Written by Pramesh Prabakaran (Associate Author) | Mentored by Huiling Xie | Reviewed by Nydia Remolina
LawTech.Asia is proud to have commenced the third run of its popular Associate Author (2020) Programme. The aim of the Associate Authorship Programme is to develop the knowledge and exposure of student writers in the domains of law and technology, while providing them with mentorship from LawTech.Asia’s writers and tailored guidance from a respected industry mentor.
In partnership with the National University of Singapore’s alt+law and Singapore Management University’s Legal Innovation and Technology Club, five students were selected as Associate Authors. This piece, written by Pramesh Prabakaran and reviewed by industry reviewer Nydia Remolina (SMU School of Law), marks the fourth thought piece in this series. It examines the benefits, risks, and regulatory and legal issues that could arise in relation to the growing trend of telemedicine and AI in Singapore’s context.
Introduction
The last decade has been extremely progressive in terms of the promising technological advancements and transformations. With the expansion of connections through the internet and the growing capacity to process data, greater possibilities have emerged in the development of the global health industry. The modern era of the Fourth Industrial Revolution[1] with disruptive and enabling technologies such as artificial intelligence (“AI”), cloud computing, data analytics, internet of things (“IoT”), blockchain, and wearables are collectively seen as drivers for innovation.
Telemedicine is the latest buzzword in innovation that is shaping the provision of healthcare worldwide and it refers to the systematic provision of healthcare services over physically separate environments via information and communications technology.[2] The COVID-19 pandemic has further accelerated the growth of telemedicine as it is regarded as an effective care delivery model to monitor patients remotely, and reduce the risks of them spreading the virus.[3] In Singapore, telemedicine is set to become a key feature of the healthcare landscape, with an increasing number of public and private players emerging to offer a variety of services to patients.
On a separate front, the large amounts of data used in healthcare and the requirement of consistent accuracy in complex procedures has led innovators to look to ways to enhance telemedicine, specifically through the use of AI.[4] AI in telemedicine is disrupting the entire value chain of clinical practice and patient care delivery systems by offering new models of care and support.
The objective of this essay is four-fold. The first section will outline the key benefits of telemedicine coupled with the use of AI. The second section will briefly outline some of the risks associated with the use of telemedicine coupled with AI. The third section will aim to discuss and critically assess Singapore’s regulatory approach to the use of telemedicine and AI in healthcare. The fourth, and final section will focus on the emerging medico-legal challenges associated with the use of these technologies.
Benefits of telemedicine coupled with AI
Benefits of telemedicine
As defined by the Ministry of Health Singapore (“MOH”), telemedicine refers to the provision of healthcare services over physically separate environments via information technology. It includes the exchange of information for clinical purposes between healthcare providers and patients through text messaging, web or mobile applications.[5]
While much of the world is digital, the same cannot be said for healthcare. Healthcare is a predominantly encounter-based and physical care model. However, the COVID-19 pandemic has pushed digital health from being on the fringe, to a mainstream offering.[6] Governments around the world have been employing strategies such as social distancing and patient isolation to mitigate the spread of the virus. Telemedicine has also been a key component of this strategy. Clinical encounters are being increasingly transitioned to telemedicine appointments to reduce personal protective equipment usage, improve access to care, reduce the burden on healthcare systems and minimise the risk of direct transmission between patients as well as healthcare providers.[7] A significant number of medical specialities have also been forced to embrace virtual appointments. Telemedicine has proved helpful in evaluating the prognosis of a patient and assessing the urgency of surgical treatment. Additionally, telemedicine allows for the collection of a range of critical information and can be used for outpatient visits and preoperative assessment prior to surgical admission.[8]
In Singapore, the measures prescribed under the COVID-19 (Temporary Measures) (Control Order) Regulations 2020[9] which came into effect on 7 April 2020 had curtailed the provision of healthcare services deemed “non-essential”. These services include elective procedures in acute hospitals and dental clinics such as cataract surgeries for stable cataracts, and scaling and polishing. Consultation for stable skin and hair conditions for patients on long-term follow-up at medical clinics were also deemed “non-essential”. The MOH had also advised that where possible, services that are suitable for tele-consultation should be delivered remotely. In light of these prohibitions, telemedicine has become an important tool in delivering care to patients with healthcare needs. Consequently, Singapore is seeing a rise in a range of online consultations, from routine follow-up sessions for chronic diseases such as diabetes, to the assessment of urgent COVID-19 like symptoms.[10]
The COVID-19 pandemic has also brought about novel use cases for telemedicine in two areas. The first is to treat migrant workers and maritime workers with limited access to physical clinics. The Ministry of Manpower has facilitated the installation of telemedicine kiosks in various migrant worker dormitories around the island to facilitate access to telemedicine services.[11]As for maritime workers, the Maritime and Port Authority (“MPA”) has enabled telemedicine consultations on board the vessels for clinical assessments using real-time video, and the distribution of fit-to-fly certificates for crew disembarking their vessels in Singapore.[12] Second, to treat patients on a quarantine order or stay-home notice who are prohibited from leaving their place of residence.
