I.T. Law Case Study

I.T. Law Case Study

According to Nyst (2018), the right to privacy is fundamental. The right to privacy is dictated in several international human rights instruments. Worldwide, more than 150 constitutions provide for issues related to privacy. The right to confidentiality dictates that every person should not be subjected to arbitrary or illegal interference with their privacy, home, correspondence and family, and from attacks on their reputation. Legislations regarding the right to privacy protects the confidentiality of letters, phone calls, emails, text messages, and internet browsing. The laws around data privacy also stipulate that people should be able to decide on their lives, including their sexual and reproductive choices. Individuals have the power to control their data.

Since technology is advancing, the right and the scope of data privacy is also evolving. Innovations and high processing power of computers make it possible not only to collect but also store enormous amounts of data. Technology has also introduced new forms of data and allowed specific data that none could have imagined before. The use of the Internet and digital means of communication gradually expands ways of sharing and accessing data. Therefore, it means that sharing and access are equally easy for actors who are not authorized or fraudulent personnel. As a result, the hospital needs to understand that the issue concerning data protection is not any more simple but a complex process. The whole process requires strict technical and stringent codes of practice guided by a legal framework. Notwithstanding, health facilities interact with some of the most sensitive types of data in human history.

The European Commission (E.U., 2018) places data processing obligations on companies and therefore health facilities alike. According to E.U. (2018), the process of processing data should be fair and transparent. The process should also be specific and for legitimate reasons. Data processing obligations for health facilities should evolve around consent of the patient or the individual who is concerned. There should be a contractual obligation between the facility and the client or patient. The purpose of the process should be of vital importance and vitally protect the critical interests of the individual. The data should also perform the task it is meant.

There are several data management and storage solutions that Maxhealth could use. There are also various data security rules. Obviously, the health facility may be deluged by data. Machine learning is the application of artificial intelligence to which gives the artificial intelligence system with the ability to automatically learn from the environment and use the knowledge to make improved decisions. Machine learning uses several algorithms to describe and improve data so that it can predict several outcomes (TCS, 2019). The algorithms use statistical methods to note patterns and then act on the patterns. Deep learning, on the other hand, is a subset of machine learning. Deep learning machines does not depend on human intervention to make independent predictions. These machines use artificial neural networks so that the machine logically analyzes data just like the human.

Since the hospital will often interact with datasets that involve high dimensions, the current learning algorithms extracts and organizes the discriminative information from the data. Representation learning is a promising answer to meaningfully and usefully represent data in a way that it becomes easy to detect important information when developing classifiers or other predictors. Similarly, deep learning enjoys a history of a state-of- the-art performance. Deep learning is responsible for providing predictive analytical solutions for large scale sets of data. It has increased processing power and the improvement of graphics processors (Qiu et al. 2016).

However, the main reason for machine learning is to represent input data and generalize learnt patterns for use in the future. The way machine learning is good at representing greatly influences greatly how machine learners perform on the data. The hospital should consider that a poor machine learner will likely reduce the performance of even an advanced complex machine learner. However, good data representation can improve the performance of a relatively simpler machine learner.

In continuation, there is rapidly increasing medical data that is produced from the hospital information system. The expansion of medical data signifies an era of big data in the hospital domain (Li et al. 2016). However, the complexity, distribution, and the highly interdisciplinary trait of medical data underscores the disadvantages of the traditional methods of analyzing, accessing, distributing and sharing medical data. Therefore, innovative and efficient technologies arise that are necessary for obtaining the wealth of information and knowledge that comprise medical big data.

Considering the challenges encountered by Maxhealth, this is a moment for the facility to leap by adopting a new information technology solution that will escalate data management within the facility to the next generation. The field of data management in medical and healthcare is growing big because of the diversity and the heterogeneity of healthcare records. The data in the field of health care are valuable for the prediction of diseases, management, and control, medical research, and the construction of medical information (Li et al. 2016).

