The current statutory regulatory regime in Israel does not contain specific provisions concerning digital healthcare or digital medicine. Moreover, the current legislation is yet to be adapted to address the various aspects of the fourth industrial revolution of digital transformation in general.

But technological advancement does not wait for the government or the legislature. Digital transformation affects many fields, including all facets of the healthcare industry, from the application of big data, AI and machine learning to aspects such as precision/personalised medicine, the shift from treatment to predictive and preventative medicine, improved drug discovery procedures and clinical trials performance, the development of sophisticated diagnostic procedures (including those based on wearables), as well as improvements in the day-to-day management of logistical aspects of the provision of healthcare services by health maintenance organisations (HMOs) and hospitals. In addition, as the provision of healthcare uses more and more digital channels, the opportunity for researching the resulting data increases even further.

As noted above, there are no regulatory definitions of digital health and digital medicine. There are several circulars of the Ministry of Health (MoH) addressing certain aspects of these activities. The main body of regulation that is not health specific but that applies to digital healthcare is the privacy protection framework.

Some of the key technologies enabling new capabilities in digital healthcare and digital medicine are:

• sensor technologies, facilitating nano-level detection as well as various non-invasive techniques; these are particularly useful for wearables;
• AI and machine learning technologies – these are useful both for studies aimed at finding treatment and diagnostic solutions that will improve predictive medicine and personalised medicine, as well as for the development of decision support systems for physicians and other workers of the healthcare industry, and workflow systems for large healthcare institutions;
• high-speed and high-bandwidth sophisticated telecommunications systems useful for both telemedicine and remote care; and
• advanced computer vision technologies that facilitate, together with AI and machine learning technologies, improved interpretation of various medical imaging devices and are currently used as decision support tools for physicians.

The emerging key legal issues in digital health are explored in more detail below. Briefly put, they include privacy and data security issues, healthcare regulatory concerns such as anonymisation and preservation of confidentiality of health data, regulatory limitations on data sharing, and the application of contract and commercial law to the evolving industry of data access and licensing.

The impetus behind developing and adopting digital healthcare technologies was strong even before the COVID-19 pandemic. Nevertheless, the pandemic did bring about a certain acceleration because of the increased motivation, both for the public sector and the private sector, to invest financial resources into more efficient provision of healthcare services. This included telemedicine solutions, AI-based monitoring solutions (for example, a monitoring system that enables advance prediction of respiratory complications of patients hospitalised in intensive care units or another hospital unit) and automation of digital processes. Home diagnostics devices connected to the internet enabled patients who are limited in their ability to make it to the physician at the clinic to transmit medical data on an ongoing basis to their physician.

Lastly, the highly developed infrastructure for big data studies enabled data studies of the results of the national vaccination programme that resulted in millions of people being vaccinated in a very short period of time. The results reported in prestigious magazines have enabled the global medical community to benefit from Israel’s experience within a very short period of time.

The key regulatory agency is the Ministry of Health. The MoH is responsible for most aspects of the healthcare and pharmaceutical industries. It issues marketing authorisations for pharmaceuticals and for medical devices, including regulation of the requisite clinical trials. It also regulates the activities of the HMOs. Finally, the MoH regulates the practice of medicine by physicians. There is no separate agency that is entrusted with the regulation of digital medicine, digital health and/or medical devices.

The digital transformation of the healthcare industry is highly active, but the development of a comprehensive and detailed digital healthcare regulatory scheme is lagging and lacking. The government published a national digital transformation plan and the MoH followed suit with its own digital health programme. However, primary legislation was not amended. Draft regulations (secondary legislation) relating to health data anonymisation and health data used in sharing have been published for public comments but have not been published yet.

Thus, the main regulatory documents that have been published today are circulars of the general manager of the MoH that concern certain aspects of secondary use and sharing of health data, the use of digital means in the process of obtaining informed consent, the use of cloud computing in the Israeli healthcare system, the criteria for operating telehealth medicine, providing patients accessibility to personal health data (“healthcare in the palm of your hand”), the protection of information in computerised systems in the healthcare system, etc. The circulars are aimed to be enforceable on the HMOs and hospitals, although this is partially disputed by certain HMOs. Their enforceability on the private sector is dubious (but since the private sector relies on access to data held by healthcare institutions, actual control over actual conduct is substantially achieved).