Apart from the benefits brought about by telemedicine during the COVID-19 pandemic, there are also benefits to telemedicine outside of the pandemic, specifically in the area of geriatric care. As one of the fastest ageing populations in Asia, telemedicine in Singapore is especially helpful in allowing seniors to who are less mobile, and who face difficulties making regular trips to the hospitals and medical clinics to receive medical attention. Additionally, seniors who require long term follow-up for chronic diseases can rely on tele-consultations with healthcare specialists, thereby eliminating the need to make a trip to the hospital or clinic unless necessary.
Use of AI in telemedicine
The term AI refers to the study and use of intelligent machines to mimic human action and thought.[13] However, there is still no standard definition of AI.[14] With the availability of big data, advances in computing, and invention of new algorithms, AI has risen as a disruptive technology in recent years.
Unsurprisingly, there appears to be a significant increase in the quantum of health-related digital data that is generated by healthcare providers and citizens themselves. Such large data sets, when combined with the rapid advancement of computational data science (including AI-based machine learning methods) offer excellent opportunities for extracting new inferences and insights that can potentially improve health outcomes. This in turn enables better clinical decision-making through support by automated means, encouraging shifts towards intelligent assistance and diagnosis.[15]
AI has played a highly supportive role to doctors when analysing evidence in medical diagnoses. In medical disciplines like oncology, it is important to consider the progress of diseases that could lead to the formation of cancers. Different disease diagnosis patterns may result in different models or analytics for disease and cancer prediction. Modelling disease progression and variants in disease trajectories can assist in the prediction of certain diseases. By applying machine learning methods to large datasets of disease populations, AI is able to significantly improve the way doctors diagnose a potential disease.[16]
Tele-dermatology is also a branch of telemedicine that is a well-known existing area for tele-diagnosis through AI. Presently, the diagnostic accuracy for melanoma is on the skills and expertise of the treating doctor. However, a recent study has demonstrated that a computer algorithm using convolutional neural networks (“CNN”) had outperformed the majority of 58 dermatologists tested in accurately diagnosing melanoma. The CNN is trained end-to-end from images directly, using only pixels and disease labels as inputs and is a form of AI. The results from this study demonstrate how AI and tele-dermatology, when combined together, can identify skin cancers with a level of competence similar, or more superior to a dermatologist.[17]
Risks associated with telemedicine coupled with AI
The heavy reliance on technology in the practice of telemedicine coupled with AI introduces additional risks compared to those faced by the more-traditional healthcare providers. Some common cybersecurity issues include diagnostic errors arising from flawed data or a technology failure. This may give rise to uncertainty regarding liability for decisions made by the AI. There may also be a loss of sensitive patient data particularly if a third-party provider is engaged, and the risk of employees accessing recordings or screenshots of a medical consultation without authorisation.
Additionally, a failure to disclose certain commonly overlooked-information may also arise. This could include a lack of thorough checking of a patient’s surrounding hazards during tele-physiotherapy and the delayed dispatching of medication. On the issue of medication, there may be a risk that telemedicine is used certain patients to obtain prescription medication dishonestly. More fundamentally, the lack of face-to-face interactions could pose limitations to identity verification on the patient as well as the doctor’s end.
Singapore’s regulatory approach to the use of telemedicine and AI in healthcare
There is no omnibus legislation currently in force to govern the provision of telemedicine in Singapore. However, the regulatory environment does include several guidelines and regulations which will be discussed below.
