1- What is health data?
Health data are personal data that the GDPR (RGPD in French) treats as particularly sensitive (Article 9). They include information about natural or legal persons that is collected or used for medical purposes (prevention, diagnosis, care or medico-social follow-up).
Mobile applications that require personal data to be hosted must comply with these provisions when the data has been collected for medical purposes (so-called "wellness" applications are excluded).
Note: there is no hosting activity, in the legal sense, where legal entities or individuals entrust data to a service provider for a short period so that the provider can carry out data entry, formatting, materialization or dematerialization.
2- Health data hosting: analysis of some cases
In 2021, the CNIL made data protection a priority objective and accordingly inspected companies organizing health data hosting, to ensure that the data are lawfully collected and sufficiently protected. This priority is all the more understandable given that hospitals and laboratories are increasingly victims of cyber attacks.
The subject of data sovereignty has been particularly highlighted this year, notably through three cases:
Doctolib was the subject of controversy when the company was chosen by the Ministry of Solidarity and Health to be the main intermediary for the Covid-19 vaccination while the platform was hosted by Amazon. However, unlike the RGPD, US law does not ensure such a high level of personal data protection.
The Conseil d'Etat considered that Doctolib had taken sufficient measures to protect health data and noted in particular that:
the data collected by Doctolib did not include health data but only concerned the identification of individuals and the making of appointments;
the contract with Amazon provided that any access request by a foreign authority that did not comply with European regulations would be challenged;
Doctolib had also implemented a security system for the data hosted by Amazon, based on a trusted third party located in France, in order to prevent the data from being read by third parties.
The Health Data Platform (HDP), the "Health Data Hub", created in 2019 to facilitate the sharing and retrieval of health data from a wide variety of sources, was to be hosted by Microsoft.
The Court of Justice of the European Union (CJEU) ruled in 2020 that the U.S. "Privacy Shield" system did not provide the personal data protection required by the GDPR.
The Conseil d'Etat recognized the risk that health data could be disclosed in the United States because Microsoft is subject to U.S. law, and called for additional safeguards to be put in place.
Although the government had committed to moving to another technical solution in 2022, in January it cancelled the Health Data Hub's request for CNIL authorization to use data from some 40 databases (including those of the national health data system), bringing the project to a halt.
According to several media outlets, including Le Monde and SiecleDigital, the request was cancelled to avoid any controversy over data sovereignty in the run-up to the elections.
On January 27, 2022, the CNIL closed the formal notice issued to the company Francetest, which processed data on behalf of pharmacies during Covid-19 screening.
Following an anonymous report on August 27, 2021, the CNIL carried out online and on-site inspections of the company. It found that a database containing identification data, contact data, social security numbers and test results was exposed.
In addition, the CNIL found that the health data was hosted by a provider without HDS certification, and identified several security shortcomings (insufficiently robust authentication processes, weak cryptographic processes, inadequate logging of server activity).
In October 2021, the CNIL gave Francetest formal notice to comply.
3- HDS certifications: how do they work?
Because of the sensitivity of health data, European and national legislators have sought to give it specific protection and to introduce a certification requirement for its hosts.
This obligation does not apply to compulsory and complementary health insurance organizations, health research organizations, or sports associations for people with disabilities.
The decree of February 26, 2018 sets out the certification procedure. Two types of HDS certification are possible:
the "hosting provider" certificate for the provision of virtual infrastructure, software platform, administration/operation and outsourced backup activities;
the "physical infrastructure host" certificate for the provision of physical hosting premises and hardware infrastructure.
The certification is issued by an accredited body for a period of three years (with a surveillance audit every year) after a documentary audit and an on-site audit. The accredited body will verify that the applicant organization complies with the measures prescribed by the certification standard.
The common base for both certifications comprises the following elements:
the ISO 27001 standard ("information security management systems") in its entirety, which establishes a general information security management system by identifying security risks in order to develop a security policy;
the ISO 20000 standard ("service management system"), relating to the planning, design and implementation of new or modified services, and to service continuity and availability management;
the ISO 27018 standard ("protection of personal data"), which is in line with the GDPR on the protection of people's rights, the responsibilities of the hosting company, transparency and data security;
specific requirements for hosting health data, such as additional security, confidentiality and traceability requirements.
Certification therefore requires not only technical measures but also organizational measures to ensure secure and transparent processing of health data.
In October 2021, the CNIL published a reference framework ("référentiel") for the processing of personal data carried out to create health data warehouses. It is intended for organizations wishing to set up a health data warehouse as part of a public interest mission.
Health data hosts can thus check that their processing complies with the framework's requirements, which define the procedures for declaration to the CNIL, the purposes and legal bases of the processing, the data that may be used, the retention periods, the procedures for accessing the data, the information that must be provided to the data subjects, the rights of the data subjects, data security, the organization of subcontracting, transfers and the necessary impact assessments.