Recently our Secretary of State for Digital, Cédric O was heckled in the Senate committee about his choice of #Microsoft for the Health Data Hub. This choice, moreover, had caused the emergence of a movement of our French digital actors, #PlayFranceDigital.

It happens that the Caisse Primaire d’Assurance Maladie, also has its opinion to give on the subject. You will find the full text of the council’s opinion, which has already been shared by the organization InterHop, which is also mobilizing on the subject.

The opinion of the CNAM board.

Governance, security, ethics and deontology in the use of health data, and legal and technical sovereignty in the service of stakeholder confidence, such was the roadmap defined by the CNAM Board to analyze the progress of the implementation of the Health Data Hub (HDH), in the context of the referral received on August 25, 2020, for an opinion on the draft decree in the Council of State relating to the processing of personal data known as the “national health data system” (SNDS).

This platform, whose purpose is to facilitate the sharing and use of health data, plans in particular to host the SNDS, which is considered the national treasure trove of health data or the memory of the health of insured persons, with a historical depth that could in the future extend to 20 years. While the mission of this platform is welcomed and shared by all, the choice of host and associated services, the cloud of an American company, not exclusively subject to the General Data Protection Regulation (GDPR), questions many members of the Council in many respects, and even raises strong opposition; all the more so as this choice was made by the PDS without a call for tenders. 

The CNAM advisors are concerned that this project, which is at the crossroads of the key issues of health and digital technology, which are priorities for the French, has not been thought through in a global way to benefit a French industrial solution.

Thus, after more than a dozen hearings conducted throughout 2021, that is, more than fifteen hours of rich discussions that allowed for an accessible exchange on complex issues related to the hosting and use of health data, with the players in charge of digital health strategy, regulatory authorities, legal, software and physical security of health data, manufacturers and start-ups developing health applications, The advisors of the Caisse Nationale d’Assurance Maladie (CNAM), who are thus better informed about the issues defined above, wish to take a constructive approach to informing the public authorities of their findings and proposals for guaranteeing confidence in a health data platform that is currently depreciated, and to contribute to its development in accordance with the new doctrine defined by the French government with respect to the cloud.

For a governance of health data better shared between experts and non-experts with regard to future uses in terms of public health  

On the issue of governance, the CNAM Board had, in its first expression, regretted the absence of a representative of the insured on the Board of Directors of the PDS, even though the insured of the general scheme are the main suppliers of health data and the main financiers of their exploitation. The President of the CNAM expressed his concern in a letter dated March 6, 2020, addressed to the management of the platform and the Minister of Solidarity and Health.

The hearings highlighted the fact that the executive governance of the SDP, reserved mainly for colleges of experts, was part of a more global context of reform of the governance of digital health, with a repositioning and strengthening of the role of the State as the legitimate pilot of a national digital health strategy, but defined and implemented exclusively by experts from the public and private spheres.

This approach did not allow for the involvement, from the outset, of the social insurers through their representatives and deprived them of the opportunity to express their recommendations and opinions, in order to share, on the one hand, their vision of the issues surrounding digital health, particularly from an ethical and deontological point of view, i.e., the framework of values for the use of data, and on the other hand, on the centralization and exploitation of data within a platform such as the PDS, and finally, on the structuring and therefore the executive governance of the health data platform.

The French are wary of the use of their data by the public authorities, as this is sensitive data that affects their private lives. On the other hand, they have more confidence in the Social Security authorities, in which the social partners participate in the governance.

Thus, in the context of the use of the health data of insured persons under the general health insurance scheme, it seems legitimate to involve the representatives of the insured persons, in order to gain their trust by guaranteeing total transparency with regard to the values of use of these data, in the context of their massive processing, in particular by artificial intelligence, the potential of which everyone recognizes in terms of public health, but which may raise ethical and deontological questions.

The latter must, in fact, play this role of trust within the SDP to guarantee the ethical and deontological values of the use of their data, and to ensure the exercise of their rights, but also to be the relays of innovative and concrete uses for their health, and more globally for public health, made possible by the use of their data.

