How cloud technologies can improve healthcare by enabling cross-border data flows

• Cross-border data flows are important for the economy, crucial for healthcare research, and critical for patient access to lifesaving therapies and diagnostics
• Concerns about data privacy, national sovereignty, and cybersecurity are driving national policies that restrict access to health data
• The fragmentation of data policies is impacting the ability of cloud computing to address various operational and infrastructural challenges in healthcare

In our globalized world, people are moving all the time between countries or jurisdictions for economic reasons, leisure, or educational purposes. For this reason, it is becoming more and more necessary for health data to move effortlessly between multiple countries and jurisdictions. The COVID-19 pandemic exemplified the need for cross-border data flows (CBDF) as this data was pivotal to vaccine development.¹ However, policies restricting health data sharing across borders keep cropping up, increasing policy fragmentation worldwide.²

Permissive CBDF, that is CBDF which allows for the freer flow of data across borders,  is a crucial lever to improving healthcare systems, and cloud technology is a viable pathway for addressing healthcare infrastructure and operational shortcomings. This article captures the main arguments laid out in a recently published HIMSS report – Empowered by the cloud: How cross-border health data flows can create value for patients and boost health system efficiency.³

In February 2024, the Biden White House issued an Executive Order aimed at restricting the bulk sensitive personal data of Americans (e.g. genomic data, electronic health records, etc.), and US government-related data from “countries of concern”.⁴ In fact, there is a trend toward such policies worldwide. According to the OECD, there was an  800% increase in the number of legislations aiming to restrict CBDF worldwide between 1995 and 2015 alone.²

Legitimate underlying concerns about data privacy, data governance, cybersecurity, and perceived threats to national sovereignty are driving such restrictive policies.⁵ Unfortunately, the report highlights evidence to suggest that restricting CBDF has a negative impact on healthcare research, disrupts timely patient access to diagnostics and therapies, and can even lead to a loss in economic output.

Advances in data analytics now facilitate our ability to leverage large datasets for, among others, decisions relating to treatment, diagnostics, precision medicine, and population health.⁶ To realize the full potential of health data, however, comprehensive datasets are needed in order to deduce subtle patterns and trends.⁷ This is especially true for rare disease research where small patient numbers make it necessary to combine different datasets, often from different jurisdictions.

The recently passed European Health Data Space (EHDS) legislation is an example of a policy step in the right direction in terms of encouraging CBDF within the EU. The EHDS stipulates rules, common standards, infrastructure, and a governance framework for health data in the European Union (EU).⁸ With an emphasis on both primary health data (derived through care delivery) and secondary health data (further reuses of health data), it is commendable for its ability to encourage holistic datasets for research. Nonetheless, the EHDS negotiation process featured lengthy debates on data localization and international data transfer underlining the importance of CBDF.⁹

Cross-border data flows (CBDF) of health data become crucial when people are living or working in multiple jurisdictions.  Should an emergency situation occur, or to ensure continuity of care, healthcare providers across the world must gain access to their patients’ health records.  Restrictions on this health data can lead to poor health outcomes and even death. The HL7 International Patient Summary project, which proposes a basic set of clinical data and standards on global health, demonstrates an opportunity to improve patient access when permissive CBDF policies are in place.¹⁰

The free flow of health data is also instrumental in ensuring access to adequate care, especially when patients seek a second opinion for health decisions. Quicker decision-making can lead to better care when the electronic transfer of health records goes smoothly and is not restricted.

