A Case Study on Data Protection for a Cloud- and AI-Based Homecare Medical Device.

To improve the treatment of many diseases, continuous monitoring of the patient at home with the ability of doctors to interact with individual cases demands an increasing number of medical devices connected to the cloud. To support the doctor’s duties, such devices may benefit from AI-based diagnosis routines. In order for such devices to be approved and placed on the market, they need to comply with various legal, regulatory, economic, and social requirements. An integral part of these requirements is the protection of the patients’ data. In this paper, based on a current use case, we describe a workflow on how to identify risks and address their mitigations. To this end, we recall the relevant legal, regulatory, economic, and social data protection requirements. We pursue our findings on a Homecare OCT device that is intended to be used by elderly patients on a daily basis, by taking images of their eyes and sending them for further analysis to a cloud- and AI-based system. The patient’s ophthalmologist gets notified for further dedicated treatment depending on the result. We then compare the Homecare OCT device with a clinical OCT System in regard to various risks to patient data which arise when a medical system is used outside of a secure hospital environment. To perform the risk management, we describe (i) the architecture of both systems, (ii) analyze their data flow, (iii) discuss several vectors of attack, (iv) propose ways to mitigate the risks, and (v) discuss the handling of potential data breaches.