BCIs & Data Protection in Healthcare: Data Flows, Risks, and Regulations
This post is the second in a four-part series on Brain-Computer Interfaces (BCIs), providing an overview of the technology, use cases, privacy risks, and proposed recommendations for promoting privacy and mitigating risks associated with BCIs.
See FPF and IBM’s full report: Privacy and the Connected Mind. In case you missed it, the first blog post in this series unpacks BCI technology. Additionally, FPF-curated resources regarding brain-computer interfaces, including policy & regulatory documents, academic papers, thought pieces, and technical analyses, are available.
I. Introduction: What are BCIs?
BCIs are computer-based systems that directly record, process, or analyze brain-specific neurodata and translate these data into outputs. Those outputs can be used as visualizations or aggregates for interpretation and reporting purposes and/or as commands to control external interfaces, influence behaviors or modulate neural activity. BCIs can be broadly divided into three categories: 1) those that record brain activity; 2) those that modulate brain activity; or 3) those that do both, also called bi-directional BCIs (BBCIs).
BCIs can be invasive or non-invasive and employ a number of techniques for collecting neurodata and modulating neural signals. Neurodata is data generated by the nervous system, which consists of the electrical activities between neurons or proxies of this activity. This neurodata may be “personal neurodata” if it is reasonably linkable to an individual.
II. Health-related BCIs Diagnose Medical Conditions, Modulate Brain Activity for Cognitive Disorder Management, and Promote Accessibility
Facilitating Diagnoses: BCIs can be used to help make certain diagnoses by providing a means for practitioners to quantify fatigue, identify depression, and measure stress. Diagnostic BCIs can also assist even when a patient is unable to provide responses. These situations may occur when patients experience disorders of consciousness, such as locked-in syndrome, whereby individuals are fully conscious but unable to move, speak, or explain how they are feeling. Additionally, current research efforts focus on BCI applications that diagnose the stage and advancement of progressive conditions, such as glaucoma.
Modulating the Brain to Treat or Overcome Conditions: While diagnosis typically involves simply recording brain activity, other health-related BCI uses may actively modulate patients’ brains and nervous systems. For example, brain modulation can be used to disrupt seizures for epilepsy patients. Recent advances in interventive BCI modulation include a vision restoration study in which the image bypasses the eye and the optic nerve in order to feed directly to the brain—resulting in low-resolution vision capabilities.
Improving Accessibility and Rehabilitation Opportunities: The latest prosthetic limbs (i.e., neuroprosthetics) rely on BCIs, which enable the limbs to move in response to the neural activity associated with an intended movement. Examples of this BCI application include robotic arms, as well as BCI-powered automatic wheelchairs. Users control neuroprosthetics and personal devices through BCIs that collect neurodata about intended limb movements or about an activity associated with what the user wants to do. An example of the latter involves users thinking of physical activities like “eating,” rather than specific words like “table,” to direct their chair to a nearby object. BCIs can also act as the channel for providing haptic feedback or haptic sensory replacement within prosthetics and exoskeletons for purposes of patient rehabilitation, regaining sensation, and an increased ability for patients to perform previously inaccessible tasks.
There are also efforts to connect BCIs with smart devices and the Internet of things (IoT), which could provide individuals experiencing neurological disorders or motor impairments with greater independence in the ability to perform daily living activities. These efforts could improve or sustain a user’s quality of life through increased accessibility within their home environment.
Beyond Medicine – BCIs and Commercial Wellness: BCIs are also starting to emerge in the commercial wellness space as a method of personal data tracking, intended as a means of improving cognitive abilities (such as attention) and/or mental and physical health (such as sleep monitoring). Many of these wellness BCIs overlap with functions included in the gaming and toy space. The NeuroSky Mindwave Mobile 2: Brainwave Starter Kit provides the user with information about their brain’s electrical impulses when relaxing and when listening to music. The product includes an EEG-fitted headband and connects to companion apps via Bluetooth. The device also provides training games purported to help improve meditation, attention, and enhance the user’s learning effectiveness. Further, the device includes tools for players to create their own brain-training games.
III. Health-related BCI Risks Include Security Breaches, Infringement on Mental Privacy, and Data Inaccuracy
Security Breaches: Security breaches are among the most prominent risks in the health BCI space. Like other connected medical devices, BCIs are exposed to cyber risks along the whole data path: the headset, the wireless link to its companion app, and wherever the recorded neurodata is stored and processed afterwards. The risk is not limited to conventional compromise of the device or its software. Researchers have shown that an attacker who can add small, imperceptible perturbations to an EEG signal can make a BCI speller output characters that do not match the wearer’s actual thoughts or intentions; the perturbation targets the machine-learning decoder that translates brain signals into output, so the device can be running exactly as designed and still produce an attacker-chosen result. The consequences of such vulnerabilities range from user frustration to severe misdiagnosis and physical harm. Breaches of BCIs may also compromise sensitive health information that could be captured or inadvertently shared.
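The decoder-level attack described above, as an added example that is not code from the FPF post, from any BCI vendor, or from the research it refers to. Everything here is constructed for illustration: a four-symbol speller, a linear decoder with six assumed features (e.g. signal amplitude at fixed post-stimulus latencies on a few channels), made-up weights, and a "clean" epoch the decoder reads as "A". The attack is the standard closed-form perturbation of a linear classifier under a per-sample amplitude (L-infinity) budget; the example also shows a simple margin gate that makes the speller abstain on close calls, and what that gate does and does not buy.

```python
"""Targeted adversarial perturbation against a toy linear EEG speller decoder.

Added example, not from the FPF post or any real BCI product or paper.  The
symbol set, the six-feature linear decoder, its weights and the "clean" epoch
are all constructed here; the perturbation rule is the closed-form attack on a
linear classifier under an L-infinity (per-sample amplitude) budget.
"""
from typing import Dict, List, Optional, Sequence, Tuple

SYMBOLS = ["A", "B", "C", "D"]  # assumed four-symbol speller

# Assumed decoder: one weight row per symbol over six features.  Constructed.
WEIGHTS: Dict[str, List[float]] = {
    "A": [1.2, -0.4, 0.8, 0.1, -0.6, 0.3],
    "B": [-0.7, 1.1, 0.2, -0.5, 0.9, -0.2],
    "C": [0.3, 0.2, -1.0, 0.8, 0.4, 0.6],
    "D": [-0.5, -0.8, 0.4, 1.3, -0.3, -0.9],
}
BIASES: Dict[str, float] = {"A": 0.1, "B": 0.0, "C": -0.05, "D": 0.2}

# Constructed "clean" feature vector that the decoder reads as "A".
CLEAN_EPOCH: List[float] = [0.9, 0.2, 0.5, 0.3, 0.1, 0.4]


def score(symbol: str, x: Sequence[float]) -> float:
    """Linear class score w . x + b for one symbol."""
    return sum(w * xi for w, xi in zip(WEIGHTS[symbol], x)) + BIASES[symbol]


def ranked(x: Sequence[float]) -> List[str]:
    """Symbols ordered from highest to lowest score."""
    return sorted(SYMBOLS, key=lambda s: score(s, x), reverse=True)


def decode(x: Sequence[float], gate: float = 0.0) -> Optional[str]:
    """Decoded symbol, or None when the top-two margin is below `gate`.

    gate == 0.0 is a plain argmax.  A positive gate makes the speller abstain
    on close calls (e.g. request another stimulus round) instead of emitting a
    low-confidence character.
    """
    top, second = ranked(x)[:2]
    if score(top, x) - score(second, x) < gate:
        return None
    return top


def min_budget(x: Sequence[float], target: str, gate: float = 0.0) -> float:
    """Smallest per-feature amplitude eps that lets `target` beat the current
    winner by at least `gate`.

    Moving every feature by +/- eps in the direction sign(w_target - w_cur)
    raises (score_target - score_cur) by exactly eps * ||w_target - w_cur||_1,
    so the budget follows in closed form.
    """
    cur = ranked(x)[0]
    if cur == target:
        return 0.0
    diff = [wt - wc for wt, wc in zip(WEIGHTS[target], WEIGHTS[cur])]
    margin = score(cur, x) - score(target, x)
    return (margin + gate) / sum(abs(d) for d in diff)


def craft(x: Sequence[float], target: str, eps: float) -> List[float]:
    """Apply the closed-form perturbation with amplitude `eps` per feature."""
    cur = ranked(x)[0]
    direction = [
        (1.0 if wt > wc else -1.0 if wt < wc else 0.0)
        for wt, wc in zip(WEIGHTS[target], WEIGHTS[cur])
    ]
    return [xi + eps * d for xi, d in zip(x, direction)]


def attack(x: Sequence[float], target: str, gate: float = 0.0,
           slack: float = 1.01) -> Optional[Tuple[float, List[float]]]:
    """Craft a perturbed epoch that the gated decoder reads as `target`.

    The closed form only guarantees `target` overtakes the *current* winner;
    a third symbol could in principle overtake both, so the result is checked
    against the real decoder and None is returned on failure.
    """
    eps = min_budget(x, target, gate) * slack
    adv = craft(x, target, eps)
    return (eps, adv) if decode(adv, gate) == target else None


if __name__ == "__main__":
    print("clean decode:", decode(CLEAN_EPOCH))
    eps, adv = attack(CLEAN_EPOCH, "B")
    print(f"ungated: eps={eps:.3f} -> {decode(adv)}; "
          f"same epoch with gate=0.25 -> {decode(adv, gate=0.25)}")
    eps2, adv2 = attack(CLEAN_EPOCH, "B", gate=0.25)
    print(f"gated:   eps={eps2:.3f} -> {decode(adv2, gate=0.25)}")
```

Two points carry over to real decoders. First, nothing in the device is broken: the perturbed epoch is a valid input and the decoder applies its weights correctly, so integrity checks on firmware or on the data link do not see anything wrong. Second, the margin gate is a mitigation, not a fix: the minimal ungated attack is rejected as a close call, but an attacker who knows (or estimates) the weights simply pays a slightly larger budget, so the gate only raises the cost of the attack by a known amount.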
BCI Accuracy: An equally important risk among health-related BCIs is the extent to which device accuracy is verifiable and sufficient. In many applications, high reliability of medical BCIs is critical because inaccurate interpretation or modulation of a patient’s brain could result in serious consequences, including death. Patients relying on modulating BCIs to help mitigate cognitive disorders, such as epilepsy, could suffer grave health consequences if the BCI failed to work as intended and anticipated. Risks are particularly acute when patients rely on BCIs to communicate crucial information, such as their choices regarding treatment or even end-of-life decisions. Accuracy is also crucial to reliable, continuous accessibility, as prosthetic limbs, wheelchairs, and other devices controlled via BCIs must operate correctly and safely according to users’ intentions.
Infringement on Mental Privacy and BCI-informed Decision Making: Finally, BCIs also present privacy risks. These risks refer to unauthorized access to personal information, including the inferences drawn from an individual’s conscious or unconscious behaviors and intentions. In addition to the existing privacy risks around all personal health data, BCIs raise new mental privacy risks because the machine-learning models (often neural networks) that decode neurodata learn to associate signal patterns with particular thoughts, and can therefore interpret subconscious or causally connected intentions well beyond the command the user meant to give. For example, a BCI-controlled wheelchair and its underlying model might not only deduce that the user is thinking about food, and therefore direct the chair toward the table, but also draw other conclusions about the individual’s biology and preferences, such as whether the individual is hungry or thirsty and at what times. These additional inferences capture new information about an individual’s thoughts, intentions, or interests, much of it tied to the individual’s specific biology and unique preferences.
Privacy risks are magnified when these new inferences are combined with other personal information to make decisions that impact the person’s life, potentially without their knowledge or consent. Organizations collecting and processing brain signals, leading to granular inferences tied to an individual, could have incentives to repurpose this data for unrequested treatments or non-medical purposes, many of which may expose potentially sensitive biological information to third parties. Additionally, the sharing of patient data associated with BCI use could potentially disclose an individual’s medical condition to employers, private companies, public entities, or governments.
IV. Some Health BCIs are Subject to Common Rule Requirements, FCC Oversight, or International Frameworks
Common Rule: Some of the advancements in health BCIs involve human subject research, which is governed by a complex regulatory framework. U.S. researchers whose projects are federally funded are typically required to obtain approval from a Common Rule-based Institutional Review Board (IRB) before undertaking a study, and to obtain subjects’ informed consent for data collection on the terms the IRB approved.
FCC Oversight: Wireless IoT BCI devices are likely subject to Federal Communications Commission (FCC) oversight because, like other connected wearables, they contain radio transmitters (such as Bluetooth); that oversight concerns the radio equipment itself rather than how neurodata is used or protected. Given the lack of regulations around consumer wellness technologies, devices marketed outside of the physician-regulated context, such as brain training games and meditation-aiding devices, may lack strict oversight. For example, the Health Insurance Portability and Accountability Act (HIPAA) regulates covered entities such as physicians and health insurers (and their business associates) that collect, use, process, and share health information, but does not usually apply to wellness device companies.
International Frameworks: In Europe, the General Data Protection Regulation (GDPR) is the applicable framework for any processing of personal data for the purposes of scientific research, including where the research relies on special categories of personal data, such as data concerning health and biometric data processed for the purpose of uniquely identifying a person. There are several lawful grounds for processing under Article 6(1) that would allow the necessary processing of personal data for BCI research, as well as several permissions under Article 9(2) for the use of special-category data. In some situations, this could allow data controllers to conduct this type of research even without individual consent for the processing of the data, specifically when sensitive data is necessary for public health purposes or for research in the public interest; however, there are many complexities surrounding this sort of processing, with the European Data Protection Board (EDPB) expected to adopt Guidelines on processing of personal data for scientific research purposes in the near future. Given the complexities surrounding privacy in human subject research, health researchers and other stakeholders seeking to develop or adopt BCIs must understand and verify how the product fits into this shifting regulatory landscape.
The EU’s recently proposed draft AI regulation covers all AI systems, including those relying on biometric data, and is likely to be relevant for future regulation of personal neurodata, significantly altering the regulatory landscape around BCIs and neurotech. It specifically focuses on AI systems that pose high risks to individuals’ “health, safety and fundamental rights.” BCIs that might be considered “high risk” AI systems under the proposed regulation could trigger requirements prior to entering the market, such as going through a conformity assessment, adoption of adequate risk management, security guarantees, and adequate notice to the user, among others. Systems that fall outside the high-risk category may still be subject to transparency obligations, for example where a system interacts with people or performs emotion recognition, a function some BCIs could be used for. The full scope and impact of the EU’s AI regulation on the development and use of BCIs remains subject to the ongoing legislative process.
V. Conclusion
Health BCIs are set to influence and potentially improve healthcare by expanding accessibility and rehabilitation opportunities, as well as by giving medical practitioners new ways to diagnose and treat conditions. However, these applications are not without risk. The data flows that underpin medical BCIs raise privacy considerations, as well as risks in regard to how neurodata is secured and whether such data is accurate. Companies dealing with medical BCIs must remain abreast of these challenges and analyze how medical BCIs interact with a dynamic, global body of regulation.
Read the next blog post in the series: BCI Commercial and Government Use & Data Protection: Gaming, Education, Employment, and More