For some time now, the Government has been aiming to set up a Medical Data Hub, called Health Data Hub, which comes from the transformation of the INDS platform (National Institute for Health Data). But what is the purpose of this platform?
The objective of this platform is to centralize health and research data from different public or parapublic entities. This is to facilitate access to health data in order to enhance it, by uses in Research or by Start-ups. The hope is to allow the emergence of disruptive innovation and concrete applications of Artificial Intelligence in massive data processing.
The main partners of this platform are: Health Insurance, the Army Health Service, the General Delegation of Companies (DGE), APHP (Public Assistance – Hospitals of Paris), INSERM (National Institute of Health and medical research) and many more.
The main objective is to set up a one-stop shop in order to encourage innovation through the use of Open Data of health data at our disposal.
In my opinion, this constitutes a rather commendable purpose and which we really need in order not to leave the field open to American actors. However, we must not forget the Chinese players who have also taken a good head start with Huawei, with initiatives on information infrastructures in the medical and hospital fields for example.
It is clear that the collection and exploitation of medical data from different sources such as Health Insurance, hospitals pose the problem of their confidentiality …
This project must obviously be confronted with the application of the General Data Protection Regulations (GDPR) and will be under the supervision of the CNIL (National Commission for Data Protection).
Asked by the daily Ouest-France, Isabelle Combes, the project manager at the Department of Research, Studies, Evaluation and Statistics (Drees) of the Ministry of Health, specifies that the fact that the data is hosted at Microsoft on the Cloud Azure does not present any problem because the data is encrypted and the encryption key is not in Microsoft’s possession…
Could we question the choice of Microsoft?
It is an interesting question. To answer it, let’s see first of all, the risks linked to this choice and what were the possible sovereign alternatives.
First question: can we be reassured by Ms. Combes’ statement?
I must say, I have some reservations about this. Certainly, the fact that the encryption keys are not in Microsoft’s possession is a reassuring factor. However, it remains an American player and therefore subject to the Patriot Act and the Cloud Act, allowing US government services to access and copy this data without even Drees being informed. It makes you think, doesn’t it? This leads to a new question: how, under these conditions, the Microsoft Cloud was able to obtain HDS certification (Health Data Host)?
Second question: it seems that contractually Microsoft (Cloud Azure) allows the output of data from European space according to an article by 01Net. What is it really like? If this is confirmed, this is a real cause for concern.
Last question: why this choice was made without a tender, when the urgency or the amounts seem incompatible with this procedure (Service-Public)?
Is this not in contradiction with the rules of any public procurement?
Finally, why did Drees not, a priori, evaluate sovereign hosting solutions like OVH Cloud which already had an approval for hosting health data since 2006, or Outscale, the sovereign cloud of Dassault Système, which has already won over the defense sector…
Conclusion : What actions ?
In the face of these contradictory state injunctions, it is necessary to return to Industrial Sovereignty and more particularly to Digital Sovereignty. When it comes to our Health data, a precious asset with multiple impacts, it is even more worrying, even if some seem reassured by an underestimation, in my opinion, of the risks (LaTribune).
French digital entrepreneurs are mobilizing through their April 9 Appeal, and their PlayFrance.Digital platform, an initiative to follow!
Personally, I encourage you to contact the DPO (Data Privacy Officer) responsible for the améli.fr site, in order to notify the CPAM of your refusal to see your data transmitted to this Health Data Hub and to contact the CNIL in parallel on this topic. If there are many of us mobilizing on this subject and in large numbers, this will accelerate the awareness of the actors of this program of the initial design error.
I would like to add, for people who think that pseudo-anonymization of data does not allow to go back to the individual, that they can be wrong! Indeed, depending on the data handled, anonymity can be easily lifted, for example in the event of orphan diseases, hospitals, genomics data and hospital service plus age group and biometric data, etc.
When we tackle the subject of managing our health data, several issues and regulations come together.