Currently, there are two directions that Maxhealth can adopt for designing a reliable and efficient big data processing system (Sutharahan and S, 2014). Centralized computation which relies on mainframes is relatively expensive to implement. However, distributed computation is reliable in terms of implementation since it depends groups of cheap commercial computers. The ability of distributed computers to process data is also scalable. Currently, available distributed big data processing platforms include Hadoop, Spark, and Storm. Interestingly, these methods are for open access and free of cost.

However, of interest is Hadoop, which is the core project of apache foundation. It has evolved through several versions (Manogaran et al. 2017). Since it is for open source, Hadoop has been embraced as the de facto international measure for distributed computing system. The technicality of its system has progressively becomes broader and perfect. Hadoop incorporates all aspects of data processing. Google provides three fundamental platforms for Hadoop. The MapReduce distributed computing framework, the distributed file system (Hadoop distributed file system, HDFS) that is based on Google File System, and HBase data storage system that is based on Big Table (Li et al. 2016).

On the cyber-attack, of importance is the discovery of the breach (NIST, 2019). Early detection would have been helpful. However, to remain safe at this point, the first appropriate action for the hospital would be isolation of all the affected endpoints and servers. The MaxHealth Information technology team should work rapidly to prevent further spread of the malware. The machines should not be shut down until the completion of examination by information security experts (Martin et al. 2017). Since this was a major attack, the hospital outsources cybersecurity expertise. The hospital should not attempt to remedy the security breach since it may be inefficient, and potentially lead to more losses.

The next and important step would be for the hospital to notify the security. Concerning the cyberattack, the facility can notify several agencies (Martin et al. 2017). The local police should be informed so that the attack can be made official. Apart from contacting the Federal Bureau of Investigation (FBI) and The U.S. Computer Readiness Team (US-CERT), the hospital should file a with the Federal Trade Commission. Since confidential and personally identifiable information was compromised during the breach, the hospital should liaise its affected clients and ensure they visit the Federal Trade Commission’s Identity Theft Site (Mattei and T.A., 2017).

Informing the clients is the most difficult step in a cyber-breach but inevitable. The hospital cannot evade explaining the situation to the clients. Next, the I.T. security professionals should identify and mitigate the vulnerabilities (NIST, 2019). They will also come up with several other vulnerabilities that must be patched. At this point, the inefficiency of the information of security solutions are evident. Therefore, the hospital should source for available security protocols, software, hardware and training. The hospital then should come up with an after action report (Mattei and T.A., 2017). Lastly, the firm should refresh the cyber awareness of the employees regardless of the cause and source of the breach.

The most obvious benefit of using big data in healthcare is the prospective improvement in the efficiency of service delivery (H.M. et al. 2014). The hospital can now analyze large volumes of data. The personnel within the facility can now manage data efficiently. However, concerns arise when it comes to sharing and reusing data in formats that include high practices. There are several barriers when it comes to privacy and security regulations that include legal concerns that the hospital should be aware.

To briefly bring into context the nature of the data that the hospital intends to reuse requires a brief consideration of big data. Big data is large volume of data that can be generated and stored (Pamela, 2019). Big data also involve the velocity through which data can be produced to propagate appropriate decisions at the right time. Moreover, Big data comprise variety of formats through which data can be adopted. There are other aspects revolving around big data management like the confidentiality that is associated various kinds of data. The hospital, in the process of extracting and sharing data of this nature, should be able to identify only what is valuable and then modify it and extract the data for analysis. The process runs across volume, velocity, variety, veracity, and value.

Since the innovation of big data, there is the risk of handing several personal data to organizations and governments. Therefore, there can be some level of misuse of confidential information from individuals. The hospital should also note that organizations or several owners of data may be interested in dissemination of data as an investment. So that ensuring that the hospital maintains intellectual property rights require guidelines for legislations and oversight. Otherwise, the facility may be battling legal issues in courtrooms in the near future.