While the provision of anonymized data in the context of the open data policy meets with the approval of policyholders and users, since it even gives rise to very interesting initiatives, as we saw during the health crisis in the monitoring of the epidemic, the provision of pseudonymized data calls for greater vigilance, since these can be associated with third-party data, making it possible to identify the person concerned.

Therefore, in order to remove the resistance related to the use of data, to bring the will of the insured to the right level and to ensure confidence in an ethical and deontological platform, the Council proposes:

• to strengthen the representation of the insured by including the President of the CNAM Council, or his representative, on the PDS Board of Directors
• to strengthen the role of the general assembly of the platform, currently reduced to a recording chamber, by granting it control powers and the means to prepare the major strategic and political orientations to come
• to contribute, alongside the PDS and the State, to the creation of a digital health charter based on ethical, deontological, human and environmental values
• to rely on networks of local actors, such as the local councils of health insurance funds, by organizing public councils responsible for informing and training insured persons in the various uses.

For a high level of security based on the most advanced expertise and certifications

On the issue of security, the CNAM Board indicated that it did not feel that the legal conditions necessary for the protection of this data had been met for the SNDS to be made available to a company that was not exclusively subject to European law (RGPD), regardless of any contractual guarantees that might have been provided. 

The hearings conducted support this position. Indeed, the risks of unauthorized access have been identified, with no possibility of appeal, and are recognized by the Council of State, the CNIL and the ANSSI, and the CJEU, which annulled the “Privacy Shield” by the SCHREMS II ruling on July 16, 2020.

The storage of data on the cloud, from an American company, no longer guarantees a level of data protection equivalent to that of the European Union. This therefore contravenes the GDPR and consequently creates legal uncertainty for the health data platform.  The Commission emphasizes that it was up to the prefigurators to measure the risks taken and pursued by this choice.

The Patriotact and then the Freedomact, Section 702 of the FISA Act, Executive Order 12333 and the Cloud Act, which enshrine the extraterritorial nature of American law on their companies, render null and void all national data protection provisions, whether they are legislative, regulatory or contractual. Thus, neither the emergency order of October 10, 2020, prohibiting the transfer of personal data outside the European Union, nor the contractual clauses allow to fight effectively against the risk of unauthorized access to health data.

Furthermore, concerning the pseudonymization circuits for individuals’ identifiers, the security measures and the respective responsibilities of the CNAM and the PDS have not yet been validated. The CNIL has not yet been informed of the evolution of the SNDS security guidelines, and the request for authorization concerning the hosting and use of health data by the platform has been withdrawn. 

As the Director General of the ANSSI reminded us, cybersecurity must be a concern at a strategic level. The security system must be robust and allow to anticipate attacks in order to gain the trust of users of digital applications.

In view of their vulnerability, the hosting and use of health data, when centralized and interconnected in a cloud, must be subject to the highest level of certification issued by the ANSSI, i.e. HDS (Health Data Hosting) and SecNumCloud, and expertise by the CNIL.

The CNAM’s advisors would like to be consulted beforehand and informed of the results of these CNIL certifications and assessments, before the SNDS is made available.

For the Council, security, which is at the heart of trust, is not fully guaranteed by the platform and therefore does not allow the SNDS to be hosted as it stands.

It calls for :

• to enshrine in the law the hosting of the SNDS on the national territory, by a company exclusively subject to the RGDP
• Opt for hosting with the most advanced level of certification, currently HDS and SecNumCloud
• to be regularly consulted in order to have clear and comprehensible information on the security of the data, and that everyone can fully exercise their rights (refusal of transmission, modification, deletion)

For a control of health data on a sovereign technological platform

On the issue of sovereignty, the CNAM Council also considered, in its last statement, that given the specific nature of health data with regard to their strategic importance, only a sovereign system that is solely subject to the RGPD will make it possible to gain the trust of insured persons in the use of their data

The hearings highlighted the fact that the issue of sovereignty was not a priority during the reflection on the digital health strategy and was therefore not an objective in the creation of the SDP. This was only seen from the perspective of reversibility, but without any real commitment to a possible migration to a sovereign host. 

