Health data sovereignty is under threat
While we have always been cautious about healthcare-related data, the Covid crisis has made all of us even more sensitive to the privacy issues associated with it.
Numerous players in the medical research environment need health data. Digitization has been ongoing for years, and the healthcare industry is now promising better medicine, better efficiency at medical institutions, better care at home and stronger support for everyday health and wellbeing. To achieve these goals, the industry needs access to massive amounts of data. But individuals and institutions are reluctant to share such personal, confidential information. Hence the need for infrastructures and procedures that make health data accessible to the stakeholders who need them while ensuring the required level of privacy. In addition, efficient use of health data requires a high level of standardization to ensure interoperability.
Many initiatives have been undertaken worldwide to protect citizens' health data. For instance, in Europe, national governments are in the process of regulating healthcare-related data while the EU is setting up its own model.
Controversy has been raging in France for years about data hosting for the Health Data Hub (HDH), the French government-controlled repository for health data. The goal of the HDH is to host non-nominative data on a secure platform, in order to provide raw material to researchers, with the hope of building an internationally competitive advantage for research and innovation. The HDH includes all the health data associated with a health insurance reimbursement, whether collected during a hospital treatment, a doctor's visit, participation in a research cohort or an epidemiological or practice register, etc. However, to remain relevant, the data need to include numerous details about patients, so they are pseudonymized and not totally anonymized.
The government has allowed the body that controls the HDH to host its data on US-based Microsoft servers for three years as part of the EMC2 project, a European project aimed at connecting several platforms equivalent to the HDH. This decision creates an exception to the rule specified by the French national data protection authority, the CNIL (Commission Nationale de l'Informatique et des Libertés, the National Commission on Informatics and Liberty), to host all sensitive data in the EU. While other bodies, such as hospitals, have claimed that they own the necessary platforms to securely host these data, the CNIL justifies its decision by the lack of secure hosting solutions in Europe. Potential suppliers, such as OVHcloud, claim they are certified both SecNumCloud, for sovereign data hosting, and HDS (Hébergeur de données de santé, health data hosting service). NumSpot, a French consortium including Docaposte, Dassault Systèmes, la Caisse des Dépôts and Bouygues Télécom, also positions itself on secure data hosting. Finally, Cloud Temple, a supplier of SecNumCloud-certified cloud services, has been criticizing the CNIL decision, saying they are compliant and ready to provide hosting services for the HDH.
The Internet Society France (ISOC), a non-governmental organization representing French internet users and supporting the French presence in global internet regulatory bodies, has filed a complaint requesting the cancellation of the CNIL decision. The ISOC considers that the HDH structure is not qualified, that the decision does not comply with GDPR, that the prime minister's instruction on sovereign cloud is not respected, and that the decision constitutes a disproportionate infringement of privacy. Consequently, they ask the French government to find an alternative to Microsoft that respects data sovereignty principles.
The French decision is to be understood in the context of the European Health Data Space (EHDS), the European Commission's proposal to build a health-specific ecosystem that would at the same time provide health data to researchers and guarantee individuals' control over their electronic personal health data, at national level and EU-wide. In this context, EMC2 is the incarnation of the European health data research platform, with the HDH as the project leader.
Regulation is coming from all sides! The World Health Organization (WHO) positions itself as the regulator of the relations between Artificial Intelligence and the healthcare community. The WHO, which is already listing key regulatory considerations on artificial intelligence (AI) for health, insists on transparency of data management, risk management, data quality, privacy and data protection.
Depending on the source, the common saying is "data is the new gold" or "data is the new oil". This is truer in healthcare than in any other field.