Healthcare Services Act
Telemedicine will come under the ambit of a “licensable healthcare service” under the new Healthcare Services Act (“HCSA”).[18] The HCSA was passed in parliament on 6 January 2020 and is set to replace the current Private Hospital and Medical Clinics Act (“PHMCA”).[19] The existing regulatory framework under the PHMCA is premises-based and there are no specific licensing requirements for the provision of telemedicine services which are web-based, and not tagged to any particular physical brick and mortar premises. To give service providers time to meet new regulatory requirements, the HCSA is intended to be enacted in three phases, from late 2021 to early 2023. The new provisions will first apply to current PHMCA laboratory licensees (Phase 1), followed by current PHMCA clinic licensees and ambulance services (Phase 2), and lastly current PHMCA hospital licensees and other newly regulated services (Phase 3). Telemedicine will be actively regulated by the HCSA in Phase 2 which is set to be enacted in June 2022.[20]
The scope of the telemedicine services that will be regulated under the HCSA is unclear and this is likely because the authorities are still finalising the subsidiary legislation that will accompany the HCSA. Presently, it is not known whether the HCSA would be able to regulate telemedicine services that leverage on AI. Separately, during the parliamentary debates on the HCSA, then-Senior Minister of State Edwin Tong SC had clarified that the HCSA does not have extra-territorial powers. As such, it would not be possible to sanction an errant foreign doctor or telemedicine provider who is based overseas and offers telemedicine services to patients in Singapore.[21]
National Telemedicine Guidelines
The National Telemedicine Guidelines (“NTG”) [22] were issued by the MOH in 2015 and sets out best practices in areas such as clinical standards and outcomes, human resources, organisation, technology and equipment. Notably, the guidelines state that healthcare professionals intending to provide telemedicine services from or within Singapore must be registered and licensed with the respective regulatory and licensing body. The guidelines also state that telemedicine services must be provided as part of a structured system and the overall standard of care must not be less than what is provided in conventional services. The physician must also be satisfied that the patient is suitable for a telemedicine interaction, and that the standard of care delivered via telemedicine is reasonable considering the specific context.
While the NTG is useful in setting out best practices for healthcare providers to assist them in implementing telemedicine solutions, it is only intended to be a guide and has no force of law. At the time of this writing, no healthcare provider has been sanctioned for non-compliance with the NTG. With the recent exponential growth of telemedicine, it remains to be seen whether the MOH would sanction errant providers who fail to comply with the NTG.
Singapore Medical Council Ethical Code and Ethical Guidelines
Registered physicians providing telemedicine services must comply with the Singapore Medical Council’s (“SMC”) Ethical Code and Ethical Guidelines (“ECEG”).[23] Failure to meet the standards required under the ECEG may lead to disciplinary proceedings by the SMC and sanctions under the Section 53(2) of the Medical Registration Act.[24] Specific guidelines on the use of telemedicine are set out in Section A6 of the ECEG. Notably, the ECEG requires doctors performing remotely-guided medical procedures to possess the necessary expertise to provide the remote guidance. On the data privacy front, the ECEG stipulates that doctors must take reasonable care to ensure that the confidentiality of medical information shared through technology and ensure compliance with all relevant laws on personal data.
It is noted that Section A6 of the ECEG was drafted in 2015 when the provision of telemedicine was still in its infancy. Today, the scope and complexity of telemedicine services have evolved to include telemedicine mobile phone applications and diagnoses based on AI. As such, Section A6 of the ECEG should be updated with the medico-legal standards that are relevant to the latest trends and developments in the field of telemedicine.
Licensing Experimentation and Adaptation Programme
In 2018, the MOH launched the Licensing Experimentation and Adaptation Programme (“LEAP”). LEAP is a regulatory sandbox initiative to develop and refine innovative medical services in a safe and controlled environment. Healthcare providers participating in the regulatory sandbox will be allowed to introduce new healthcare models in Singapore, with early visibility over the eventual regulatory environment. By working alongside providers participating in the sandbox and collecting relevant data and feedback from these providers, the MOH can develop more timely, appropriate and effective regulations that support new services. Telemedicine is the first service to be trialled under LEAP and the MOH has been working with providers to ensure a safe and effective telemedicine environment before the service is regulated under the HCSA.[25]
LEAP is a commendable and timely strategy to regulate new and innovative medical services in Singapore. Providers are able to enter the market with their innovations while consumers can rest assured that there is some form of regulatory oversight on these new innovations. The sandbox will allow the authorities to better understand these new innovations as they are trialled in Singapore, and develop effective regulations without stifling innovation.
There are several providers partnering MOH for the sandbox initiative. As of January 2021, the active providers include WhiteCoat, MyDoc, Doctor Anywhere, Speedoc, MaNaDr, SATA CommHealth, Doctor World, Parkway Shenton, BetterHealth, HiDoc, and Rescu.[26] The sandbox will remain in place until telemedicine has been licensed under the HCSA.