At the data protection and privacy level, the Privacy Protection Authority has published statutory regulations covering the various aspects of data protection. The regulations were inspired by, and are generally consistent with, the European General Data Protection Regulation (GDPR).

The main regulatory enforcement activity currently conducted concerns privacy protection enforced by the Privacy Protection Authority. The extreme sensitivity of health information on the one hand and the high pace of adoption of digital health solutions against the background of a lack of a detailed and systematic regulatory healthcare scheme are obvious drivers to the special attention paid by the Privacy Protection Authority.

The enforcement activities of a regulatory authority can be conducted on the administrative or criminal level. Administrative measures may be, for example, the imposition of fines, calls to remove officers from office and the like. Before imposing an administrative sanction, the regulatory authority must collect evidence sufficient to justify its decision and, in general, must allow the institution to be heard before a final decision is made. Criminal enforcement is conducted by filing suit to a court having jurisdiction and may result in imprisonment, a fine or both.

The Privacy Protection Authority is a non-healthcare regulatory agency responsible for enforcing the privacy and data protection legislative scheme in Israel. All other health-related issues (including wellness, fitness and self-care) are regulated by the MoH.

The Privacy Protection Authority is primarily concerned with issues such as the manner of collecting of data; the manner of sharing data; and the preservation of the confidentiality of private data, including health data, including protection against data breaches, cyber-attacks and the like. The MoH is concerned with probably all aspects of the healthcare and medical industries. These include the health of the patients (safety and efficacy of treatments), proper management and financial stability of the health institutions, the national health budget, and the rights of patients. Thus, the issue of health data use and sharing is subject to overlapping jurisdiction. As regards data anonymisation, the MoH takes the lead. Discussions between the two authorities are generally not transparent.

There is no significant difference between preventative care and diagnostic care under Israel’s healthcare systems, since both of them are regulated under the same laws and regulations. For example, the definition of “practice of medicine” under the Physicians Ordinance [New Version], 1976, does not differ between specific fields: “means any examination, diagnosis or treatment of, and the giving of any prescription for, sick or injured persons, attendance to women in connection with pregnancy and childbirth, and other services generally performed by a physician”. Accordingly, health maintenance organisations provide a wide range of medical services, including services of preventative care, as well as of diagnostic care.

Social trends such as people becoming more knowledgeable and active about their health during the COVID-19 pandemic, brought about an expansion of digital health. Government initiations (such as the food labelling reform) have also contributed to health awareness and increased the focus on preventative care. Accordingly, healthcare and non-healthcare organisations began investing in the wellness field. Health maintenance organisations began to implement their services and technologies for healthcare and wellness. For example, Clalit (a healthcare service) provides its members with the “Active” app – a program for promoting a healthy lifestyle, which recommends to its users various personal goals, such as a daily number of steps, and other physical activity, as well as drinking of water, sleeping hours, and more. 

Israel is a leading country in preventative care. One of the fields in which Israel invests is Food-Technology. For example, in 2020 the Inaugural Global Wellness Summit Prize for Innovation was awarded to Amai Proteins, an Israel-based innovator that developed protein-based products for food and beverages, including a sweet designer protein as a substitute for sugar, (“Designer Sweet Proteins”) that significantly reduced added sugar in a wide variety of food and beverages. The awareness of preventative care is constantly rising, leading to the development of new technologies that promote a healthy lifestyle.

Wellness and fitness data are not subject to specific healthcare or privacy regulations, but rather to general regulations that apply to data and digital health (see a list of relevant regulations in 4.1 Preventative Versus Diagnostic Healthcare).

In addition, the General Director (GD) of the Ministry of Health (MOH) published a few circulars referring specifically to digital health, as listed below:

• GD Circular dated 17 January 2018, regarding secondary uses of health data;
• GD Circular dated 17 January 2018, regarding collaborations based on secondary uses of health data; and
• GD Circular dated 11 November 2019, regarding patient access to personal health data – “Healthcare under your Control.”

The health data circulars currently prescribe the extent of protection over health data. In general, unless otherwise specified by law or approved by an explicit opt-in, any data under secondary use will be de-identified. Furthermore, any secondary use of health data for research purposes must be pre-approved by the Helsinki Committee.

