In reaction to the Coronavirus Disease 2019 (“COVID-19”) pandemic and continued development of big health data and computational capabilities, increasingly digitized global healthcare systems face a growing tension between efficiency and privacy vulnerabilities. Internet-enabled and cloud-based technology promise to make healthcare more accurate and cost effective but require access to protected health information (“PHI”), which is vulnerable to cyberattacks.[1] Japan, among other countries, has embraced an innovation-forward mindset, making the technological powerhouse an ideal nation to examine the effect of integrating cloud-based technology into health privacy legislation.[2]
The Internet of Things (“IoT”) connects devices to a “comprehensive network of interrelated computing intelligence” without human intervention and allows medical facilitators to monitor patient care in real-time.[3] The National Institute of Standards and Technology (“NIST”) defines cloud computing as a “model for enabling convenient, on-demand network access to a shared pool of configurable computing resources… that can be rapidly provisioned and released with minimal management effort or service provider interaction.”[4] Applications of a cloud-based electronic-health system have transformed the healthcare industry by expanding access, remote care, and decentralized information storage.[5] Japan’s well-developed cloud infrastructure has addressed the nation’s goal of “bringing people to the data,” and research suggests that the combination of Japan’s existing infrastructure and overall culture contribute to its fluid transition.[6]
While Japan’s residents enjoy universal health coverage, the nation’s demographic is made up of an increasingly aging population, which has resulted in fragmented funding and service delivery at prefectural levels.[7] The nature of this healthcare system led Japan to quickly invest in emerging technology and pursue aggressive merger and acquisition strategies.[8] Likely a result of its expertise in the cyber arena, Japan has continued to promulgate cohesive and preventative privacy legislation in stark contrast to the United States’ patchwork strategy developed in reaction to cyberattacks. Japan’s government formulated E-Japan Strategy I and II to integrate information technology (“IT”) into healthcare in 2001.[9] In 2009, Japan developed the National Database of Health Insurance Claims and Specific Health Check-Ups of Japan (“NDB”), which covers almost all health insurance schemes and is one of the most comprehensive national-level medical databases in the world.[10]
In 2015, the Japense government launched a “working group on information and communication technology usage in the area of health care,” which proposed a Person-centered Open Platform for Wellbeing (“PeOPLe”) that connected and integrated health data generated throughout a person’s lifetime for both health professionals and patients.[11] In 2017, the government introduced the Medical Big Data Law, which legalized the use of big data and cloud applications in healthcare, and the Personal Information Protection Act, which established strict standards to handle electronic health records (“EHR”).[12] The synergy of advanced technology fortified by affirmative legislative support has proven successful.[13]
There has been ongoing pressure for legislators to develop uniform international standards governing the trans-border dissemination of sensitive personal information. Despite the international onslaught of cyberattacks on healthcare infrastructure during the pandemic, countries continue to fail to protect the data privacy of their constituents.[14] The average total cost of a breach in the healthcare industry amounts to $10.10 million, making healthcare the highest average breach cost of any industry for the twelfth year in a row.[15] Despite the clear advantages of cloud-based technology in healthcare, observations of Japan demonstrate clear barriers to drafting universal guidelines, such as cultural differences, the inherent nature of certain health infrastructures, and the specific needs of any particular nation’s demographic.
[1] See Marieke Bak et al., You Can’t Have AI Both Ways: Balancing Health Data Privacy and Access Fairly, Frontiers in Genetics (June 13, 2022), https://www.frontiersin.org/articles/10.3389/fgene.2022.929453/full (explaining how artificial intelligence developments in the health industry are beneficial to patients and medical personnel); see also Stacy Weiner, How the War in Ukraine Threatens Hospital Cybersecurity – and What to Do about it, AAMC (May 24, 2022), https://www.aamc.org/news-insights/how-war-ukraine-threatens-hospital-cybersecurity-and-what-do-about-it (explaining that teaching hospitals hold high-value digital assets such as personal health information and credit card numbers); see also SC&H Group, Data Privacy and Security – A Major Risk within the Healthcare Industry, https://www.schgroup.com/resource/blog-post/data-privacy-and-security-a-major-risk-within-the-healthcare-industry/ (Dec. 21, 2020) (using names, birth dates, social security numbers, addresses, insurance information, medical history, and credit card history as examples of PII).
[2] See Fujitsu Limited, Fugitsu Launches New Cloud-Based Platform for Healthcare Sector in Japan, Promoting Personalized Healthcare and Drug Development, Fujitsu (Mar. 28, 2023), https://www.fujitsu.com/global/about/resources/news/press-releases/2023/0328-01.html (introducing a cloud-based platform allowing its users to “collect and leverage health-related data to promote digital transformation in the medical field,” with an intent to further develop a data portability service); see also Osamu Ogasawara, Building Cloud Computing Environments for Genome Analysis in Japan, Human Genome Variation (Dec. 14, 2022), https://doi.org/10.1038/s41439-022-00223-8 (demonstrating that Japan has established a high-performance computing infrastructure using supercomputers for genomic medicine).