It is submitted that the current telemedicine regime under LEAP should be expanded to include AI in telemedicine as this appears to be one area in healthcare that is fast evolving.
Regulatory Guideline for Telehealth Products
The Health Sciences Authority’s (“HSA”) Regulatory Guidelines for Telehealth Products[27] have sought to clarify when a telehealth product would be classified as a medical device, intended for a medical purpose. A “medical purpose” includes the investigation, detection, diagnosis, monitoring, treatment or management of any medical condition, disease, anatomy or physiological process. Such telehealth medical devices fall under the ambit of Health Products Act (“HPA”)[28] and are regulated by the HSA. Telehealth products that are not intended for medical purposes need not be registered as a medical device. Controls in relation to product registration, dealer’s licence requirements and post-market obligations which apply to medical devices in general will apply similarly to telehealth medical devices.
Separately, devices meant for general well-being (e.g. wearables such as the Apple Watch and Fitbit) are not considered as medical devices. However, where a telehealth product is not intended for medical purposes, but can nevertheless perform functions associated with medical purposes, the onus is on the product owner to include a clarification statement that the product is not intended for medical purposes.
In practice, the classification of the telehealth product may not be clear-cut. For example, it is unclear how the HSA would categorise a device intended for both “medical” and “general well-being” purposes. Such devices may well be classified as a medical device by its medical purpose notwithstanding its other collateral purposes. Further, while the clarification statement appears reassuring to the product owner in discharging any unintended liability, it is unclear how the clarification statement will indeed protect the product owner should the HSA determine the telehealth product is in fact intended for medical purposes.
Regulatory Guidelines for Software Medical Devices – A Life Cycle Approach
In April 2020, the HSA issued the Regulatory Guidelines for Software Medical Devices (“RGSMD”)[29] to provide clarity on the regulatory requirements for software medical devices in its entire life cycle. The requirements in the Regulatory Guidelines for Software Medical Devices (“RGSMD”) are presented starting from product development, all the way to post-market duties following product introduction in Singapore. Additionally, the RGSMD addresses key software-related regulatory requirements such as cybersecurity and requirements for AI medical devices.
The RGSMD applies to software with intended use that falls under the definition of a medical device as stipulated in the HPA. As such, telehealth products classified as medical devices would come within the scope of these RGSMD.
AI regulation in the healthcare sector
Turning to AI, at the time of this writing, there are no known regulations on the use of AI in the healthcare sector. However, the Infocomm Media Development Authority of Singapore (“IMDA”) and the Personal Data Protection Commission (“PDPC”) have launched three key initiatives as part of a balanced approach to promote innovation while ensuring the safe and ethical use of AI.[30] First, a Model AI Governance Framework was developed to translate ethical AI principles into practical steps to guide organisations in the responsible adoption of AI.[31] Second, an Advisory Council on the Ethical Use of AI and Data was established to provide guidance on managing legal, ethical and sustainability risks.[32] Third, a Research Programme on the Governance of AI and Data Use was set up to examine ethical and legal issues arising from the development and use of AI. As these initiatives are intended to be sector-agnostic, however, they do not specifically address the ethical use of AI within the healthcare context.[33]
During the parliamentary debates on the HCSA, then-SMS Edwin Tong SC stated that the MOH is aware of the increasing role and importance of the use of AI in healthcare[34]. As this is an evolving area, the MOH is closely monitoring the AI scene. The MOH has also engaged the expertise of key stakeholders such as AI developers and AI users to design and promulgate the best possible guidelines for AI in the healthcare sector.
Health Products (Licensing of Retail Pharmacies) Regulations and Telepharmacy Guidelines
Retail pharmacies in Singapore are licensed under the Health Products (Licensing of Retail Pharmacies) Regulations (“HPR”) and are also subject to the telepharmacy guidelines issued by the Pharmaceutical Society of Singapore. These retail pharmacies must obtain the requisite approval from the HSA if they wish to provide tele-pharmacy services.
Emerging medico-legal issues
While regulations for telemedicine and AI are still in their infancy, it is submitted that legislators should consider several medico-legal implications on the use of such technology in healthcare.