Therefore, the hospital should make sure that all professional, legal, and ethical obligations to the sources of data are considered (Cornell University). Some researchers only wish to share a portion of their database with others. As a result, the hospital can only extensively of even fully use data from external sources if the terms of use are available. The facility also need to be in agreement with the terns of use.

Often, legal data management experts do not attempt to separate the system that holds the data from the content. However, the phenomena are relatively vital when considering intellectual property rights and regulations. For instance, anything in data sources could be protected by copyright. In the U.S. legislations, data is considered factual and has no copyright protection. The argument is that it is not possible to copyright facts. Nevertheless, caution is necessary. Practically, not every data can be available in the public domain for extraction and sharing. In any case, a website may use photographs that are copy righted.

Similarly, a database may be slightly copyright protected. Owners of databases need to decide on the appropriate content for the database. They also have the responsibility of organizing data. All those are burdens that may prompt them to source for copyright protection. Therefore, it is inevitable for any Maxhealth to understand the terms of use for every database they are about to extract information and the data content.

According to Carroll and M.W. (2015), several scientific researchers have trade secrets in their data for some duration even if they are unawares. International Standards stipulates that national laws handles information as a trade secret if it provides economic value during when it is unknown as long as there are reasonable precautions to keep the information secret. Just like trade secrets are acquired easily, so are they also lost easily. Any leak of the data in the public domain cancels any trade secret protection.

Research data in E.U., certain countries in Eastern Europe, and South Korea research data are usually protected by certain database rights. For instance, Mexico ensures protection of databases that do not qualify for copyright protection. However, the rights may only be applicable to extraction of a substantial or enormous amounts of data occurring on computers through the Internet in Europe or South Korea but not elsewhere (Carroll and M.W., 2015). The Courts of Justice of the European Union states that the protection is only provided to sources that invest in the process acquiring the data.

The hospital should also be informed of patent rights. However, patent rights tend to be overemphasized by database owners who are strict about obtaining data protection. Pursuers of patent rights are not willing to share their data. Patent rights are legal covers for inventions. Inventions are usually protected by certain rights. One can only acquire patent rights only if all the qualifications are met. However, they are patent rights are difficult to acquire since they can only public authorities provides them.

Finally, we answer the question of the owner of the rights. It is an obligation for Maxhealth to understand who is protected for what kind of data. A trade secret may be owned by an employer to an employee. However, when there is no guideline or policy, the trade secret belongs to the researcher. Likely, the author of a copyrighted work will own the copyright. For Europe and Korea, the individual that invests substantially is protected by Sui Generis Database rights.

To continue, should improve medical practice when it comes to data management. However, MaxHealth should be warned that the facility shall be using opaque computational models to decide on issues that pertain to the health of an individual. The models are usually opaque due to the large amount and the complexity of data they process (Reed et al. 2016). It is also important for the facility to note that machine learning take time to adopt the human way of reasoning. Often, the nature of data produced by machine learning are probable data.

For example, there may be output of wrong data due to errors during the process of data management. It this case it is likely that the physician attends the patient that the data concerns may come up with a wrong diagnosis. Patients are likely to sue the clinician or the employer of the clinician when harm occur due to wrong diagnosis. However, the error may have been from the software even during manufacturing (Vladeck and D.C., 2014). Furthermore, the law stipulates that software’s are only liable to support diagnosis and not decide on the right diagnosis.

A practical example may occur when, for instance, a physician intends to confirm the contraindications of a drug. However, in this instance, the software displays wrong information. Also, the software may fail to detect any interaction. When injury occur to the patient, the clinician remains responsible regardless of the faulty software (Phg, 2018). This is considering the fact that diagnosis and prescription are the responsibilities of the clinician.

Concerning product liability, the law states that the when someone claims product liability the claim cannot be compensated until there is proof that there was a mistake. However, certain laws provide that a defendant may compensate a complainant even if they did not make a mistake. Of significance is that product liability is not directed towards making a defendant guilty but detecting that some unreasonable action caused the problem. Moreover, the consumer protection Act of 1987 (CPA), states that those who circulate defective products may be guilty for any damage that the product causes.

