Contributed By Raja, Darryl & Loh
Difference Between Digital Healthcare and Digital Medicine
Unlike other jurisdictions which may distinguish between digital healthcare and digital medicine, whether from the perspective of the healthcare-provider, the patient or consumer, the regulatory framework or the technology, in Malaysia, the difference between digital healthcare and digital medicine is not clearly defined in any existing legislation.
Whether it is digital healthcare or digital medicine, the players in the digital healthcare industry will still have to navigate through the current Malaysian legislative and regulatory framework in undertaking such endeavours in Malaysia.
Technology Platforms That Collect and Store Data and Clinical Evidence Used in Patient Care
Turning specifically to the interplay between technology platforms in healthcare and digital health systems that collect and store data for possible use as clinical evidence in other future patient care, it should be borne in mind that the consent of the individual patient will have to be obtained for any such data to be processed for this purpose, as there is no exception provided under the Personal Data Protection Act 2010 and related regulations (see 1.2 Regulatory Definition for more details).
There is currently no specific legislative or regulatory framework in Malaysia that defines the terms “digital health” and “digital medicine”. In fact, Malaysia does not have specific legislation for digital healthcare [including for telemedicine and artificial intelligence (AI)]. The Telemedicine Act 1997, which was promulgated in 1997, never came into force. The lack of specific legislation should not, however, lead to the conclusion that digital healthcare products or solutions can be rolled out in Malaysia without the need to consider the impact of any current laws and regulations. The digital healthcare product, service or solution will need to be assessed to determine whether, depending on its form, contents and/or capabilities, among other features, existing legislative and regulatory requirements apply to that product, service or solution, as the case may be.
Aspects Subject to Existing Legislative and Regulatory Framework
In Malaysia, digital healthcare products or medical devices are primarily governed by the Malaysian Medical Device Act 2012. Under this legislation, “medical device” means, among others, any instrument, apparatus, implement, machine, appliance, software, material or other similar or related article intended by the manufacturer to be used, alone or in combination, for human beings for the purpose of, among others, diagnosis, prevention, monitoring, treatment or alleviation of disease or injury, or investigation, replacement, modification or support of the anatomy or of a physiological process.
Given the breadth of this definition, any software (and it can extend to similar or related technological offerings) that is capable of diagnosing, preventing, monitoring, treating or alleviating a disease or injury or investigating, replacing or modifying or supporting the anatomy or a physiological process would likely fall within the definition of “medical device” for the purpose of this legislation. If so, various provisions under this legislation relating to, among others, registration of the medical device will have to be adhered to prior to its roll-out into the Malaysian market.
In addition to the Medical Device Act 2012, the existing healthcare-related legislation which may have an impact on digital health and digital medicine products, solutions and services includes the Medical Act 1971, the Dental Act 1971, the Sale of Drugs Act 1952, the Medicines (Advertisement and Sale) Act 1956, the Optical Act 1991 and the Private Healthcare Facilities and Services Act 1998, to name a few, and newer legislation such as the Traditional and Complementary Medicine Act 2016 and the Allied Health Professions Act 2016 (together with all their related regulations). Any solution in healthcare using technology or digital platforms, whether it is a healthcare product, solution or service, a pharmaceutical dispensary/sale-related solution or a digital service or solution which measures or scans any part of the human anatomy for the purposes of delivering healthcare products, services or solutions to a patient or customer, will still have to comply with the existing legislative and regulatory framework in Malaysia. It will, therefore, be necessary to conduct a regulatory compliance check of the various aspects of these healthcare technologies or digital platforms and of what they are capable of doing (such as diagnostic, monitoring, measurement and/or treatment capabilities).
Aspects Not Subject to Existing Regulatory Framework
What is clearly not regulated, under the current legislative and regulatory framework in Malaysia, is the specific choice of technology and related aspects.
Key Technologies Enabling New Capabilities in Digital Healthcare and Digital Medicine
Big data analytics, AI, geographical information systems (GIS) and blockchains are utilised to manage high volumes of structured and unstructured data in the Malaysia Health Data Warehouse, which is part of the MyDIGITAL initiative (see 2.2 Recent Regulatory Developments for more details).
The Malaysia Health Data Warehouse is a national healthcare information-gathering and reporting system which seeks to cover all Government and private healthcare facilities and services and which enables users to capture, store and analyse health data in a centralised manner. See also 8.1 Developments and Regulatory and Technology Issues Pertaining to the Internet of Medical Things and 11.1 The Utilisation of AI and Machine Learning in Digital Healthcare for a detailed discussion on AI and the internet of medical things (IoMT).
In Malaysia, the lack of a defined regulatory framework for digital healthcare has resulted in uncertainty over what is and is not permitted.
For example, telemedicine is currently subjected to the existing healthcare framework with Acts of Parliament that go as far back as 1952. Telemedicine, as a part of digital healthcare, appears to be gaining traction. With the gain in popularity of telemedicine, ancillary legal issues are emerging relating to online-platform governance and accountability, such as the prescription of certain medicine and the promotion of medical services. These issues are being driven by the current COVID-19 pandemic and the aggressive marketing of the telemedicine platforms, coupled with the increasing concern by the regulators who are still operating under archaic statutory regimes.
COVID-19 has accelerated digital adoption and transformation. Digital technology has been used during the pandemic across the entire spectrum of public health measures, from contact tracing, disease surveillance, diagnostics, reports, dashboards, hospital surge capacity (beds, ventilators, labs, PPE), strategic communications, drug trials, vaccine management, forecasting and modelling, to virtual clinics and webinars. Digital healthcare or healthcare technology has essentially been used both at the community level and for operational and strategic purposes. The “MySejahtera” application was developed to assist in the monitoring of the COVID-19 outbreak, as well as to provide pandemic-related information to the public such as an outbreak tracker, COVID-19 health guidelines, vaccination registration/information and information on the healthcare facilities available. With regard to clinical care, the Ministry of Health signed a Memorandum of Understanding with a digital healthcare platform to establish a Virtual Health Advisory to provide the public with access to free consultations regarding COVID-19. Various public and private healthcare facilities were also constrained to establish their own teleconsultation services, primarily to ensure continuity in clinical care. Some healthcare facilities have entered into partnerships with digital healthcare platforms to provide home assessments and virtual consultations, with a view to reducing congestion at healthcare facilities during the pandemic.
Key Regulatory Agencies
The key regulatory agencies which play a role in digital healthcare and digital medicine include the Ministry of Health, the Medical Device Authority, the Medicine Advertisements Board of Malaysia and the National Pharmaceutical Regulatory Authority of Malaysia. From the perspective of digital healthcare and digital medicine:
The Ministry of Health, the Medical Device Authority and the Medicine Advertisements Board all have within their remit the regulation of various aspects of a digital healthcare, digital medicine or an e-wellness product, service or solution (depending on its form, contents and/or capabilities, among others), as discussed in 1. Digital Healthcare Overview.
Regulatory Development in the Digital Space
The Economic Planning Unit of the Prime Minister’s Department in Malaysia, on 19 February 2021, published the Malaysia Digital Economy Blueprint (Blueprint). The Blueprint sets out the Malaysian Government’s MyDIGITAL initiative, a national initiative symbolising the aspirations of the Government to transform Malaysia successfully into a digitally driven, high-income nation and a regional leader in the digital economy. The Blueprint discusses the digital economy's contribution to the Malaysian economy and builds the foundation to drive digitalisation across Malaysia in many sectors, including, but not limited to, the healthcare services sector. The MyDIGITAL initiative by the Government spans three phases of implementation up to the year 2030. In terms of healthcare, the initiative includes the development of a framework for the rapid adoption of technology for healthcare-related products and the acceleration of usage of the Malaysia Health Data Warehouse with the inclusion of blockchain.
There has been, however, no new specific legislative or regulatory development introduced to date that has impacted digital healthcare or digital medicine.
Regulatory Enforcement
Regulatory enforcement may take different approaches, depending on the alleged offence being committed and the applicable legislation. One key area is to ensure that activities undertaken by anyone in the digital healthcare industry in Malaysia, which can be said to be within the realms of the practice of medicine are not delegated to non-medical practitioners using these digital healthcare platforms or devices. Other areas for compliance include activities related to the prescription or dispensation/sale of certain pharmaceutical products through the digital platforms. These examples are not exhaustive and, as previously explained, much will depend on the digital healthcare product, solution or service being delivered.
The Private Healthcare Facilities and Services Act 1998 gives extensive powers to officers from the Ministry of Health to investigate, raid, seize items and order facilities to stop operations if they are found to be acting contrary to the provisions of the Act. These acts of enforcement can be undertaken without notice. Sanctions include substantial fines and imprisonment.
It is recommended that each digital healthcare-provider keeps a checklist of compliance with all relevant Acts and regulations. If ever prosecution is threatened, representations can be made to the Ministry of Health or such other relevant minister or regulatory authority and/or the Attorney General’s Chambers; and if charges are proffered, a defence will then need to be mounted in court.
There are several non-healthcare regulatory agencies which may play a role in the development of medical technologies in the Malaysian landscape, including the Ministry of Science, Technology and Innovation (MOSTI), the Malaysian Communications and Multimedia Commission (MCMC) and the Malaysian Investment Development Authority (MIDA). From the perspective of digital healthcare and digital medicine:
With regard to wellness, fitness and self-care, depending on the contents and capabilities of the solution delivered through technology or various digital platforms, these may still be regulated by the current healthcare statutory framework. For example, any wellness, fitness and/or self-care platforms that relate to the provision of traditional and complementary medicine will also need to comply with the provisions of the Traditional and Complementary Medicine Act 2016, and platforms that involve any allied healthcare worker will need to ensure compliance with the Allied Health Professions Act 2016.
In addition, ministries such as the Ministry of Domestic Trade, Co-operatives and Consumerism have also issued guidelines which will have to be complied with by anyone undertaking a beauty centre which provides various beauty, wellness and/or aesthetics services (including slimming and laser treatments).
The difference between preventative care and diagnostic care under the Malaysian healthcare system is not very different from that in other jurisdictions. Diagnostic care, being curative in nature, is perhaps more easily understood among Malaysians than preventative care as Malaysians generally veer towards diagnostic care in their healthcare pursuits rather than preventative measures. It is uncertain if this could also be attributed to the fact that preventative care is perhaps less apparent, with less related data or information being available from either the public or private sector.
The trend of utilising digital solutions in healthcare delivery, whether from a business-to-business or a business-to-consumer perspective, has contributed to the increased use of preventative care. It is undeniable that the spread and management of COVID-19 in the last two years have been pivotal to the growth and demand for digital solutions in healthcare products and services, whether in the public or private healthcare sectors.
Other factors which have led to the increased use of preventative healthcare include the proliferation of social trends such as fitness and wellness with many healthcare insurance companies introducing fitness and wellness mobile apps to their customers.
To the extent that wellness and fitness data forms part of a medical record of a patient, the Private Healthcare Facilities and Services (Private Hospitals and Other Private Healthcare Facilities) Regulations 2006 mandate that the licensee and the person in charge of the private healthcare facilities shall be responsible to safeguard information in the patient’s medical record against loss, tampering or use by unauthorised persons.
In the event that wellness and fitness data contain personal data relating to physical or mental health, such personal data is deemed as sensitive personal data under the Personal Data Protection Act 2010. Where sensitive personal data is processed by a data user, prior explicit consent of the data subject is required.
There is currently no reported decision by the courts in this specific area.
Preventative healthcare in the context of medical devices falls under the auspices of the Medical Device Act 2012. The Personal Data Protection Act 2010 would apply in relation to data stored or transmitted by medical devices and other software.
The Ministry of Science, Technology and Innovation launched the National Technology and Innovation Sandbox (NTIS) to allow for testing of products and services in a live environment (including healthcare related products and services). See 3.1 Non-healthcare Regulatory Agencies, Regulatory Concerns and New Healthcare Technologies. The Ministry of Health recently launched the Online Healthcare Services (OHS) Regulatory Lab, to allow the Ministry of Health and regulators to better understand new online healthcare services in a live and controlled environment. The Ministry of Health seeks to identify the appropriate regulatory instruments and improvements based on the findings from the regulatory lab. It is expected that further regulatory developments in this area may emanate from the NTIS and OHS Regulatory Lab.
Challenges faced by non-healthcare companies entering the market by introducing new technologies and the application of existing technologies to healthcare may include the failure to understand the applicable legal and regulatory framework pertaining to the healthcare sector. Such companies may initially dismiss the applicability of healthcare specific law to their new technologies without realising the breadth and scope of the said law. This can, unfortunately, lead to significant repercussions and in some cases immediate enforcement actions on the part of the regulator and/or the cessation of their business or product offerings.
The advent of 5G networks has allowed for significantly higher data-transfer speeds, allowing connected devices to share data more efficiently. See also 9.1 The Impact of 5G Networks on Digital Healthcare.
Although there has been a general heightened interest in the adoption of digital healthcare by major hospitals in Malaysia, there is no publicly known large-scale adoption of connected devices in the services provided by hospitals, including remote health and in-home care after discharge.
Patients aggrieved by adverse healthcare outcomes may initiate civil claims premised on, inter alia, breach of statutory duties, contract and/or tort. Authorities may also trigger criminal prosecutions under the relevant and applicable legislation, or the Penal Code. There does not appear to be any judicial reference and/or recognition relating to “claims of inability.”
Potential cybersecurity risks may arise with regard to the internet of medical things (IoMT) in both a cloud computing environment and in an on-premises and local computing environment, especially in respect of the security of patient data collected from connected devices.
In a cloud computing environment, since the servers forming part of the network are in the cloud, healthcare institutions are largely dependent on the infrastructure security provided by the cloud service providers. Such risks are to some extent addressed in the contracts with the cloud service providers; however, large cloud service providers may insist on their standard form contracts which may not offer the healthcare institutions an optimal level of protection.
With regard to an on-premises and local computing environment, healthcare institutions have more control over the cybersecurity measures to be taken as they would have more bargaining power when negotiating the contract with their service providers.
Healthcare institutions may also address cybersecurity risks in their information technology policies by, for example, restricting access to patient data to a small group of personnel, allowing devices to connect only to the minimum parts of the network they need in order to function, and conducting regular penetration testing.
To date, there are no specific proposed regulations or regulatory guidance being contemplated in the field of the IoMT. The existing regulatory regimes under the Medical Device Act 2012, the Communications and Multimedia Act 1998, the Personal Data Protection Act 2010 would, however, be generally applicable.
CyberSecurity Malaysia, which comes under the auspices of the Ministry of Communications and Multimedia, issued the Guidelines for Secure Internet of Things on 5 May 2020. These guidelines are, however, expressly for informational purposes only; they do not establish any rights for any person and do not have any binding force.
Regulatory Definition of Software as a Medical Device
As previously stated, under the Medical Device Act 2012, the term “medical device” is widely defined. See 1.2 Regulatory Definition, "Aspects Subject to Existing Legislative and Regulatory Framework" for the definition of a medical device. Given the breadth of this definition, any software or application that is capable of any of the foregoing would likely be a “medical device” for the purpose of the aforementioned Act.
Medical Device Authority
The regulatory authority is the Medical Device Authority, which is a federal statutory agency under the Ministry of Health to implement and enforce the Medical Device Act 2012.
Categorisation of a Medical Device by Risk
Medical devices are generally categorised by risk associated with:
The rules of classification are based on:
A manufacturer is responsible for classifying its medical device - the classes of medical device range from Class A (low risk) to Class D (high risk).
Software Improvements on a Continuous Basis
The Medical Device Authority does not currently separately address the fact that software improvements are made on a continuous basis; thus, at the time of writing, it is not clear if conventional timeframes for approving a medical device could hold back device improvement and patient care.
Artificial Intelligence and Machine Learning
In light of the broad definition of “medical device”, as set out above, products that use artificial intelligence and machine learning are not more likely to meet the regulatory definition of medical device compared with another type of software. This will have to be assessed on a case-by-case basis.
There does not appear to be a difference in regulation between software that uses adaptive or continuous learning from artificial intelligence and machine learning and “locked” algorithms and software in software-based or software-enhanced devices, as both are treated in the same manner.
A challenge which companies from outside the healthcare industry face when offering software as a medical device technology is the potential gap in the knowledge and experience relating to the provision of healthcare. Such companies may have the technological ability and expertise to produce the medical device; however, the device may not include certain features which are considered indispensable by a healthcare service-provider or healthcare practitioner. It would, therefore, be prudent to explore collaborations between such companies and healthcare service-providers or healthcare practitioners.
Role of Telehealth in Healthcare
Telehealth may potentially serve as a primary care modality that provides access to healthcare to those who prefer not to have in-person consultations or are not able to do so. There is not, however, sufficient data to demonstrate the rate of conversion and hence, to confirm if telehealth is indeed playing this role in any significant manner.
In Malaysia, telehealth primarily encompasses digital healthcare monitoring, virtual consultations and dispensation/sale of medication. Based on the growth reported by certain digital platforms, virtual consultations, in particular, have seen a steep rise since the start of the COVID-19 pandemic. Anecdotal reports suggest that, during the lockdown in Malaysia that commenced in March 2020, private medical practitioners saw a drop in patient in-person visits by about 70%-80%. Patients, however, appear to have delayed their consultations and may not necessarily have chosen virtual consultation as an alternative. Internet connectivity, which is a pre-requisite to an established national telehealth network, is a main hindrance to patients embracing telehealth and remote healthcare, particularly in rural Malaysia. As the licensing of practitioners is tied to their place of practice, telehealth which crosses provincial, state and national borders would challenge the concept of where the “practice of medicine” occurs. There is, however, no guideline nor judicial precedent in Malaysia that would assist with this concern at this stage. Virtual hospitals, however, do not appear to have gained any traction in Malaysia at the time of writing.
Acceleration of Telemedicine by the COVID-19 Pandemic
Malaysia passed the Telemedicine Act 1997, in June 1997, but it never came into force and as such, has no force of law.
During the COVID-19 pandemic, and amidst calls for regulatory guidance for the provision of telehealth, the Malaysian Medical Council issued an Advisory on Virtual Consultations which was expressed as being applicable only during the COVID-19 pandemic.
There is a push for the Malaysian Medical Council to provide even clearer guidance to healthcare practitioners who have commenced telemedicine consultations. The Ministry of Health has, in the meantime, been engaging with the relevant stakeholders to develop an Online Healthcare Services Regulatory Framework, with a view to rationalising the existing legal framework and providing clarity. It cannot, however, be said that regulatory barriers have been relaxed or removed, as the Ministry of Health has been actively monitoring digital healthcare-providers and active enforcement has been taken against some. Online platforms such as Zoom or Microsoft Teams are not specifically regulated, and there is no restriction on the use of platforms for telehealth at the time of writing. The appropriateness of the technology used is to be determined by the healthcare practitioners, as stated in the Advisory of the Malaysian Medical Council.
Rules and Regulations on Payments for Telehealth Services
There are no express rules that regulate the fees for telehealth services in Malaysia. Section 108 and the Seventh Schedule of the Private Healthcare Facilities and Services (Private Hospitals and Other Private Healthcare Facilities) Regulations 2006 regulate the fees for various procedures undertaken at private healthcare facilities. Consultation fees are provided under the Schedule. Arguably, the same consultation fee range would apply to telehealth consultations, whether it is the prescribed fee for general practitioners, the fee for initial specialist consultations or the fee for specialist follow-up consultations.
Further to this, paragraph 1.12 of the Malaysian Medical Council’s Code of Professional Conduct states that it would be an improper or unreasonable or unjustified demand or acceptance of professional fees from patients if the fees are contrary to the relevant schedules and provisions. Paragraph 4.10.3 of the Malaysian Medical Council’s Good Medical Practice states that a doctor must charge reasonably. These general rules should apply to telehealth services.
Internet of Medical Things
The IoMT refers to a connected infrastructure consisting of medical devices which use embedded sensors, microprocessors and communication hardware to collect, process and send data acquired from patients. Specific applications include wearables, which monitor heart rates and blood pressure of patients, and which send the monitored data to the patients’ doctors.
Some of the technological developments that have enabled the IoMT include machine learning and artificial intelligence. For example, medical devices which are AI-enabled may be able to measure and analyse patient data remotely on a real-time basis.
The regulatory issues to look out for which may be relevant to connected and smart devices (such as hospital beds), wearables, implantable and data exchange with other devices and hospital networks will depend on the form they take and their contents and capabilities. See 1. Digital Healthcare Overview for more details.
Security Risks
Potential security risks which arise with regard to the IoMT include situations where a device/wearable/implantable (Device) is hacked, resulting in the potential loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction of patient data residing in a Device.
When Devices are updated, it is crucial that the software/firmware update be encrypted (possibly in packets) to prevent hacking and interception. It is therefore important that the software/firmware update is secured and encrypted before it is uploaded onto the Device.
If the software/firmware update fails to be properly installed in a Device as a result of a hacking or interception event, there may be severe consequences, for example in a pacemaker. Issues of liability will need to be analysed primarily from the perspective of the party at fault and whether the alleged fault caused the harm alleged.
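As an added example (not code from the original guide), the following models the verify-before-install check a Device could apply to a software/firmware update, covering the failure modes the text describes: a tampered or intercepted image, a replayed older image and a truncated transfer. It assumes a constructed package layout (header, image, HMAC-SHA256 tag) and a per-device key held in protected storage, and it adds an integrity tag alongside the encryption the text mentions, because encryption alone does not let a Device detect a substituted or replayed image.

```python
"""Verify-before-install check for an IoMT firmware update (constructed example)."""
import hashlib
import hmac
import struct

MAGIC = b"IOMT"
TAG_LEN = 32
# Constructed package header: magic, version, image length (big-endian), 12 bytes.
HEADER = struct.Struct(">4sII")

# Constructed per-device key; a real Device would hold this in protected storage.
DEVICE_UPDATE_KEY = bytes(range(32))


def build_update(key: bytes, version: int, image: bytes) -> bytes:
    """Vendor side: wrap an image with a header and an integrity tag."""
    header = HEADER.pack(MAGIC, version, len(image))
    tag = hmac.new(key, header + image, hashlib.sha256).digest()
    return header + image + tag


def verify_update(key: bytes, package: bytes, installed_version: int):
    """Device side: return (version, image) if the package is acceptable.

    Raises ValueError when the package is truncated, malformed, fails the
    integrity check (tampered or wrong key) or would roll the Device back
    to a version no newer than the one already installed.
    """
    if len(package) < HEADER.size + TAG_LEN:
        raise ValueError("truncated: shorter than header plus tag")
    magic, version, image_len = HEADER.unpack_from(package, 0)
    if magic != MAGIC:
        raise ValueError("malformed: bad magic")
    if len(package) != HEADER.size + image_len + TAG_LEN:
        raise ValueError("truncated or padded: length does not match header")
    body = package[:HEADER.size + image_len]
    tag = package[HEADER.size + image_len:]
    expected_tag = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak timing about the tag.
    if not hmac.compare_digest(tag, expected_tag):
        raise ValueError("integrity failure: tag mismatch (tampered or wrong key)")
    if version <= installed_version:
        raise ValueError(f"rollback rejected: version {version} <= {installed_version}")
    return version, package[HEADER.size:HEADER.size + image_len]


class Device:
    """Minimal model of a Device that installs only verified updates."""

    def __init__(self, key: bytes, version: int, image: bytes):
        self.key = key
        self.version = version
        self.image = image

    def install(self, package: bytes) -> bool:
        """Install only when verification passes; state is untouched otherwise."""
        try:
            version, image = verify_update(self.key, package, self.version)
        except ValueError:
            return False
        self.version, self.image = version, image
        return True


def demo() -> dict:
    """Constructed scenarios: tampered, replayed (old), truncated, then genuine."""
    device = Device(DEVICE_UPDATE_KEY, version=3, image=b"firmware-v3")
    good = build_update(DEVICE_UPDATE_KEY, 4, b"firmware-v4")
    tampered = bytearray(good)
    tampered[HEADER.size] ^= 0x01                               # flip one image bit
    old = build_update(DEVICE_UPDATE_KEY, 2, b"firmware-v2")   # genuine but stale
    truncated = good[:-5]                                      # interrupted transfer
    results = {
        "tampered": device.install(bytes(tampered)),
        "old": device.install(old),
        "truncated": device.install(truncated),
        "good": device.install(good),
    }
    results["final_version"] = device.version
    return results


if __name__ == "__main__":
    print(demo())
```

Only the genuine, newer package changes the Device's state; every rejected package leaves the previously installed image in place, which is the behaviour a safety-critical Device such as a pacemaker needs when an update cannot be trusted.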
5G Network and Digital Healthcare
5G is expected to transform the existing mobile network in Malaysia as more data is transferred via 5G at much faster speeds, reduced congestion and lower latency (ie, the delay before a transfer of data begins following an instruction).
As telehealth is the provision of healthcare services remotely by utilising telecommunication technologies, it is likely that 5G networks will increase the use of telehealth in Malaysia in light of the exponential increase in data-transfer speed. For example, in the case of telemedicine, 5G will enable better transmission of video/audio between doctors and patients, leading to a more efficient consultation, diagnosis and treatment experience.
With regard to the internet of things (IoT), it is expected that the much higher data-transfer speed will enable more IoT devices to be connected and share data amongst one another much faster than before. In the context of healthcare, this will mean, for example, that wearables will be able to transmit data to a healthcare professional faster than before. The same applies to medical treatment in disaster areas and by first responders as the high data-transfer speed will translate to emergency services being provided much more quickly.
One of the commercial and contractual considerations healthcare institutions face in entering into arrangements with telecoms-providers to deploy and manage the 5G network is ensuring that such arrangements will enable them to make full use of the 5G network at a capped cost, instead of being charged on the basis of the amount of data downloaded or uploaded. Such healthcare institutions should also ensure that the telecoms-providers adhere to strict service levels in terms of 5G network availability to enable uninterrupted data transfer.
Data Use and Data Sharing
Data protection is a key legal issue with regard to the sharing of personal health information in research and clinical settings, unless that personal health information is processed for research purposes and the results of the research are not made available in a form which identifies the data subject. The same legal framework, ie, the Personal Data Protection Act 2010, regulates both data use and data sharing in Malaysia.
De-identification will alleviate, although not entirely remove, the risk of identifying the individual, as identifiers such as alphanumeric tags may still be present after de-identification. Data aggregation will also lessen the risk of certain personal health information being treated as personal health information, if individuals are not identifiable following the data aggregation exercise.
When a wearable healthcare device sends data to healthcare and non-health entities, consent must be obtained upfront, by checking a box consenting to the processing of personal data in the manner described in a personal data protection notice.
The Private Healthcare Facilities and Services Act 1998, makes it mandatory for written consent to be obtained for any invasive procedure. If such procedures are contemplated during a virtual consultation held with a view of securing consent, consent may be confirmed after a discussion by checking a consent box in a mobile application rather than obtaining a wet signature.
The essence of informed consent, however, remains. Any patient using digital healthcare solutions must be made aware of any added material risks that may be involved, including any risk or shortfall in the technology and any limitation related to virtual consults.
The obligation to ensure the protection of patients’ personal data lies primarily with the healthcare practitioner. However, if there is a breach or unauthorised use or access to personal health information, one cannot discount liability being imposed on digital healthcare platforms as well.
The Utilisation of AI and Machine Learning in Digital Healthcare
AI may mean either “artificial intelligence” or “augmented intelligence”, depending on which aspect of healthcare is under discussion. For example, it is more likely to be augmented intelligence in the case of precision surgical tools (which combine human skill with machine assistance to achieve precision) and artificial intelligence when a healthcare mobile application is involved.
An aspect of data use and data sharing of personal health information which is relevant to providing training data for machine-learning algorithms is the requirement that such use and sharing is:
Some of the key roles that machine learning plays in digital healthcare are the analysis of medical records and medical images for diagnostic purposes and the streamlining of electronic record-keeping by storing records in a more organised manner. The analysis of medical records and medical images is likely to pose the greatest risk of misuse or leakage of sensitive data and of cybersecurity attacks, because such data must be stored in order to be analysed. Regular penetration testing of the servers holding that data reduces, but does not by itself ensure, the security of that data.
The strength of using a centralised electronic health record system is accessibility and convenience for patient and doctor. The weakness is that, if the centralised system is compromised, all of a patient’s records are in jeopardy at once, which places considerable pressure on the owner or operator of such a system to ensure that its security controls are robust. The Personal Data Protection Act 2010 applies to data use and data sharing in the machine-learning context. Under the Private Healthcare Facilities and Services (Private Hospitals and Other Private Healthcare Facilities) Regulations 2006, the licence holder and the person in charge of the private healthcare facility are responsible for safeguarding the information in a patient’s medical record against loss, tampering or use by unauthorised persons.
Natural language processing (NLP) is a segment of AI in which a machine seeks to understand and derive meaning from human language. NLP aims to simplify our lives by managing and automating smaller tasks first. Common-use scenarios are smart assistants such as Apple’s Siri, email filters, predictive text and even urgency detection. Although no specific regulatory scheme is implicated, the product liability scheme set out in the Consumer Protection Act 1999 may be relevant in the event of a failure in a common-use scenario, except where that scenario relates to healthcare services provided or to be provided by healthcare professionals or healthcare facilities.
No specific privacy regulations have been enacted or proposed that address the use of AI and machine learning data in healthcare. There have not been any regulatory developments or ongoing government studies that address potential bias in AI and machine learning.
An AI-based healthcare product may, however, fall within the scope of a medical device under the Medical Device Act 2012 (see 1.2 Regulatory Definition, "Aspects Subject to Existing Legislative and Regulatory Framework" for the definition of a medical device). In such event, the provisions of the Medical Device Act 2012 may apply.
Any company seeking to introduce any new healthcare offering or business in any jurisdiction should expend sufficient resources and effort to understand the existing legal and regulatory requirements.
In Malaysia, enforcement action taken at the regulators’ own initiative, or on the complaints of whistle-blowers or of patients/customers of such offerings, resulting from a failure by healthcare companies to understand those legal and regulatory requirements is relatively common. Digital healthcare products that are medical devices are primarily governed by the Medical Device Act 2012, which defines a “medical device” broadly (see 1.2 Regulatory Definition, "Aspects Subject to Existing Legislative and Regulatory Framework" for the definition of a medical device). Accordingly, any software that is capable of diagnosing, preventing, monitoring, treating or alleviating a disease or injury, or of investigating, replacing, modifying or supporting the anatomy or a physiological process, would likely fall within the definition of “medical device”. In such cases, various provisions of the Medical Device Act 2012, including those relating to the registration of a medical device, will have to be complied with prior to its roll-out in the Malaysian market.
In light of the foregoing, established IT companies that have introduced digital healthcare technology as part of their technology and service offerings have adapted to operating in a regulated healthcare environment by conducting a regulatory compliance and due diligence check of the various aspects of those offerings and their associated capabilities (such as diagnostic, monitoring, measurement and/or treatment capabilities). Such diligence enables the IT company to bring its new offering within the existing framework and to anticipate future developments.
In entering into contracts for new digital healthcare technologies, healthcare institutions and other customers of new technologies have requested protective provisions, especially warranties and undertakings of compliance with the law. Such warranties include, without limitation, warranties relating to proactive cybersecurity and data protection measures, in particular with regard to the reporting of data breaches.
IT Upgrade for Digital Healthcare
In addition to cloud servers, state-of-the-art on-premises servers able to process information at much higher speed are required to support digital healthcare, especially in the fields of telehealth, machine learning, the Internet of Medical Things (IoMT) and data transmission. Network security should also be upgraded, in particular to support the IoMT and data transmission. This goes hand in hand with stronger encryption of data both in transit and at rest, which facilitates data protection in the IoMT context where data is uploaded and downloaded between wearables and servers residing in healthcare institutions.
Healthcare institutions should also explore procuring AI-driven platforms with the capacity to analyse massive amounts of data which accelerate machine learning and which in turn encourage automation.
In addition, the IT infrastructure of healthcare institutions should be upgraded in relation to its internet connectivity to improve the audio and video quality of telehealth consultations. Virtual private networks could also be explored.
There are no specific proposed or enacted regulations regarding the implementation of IT upgrades. With regard to data management practices and technologies, the Personal Data Protection Standard 2015 prescribes requirements with which entities that process personal data must comply in order to protect personal data from loss, misuse, modification and unauthorised access or disclosure. These requirements relate to security, retention and data integrity and include the requirement to, inter alia:
Scope of Protection of the Intellectual Property
The scope of protection under patent and copyright, in so far as it relates to digital health, is the same as that afforded to inventions and works in any other field. There is no specific legislation for the protection of trade secrets in Malaysia; such information is instead protected as confidential information under the common law and/or by contract, using non-disclosure agreements.
Compilations of data and databases may be eligible for copyright protection by reason of the selection and arrangement of their contents, but not the data or database per se. If the data or databases are subject to confidentiality obligations, the rules on trade secrets may apply.
Based on current legislation (and in the absence of any case law or judicial decisions to the contrary, as is currently the case) protection of patents and copyright in Malaysia appears to relate only to inventions or works that are human-made or at least human-directed. If the invention or work was created purely by AI without any human intervention or contribution, the current legislation does not recognise the AI as a valid or legal “inventor” or “author” of the invention or work and, as such, may not by that reason accord protection to the invention or work in question under the relevant existing intellectual property laws.
The main types of intellectual property protection that should be considered for digital health products would be patents, industrial designs, trade marks, copyright and trade secrets.
A patent could potentially protect the digital health devices and/or technologies developed. Patent protection confers a monopoly for a limited period, but the route to obtaining a patent can be difficult and expensive, as issues of novelty and inventiveness, as well as the use of AI, would have to be addressed in determining the patentability of the digital health invention.
An industrial design on the other hand can protect the aesthetic or ornamental design of a wearable medical device but would not protect any functional aspects of such devices. The underlying software for the digital health devices and/or technologies would be protected under copyright as a literary work. Information having value (ie, not known or readily accessible information) can be protected as trade secrets and the usual manner of securing this type of protection is by way of contract.
The brand is also important, as it acts as an identifier of source or origin, which in turn generates goodwill and trust in the market. Ideal protection would be a trade mark registration with the Intellectual Property Corporation of Malaysia (MyIPO), provided the brand meets the registrability criteria, in particular distinctiveness.
The licensing structure when licensing intellectual property (IP) rights in digital healthcare would be similar to a licensing structure when licensing IP rights in other industries, but with regard to the digital healthcare industry, more importance or prominence must be placed on confidentiality, modifications or improvements of the licensed IP and termination.
Digital healthcare is a new and innovative area. The licence agreement should therefore clearly set out who will own modifications or improvements to the licensed IP. Another essential aspect is the confidentiality clause, which must clearly set out all the confidentiality requirements between the contracting parties and limit disclosure of confidential information or trade secrets to a need-to-know basis. The licence agreement must also provide for the consequences of termination, to ensure that no rights under the licence pass to a third party upon termination or upon an act that would result in termination.
Generally, intellectual property rights can be allocated in any manner as may be agreed amongst the parties involved. In the absence of any such agreement to the contrary, the following general rules would apply.
Based on current patent legislation in Malaysia, inventions created in the course of employment belong to the employer. Therefore, if the physician/inventor is an employee of a university or healthcare institution, the rights to that invention would be deemed to accrue to the university or healthcare institution, unless the employment agreement states otherwise. The same principle applies to private-sector technology companies: if the invention was created by an employee in the course of employment, it belongs to the employer. If a third-party contractor was engaged by the company to be involved in the development of a device or medical innovation, the rights to the invention would be deemed to accrue to the company unless the agreement states otherwise. Similar principles apply to works protectable under copyright and to industrial designs.
Contracts and Collaborative Developments
Given the deeming provisions relating to ownership of inventions or works made during the course of employment or under commission, if the inventor/author wishes to retain ownership or be recognised as a co-owner of the invention or work, clear provisions on ownership must be set out in the contractual agreement or collaborative arrangement.
Liability in Patient Care
Hitherto, healthcare practitioners, healthcare-providers and their employees would be primary defendants in civil suits which are premised upon medical negligence. However, data analytics, AI and machine learning may challenge the existing convention and impose liability on various other parties in addition to healthcare practitioners, healthcare-providers and their employees.
The determination of liability is likely to be heavily dependent on the cause of the injury that is suffered and if the cause can be traced to the use of the data analytics, AI, machine learning and software. Any medical device used in the treatment of patients will need to be coupled with documented training and, possibly, accreditation of all potential users. Liability will depend largely on the reasonableness of the conduct and the sufficiency of the training. Bias in AI is not, however, an issue that can be easily addressed at this stage as there is insufficient applicable case law to assist.
Third-Party Vendors
Third-party vendors’ products or services could be a vector for cybersecurity attacks if those products do not protect the data they handle with encryption, are not kept patched, or have not been properly checked for malware, making them more vulnerable to such attacks. It is therefore imperative to obtain the requisite product warranties and indemnities from those third-party vendors, including undertakings to notify the customer of security incidents affecting the product.
Consumer Protection
The Consumer Protection Act 1999 is of general application to goods and services that are offered or supplied to one or more consumers, subject to the proviso in Section 2(2) thereof, which stipulates, among other things, that the Act does not apply to healthcare services provided or to be provided by healthcare professionals or healthcare facilities.
Whilst the provision of healthcare services is excluded from its ambit, the Act may arguably apply to producers and/or developers of digital health technologies which do not involve the services of a healthcare practitioner or healthcare facility. Such scenarios may include complex and innovative AI systems, particularly those which use software based on self-learning algorithms.
Ultimately, the exposure to liability under the Act is product-dependent and, to date, has yet to be tested in the Malaysian Courts. Understanding the applicable digital health technology-based risks, how they are likely to be assessed under the current legal and regulatory framework and how this might change, is therefore key to any organisation thinking of implementing digital health technology.
Artificial intelligence and predictive healthcare appear to be a given in the near future. Digital platforms are shifting towards predictive healthcare solutions, such as wearables with tracking functions and mental health predictive platforms. Legal issues that may arise would likely revolve around the liability of practitioners monitoring data in the event of missed diagnoses, data security and the establishment of doctor-patient relationships.
Levels 25 and 26 Menara Hong Leong
No 6 Jalan Damanlela
Bukit Damansara
50490
Kuala Lumpur
Malaysia
+603 2632 9999
+603 2632 9850
joyceteh@rdl.com.my
www.rajadarrylloh.com