Licensing regime for overseas doctors
Section 2.3 of the NTG states that doctors delivering telemedicine services from or within Singapore should meet the licensing requirements imposed by the country where the patient is residing.[35] As such, a doctor based overseas and who intends to offer telemedicine services remotely in Singapore will need to register with the SMC before he or she is able to provide virtual medical consultations in Singapore. However, such a requirement is unduly onerous and could deter overseas doctors from practicing telemedicine in Singapore, consequently impeding the adoption of telemedicine locally.
Singapore could take guidance from foreign jurisdictions who have attempted to ease licensure requirements for telemedicine. One example is the United States, where different licensing requirements in each state initially posed difficulties to doctors looking to practice medicine across states given inconsistent license requirements. To mitigate this, the Interstate Medical Licensure Compact (“IMLC”) was formed to create a voluntary, expedited pathway to license qualified doctors to practice in multiple IMLC states so as to relieve the US’ growing shortage of doctors, and to provide patients with better access to specialist care. By expediting the licensing process, doctors who are already licensed in an IMLC state can quickly receive a license in another state. These licenses are still issued by the individual states – just as they would be using the standard licensing process – but because the application for licensure in these states is routed through the IMLC, the overall process of gaining a license is significantly streamlined. This alleviates the need to manage multiple applications and the time and expense of communicating with more than one state medical board. Under the IMLC, doctors seeking to obtain a licence must meet certain requirements including a full and unrestricted medical licence, no history of disciplinary actions arising out of medical malpractice or any criminal record.[36]
The IMLC is not part of any federal government program, but as an agreement among US states, it offers a solution with national impact yet implemented and controlled by states. As of January 1st, 2021, the IMLC includes 29 states, the District of Columbia, and the Territory of Guam, with other states expected to join in the near future.[37]
Taking inspiration from the IMLC, it is submitted that Singapore could consider entering into partnership agreements with the medical boards of different countries to provide an expedited pathway to licence overseas doctors to practice telemedicine in Singapore and vice versa. However, care should be taken to ensure that the fees charged by the foreign doctors whose countries are members of this partnership agreement remain fair, consistent and affordable to patients. This would ensure that these foreign doctors do not have unfettered discretion in billing their patients, consequently removing any unintended consequences of overpriced telemedicine consultations.
Legal liability issues in telemedicine negligence
At the time of this writing, there have been no reported decisions concerning telemedicine malpractice or negligence in Singapore. However, as the practice of telemedicine gains traction locally, such cases are likely to come before the Singapore courts. Three situations in which legal liability issues in telemedicine negligence might arise will be discussed. The first concerns freelance registered doctors, the second involves claims against foreign telemedicine providers, and the third relates to the use of AI in telemedicine.
(1) Freelance registered doctors
In situations where telemedicine providers engage the services of freelance registered doctors, it is unclear whether the provider or the freelance registered doctor ought to bear the responsibility for the malpractice or negligence. In determining legal responsibility, the court would likely consider whether the freelance registered doctor was an employee or contractor of the telemedicine provider. To mitigate such risks, telemedicine providers could consider limiting employment to their own registered doctors who maintain the requisite malpractice or negligence insurance. In the alternative, the providers could maintain such insurance on behalf of these registered doctors.
(2) Claims against foreign telemedicine providers
As telemedicine advances and patients in Singapore receive treatment from doctors located overseas, cross-jurisdictional legal challenges will inevitably arise. In situations where claims are made against foreign telemedicine providers, the Singapore courts may be required to assess whether they have the jurisdiction to hear the claim on Singapore’s connection to the dispute, and whether there would be a denial of justice should the claim be heard in Singapore. However, as there are varied approaches to dealing with medical negligence across different jurisdictions, there may be some uncertainty in determining the proper jurisdiction to hear medical negligence. This is especially so if a freelance registered doctors is in one country while the patient is in Singapore. To create certainty, it is submitted that doctors may wish to enter into legally binding agreements with their patients regarding jurisdiction prior to the provision of the telemedicine services. The MOH may also consider enacting legislation with extra-territorial impact, such that doctors outside of Singapore who practice telemedicine here could still be subject to sanctions. The Malaysian Telemedicine Act is one example of legislation where liabilities are imposed on doctors who breach the Telemedicine Act,[38] notwithstanding that they are located outside of Malaysia. To reinforce Singapore’s jurisdiction, legislators may also consider, as part of the licensure regime for overseas doctors, to require all applicants to consent to Singapore’s jurisdiction.