No law in this field has been developed by courts or judges, but rather by legislative enactment.

To date, no regulation applying specifically to preventative healthcare has been enacted in Israel.

The digital healthcare market’s landscape is in constant flux, and there are many areas of uncertainty; it may also vary among countries. Thus, partnering with an institution with experience in the field is advantageous. Special attention must be paid to the regulatory schemes applicable to both the R&D stage, as well as to the commercial marketing and sales stage.

All the following have enabled the enhanced use of connected devices in digital healthcare:

• technologies of telehealth;
• wearable electronics that allow user data capture;
• AI/machine learning that enable user data processing, analysis, diagnostics and prediction;
• a cloud that allows remote monitoring of patients; and
• robotics that allow automatisation of tasks in hospitals and assisted surgery.

In this regard, Clalit provides its members with the "TytoHome" device that can be used at home, through which doctors can remotely perform a live examination and provide a diagnosis, treatment notes, and any referrals or prescriptions. The TytoHome kit allows for detailed health readings on critical areas of the body, such as the heart, lungs, ears, throat, abdomens and skin, as well as heart rate and body temperature. Another example is the CardioSen’C device of SHL, a portable device that monitors heart activity, and which is equipped to communicate the results instantaneously to a cardiologist.

There is no specific legislation on digital health, hence general tort law applies. This includes, primarily, the tort of negligence and the regime of strict (no fault) liability under the Defective Products Liability Law, 5740-1980. Breach of contractual warranties may also come into play.

When using a cloud computing environment, questions arise regarding the privacy and security of the data uploaded to the cloud, and its security. When the cloud is located outside of Israel, questions arise regarding the authority to transfer such data outside the country’s borders.

The Privacy Protection Regulations (Transfer of Personal Information to Databases Outside the State Borders), 5761-2001 set out conditions for transferring data abroad; for example, the party the data is transferred to must undertake to comply with the conditions for data retention and use applying to a database located in Israel (section 2 (4) of the Regulations). In July 2019, the MOH authorised, for the first time, hospitals and healthcare organisations to use cloud services. Alongside the benefits of using cloud services (such as digital medicine upgrading and cutting back on computing costs), there is concern about stealing patient medical data and the risk of cyber-attacks. Oracle decided to set up a data centre in Israel, which will include two cloud servers: one designed for the government and security forces, with a particularly high level of security; and the other for the business sector, corporate clients, as well as start-ups.

As to the local computing environment, the concern regarding the privacy and security of the uploaded data still exists but can be minimised by setting forth and implementing data security standards. The Protection of Privacy Regulations (Data Security) 5777-2017 states that, in the event of a contract between a database owner and an outside entity for the purpose of receiving a service, a number of provisions must be stipulated in the agreement, including:

• the data that the outside entity may process and the purposes of the use permitted in the contract;
• the manner of implementation of data security obligations the holder has;
• the contract term; and
• the return of the data to the owner at the end of the contract.

The health data circulars prescribe the extent of protection over health data. In general, unless otherwise specified by law or approved by an explicit opt-in, any data under secondary use will be de-identified. Furthermore, the circulars set detailed conditions for privacy, medical confidentiality and data security.

To date, there are no specific proposed regulations or regulatory guidance in the field of the internet of medical things.

Unfortunately, there is no statutory definition of software as a medical device. The registration of medical devices is entrusted to the medical accessories and devices (MAD) unit of the MoH. It must be noted that there is no legal requirement to obtain marketing approval for medical devices. The MAD unit nonetheless operates because HMOs and hospitals will not purchase non-approved devices. The MAD unit recognised US (510K) and EU (CE) approvals, meaning that holders of such approvals can easily obtain authorisations in Israel as well.

To date, telehealth has been more widely used in Israel in some fields. Patient-physician consultations through video calls have become popular but primarily after hours (through central service centres). Remote monitoring by means of handheld medical devices carried by the patients in their home has also become popular. This device not only monitors certain indices but also allows the physician to (partially) inspect the patient as if the patient were in the clinic. Surgeries have been conducted in hospitals with the participation of foreign experts through video calls. Virtual hospitals have not yet been established.