As the saying goes: “health is wealth” but in reality, it is a complicated process to quantify the monetary value of well-being to the economy.¹¹ This is why proxies are a good way to capture such estimates. As an example, the IMF estimated that approximately $9 trillion was gained from vaccinating individuals during the COVID-19 pandemic.¹² Meanwhile, in the case of the EHDS, the EU estimates €5.4 billion in healthcare cost savings from utilizing health data for research, innovation, and policy-making.¹³

The HIMSS report highlights three considerations that countries make to inform their CBDF policies: data residency (the physical or geographical location of the data), data sovereignty (privacy regulations governing data) as well as data localization (restricting data storing or processing within a country’s borders). Although data localization is the strictest of the three, the report notes that up to 75% of countries have implemented some form of it.¹⁴ Interestingly, the report also identified that the more restrictive a country’s data policies, the less valuable its productivity and overall trade output.¹⁵

According to the report, there is no uniform approach to CBDF policies globally as their restrictiveness varies from place to place.  Some prominent examples include: the EU’s General Data Protection Regulation (GDPR), and the US’ Health Insurance Portability and Accountability Act (HIPAA), both rated partially restrictive in the report. Meanwhile, China’s Personal Information Protection Law (PIPL) is rated restrictive due to its strict data localization requirements.³ These data localization trends pose various legal, cybersecurity, interoperability (technical and semantic), quality, and funding restrictions to CBDF.  Moreover, the report also highlights how variations in regulations, data privacy, security, and ownership continue to restrict health data sharing and limit its utility in healthcare and research.

Additionally, countries must consider the costs involved in meeting CBDF requirements. For instance, Standard Contractual clauses (SCCs) dictate the cost of moving data outside of the EU. According to an analysis from the University College of London, a data-sharing agreement between the UK and the US costs somewhere between $68,00-$136,000. This money could be allocated to research if it were not required to access data.¹⁶

Cloud technologies provide a solution for addressing many of the infrastructure and operational shortcomings facing health systems. Cloud computing, which refers to data stored on multiple servers that can be accessed through the internet, can serve as a technological basis to securely store, process, and access a wide variety of health data. Meanwhile, the software, servers, and databases accompanying cloud-based systems can also support the infrastructure required to operate clinical on-demand services and even manage patients’ electronic health records.^17,18 The ability to lease access to storage and processing capabilities means that health systems can save money without having to make large-scale investments. Yet, many direct and indirect legislations impact the capacity to utilize the cloud.

Perhaps most importantly, cloud computing also addresses many of the security concerns around information sharing driving the influx of CBDF policies. As highlighted before, a bulk of the stringent CBDF policies result from cybersecurity concerns. Within the HIMSS report, an in-depth analysis of the current state of cloud technology rules and regulations relating to the cloud was examined for Singapore, UK, US, China, South Korea, France, Germany, Japan, Australia, Austria, Brazil, Spain, Sweden, Switzerland, and Taiwan. Only Singapore and the UK were identified as progressive countries promoting the use of cloud technology domestically.

Several bilateral and sub-regional data-sharing partnerships are being pursued to address some of the restrictive health data exchange policies described above. For example, the EU-US Trans-Atlantic Data Privacy framework seeks to develop a mutual data transfer framework between the US and the EU.¹⁹ Within Asia, the APEC Cross-Border Privacy Rules (CBPR) System is a data privacy certification scheme for APEC countries.²⁰ Another scheme is the Observational Health Data Sciences and Informatics (OHDSI) initiative which demonstrates the value of seamless data sharing across borders. Comprising more than 2000 researchers from 74 countries, they utilize federated large-scale analytics to extrapolate insights from over 800 million patient records.²¹

The value of CBDF in healthcare is significant across healthcare delivery, research, and patient access to life-saving therapies and diagnostics. As discussed earlier, sharing data across borders is crucial to support care for many individuals today. Yet, the number of policies restricting data sharing continues to rise steadily across the globe. Although concerns relating to data privacy, cybersecurity, and national sovereignty continue to increase the likelihood of such policies, there is a need to harmonize frameworks to ensure that health data can continue to move across borders. With healthcare costs on the ascent globally, permissive CBDF rules can encourage the use of cloud computing, which is beneficial to addressing several of the infrastructural and operational challenges facing health systems today.

The full HIMSS report can be accessed here. The report makes the case for permissive cross-border data flow regulations and policies as they facilitate healthcare research, and patient access and boost economic gains for countries. The report also examines the national laws and regulations of 15 countries and provides an in-depth analysis of their openness to sharing health data as well as utilizing the cloud.