Currently, there is the confusion as to whether this software really are products (Surden and H., 2014). There are several issues when managing healthcare data using machine learning. If machine learning is not going to be considered as a product, then one can hardly claim negligence. Also, when the software is used to operate or authenticate a product but not viewed as a product, then there may only be liability because of damage by the involved product. Lastly, injuries due to errors in software are always adverse, detrimental and relatively expensive.

However, currently, nurses, doctors, pharmacists and clinicians who use machine learning are currently liable for the errors of the machines (Phg, 2018). There is call for vigilance since there are also input errors like typos. Since the healthcare is adopting machine learning, healthcare facilities have the responsibility of ensuring that the manufacturers become responsible for the laws that govern product liability.

Another major concern regarding the use of machine learning in healthcare is the potential for discrimination. Machine learning is used in the analysis of Big Data which may be used to predict the likeliness of something occurring in the future. In the healthcare setting, these are data specifically from the health records and health insurance claim (phg, 2018). However, the capability of machine leaning to predict is doubtful. Moreover, machine learning is already being used for various diagnosis. Therefore, anything has to be in the records. Some information machine learning predicts may lead to anxiety and discrimination as some health records are important during job applications or application of medical insurance. So that any individual holding the health records from another individual instantly access confidential and sensitive information.

Mostly, several healthcare providers like MaxHealth may fail to establish necessary precautions for I.T. outages. Studies elaborate that several I.T. experts in healthcare claim unpreparedness for I.T. outages, loss of dater or other disaster that may pertain the I.T. department. Since companies, and the healthcare not excepted, can be sued for I.T. outages due to power failures, it is only appropriate if necessary precautions and appropriate guidelines are in place.

Therefore, of importance is that the I.T. consultant for MaxHealth should create awareness on the risks associated with any I.T. project. Power failure is an obvious risk that cannot be overlooked. This kind of reactiveness evades if not reduce significantly the possibility of lawsuits. However, in this case, there is the possibility that the I.T. consultants took all the necessary measures. So that the firm only remains with the challenge of proving that necessary measures were taken and that the loss was unavoidable.

As a result, the technicians will need to pride backup or mirror data. They will also need to prove that they built redundancy in their network. However, even with these measures, outages can still cause data loss. Therefore, the facility will be liable for the losses that the client claims. The hospital may be blamed for failing to equip with programs like SaaS, cloud services, or lack of some other important software. If the hospital can also be accountable if a cloud service, they suggest to client’s crashes or stops working.

To continue, such liabilities can be covered by the omissions and errors insurances. The Errors and omissions insurances should be able to pay all the damages. The errors and omissions should also fund the defenses for the hospital. However, in the agreement act, it is stipulated that the recipient accessing the database is without warranty or liability. This means that recipients subscribing to the MaxHealth database does so at their own risks. This implies that the institution can be in no way liable for the losses of the recipient.

Additionally, it is in no doubt that the hospital had been providing satisfactory services to the recipient until the power outage. Therefore, loss of earnings was not due to inaccuracy but because of the power outage. Lawsuits due to power outages are generally difficult to win. However, if the recipient is dissatisfied by the direction things have taken, MaxHealth data manager can advise them to terminate their membership. Termination of membership to be strictly done according to the agreement.

When handling issues of non-disclosure agreements it is vital to note that they may be the only from liabilities or damages. In the agreement by MaxHealth, there is a clause that state that the recipient is to ensure the methodologies through which access to data are securely maintained. Exception is only through a special written permission which can only the MaxHealth data bank manager can provide. Furthermore, the agreement states that the recipient will appropriately safeguard the data from MaxHealth data bank. This means that the recipient cannot disclose, without permission, the data from MaxHealth.

