Five actions to get right when building a healthcare data ecosystem

By Uta Allenstein, Stefan Biesdorf, Ulrike Deetjen, Jessica Mayer, and Jannik Podlesny

The COVID-19 pandemic dramatically cut in-person visits to healthcare providers. To help fill the care void, many providers across the world turned to digital alternatives, especially teleconsultations and therapeutics apps. Providers are now better positioned than ever to integrate digital care with traditional care to improve access, outcomes, and patient engagement as the pandemic recedes. Incorporating digital care gives providers a more holistic view of patient health, which they can use to prevent or more effectively manage chronic conditions.

Growth in digital healthcare will accelerate the need for patient-centered data ecosystems. The healthcare sector still relies on extremely decoupled, decentralized data repositories due to the high bar of healthcare regulations such as HIPAA, technical complexity, and business concerns about data ownership and sharing. Any company that orchestrates an ecosystem will need to address not only technical considerations but also business issues, including agreements to share intellectual property, data contracts, service-level agreements, and more. Here we provide five actions to lay a solid foundation.

Develop a simple patient-consent process

Step one in setting up a data ecosystem is to receive patient consent with a process that encourages participation. The process must be convenient and transparent for the user and backed by policies and mechanisms to prohibit the transmission or use of data in ways that violate patient consent. These protections must be safeguarded across the entire data ecosystem. Additionally, the rapid pace of medical advances makes some patients reluctant to give consent because they are suspicious of how their blood, genome, or other medical information will be used—now or 20 years from now.

Ecosystem participants can encourage consent with messages that appeal to users’ altruism (for example, by emphasizing new, life-saving treatments that new research might yield). Additionally, when developing consent standards, they can partner with well-established and trusted patient-advocate organizations.

Ensure anonymity

Unlike passwords and email addresses, patient medical information, once exposed, cannot be changed. Anonymization is an important instrument to gain insights without risking exposure of highly personal data, but true anonymity is difficult to achieve.1 To strike the right balance between the data that need to be collected and shared and the risks of personal-data exposure, participants should focus on the specific business case and collect only essential data elements, an approach called “privacy by design.”

Ensure security across the data ecosystem

Security breaches can occur anywhere in the ecosystem. Depending on their severity, they can erode trust and even imperil lives. In 2018, unidentified bad actors breached the Singapore national health database and stole personal data belonging to 1.5 million people.2 In the United Kingdom, the WannaCry ransomware attack locked 34 hospitals out of their digital systems, destabilizing medical devices and reducing admissions during the lockout by 6 percent, resulting in losses of £5.9 million.3

Security is not simply a check-the-box exercise for the IT department or a concern only for the orchestrater. It is a mandate for all ecosystem participants and requires a shared commitment from the outset to embed security into culture, design, and technology. The ecosystem is only as strong as the weakest link, so every participant must stress-test and adhere to compatible IT security standards.

Manage IT integration

Of all the activities associated with building a data ecosystem, IT integration poses the highest risk of failure. The US healthcare sector has more than 40 standards-development organizations.4 There are multiple US standards for data transport and exchange—for example, Fast Healthcare Interoperability Resources (FHIR) and DirectTrust—and even for terminology.

The integration effort requires two building blocks: (1) a next-generation data layer that provides APIs to accommodate the wide range of interfaces and enables ecosystem partners to integrate their data repositories and (2) distributed data management with the ability to ensure data integrity and privacy.

Share data for the benefit of patients and the ecosystem

Organizations increasingly view data as a valuable asset. Some are amassing vast data stores and are reluctant to share them. As a result, patients must retrieve and provide data while navigating through the ecosystem, which leads to disconnects and limits visibility into health status and outcomes.

Although retaining ownership of the patient relationship is an important objective for ecosystem involvement, data sharing doesn’t undermine that goal. An ecosystem works only when everyone collaborates to achieve network effects, meaning the ecosystem’s value increases with more participants. By sharing complementary data, ecosystem participants can multiply the insights they derive from it—for their own benefit and that of patients. To encourage data sharing early on, participants can establish guidelines that will serve as a North Star, emphasizing collaboration over competition, supporting mutual growth, and helping to resolve any ownership battles that arise.

Data is the fuel that feeds the healthcare ecosystem engine. It can lead to more efficient treatment evaluations, provide real-world evidence to determine drug efficacy, support individualized patient journeys, and help identify personal disease risks. But first, ecosystem stakeholders must work to protect patient interests, embrace privacy and security as design principles and as part of the culture, and enable data integration and data sharing among participants. Doing this right can become a competitive advantage in the long term. With this foundation in place, supported by an effective governance model and with mutual interests in mind, the healthcare data ecosystem can begin to deliver on its promise.

Uta Allenstein and Jessica Mayer are consultants in McKinsey’s Munich office, where Stefan Biesdorf is a partner; Ulrike Deetjen is a partner in the Stuttgart office; and Jannik Podlesny is an alumnus of the Berlin office.

1 A historical example was when, in 1997, Latanya Sweeney managed to uniquely identify 87 percent of the US population by combining voter lists with anonymized healthcare data based on birth dates, zip codes, and sex.
2 “Singapore personal data hack hits 1.5 million, health authority says,” BBC News, July 20, 2018,
3 S. Ghafur, S. Kristensen, K. Honeyford, G. Martin, A. Darzi, and P. Aylin, “A retrospective impact analysis of the WannaCry cyberattack on the NHS,” npj Digital Medicine, October 2019, Volume 2, Number 1: p. 98,
4 Such organizations include Health Level 7 International, Clinical Data Interchange Standards Consortium, and International Health Terminology Standards Development Organization.