First published in The Jakarta Post (8/10/21)
Recent data leakages from PeduliLindungi and the Electronic-Health Alert Card (E-HAC) has exposed cybersecurity risks on consumers' health records in the digital space and therefore the adoption of a regulatory sandbox in technology-enabled healthcare (health tech) services could help address this weakness by fostering innovation to improve security in the sector.
Indonesia’s booming digital health is unlocking numerous societal benefits. Teleconsultation service, for example, increases efficiency, puts downward pressure on prices, and eases consumers’ access to the service. The sector is rapidly growing and it is expected to reap revenue of $973 million by 2023.
However, as with other digital services, it faces challenges in guaranteeing data privacy and data security. Innovation is central to address these challenges, and regulatory sandboxes may help provide an ecosystem that allows disruptive innovation to materialize.
A regulatory sandbox is a setting where innovators are given a supervised space to experiment and live test their services and products in the real market with limited real consumers for a certain period. The supervisor will afterward evaluate whether the innovations meet a certain standard, typically with regards to data and transaction security, risk management, and business model before they are given a license to fully operate.
The use of regulatory sandbox originates in the financial technology (fintech) sector. In Indonesia, Bank Indonesia (BI) and the Financial Service Authority (OJK) pioneered the approach through BI Regulation No. 19/12/PBI/2017 and OJK Regulation No 13 /POJK.02/2018. According to the latter, fintech providers are given 1 year to pilot their innovation over a limited period and receive assessments whether they are permitted to fully operate on a larger scale.
In practice, the design of regulatory sandboxes varies and evolves according to policy needs. In Singapore, for example, a sandbox arrangement is employed to test possible amendments to the country’s Personal Data Protection Act. More progressively, Malaysia launched the National Technology and Innovation Sandbox (NTIS) in June 2020 as a part of its broad economic recovery plan. Through the NTIS, businesses from various sectors are encouraged to innovate and adapt to the post-covid new normal. Ongoing projects under this scheme include the use of robots in farms and hospitals.
In encouraging innovations, the sandbox scheme is superior when compared to traditional top-down policymaking. Rather than mandating burdensome compliance lists to startups, regulatory sandboxes encourage and foster innovation based on lessons from real-life practice. This works best for disruptive innovations that face regulatory uncertainty, like health tech.
Sandbox for health tech
Digital health services, delivered by health facilities or by digital health platforms, are unique because they manage users’ sensitive data to deliver services. Teleconsultation service, for example, requires doctors to know their patient’s conditions, or even medical history before giving any advice. Similarly, purchasing certain medicines will also require medical prescriptions. Therefore, platforms need to apply best practices to safeguard data privacy.
The rapid adoption of telemedicine and other digital health platforms has changed the healthcare service landscape in the country, despite having to face regulatory uncertainty.
There are only 2 regulations that govern digital health services. Ministry of Health Regulation 20/2019 on Telemedicine Services as part of Health Services Facilities, and National Agency of Drug and Food (BPOM) Control Regulation No. 8 of 2020. To fill the gap, the Indonesian Medical Council (KKI) has also issued Regulation No. 74/2020 on clinical authority and medical practice through telemedicine during the COVID-19 pandemic in Indonesia. Nonetheless, all these regulations provide limited provisions on consumer data protection standards, and this is further worsened by the long dragging debates on Personal Data Protection (PDP).
The absence of regulations and standards in this sector means that regulatory sandboxes can play an anticipatory role - to develop regulation alongside technological changes of new products and services. Through this process, telemedicine providers can be given a space to test out current best practices in data management, sharing, and protection. From this, regulators can then be informed about the current technological stage in the industry and how to provide an innovation-supportive regulatory framework for the sector.
As a testing ground for innovative startups, regulatory sandboxes for telemedicine can also be applied to advance the interoperability of the platform with different health-related services such as private and public insurance, and e-payment.
Technical standards developed from testing settings can also be a reference for government-initiated health services such as E-HAC and PeduliLindungi. Tenders for digital public health platforms should also be required to meet these standards.
The sandbox scheme can still be applied even after such standards and regulations are established later on. The sandbox environment allows exploration of technological advances by the private sector that may break existing policies but bring a positive impact if adopted as a standard practice.
In conclusion, innovation is needed to improve the delivery of digital services in Indonesia, including in digital health, and regulatory sandbox can help stimulate this. Rather than limiting technological standards with compliance lists or leaving firms with regulatory uncertainty, the live-testing environment provided by the sandbox scheme allows regulators to learn from current best practices and design support tools to help the sector grow. Developers of public health platforms can also benefit from the standards produced by the sandbox settings and provide better protection for consumers.