One of the concerns raised in the context of telemedicine is the digital divide and the concern that certain populations will be discriminated against and not be able to benefit from these new services.

As yet, there are no special regulations for cross-border provision of services and the general rules apply (meaning that non-licensed practitioners cannot provide health services from abroad).

During the COVID-19 pandemic, certain relaxations of the regulatory scheme were made. For example, the guidelines regarding clinical trials were modified and relaxed in several aspects with a view to achieving social distancing during the informed consent process, meetings to discuss and approve the conduct of clinical trials, etc. Notably, studies on health data were exempted from certain approvals if the data was anonymised. All such relaxations were cancelled after the pandemic subsided.

Almost all healthcare services are provided by the four major HMOs. The HMOs are funded by the government based on the number of patients they treat. The HMOs are generally not required to provide drugs and medical services not funded by the government. Each year, a special committee approves the introduction of new drugs and new technologies to the "healthcare basket", thereby requiring the HMOs to provide such solutions.

A host of technological developments have enabled the internet of medical things (IoMT) to develop to its current stage. One could begin with continuous improvements in authentic communications infrastructure (culminating in the recently introduced 5G network technology) that facilitates connectivity and bridges geographical gaps, improvements in computer vision, as well as various imaging techniques, coupled with the miniaturisation of chips and other hardware components, the increased computational power of computers, the development of highly sophisticated sensors (in particular, non-invasive wearable ones), the improvement in energy storage and battery life, and the maturity of machine learning and AI as applied to health data, to name just a few of the driving technologies.

The development of IoMT facilitates a wide scope of functionalities, such as remote monitoring; remote measurements of patients’ indices, such as pacemaker monitoring, infusion pumps, insulin pumps and implant condition monitoring; as well as control and management of available resources and assets, building control and monitoring the environment of patients.

However, the growing use of these components and technologies results in increased exposure to cyberthreats, privacy risks through the exploitation of existing vulnerabilities, hostile takeovers and the like.

In order to assist health organisations in addressing these risks, the National Cyber Authority published in late 2020 a guide entitled “IoMT-Based Medical Device Protection Recommendations”, which concerns performing actions and controls to strengthen IoMT devices, while making recommendations for dedicated controls. The guide builds on classifications published by the Cloud Security Alliance (Managing the Risk for Medical Devices Connected to the Cloud). As it states, it should be remembered that there is no single technology applicable for all types of systems. Therefore, cyber protection for IoMT components has necessitated requirements for the protection of such components as well as protection from them. Also, a variety of components are provided by a variety of vendors and not every one comes with the same security settings. These facts make it difficult to create standardisation and uniform component management. This results in a need to protect IoMT components and their environments while combining different controls (policies, technologies, physical).

The introduction of 5G networks is expected to have major beneficial effects on the healthcare industry. Owing to its high bandwidth, high speed and improved latency and error rate, 5G technology is expected to:

• better facilitate remote monitoring and telemedicine;
• enable sophisticated surgeries conducted from remote locations and improved machine learning capabilities, particularly with respect to large image files;
• enable high computing power to mobile devices dependent on communications;
• obviate the need for close proximity between machine learning servers and data sets; and
• facilitate global immediately available medical consultation and other similar improvements.

Unfortunately, the deployment of the 5G network infrastructure in Israel has been considerably delayed and it is not yet clear when this technology will be fully operable in Israel.

The key legal issues in using and sharing personal health in research and clinical settings are as follows.

• Compliance with the requirements imposed by the privacy protection regulatory scheme. These include the maintenance of appropriate data security protocols, the use of collected data solely for the purpose declared upon collection, and the registration of databases containing sensitive health information.
• Compliance with the requirements imposed by the MoH regarding the use and sharing of health information. These include the requirement to maintain the anonymity of patients through de-identification, aggregation and sometimes the use of synthetic data; the need to obtain approval for the conduct of clinical trials as big data research is considered a type of a clinical trial requiring pre-approval; limitations on the grant of exclusivity for conducting big data studies; certain limitations on the permissible nature of big data studies; and requirements pertaining to their contractual undertakings for entities wishing to have access to health data in order to conduct studies, etc.