Also, according to the agreement, the recipient using MaxHealth data bank will appropriately develop, implement, use appropriate administrative measures to safeguard and preserve the integrity and confidentiality. The recipient should by all means prevent non-permitted or disclosure that violate the use of data from MaxHealth data bank. The above phrases and regulations sound standard. However, these clauses may be detrimental concerning non-disclosure agreements. In this case, this agreement may impose severe consequences not only on the recipient but also the owner of the data bank.

Courts were forced to distinguish between general damages and special damages in the Lavery and Company limited versus Jungheinrich case in 1931 (Law Business Research, 2016). From the case, general damages are damages that are come by naturally or generally due to breach in the regulation governing a contract or an agreement. In the context of general damages, the law assumes that the party will violate the contract. Therefore, special damages are damages that result from violation of the agreement but are considered in law that the breach is extensive to recover from. However, the party can be liable to special damages only if during the signing of the agreement they foresaw that such damages would result from violation of the contract and in the case the violating party would be liable.

Indirect damages or consequential damages results from a breach in an agreement whereby there are no general or special damages. For instance, a recipient of confidential information may violate a non-disclosure agreement to lure or cohere an investor. An entrant may share information about the business to attract a business investor or partner. Afterward, the sign a non-disclosure agreement with the investor but maintain that none will be liable in case of violation. If the investor breaches the agreement, it is likely for courts to conclude that the only liability is loss of profits. Therefore, it is only possible to claim special damages if the agreement provides for special damages if the non-disclosure agreement is breached.

When contracts are violated, damages will come in to oversee if the agreement was poorly done or only apply to one party. The case is similar to the MaxHealth recipient’s violation. There are several legal gaps in the agreement that leaves the recipient with the leeway to violate the agreement. For instance, what is confidential information in the context of the agreement? What is the duration of the agreement? These kind of flaws during the formulation of the agreement may stop MaxHealth from claiming the liabilities. Otherwise, the recipient is liable for the above illustrated claims as stipulated by the agreement.

The E.U. and the Agreement on Trade Related Aspects on Intellectual Property Rights (TRIPS), define trade secrets. That a trade secret must not generally known among or be readily available for access to the public. Especially, information regarded as a trade secret must always be confidential from personnel who handle similar information. Also, a trade secret must be commercially valuable since it is secret. Moreover, trade secrets must fulfill all the necessary requirements to be kept secret.

For MaxHealth, identification of what the facility considers as a trade secret would be the starting point. Trade secrets are way different from other intellectual property rights like copyright protection. Mark Hallingan and Richard wayward (2006) defined trade secrets as intangible cloud of information stored on paper, computer drives and in the minds of the employees. Therefore, during a lawsuit, a court will obviously necessitate that infringers understands exactly what they cannot use. Storing or uploading evidence to a secure storage gives the opportunity for secure storage.

There is an obvious flaw regarding the models developed by the recipient. The information is already leaked, especially to interested counterparts and may no longer be considered as a secret. As a result, the recipient has failed in his efforts to keep the trade secrets confidential. However, this is not completely true. In spite of severe efforts of the owner of a trade secret, infringers with determination to disclose the secrets may eventually find their way.

Therefore, an enforcement policy is not enough. Successfully using a policy is the baseline. If MaxHealth is confident that according to its understanding, it owns the rights to the secrets, then it needs to pursue the infringer to ensure it preserves its secrets. However, since there was no laid policy regulating the rightful owner of the secrets, the recipient has rights to own the secrets. MaxHealth has the obligation of protecting every information that it does not want accessible in the public domain.

To continue, MaxHealth should have in provision an agreement that illustrates that its employees should protect the essential trade secrets as an important requirement. For instance, in the United Kingdom (U.K.), there are provisions that restrict ex-employers from working in a similar field of business or geographical are or for specific competitors, for a certain duration. Such a policy keeps the ex-employer, from misusing information acquired during his or her employment in the company.