The choice of an American cloud, as a more costly host for health data, was made in relative haste on the basis of a market study that probably did not allow French or European manufacturers to identify precisely the needs of the platform, and thus to propose an alternative that was just as effective. However, France, but also Europe, benefits from a favorable ecosystem thanks to recognized technological companies. There are now suppliers of resources and solutions, offering storage, operating and data security services, which the Joint Commission was able to interview

Given the numerous delays observed and announced, the urgency often put forward no longer seems to be a sufficient reason. It would therefore have been more appropriate to bring them together and to build with them a solution that meets the expected technical requirements within the timeframe, or even to propose another architecture that corresponds more closely to the operation of a hub.

Moreover, if the “Off the shell” solution, hosting and services, chosen could be an advantage for the platform, it may be an obstacle to changing operator, in the medium or long term, insofar as the dependence is increasingly strong.

In addition, at the request of the Ministry of Solidarity and Health, and in accordance with the State’s new cloud doctrine, the platform will have to change operator within a period of between 12 and 18 months and, in any event, not exceeding two years (deadline specified on the CNIL website).

 The members of the platform’s General Assembly, which met on January 19, 2022, took note of the action plan for this year. This plan includes the finalization of the qualification of the sovereign offers (9 sovereign hosting solutions eligible within the framework of the reversibility benchmark) and the preparation of the migration and its implementation, as well as the continuation of the reduction of the adherence to the current solution.

This shift, which responds to the concerns of the CNAM Board, nevertheless invites us to put in place a few safeguards to regain confidence in order to avoid the pitfalls experienced in the past:

• Make the reversibility benchmark public
• Commit to a very specific migration schedule
• Ensure the destruction of health data deposited on the current platform
• Proceed with a call for tenders following an independent audit
• Publish documents expressing the comprehensive specifications of the SDP

In conclusion, the CNAM Board reiterates its full support for the use of health data to improve the quality and efficiency of care, to participate in and improve health security, and to promote innovation and research in public health.

It welcomes the exceptional mechanism put in place by the CNAM to accelerate the provision of health data for projects authorized by the CNIL, which will mobilize additional human and technical resources, in particular through an increase in the number of agents on the health data platform (PDS), thereby increasing the capacity for matching, targeting and data extraction.

The CNAM Board therefore supports this strengthened partnership between CNAM and PDS, while the platform is brought into compliance with the State’s new cloud doctrine.

APPENDIX 1 : proposal list

• In terms of governance:

• strengthen the representation of the insured by including the President of the CNAM Council, or his representative, on the PDS Board of Directors
• strengthen the role of the platform’s general assembly, currently reduced to a recording chamber, by granting it control powers and the means to prepare the major strategic and political orientations to come
• to contribute, along with the PDS and the State, to the creation of a digital health charter based on ethical, deontological, human and environmental values
• rely on networks of local actors such as the local councils of health insurance funds by organizing public councils responsible for informing and training insured persons in the various uses.

• In terms of security:

• enshrine in the law the hosting of the SNDS on national territory by a company subject only to the GDPR
• Opt for hosting with the most advanced level of certification, currently HDS and SecNumCloud
• be regularly consulted in order to have clear and comprehensible information on the security of the data so that everyone can fully exercise their rights (refusal of transmission, modification, deletion)

• In matters of sovereignty:

• Make the reversibility benchmark public
• Commit to a very specific migration schedule
• Ensure the destruction of health data deposited on the current platform
• Proceed with a call for tenders with the establishment of an independent commission
• Publish documents expressing the comprehensive specifications of the SDP

APPENDIX 2: hearings of the Joint Commission

 Introduction on Wednesday, March 10, 2021 on the state’s digital strategy by Ms. Laura Létourneau, ministerial delegation for digital health.