There are no different regulatory frameworks for data use or for data sharing. The distinction made is between primary use, which is use of a person’s health data (including identifiable data) substantially for the purpose of treatment of that particular individual, and secondary use, which is defined as any other use. Primary use does not require the patient's consent. Secondary use requires either the patient's informed consent (opt in) or the use of anonymised data (which, if properly done, exempts from the need to obtain the patient's consent).

There are cases when the comparison of anonymised data with other data sources can result in re-identification. When access to the other data source requires informed consent (such as genetic data), the patient will typically be requested to provide consent to access their other phenotypic data. Alternatively, the database holder (eg, the HMO) will provide the researcher with unique keys that enable only the HMO but not the external researcher to connect and then analyse data with the identified data of the patient.

Informed consent may be obtained either by traditional means or by digital means. When digital means are used, this must be done in a procedure published by the MoH in October 2020. The general rule is that there must be a face-to-face meeting between the participant in the trial and the researchers. However, such a meeting can be conducted virtually and not necessarily in person. When choosing whether to make use of digital means in the process of obtaining informed consent, one must examine, among other things, the balance between the benefit of using such means and the associated risks, the severity of the medical intervention in the clinical trial, the characteristics of the target population and their accessibility to the proposed digital means, the number of participants and the degree of their accessibility to the place where the trial is conducted.

One declared goal of the procedure is to prevent the exclusion of various populations, having regard to the digital divide. Lastly, when asking a patient to opt in to participate in studies and activities that do not have direct benefits for such person, it is preferable that the request to opt in by way of an informed consent be done by a special recruiter rather than by the caring physician.

The regulatory scheme mainly addresses the issues of data security, data sharing, and anonymisation. It does not yet regulate the utilisation of AI and machine learning in general or the digital healthcare industry in particular.

Machine learning is particularly useful in the healthcare industry in research fields such as computer vision (the analysis of images for the purpose of diagnostics); associations between phenomena that are useful, for example, for drug repurposing and identifying novel indicators useful to predict illness; and gleaning the wisdom of the masses, namely, creating algorithms for decision support systems that produce a result that is equivalent to (if not better than) consultation with masses of peers.

One of the challenges for training machine learning algorithms is the need for access to sufficiently large and representative data sets and the need for removing bias underlying past decisions studied by the algorithm. Luckily, the data sets of the two large HMOs in Israel are relatively large. Nevertheless, when a particular research topic requires the pulling of data from different sources, the process is still cumbersome. Another limiting factor is the need to have geographical proximity between the machine learning server and data set.

Natural language processing (NLP) is particularly useful in big data analysis of interactions between a physician or a therapist and their patient. NLP may also be useful in the digitisation of handwritten records.

It seems that research on genetic data presents one of the higher risks of misuse of sensitive information. This is because in other use cases, such as studying medical conditions, the risk lies in the possibility of the perpetrator connecting between the data and the person. When it comes to genetic data, the data is the person.

To date, there are no specific enacted regulations that address the use of AI and machine learning data in healthcare.

However, an Artificial Intelligence and Data Science Committee was appointed in February 2020 by TLM (Forum for National Infrastructures for Research and Development), with the aim of examining the need for government intervention to accelerate the development of Artificial Intelligence and Data Science.

The committee recommended that future regulation in the field of AI should address the following parameters:

• “Enabling regulation”, namely a regulation that enables a rapid technological development that is not slowed down by out-of-date regulation;
• standardisation and legislation of algorithms, models and data;
• purchase and sale policy of algorithms and products, especially regarding products of the security forces;
• establishment of data centres and platforms for data sharing and models; and
• data management, cybersecurity and information protection.

To date, there are no specific enacted regulations that address the use of AI and machine learning data in healthcare.

However, an Artificial Intelligence and Data Science Committee was appointed in February 2020 by TLM (Forum for National Infrastructures for Research and Development), with the aim of examining the need for government intervention to accelerate the development of Artificial Intelligence and Data Science. The committee recommended that future regulation in the field of AI refers to the following parameters: “Enabling regulation”, namely a regulation that enables a rapid technological development that is not slowed down by out-of-date regulation; standardization and legislation of algorithms, models and data; purchase and sale policy of algorithms and products, especially regarding products of the security forces; establishment of data centres and platforms for data sharing and models; and data management, cybersecurity and information protection.