However, first, in the case of MaxHealth, the doctor is already recognized as the custodian of the models. Despite, obtaining extensive amount of data from MaxHealth, the facility only expects recognition and citing. The facility does not stipulate in the agreement that they own models that are developed using their data. Furthermore, the doctor used information from MaxHealth database only as a recipient and not as an employee of MaxHealth.

In conclusion, MaxHealth is on linked to the models because information from its database was used. Therefore, MaxHealth has no direct claim to the models. In any case, only the recipient of MaxHealth can claim the rights to own the secrets.

Bibliography

Suthaharan, S., 2014. Big data classification: Problems and challenges in network intrusion prediction with machine learning. ACM SIGMETRICS Performance Evaluation Review, 41(4), pp.70-73.

Manogaran, G. and Lopez, D., 2017. A survey of big data architectures and machine learning algorithms in healthcare. International Journal of Biomedical Engineering and Technology, 25(2-4), pp.182-211.

Krumholz, H.M., 2014. Big data and new knowledge in medicine: the thinking, training, and tools needed for a learning health system. Health Affairs, 33(7), pp.1163-1170.

Ross, M.K., Wei, W. and Ohno-Machado, L., 2014. “Big data” and the electronic health record. Yearbook of medical informatics, 23(01), pp.97-104.

Introduction to Intellectual Property Rights in Data Management. Retrieved from: https://data.research.cornell.edu/content/intellectual-property

Du, H. and Yang, S.J., 2011, March. Discovering collaborative cyber attack patterns using social network analysis. In International Conference on Social Computing, Behavioral-Cultural Modeling, and Prediction (pp. 129-136). Springer, Berlin, Heidelberg.

Loukaka, A. and Rahman, S., 2017. Discovering new cyber protection approaches from a security professional prospective. International Journal of Computer Networks & Communications (IJCNC) Vol, 9.

Keeping Up with Data Protection Regulations. Retrieved from: https://cloudian.com/guides/secure-data-storage/data-protection-regulations/

Data Privacy Today and What It Means for Your Organization. Retrieved from : https://www.csoonline.com/article/3336272/data-privacy-today-and-what-it-means-for-your-organization.html (January 28, 2019).

Qiu, J., Wu, Q., Ding, G., Xu, Y. and Feng, S., 2016. A survey of machine learning for big data processing. EURASIP Journal on Advances in Signal Processing, 2016(1), p.67.

Making the Foundation Strong: The Importance of Data Processing In Machine Learning /Artificial Intelligence. Retrieved from: https://www.tcs.com/blogs/making-the-foundation-strong-importance-of-data-processing-in-machine-learning (August 13, 2019).

Li, J.S., Zhang, Y.F. and Tian, Y., 2016. Medical big data analysis in hospital information system. Big Data on Real-World Applications, p.65.

How to Detect a Cyber Attack Against Your Company? Retrieved from: https://www.nist.gov/blogs/manufacturing-innovation-blog/how-detect-cyber-attack-against-your-company (August 08, 2019).

Carroll, M.W., 2015. Sharing research data and intellectual property law: A primer. PLoS biology, 13(8), p.e1002235.

Vladeck, D.C., 2014. Machines without principals: liability rules and artificial intelligence. Wash. L. Rev., 89, p.117.

Surden, H., 2014. Machine learning and law. Wash. L. Rev., 89, p.87.

Reed, C., Kennedy, E. and Silva, S., 2016. Responsibility, Autonomy and Accountability: legal liability for machine learning. Queen Mary School of Law Legal Studies Research Paper, (243).

Legal Liability of Machine Learning in Healthcare. Retrieved from: https://www.phgfoundation.org/briefing/legal-liability-machine-learning-in-healthcare (August 2018).

Martin, G., Martin, P., Hankin, C., Darzi, A. and Kinross, J., 2017. Cybersecurity and healthcare: how safe are we?. Bmj, 358, p.j3179.

Mattei, T.A., 2017. Privacy, confidentiality, and security of health care information: Lessons from the recent Wannacry Cyberattack. World neurosurgery, 104, pp.972-974.

”2”’*