[3] L. Minh Dang, A Survey on Internet of Things and Cloud Computing for Healthcare, Sejong Univ. Dep’t of Comput. Sci. and Eng’g (July 9, 2019), https://www.mdpi.com/2079-9292/8/7/768.
[4] NIST Cloud Computing Program, Nat’l Inst. of Standards and Tech. (Jan. 28, 2014), http://csrc.nist.gov/groups/SNS/cloud-computing/; see also Peter Mell & Timothy Grance, The NIST Definition of Cloud Computing, Nat’l Inst. of Standards and Technology (Sept. 2011), http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf (explaining that SaaS providers install and run software on remotely-provided servers; IaaS providers furnish customers with access to virtual servers where the customer installs their own software; and PaaS servers allow customers to use an entire platform hosted on the provider’s server).
[5] Remya Sivan & Zuriati Ahmad Zukarnaini, Security and Privacy in Cloud-Based E-Health System, Symmetry (Apr. 23, 2021), https://www.mdpi.com/2073-8994/13/5/742.
[6] Aarthi Raghavan et al., Public Health Innovation through Cloud Adoption: A Comparative Analysis of Drivers and Barriers in Japan, South Korea, and Singapore, Int’l J. of Env’t Rsch and Pub. Health 1, 7(Jan. 5, 2021), https://www.mdpi.com/1660-4601/18/1/334.
[7] Makoto Kaneko & Masato Matsushima, Current Trends in Japanese Health Care: Establishing a System for Board-Certified GPs, British J. of General Practice (Jan. 29, 2017), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5198608/; Raghavan et al., supra note 9, at 4.
[8] Paul Mori, Is Digital Health Finally Taking off in Japan?, Intralink (Apr. 3, 2019), https://www.intralinkgroup.com/en-GB/News/Blog/April-2019/Is-digital-health-finally-taking-off-in-Japan.
[9] Id. (requiring hospitals in both urban and rural areas to adopt level 3 for hospital-wide IT-based information exchange at a minimum, which attempted to force electronic information exchanges on a sector-wide basis).
[10] Ministry of Health, Labour and Welfare, Anonymous Receipt Information and Anonymous Information on Specific Health Check-Ups, https://www.mhlw.go.jp/stf/seisakunitsuite/bunya/kenkou_iryou/iryouhoken/reseputo/index.html.
[11] Id. at 4-5.
[12] Mori, supra note 12; Kohei Kajiyama et al., De-identifying Free Text of Japanese Electronic Health Records, J. of Biomedical Semantics (Sept. 21, 2020), https://jbiomedsem.biomedcentral.com/articles/10.1186/s13326-020-00227-9.
[13] Raghavan et al., supra note 7, at 5-6 (explaining that the 2035 Japan Vision for Healthcare intends to use a national health database to support telemedicine applications and develop robust healthcare policies).
[14] Menaka Muthuppalaniappan & Kerrie Stevenson, Healthcare Cyber-Attacks and the COVID-19 Pandemic: An Urgent Threat to Global Health, Int’l J. for Quality in Health care (Sept. 27, 2022) https://academic.oup.com/intqhc/article/33/1/mzaa117/5912483 (reporting an increase in cyberattacks a result of the pandemic); Catalin Cimpanu, Czech Hospital Hit by Cyberattack while in the Midst of a COVID-19 Outbreak, ZD Net (Mar. 13, 2020) https://www.zdnet.com/article/czech-hospital-hit-by-cyber-attack-while-in-the-midst-of-a-covid-19-outbreak/ (hospital forced to shut down its IT network and postpone medical surgeries); Bill Goodwin, Cyber Gangsters Hit UK Medical Firm Poised for Work on Coronavirus with Maze Ransomware Attack, Comput. Weekly (Mar. 22, 2022) https://www.computerweekly.com/news/252480425/Cyber-gangsters-hit-UK-medical-research-lorganisation-poised-for-work-on-Coronavirus (ransomware attack); Helene Fouquet, Paris Hospitals Target of Failed Cyber-Attack, Authority Says, Bloomberg (Mar. 23, 2020) https://www.bloomberg.com/news/articles/2020-03-23/paris-hospitals-target-of-failed-cyber-attack-authority-says#xj4y7vzkg (unspecified attack on server); Dan Sabbagh & Andrew Roth, Russian State-Sponsored Hackers Target COVID-19 Vaccine Researchers, The Guardian (July. 16, 2020), https://www.theguardian.com/world/2020/jul/16/russian-state-sponsored-hackers-target-covid-19-vaccine-researchers (attacks on COVID-19 vaccine research groups).
[15] IBM Corp., Cost of a Data Breach 2022, IBM Corp. (July 2022) https://www.ibm.com/reports/data-breach.