The IT infrastructure of the HMOs giving care to the majority of the patient population in Israel is well developed to support digital healthcare. The same is true for the main large hospitals. Some of the challenges lying ahead include:

• commonly accepted standardisation of classification of clinical data;
• digitisation of old records;
• data curation;
• establishing infrastructure and promoting participation in platforms for the pulling of clinical information; and
• securing the resources necessary to recruit patients when opt-in is required, such as genetic and bio-sample studies.

To date, there are no specific proposed regulations or enacted regulations regarding the implementation of IT upgrades. In general, the manner in which data is managed is not statutorily regulated, except for regulation in connection with the protection of data privacy (Protection of Privacy Law, 5741-1981 and Protection of Privacy Regulations (Data Security) 5777-2017) and the health data circulars aimed at regulating secondary use of health data.

Patents are generally available for any invention that is a product or a process in any technological field that is novel, non-obvious, useful and capable of industrial application. A noteworthy exception to patentability is the prohibition of patents for a process of medical treatment of humans. This exception, coupled with case law trends concerning patentable subject matter, sometimes creates hurdles in pursuit of patent protection for inventions relating to personalised medicine. The territorial limitation of patents (patents being enforceable only within the territory of the country where they were registered) requires careful drafting of claims of patents relating to ex vivo diagnostics of medical conditions.

Copyright protects software as a literary work, but such protection generally extends only to the way of expression rather than the functionality and technological ideas underlying the code. The latter should be protected by patents where possible. Data sets are generally not protected by copyright and there is no sui generis database protection in Israel.

Trade secret protection is available in Israel and may protect confidential information, including non-patentable inventions and non-copyrightable data sets. However, in order to benefit from such protection, the information must be kept confidential, and the owner of the confidential information must show that they took reasonable efforts to protect the confidentiality of the trade secrets. Reverse engineering, as such, is permissible.

There is no case law, as yet, regarding inventions and works of authorship created by AI technologies without direct human contributions. The author would submit that any person who was involved in the process of creation and has provided inventive contribution to the inventive concept of the invention (under the classic inventorship criteria) should be deemed an inventor.

In general, IP rights in the field of healthcare are difficult to enforce, since there is a convention that healthcare should be for the benefit of the public and enforcing rights in this field can be deemed as harming the access to health.

Patent protection is governed by the Patents Law, 5727-1967. The law defines a patentable invention as one that is a product or process in any area of technology, which is novel, has inventive step, and has utility and industrial application. However, the law excludes a certain type of invention: a process for human medical treatment. Diagnostic and veterinary methods are not excluded per se.

A discovery, scientific theory, mathematical formula, game rules and computer software per se, are not patentable, due to case-law precedents. In general, if the invention involves a technological solution to a technological problem, it is patentable, whether the solution is in the software, or not. There is no specific legislation applicable to digital health inventions and every application is examined on its merits.

There are some difficulties in protecting software and algorithms, since, on one hand, patentability issues may arise, and, on the other hand it is difficult to enforce such rights from the evidentiary aspect (to prove that the competitor copied the code).

Copyright protection is governed by the Copyright Law, 5768-2007. Copyright law protection may be particularly relevant to software and certain compilations of data, but there is no protection of databases per se.

As of 2018, icons, graphical user interfaces and screen presentations are not protected by copyright, but rather by the Designs Law, 5777-2017. Non-registered designs are protected for three years and registered designs are protected for up to 25 years.

Trade secret protection is governed by the Commercial Torts Law, 5759-1999. A trade secret is defined as “business information, of all kinds, which is not in the public domain and is not easily disclosed by others lawfully, and the confidentiality of which affords its owners a business advantage over their competitors, provided that its owners take reasonable steps in protecting its confidentiality”.

The law prohibits misappropriation of a trade secret which is defined as:

(i) taking a trade secret without the owner’s consent by improper means, or the use of the secret by the acquirer;

(ii) use of a trade secret without the consent of its owner where the use is contrary to a contractual obligation or a duty of trust the user has to the trade secret owner; and

(iii) acquiring a trade secret or using it without the consent of its owners, where it is clear that the trade secret has been unlawfully obtained according to (i) or (ii). 

