December 2, 2020

Protecting Your Medical Data with Elizabeth Fairley and Ellie Halliday

DIGIT spoke with Elizabeth Fairley and Ellie Halliday of Talking Medicines about keeping your medical data safe in a Covid world.

Medical data is among the most sensitive information a company can gather, store or track, and the coronavirus pandemic has heightened worries over the misuse or exposure of such data.

Since the emergence of Covid-19 and a sharp increase in the use of digital systems in all walks of life, the safekeeping of medical data has become an important topic.

Not only have our healthcare systems been overwhelmed with an influx of patients due to the virus, but the additional medical data being collected is private and highly sensitive, making it a ripe target for hackers and cybercriminals.

According to the Journal of mHealth, healthcare systems have seen a huge increase in the number of critical patients over the last year.

Most healthcare practitioners have been forced to pivot their working models. Patients being seen through a virtual environment rather than face to face and new, temporary government requirements have been a massive upheaval.

“These changes present challenges to protect patient data that security and privacy professionals have never seen before – at least not to this vast extent and with this amount of urgency,” the report stated.

Increasingly, people, businesses and governments are beginning to Increasingly acknowledge that they must adapt and keep pace with fast-moving technology trends.

Additionally, as Covid-19 spread across the world, the need to switch to digital models across a multitude of different sectors has been essential.

As COO and founder at Talking Medicines, Elizabeth Fairley knows this all too well Using artificial intelligence, machine learning and NLP, the company captures and analyses the conversations and behaviours of patients at home, mapping this voice to regulated medicine information.

The company works closely with pharmaceutical companies – connecting the true voice of the patient through data intelligence. Talking Medicines uses AI to provide a systemic way of measuring patient sentiment towards medicines, helping pharmaceutical companies deliver a greater return on investment for marketing and better outcomes for patients.

Much like in any other modern business, these practices involve collecting personal data on patients from all walks of life, and with a variety of medical needs. Fairley agrees that, for her organisation, the inherent sensitivity of medical data makes it of utmost importance.

“We focus on individuals and medication that those individuals are taking, so we are very diverse across therapy areas,” Fairley says.

“People are taking medication for acute infection, chronic disease or rare diseases, so as you can imagine, it is really important that an individual is not identified through being able to link up data that is collected.”

When a patient uses their Talking Medicines data collection tools, one being the Medsmart® App, they grant permission for Talking Medicines to use their data – effectively ‘handing over the keys’ to their medical information. As such, patients would expect that this data will be handled responsibly and kept safe.

Ellie Halliday, who works in Compliance and Legal at Talking Medicines, says that it is important to take the vulnerability of patients who need medical help into account when collecting data.

“It is so important to individuals because when you are ill, you are feeling vulnerable,” Halliday says.

“By protecting your medical data, it doesn’t worsen that vulnerability. It is such sensitive information, and people need to have that sense of security around it, so we do everything we can to enforce that security,” she says.

A government survey carried out earlier this year revealed that cyber-attacks had evolved and become more frequent as the move towards digital systems increased during Covid-19.

Data showed that, in March 2020, almost half of businesses (46%) and more than one-quarter (26%) of charities reported cybersecurity breaches or attacks over the previous 12 months.

While these statistics may be concerning, they are understandable. Modern businesses work with increasingly large volumes of data, which means that a hacker or cybercriminal has ever-greater opportunities to target and steal sensitive information.

In recent years, one of the most infamous attacks on healthcare services was the 2017 WannaCry ransomware attack, which saw the NHS targeted and crippled. Carried out by state sponsored North Korean hackers, the attack lasted several days, infecting 300,000 NHS systems and affecting nearly a quarter of a million patients.

Subsequent investigations found that the NHS was running its computer systems on outdated software, giving cybercriminals easy access to some of the most critical private information in the country.

One year later, the EU announced new rules designed to “harmonise” data privacy laws across all its member countries as well as providing greater protection and rights to individuals.

General Data Protection Regulations (GDPR) was introduced across Europe in 2018 and sought to address the transfer of personal data outside the EU and EEA.

At Talking Medicines, Fairley says that GDPR was “definitely needed from a patient perspective”.

The data protection regulations, Fairley adds, have helped raise public awareness of how data is being used or misused. This, she says, has been a positive outcome of GDPR thus far.

“I think that there are still some ways to go on just making sure that people are aware of how their data is being captured and used,” she comments.

Both Fairley and Halliday agree that GDPR is an important legal framework, and Fairley explains that making sure that they are doing right for the patient has always been very important: “I think GDPR has provided structure to that,” she says.

“For the size of our organisation, we were also very keen to have a Data Protection Officer (DPO) in place from the very beginning, and I think as we have grown we have been fortunate enough that we have had that support from day one, and that support is continuing to grow, which is fantastic for us because it is really important,” Fairley comments.

DPO’s are increasingly common hires as the world moves towards digital working. The role of a DPO within an organisation is to ensure that the personal data of staff, customers, providers, or any other individuals are processed correctly and within the applicable data protection rules.

“Significant responsibility lies with those data protection officers,” Fairley says. “We take great care in figuring out what steps we take regarding partnerships or data access, and we also have internal processes that are checking data.”

She continues: “We evaluate and constantly check to ensure that data is as accurate as we can, and then in displaying that data back to customers it is really important that we have those checks in place so that we are doing it to the best of our ability, but there are challenges around that, for sure.”

As well as putting GDPR practices into place and using a DPO to manage data, more importantly, people holding medical data must be transparent with patients to maintain trust.

“From our and our customer’s perspective, how we process data is so important,” Fairley says. “We are working with global pharmaceutical companies and the bar that we have to go through for procurement is very high.”

And it is not just for patients. With the advent of Covid-19 and the move to home working, the rules on data protection have had to shift considerably. No longer solely the responsibility of the DPO, something all staff now must be more aware of is ensuring the protection of the data that they are now working with at home.

Halliday says: “One of our established core values in the company is transparency, both internally and externally.

“Internally as a company we seek measures which ensure that all of the employees are on company-issued devices, that they are aware of what information they have on their laptops when they are taking them home, and we do regular team presentations on data protection.

“We want to ensure that our employees know how important the data that they have on these devices is so that they know that if anything bad happened, how serious that would be.”


  1. David Paul at DIGIT.