worth noting further is the question of the role that intellectual property rights – in particular, patents – will play in the fast-growing and developing digital healthcare industry. Given the limitations on patentable subject matter and the limitation on patenting methods of treatment of humans, it is interesting to see how the government will proceed in encouraging innovation in this field.