• Session I : Friday 19 march 2021

The national and European legal context by Mrs. Valérie Peugeot, Commissioner in charge of the health sector, and her colleagues – CNIL

• Session II : Thursdays 15 April et 22 April 2021

Ethical aspects were discussed during two seminars:

1. one on the ethical aspects of medical and digital medicine, invited by P. Didier Sicard, Honorary President of the National Advisory Committee on Ethics
2. The other, on the activities of CESRESS, invited Mr. Bernard Nordlinger, President of CESREES, a committee placed under the HDH.

• Session III : Wednesday 19 May 2021

The challenges of data security, storage, etc. with Mr. Guillaume Poupard, Director General of the ANSSI.

• Session IV : Friday 11 June 2021

To better understand the French digital ecosystem through its players, three representatives of the digital health industry spoke:

1. Pascal Gayat – Director of Digital Influence, a digital consulting company
2. Mister Sylvain Rouri – OVH cloud
3. Madame Servane Augier – Outscale (Dassault système) et M. Stéphane Messika – Kynapse)

• Session V : Friday 24 September et Monday 8 November 2021

Algorithms, data use and data sharing were discussed in two seminars:

1. one by representatives of two start-ups, Mr. Olivier de Fresnoye, CEO of Echopen factory, and Mr. Gaëtan Dissiez, Machine Learning Engineer at ai.
2. the other by Mr. Frédéric Rimattéi, Deputy Director General of the CHU of Rennes.

• Session VI : Wednesday 1^er December 2021

On the strategy and governance of IT tools for the improvement of care processes within the University Hospital of Geneva (HUG) by Mr. Antoine Geissbuhler.

What lessons can be learned?

We can only note, as did the CNAM board, that the government, on an eminently strategic subject, grouping together all the health data, has shown a technocracy and a total opacity in the decision-making process!

The same council regrets the absence of a representative of the insured, and in its proposals for improving governance suggests that this should be remedied by including the President of the CNAM Council, or his representative, on the board of directors of the health platform.

He does not stop there, wanting to expand the role of the General Assembly of the health platform so that it ceases to be a registration body.

These proposals only highlight the opaque and authoritarian functioning of this project.

The CNAM board is re-emphasizing subjects that we have already discussed, and that do not infuse the high administration and/or government level, such as this major point: how to respond to the sovereignty of our data and to the respect of the #rgpd, when the provider is American.

Many pro-technology Americans, such as Secretary of State Cedric O, will say that there was no other choice because they are the most efficient. Let’s specify that the said Secretary of State is in fact a communicant from the private sector after a course at HEC, one of the “French” business schools completely under the influence of the American digital lobbies. Let’s note the typical example of the manager and/or communicator without any technical knowledge who now presides over the destiny of France through beautiful PowerPoints with a guaranteed wow effect but disconnected from the reality of the field!

Let’s not forget that the specifications were not communicated in April 2020 when the #PlayFranceDigital collective was born. Indeed, how can we say that the players cannot respond to the requests for functionalities, if these are not communicated to them?

Another point raised which is key from now on for any organization turning to cloud solutions, is to ensure the reversibility of the chosen solution, that is to say that the possibility of leaving a given provider is not theoretical but easy to implement …

The other important point to put in place, and which corresponds to legal obligations, is the need to proceed to a call for tender following an independent audit!

Conclusions

It seems that several actors are starting to understand the strategic importance of regaining our digital sovereignty. And this is an issue that is neither purely technical, nor purely “business”. Indeed, the world in which we live is returning to times of conflict, and we have allies who are not our friends, as the Australian submarine affair has shown us.

Decisions can no longer be made solely on the basis of supposed or real performance criteria, often pushed by large consulting firms or communications agencies that are completely committed to American solutions. What could be more natural given that they have built their entire business model on the implementation of these technologies and the associated skills. Besides, selling what makes their life easier is their motorcycle, not what is really in the interest of their clients…

It is time that, for projects of migration to the cloud, all public or private organizations take the time to consider all the dimensions that this represents, technical, environmental, geostrategic, social and finally financial. This is a fight that we must continue.