(3) AI in telemedicine negligence
The use of AI in telemedicine poses several legal and corporate challenges in cases of disputes arising from the autonomous nature of AI. This begs the question of who should be held liable for wrongful or negligent diagnoses in a situation where there are several players involved – the treating physicians, telemedicine provider and the manufacturers of the AI technology. The apportionment of liability amongst the different players would also likely be an area of contention.
The standard applicable to medical treatment and diagnosis in Singapore is that of the reasonable body of medical men skilled in that particular art, and the body of opinion relied upon satisfies a threshold test of logic, i.e. the Bolam test (as set out in Bolam v Friern Hospital Management Committee)[39] modified by the Bolitho addendum (Bolitho v City and Hackney Health Authority) (the “Bolam-Bolitho test”).[40] The application of the Bolam-Bolitho test has been accepted in the Singapore Court of Appeal decision of Dr Khoo James & Anor v Gunapathy d/o Muniandy.[41] The use of AI in telemedicine complicates the Bolam-Bolitho test by introducing another opinion beyond the doctor’s professional one. However, it is submitted that the AI merely provides information to the doctor and is not solely responsible for wrongful or negligent diagnosis or treatment. Doctors retain the autonomy to decide whether or not to follow the AI’s decisions.[42] As such, it is crucial that doctors exercise their clinical judgment in every case instead of wholly relying on the AI technology for make clinical decisions. Should a negligence law suit concerning AI and telemedicine arise, patients should also be aware that there is presently no concrete framework on the apportionment of liability to all parties involved. Much would depend on the facts of the individual case.[43]
(4) Data privacy issues in telemedicine
The Personal Data Protection Act (“PDPA”)[44] is the key legislation in Singapore governing the protection of personal data. In addition, the PDPC has issued guidelines specific to the healthcare sector. Telemedicine providers who collect medical or personal data are obliged to make reasonable security arrangements to prevent the unauthorised access, collection, use, modification, and disposal of personal data.
On the issue of what ought to be a “reasonable security arrangement”, the PDPC’s decision in Singapore Health Services Pte. Ltd. & Ors[45] provides a welcomed clarification. This case concerned what was described as “the worst breach of personal data in Singapore’s history”, where the personal data of some 1.5 million patients were accessed and copied from the Singapore Health Services Pte Ltd.’s electronic medical record database and exfiltrated to servers overseas. In this case, the Commissioner for Personal Data Protection (“Commissioner”) highlighted three factors that PDPC would take into account in assessing the reasonableness of security arrangements. First, the nature of the personal data. Second, the form in which the personal data has been collected (physical or electronic), and third, the possible impact to the individual concerned if an unauthorised person obtained, modified or disposed of the personal data. What ought to be reasonable would be objectively determined, having regard to what a reasonable person would consider appropriate in the circumstances.
In assessing the reasonableness of the security arrangements adopted by organisations, the Commissioner took into consideration the fact that medical personal data, unlike other forms of personal data, is data of a sensitive nature which should be accorded a higher standard of protection. The Commissioner added that the health sector handles some of the most sensitive personal data and patients have the right to expect that the data will be looked after. In light of this, telemedicine providers have an obligation to ensure that there are ample and robust security measures when storing patient data, regardless of whether the data is stored physically or on online cloud servers.
These security obligations extend to teleconsultation platforms used by providers when attending to their patients. Third party applications like Zoom are prime targets for hackers and have been flagged for security and privacy vulnerabilities in recent times. As such, providers ought to exercise caution when choosing third party applications for teleconsultations.
Data transfer issues in telemedicine
Section 26(1) of the PDPA[46] prohibits the transfer of personal data to a recipient in a country or territory outside of Singapore, unless the recipient country or territory is bound by legally enforceable obligations to provide to the personal data transferred a standard of protection that is comparable to the protection under the PDPA. Examples of legally enforceable obligations include any law, contract or binding corporate rules.
Telemedicine providers based overseas who intend to offer their services here must comply with Section 26(1) of the PDPA if their platforms are able to collect personal data in Singapore and export it out to its servers overseas. As such, providers intending to transfer data outside of Singapore to jurisdictions with a lower standard of protection than that under the PDPA should consider imposing legally enforceable obligations on the recipient. Such obligations should provide that the personal data transferred to the recipient is minimally of a standard of protection comparable to the PDPA.
