Privanova

AI4HealthSec Ethics Challenges

AI4HealthSec Ethics Challenges: Background

AI4HEALTHSEC is a scientific research project focused on cyber security and privacy risks in the health care domain. The main objective of the project is to propose a state-of-the-art solution that improves the detection and analysis of cyber-attacks and threats on informational infrastructure that stores/processes healthcare data. Therefore, AI4HEALTHSEC contributes independently to the body of science by increasing opportunities to handle the current cyber security and privacy risks. Also, it offers innovative solutions on how to protect information systems.

AI4HEALTHSEC builds risk awareness among relevant stakeholders and helps them to proactively handle cybersecurity threats and attacks. Moreover, it provides a specific, tailor-made capability to react in case of security and privacy breaches. Finally, AI4HEALTHSEC presents a forum for the exchange of relevant information and knowledge building.

AI4HealthSec Ethics Challenges and Conditional Clearance

As is the case with many cutting-edge or high-risk / high-gain scientific research projects, AI4HEALTHSEC faces certain ethical challenges. Conducting scientific research implies applying fundamental ethical principles as well as legislation specific to scientific domains. For these reasons, all projects supported by Horizon 2020 are subject to the Ethics Appraisal Process. This process serves to assess and address the ethical dimension of project proposals and funded projects.

The main objective of the Ethics Appraisal Procedure is to ensure that all research activities are conducted in compliance with fundamental ethical principles. The ethics assessment follows the scientific evaluation (which focuses on scientific merit, project management, and potential impacts). Once the ethics evaluation is completed, the requirements are presented to the project consortium. The consortium usually gets an additional set of tasks to improve the ethical dimension of the project. These tasks are formally set out in the standard Grant Agreement, which requires project partners to comply with ethical principles. Apart from these requirements, EU and national ethics legislation must also be respected.

Participation of humans as an ethical challenge

The ethics evaluation has shown that one of the two main AI4HealthSec ethics challenges relates to the participation of humans in the project. For that reason, the ethics evaluators set several requirements for the project consortium to meet. Firstly, the procedures and criteria that will be used to identify/recruit research participants must be submitted. The second required submission relates to the informed consent procedures that will be implemented for the participation of humans and for data processing. The next requirement concerns the informed consent/assent forms and information sheets covering voluntary participation (humans) and data protection issues. They have to be created (and presented) in language and terms intelligible to the participants. Finally, detailed information regarding one of the project pilots must be provided, including whether treatment will be performed during this pilot and the type of personal data that will be processed, if any.

To satisfy all requirements, the project partners responsible for project activities involving individuals external to the project (i.e. students, experts in workshops, survey participants) should report on the recruitment process and consenting procedure. They need to explain who the participants are, whether participation is voluntary, whether participants can withdraw from the research, whether they receive remuneration, and similar. Based on the information provided by partners, the relevant consenting procedures and templates for consent declaration texts (forms) should be developed. Concerning the last requirement, the project partners involved in the pilot of interest should state whether they will provide treatment during the pilot and give information about the personal data that will be processed.

Protection of personal data and AI4HealthSec ethics challenges

The second set of ethical challenges refers to the protection of personal data. To satisfy data protection requirements, the host institution must confirm that it has appointed a Data Protection Officer (DPO) and must provide the contact details of the DPO to the data subjects. Also, the project beneficiaries must explain how all of the data they intend to process is relevant and limited to the purposes of the research project (following the ‘data minimisation’ principle). The next requirement is that a description of the technical and organizational measures that will be implemented to safeguard the rights and freedoms of the data subjects/research participants must be submitted. Among these measures, particular focus is on the security measures that will be implemented to prevent unauthorized access to personal data or to the equipment used for processing. In addition, a description of the anonymization/pseudonymization techniques that will be implemented must be submitted. Finally, in case of secondary use of data (further processing of previously collected personal data), an explicit confirmation must be provided that the beneficiary has a lawful basis for the data processing and that the appropriate technical and organizational measures are in place to safeguard the rights of the data subjects.

To meet data protection requirements, all partners (especially those organizing activities with external participants) should provide the contact information for their DPOs. If they do not have one, they should provide a privacy policy specific to the AI4HEALTHSEC project. Once the use of personal data is identified, a description of why it is needed should be presented. In addition, clarification of the data retention period is expected. Concerning the implementation of technical and organizational measures to secure data, the project coordinator should get feedback from all partners involved in data processing activities on the relevant privacy safeguards implemented within the project. These may include encryption, access controls such as passwords, a description of the physical security where the files are kept, etc. In addition, plans for using anonymization techniques during our research should be explained. Finally, all project partners should clarify any secondary use of data and provide a valid legal basis for that use.

Conclusion

Because ethics compliance is significantly important for the proper realization of the project, all project partners must consider the ethics requirements with particular caution. Ethics is transversal in nature and hence is present in all project phases, work packages, and tasks. Therefore, additional measures that would contribute to the ethical perspective of the project are welcome. Having an Ethics Advisory Board (an external body that supervises ethics compliance) is a recommended option for strengthening the ethical dimension of the project. For this reason, Privanova has implemented an independent Ethics Advisory Board in AI4HEALTHSEC.