It should be noted that disclosure of a trade secret through reverse engineering will not, in itself, be regarded as improper. Health data is a classic example of a trade secret but the requirement of keeping it “not easily disclosed by others” can be difficult while using AI technologies.

The health data circulars set forth the provisions to be included in collaboration agreements based on secondary uses of health data (such as the purpose of using the data or maintaining the confidentiality of the data). In general, the main contractual issues that need to be taken into account are:

• ownership of data;
• ownership of know-how products based on collaborations through which data is used;
• consideration for data sharing or know-how products based on use of the data, such as ownership in the outside organisation (if a company is concerned);
• right to use the know-how products;
• monetary compensation (such as royalties, licence fees, exit fees);
• period of use of the data;
• exclusivity of the data’s use;
• reach through royalties/licences;
• royalty rate and stacking; and
• the need to use other databases.

In general, HMOs request monetary considerations and rights to use the products, based on use of the data they grant access to. The issue of royalty-stacking may arise, leading to a burden of royalties to be paid by start-ups.

Employers, including universities and healthcare institutions, will generally be the owners of IP rights generated by their employees in connection with their employment. This is both in terms of the default rule under the Patents Law and the Copyright Law, as well as the standard practices of such organisations, which often expand beyond the statutory provisions by means of employment contracts and intellectual property by-laws. All academic institutions share the revenues collected by the commercialisation of such intellectual property with the researchers. HMOs differ in their approaches and practices. The allocation of IP rights when private sector technology companies are involved in developing the device or medical innovation is typically governed by contract. Special provisions apply to governmental hospitals, which are more limited in their ability to contract with the private sector.

The default rule is that any person who made an inventive contribution to the inventive concept of the invention is an inventor and is the owner of the invention. When there are several co-inventors, they will be co-owners (unless they are in the employ of a third party, in which case the employer will own a share of the invention). All of these default rules may be superseded by contract.

It is standard practice to distinguish between background IP and foreground IP, with ownership of the background IP remaining with the original owner, who may grant limited licences to use the background IP in order to exploit the foreground IP, and the foreground IP being owned as agreed by the parties. Because of regulatory constraints and other considerations, many HMOs will waive co-ownership in exchange for various monetary rights, such as royalties, milestone payments, exit phase, cross-licence or the right to use the resulting foreground IP.

The first theory of liability arising from decisions based on digital health technologies such as data analytics, AI, machine learning and software as a medical device is, of course, the tort of negligence. In general, the three main elements of this tort are the existence of a duty of care, deviation from a reasonable standard of practice, and a causal connection between the defendant's act or omission and the damage suffered by the plaintiff. The manufacturer of a medical device will generally be held to owe a duty of care towards users of the device. Adherence to acceptable standards should mitigate the risk of liability. Otherwise, the manufacturer will have to show that it took reasonable efforts to prevent the damage, with the foreseeability of the damage and the level of efforts required being directly related, namely, the more foreseeable the damage is, the higher the level of efforts required.

It is hard to see how a decision to use an approved medical device can be deemed negligent. However, a decision to use a medical device in development could theoretically attract liability and the putative defendant would have to show that they took reasonable measures to verify that the device’s algorithm will not cause harm or produce misleading results. As is the case with other industries, the courts will have to acquaint themselves with the developing best practices that aim to deal with the problem of lack of transparency of machine learning algorithms.

If a medical device inflicted physical damage on a patient, the manufacturer of the device may be held liable under the Defective Product Liability Law, which imposes a strict liability (no fault) on the manufacturer.

Theories of liability when third-party vendors’ products or services cause harm to healthcare institutions are generally the same as those discussed in 15.1 Patient Care. The main difference, however, is the ability of the healthcare institution to protect itself through contract by obtaining proper warranties and indemnification obligations. In addition, health institutions may forfeit at least part of the right for compensation if they are shown to have breached their obligation to mitigate damage. Thus, some institutions already proactively monitor their internet-connected equipment to detect vulnerabilities and prevent cyber-attacks.

One issue, briefly touched upon above, that is worth noting further is the question of the role that intellectual property rights – in particular, patents – will play in the fast-growing and developing digital healthcare industry. Given the limitations on patentable subject matter, the limitation on patenting methods of treatment of humans, it is interesting to see how the government will proceed in encouraging innovation in this field.