Cybersecurity issues with telehealth products
The issue of telehealth products and cybersecurity is an emerging one and it is crucial that telehealth product manufacturers consider effective and competent cybersecurity strategies. Telehealth products, just like all other interconnected technology, are vulnerable to cyberattacks and this can severely impact patient safety. In 2017, Abbot Laboratories voluntarily recalled over 400,000 radio frequency-enabled pacemakers in the United States due to cybersecurity vulnerabilities. These vulnerabilities could have allowed hackers to alter the pacing commands of the pacemakers or prematurely deplete the batteries.[47]
In the United States, the Food and Drug Administration (“FDA”) has taken some steps to set out guidance on cybersecurity measures for medical devices. In 2016, the FDA issued a guidance document entitled “Postmarket Management of Cybersecurity in Medical Devices” (“2016 Guidance”).[48]The 2016 Guidance targets medical devices that use software, including programmable logic and medical mobile apps that are considered as medical devices. The 2016 Guidance recommends manufacturers to monitor, identify and address cybersecurity vulnerabilities as part of their post-market management of the device. Specifically, manufacturers are advised to develop cybersecurity risk management programmes throughout the lifecycle of the medical device.
Similarly in Singapore, Section 7 of the RGSMD[49] contains guidance on cybersecurity for software medical devices (e.g. telehealth products classified as a medical device under the HPA). Specifically, Section 7.2, the RGSMD[50] states that a cybersecurity plan should be devised when developing a software medical device, and that such plans should include the following considerations: (i) a secure device design, (ii) proper customer security documentation, (iii) cyber risk management, (iv) verification and validation testing and, (v) an on-going plan for surveillance and timely detection of emerging threats. While these guidelines are useful in helping telehealth product manufacturers design and monitor their products, they are not mandatory unlike legislation. As such, telehealth product manufacturers may depart from the RGSMD.
The Cybersecurity Act[51] is one such legislation enacted in Singapore to counter cybersecurity threats. However, this legislation is unlikely to have a direct impact on telehealth products. The powers of the Act are vested in a Commissioner of Cybersecurity who will determine which computer system is a “critical information infrastructure”. However, it appears that telehealth products are not considered to be part of a “critical information infrastructure”. In light of this, it is submitted that legislators should aim to design regulation that stipulate the relevant cybersecurity measures that ought to be put in place before a telehealth product is placed in the hands of a user, as well as the actions that need to be taken in the event of a cybersecurity attack. In the event of a default by the telehealth product manufacturer, regulatory sanctions may be imposed.
Conclusion
As with any new transformative technology, the authorities often face a tension between a laissez-faire regulatory approach and a stringent regulatory regime. Telemedicine and AI are no exceptions. While a less stringent regulatory approach is less likely to stifle innovation, growth and the successful adoption of these technologies in the healthcare sector, such an approach may not necessarily provide sufficient reassurance to the end user (i.e., doctors and patients) that these technologies are safe to use.
Thus far, Singapore has adopted a light-touch approach and introduced regulations incrementally to address specific aspects of telemedicine and AI. However, unregulated aspects of telemedicine could negatively impact its value. As such, proactive regulatory measures that are able to keep pace with the advances in digital health will help enhance the potential of telemedicine, its safety, consequently boosting user confidence in telemedicine services.
[1] The Fourth Industrial Revolution (or Industry 4.0) is the ongoing automation of traditional manufacturing and industrial practices, using modern smart technology. Large-scale machine-to-machine communication (M2M) and the internet of things (IoT) are integrated for increased automation, improved communication and self-monitoring, and production of smart machines that can analyze and diagnose issues without the need for human intervention.
[2] Ministry of Health, National Telemedicine Guidelines (January 2015).
[3] Chris-Stokel-Walker, “Why Telemedicine is Here to Stay” British Medical Journal 2020; 371:m3603.
[4] Danica Mitch M.Pacis et al, “Trends in Telemedicine Utilizing Artificial Intelligence” AIP Conference Proceedings 2018; 040009 (2018).
[5] Supra n 2.
[6] Kitty Lee, Matt Zafra & Justin Bay, “COVID-19 Makes Singapore’s Digital Health ‘On-Demand’” [2020] (6 August 2020) <https://health.oliverwyman.com/2020/08/covid-19-makes-singapore-s-digital-health–on-demand-.html> (accessed 15 September 2020).
[7] Mark Burroughs, “Benefits and shortcomings of utilizing telemedicine during the COVID-19 pandemic” Baylor University Medical Center Proceedings 2020; 33(4): 699-700.
[8] Ibid.
[9] COVID-19 (Temporary Measures) (Control Order) Regulations (Act 14 of 2020).
