NHS England has signed a deal with Amazon to provide health information via its Alexa voice assistant. The deal is aimed at two groups. The first is those patients who need additional help to use the Internet. The announcement identifies two of these groups as being the elderly and the blind. There are likely to be others such as those who are disabled.
The second goal of this deal is to alleviate pressure on the NHS and GPs by allowing Alexa to provide information for common illnesses. As such, it will be aimed at anyone who has, or who buys, an Amazon Alexa.
In a canned statement, Matthew Gould, Chief Executive of NHSX, said: “The public need to be able to get reliable information about their health easily and in ways they actually use. By working closely with Amazon and other tech companies, big and small, we can ensure that the millions of users looking for health information every day can get simple, validated advice at the touch of a button or voice command.
“Part of our mission at NHSX is to give citizens the tools to access services and information directly, and partnerships such as this are an important part of achieving this.”
What information will Alexa dispense?
Alexa will listen to questions and then search the existing NHS website for answers. Some of the suggestions in the release include:
- “Alexa, how do I treat a migraine?”
- “Alexa, what are the symptoms of flu?”
On the face of it this is innocuous. If it can speed up a response to a patient and also relieve pressure on GPs and others, there is much to recommend this. The initial goal is to only provide people with access to information currently available on the NHS website. The challenge is how it will interpret the question and provide the information to the users.
An example of where this gets complicated is:
- “Alexa, how do I treat an overdose?”
With accidental overdoses on the increase due to the rise in casual use of party drugs, this is a very real question. Type that question into the NHS website and it lists places to get treatment for addiction and details of NHS walk in services. It doesn’t directly answer the question so what would Alexa do next? Will it put the caller through to the NHS Hotline? Would it connect the user with the emergency services?
Over time, Alexa will get a lot of questions that it cannot answer directly from the NHS website so what happens then? Amazon calls Alexa an AI so will Alexa go searching other sources for information? If so, how will the accuracy of that information be established? None of this is covered in the brief announcement of this deal.
A real risk to patient privacy
There is also a significant risk to patient privacy here. When US Senator Chris Coons asked the company about its privacy and data security practices for Alexa devices, the company’s response was eye opening.
Among the questions Coons asked were: “Do users have the ability to delete any or all of these transcripts” and “are there any transcripts that a user cannot delete?”
In its response, Amazon said that customers can: “.. delete individual voice recordings, voice recordings from particular timeframes, or all of their voice recordings. When a customer deletes a voice recording, we delete the transcripts associated with the customer’s account of both of the customer’s request and Alexa’s response.”
It went on to say: “However, we may still retain other records of customers’ Alexa interactions, including records of actions Alexa took in response to the customer’s request. And when a customer interacts with an Alexa skill, that skill developer may also retain records of the interaction. For example, for many types of Alexa requests – such as when a customer subscribes to Amazon Music Unlimited, places an Amazon Fresh order, requests a car from Uber or Lyft, orders a pizza from Domino’s, or makes an in-skill purchase of premium digital content – Amazon and/or the applicable skill developer obviously need to keep a record of the transaction. “
It is this second extract from its response that is worrying. The NHS system falls into the Amazon skill category. It is reasonable, therefore, that the developers would want to retain the data for continuous training of Alexa. However, this data is linked to the users Amazon account. It means that there is personably identifiable and sensitive data that the user will not be able to delete. On the face of it, failing to properly erase data upon request would be a GDPR fail. The NHS needs to show that it Amazon will adhere to the provisions of the legislation.
Can Amazon be trusted not to sell the data?
Amazon makes its money from selling stuff. The more data it has on you the more effectively it can sell you things. Additionally, the more data it has, the more it can pass to retailers who can sell you things. But who wants to be constantly reminded of when they were last ill? Or that embarrassing hook-up when they had to ask for information on an STI?
It is not a big jump to see Amazon answer a question and then recommend where someone can get treatment, medication or medical devices. This would certainly fit its current sales model but would require data to be handed to third-parties raising questions over privacy and control.
There is nothing in the publicly available data on this deal to say what restrictions there are on how Amazon can use this data. Neither Amazon or the NHS has provided any details beyond the brief announcement from the NHS. In fact, the deal hasn’t even made the Amazon news page yet.
What is the NHS saying about privacy?
Enterprise Times asked the NHS four questions about privacy and how data was to be handled. They were:
- Has the NHS asked Amazon to keep all data inside the UK?
- Does the agreement require Amazon to absolutely delete all patients and user data on request without withholding data based on any criteria?
- What audit arrangement has the NHS put in place to ensure that Amazon is protecting user data and deleting upon demand?
- Will patient advocacy groups be given access to the audit results or allowed to audit the data themselves?
None of these are unreasonable questions and we could have gone into much more detail and asked a lot more questions. At the time of going to press we have had no response from the NHS. If we do get any response, we will update this article.
Will the NHS work with other digital assistants?
What is not clear is if the NHS will buy thousands of Amazon Alexa’s to giveaway. If not, take-up will be limited to those who already have a device.
Additionally, is this an exclusive deal with Amazon? Is the NHS going to announce a deal to use the Google Assistant or with Apple for Siri? It this is exclusive and the NHS is having to buy devices, there will need to be careful monitoring to see if it is cost effective. After all, one of the claims is that this will reduce pressure on the NHS and GPs. If, as with many other NHS IT projects, this turns out to be a net cost at a time when money is scarce, any benefits will be quickly overshadowed.
There are reasons to think that this could be a good deal but they are overshadowed by the bad ones. Organisations are developing their own digital voice assistants on an almost daily basis. Given the amount of money spent by the NHS on IT, it would have been a simple task to have written their own digital voice assistant. This wouldn’t, however, get over the initial usage problem.
Enterprise Times: What does this mean
Digital voice assistants are becoming more and more accepted. Businesses see them as a route to speed up mundane tasks. Users like them at home as they can set alarms and select music without having to search for a CD. Children like them as they help find facts for homework. But the use of them does come with risks.
David Emm, principal security researcher at Kaspersky, said: “We know that people are relying on these devices more and more, and their popularity is growing. They do have their benefits, and they are convenient, however, they are, at their core, smart listeners and have made headlines in recent times because of this – leaving a scepticism around them.”
There have been numerous cases where vendors with smart listeners have issued security warnings over their devices. From cyber gangs to spies, these devices have been hacked into providing access to personal and business data. But this is not about the risk of the smart listener. It is about the risk of more data being collected and potentially misused.
As Emm point out: “We know that Amazon is storing and analysing data that these devices collect, which also raises cybersecurity alarms when it comes to how this data will be used. They will be privy to sensitive health data, and so it must be made clear to the public how our data will be protected. It is integral, however the many benefits they can provide the NHS with, that Amazon is totally transparent about this, to provide consumers with the assurance they need that their data is well safeguarded. It is also important that people are provided with a way of opting out of their data being stored, if they choose to do so.”
This is just the sort of deal that the UK ICO should be looking at and ruling on.