[10] Pamela Ariel On, “Telehealth gets a boost from COVID-19 pandemic”, CNA (23 July 2020) < https://www.channelnewsasia.com/news/business/telehealth-gets-a-boost-from-covid-19-pandemic-12945990> (accessed 15 September 2020).
[11] Ministry of Manpower website < https://www.mom.gov.sg/covid-19/advisory-to-dorm-operators-on-medical-support-for-migrant-workers> (accessed 15 September 2020).
[12] Staff Reporter, “Singapore carefully facilitates shipping crew changes during pandemic”, SBR (26 June 2020) < https://sbr.com.sg/shipping-marine/news/singapore-carefully-facilitates-shipping-crew-changes-during-pandemic> (accessed 15 September 2020).
[13] Infocomm Media Development Authority website < https://www.imda.gov.sg/infocomm-media-landscape/SGDigital/tech-pillars/Artificial-Intelligence> (accessed 15 September 2020).
[14] Shane Legg & Marcus Hutter, “A Collection of Definitions of Intelligence” Technical Report 2007; IDSIA-07-07 <https://arxiv.org/pdf/0706.3639.pdf%20a%20collection%20of%20definitions%20of%20intelligence> (accessed 10 January 2021).
[15] Craig Kuziemsky et al, “Role of Artificial Intelligence within the Telehealth Domain” Yearbook of Medical Informatics 2019; 28(1): 35 – 40.
[16] Ibid.
[17] Ibid.
[18] Healthcare Services Bill 2019 (Bill 37 of 2019).
[19] Private Hospitals and Medical Clinics Act (Cap 248, 1999 Rev Ed) (“PHMCA”).
[20] Ministry of Health website < https://www.moh.gov.sg/hcsa/home> (accessed 27 September 2020).
[21] Singapore Parliamentary Debates, Official Report (6 January 2020) [vol 94] < https://sprs.parl.gov.sg/search/sprs3topic?reportid=bill-418>(accessed 10 January 2021) [Edwin Tong Chun Fai, Senior Minister of State at the Ministry of Law and Ministry of Health].
[22] Supra n 2.
[23] Singapore Medical Council, Ethical Code and Ethical Guidelines (2016 Edition).
[24] Medical Registration Act (Cap 174).
[25] Ministry of Health website < https://www.moh.gov.sg/home/our-healthcare-system/licensing-experimentation-and-adaptation-programme-(leap)—a-moh-regulatory-sandbox> (accessed 20 January 2021).
[26] Ibid.
[27] The Health Sciences Authority, Telehealth Products Guidelines (August 2017).
[28] Health Products Act (Cap 122D, 2008 Rev Ed) (“HPA”).
[29] The Health Sciences Authority, Regulatory Guidelines for Software Medical Devices – A Life Cycle Approach (April 2020).
[30] Ministry of Communications and Information website < https://www.mci.gov.sg/pressroom/news-and-stories/pressroom/2020/3/mci-response-to-pq-on-the-regulation-of-artificial-intelligence> (accessed 1 October 2020).
[31] Ibid.
[32] Ibid.
[33] Ibid.
[34] Supra n 21.
[35] Supra n 2, at p 17.
[36] The Interstate Medical Licensure Compact website <http://www.imlcc.org/> (accessed 1 January 2021).
[37] Ibid.
[38] Telemedicine Act 1997 (Act 564).
[39] [1957] 1 WLR 582.
[40] [1998] 1 AC 232.
[41] [2002] 2 SLR 414.
[42] Pratap Kishan, “ Who is Responsible if an AI Diagnoses Your Disease Wrongly” [2019] (18 April 2019) Asia Law Network <https://learn.asialawnetwork.com/2019/04/18/responsible-ai-diagnoses-disease-wrongly/> (accessed 10 January 2021).
[43] Ibid.
[44] Personal Data Protection Act 2012 (No. 26 of 2012).
[45] [2019] SGPDPC 3.
[46] Supra n 45.
[47] Michael Erman, “Abbot releases new round of cyber updates for St. Jude pacemakers”, Reuters (30 August 2017) < https://www.reuters.com/article/us-abbott-cyber/abbottreleases- new-round-of-cyber-updates-for-st-jude pacemakers-idUSKCN1B921V> (accessed 9 October 2020).
[48] The U.S. Food & Drug Administration, Postmarket Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff (28 December 2016).
[49] Supra n 29, at p 25.
[50] Ibid.
[51] Cybersecurity Act (Act 9 of 2018).