In early December 2022, the Versailles hospital centre was the victim of a major cyber attack which left its information system crippled. This attack once again puts the issue of the protection of health data centre stage, as such sensitive data is particularly sought-after by cyber criminals who then resell it on the Dark Web. As a result, healthcare establishments are among the hardest hit victims of cyber attacks: in 2021, more than 730 incidents were recorded in the health sector alone, i.e. more than double the previous year (source). Luckily, solutions to protect this data exist and offer optimum security for patients, provided by certified HDS providers, like Oodrive Work used by the Université Libre de Bruxelles, Belgium.
Are health data badly protected in France?
The cyber attack on the Versailles hospitals is far from an isolated incident. A few months earlier, the Corbeil-Essonnes hospital centre suffered a catastrophic attack on its computer system, leading to the theft of a significant amount of health data and causing major disruptions to the operations of related establishments.
Can we conclude that health data are badly protected in France? While this is a difficult question, it is true that French hospitals lack the resources to fight against cyber attacks, which are becoming more aggressive and sophisticated. Given the challenges faced on a daily basis by public hospitals in France (understaffing, cuts in funding, bed closures, etc.), issues related to cybersecurity and data sovereignty all too often take a back seat.
A textbook case study: the Health Data Hub scandal
The situation gets even more complicated when we consider the sharing of health data. The scandal sparked by the implementation of the Health Data Hub in 2019 is a clear example of the limits of government initiatives. The HDH aggregates data from the National Healthcare Data System to enhance the quality of care and support for patients and to promote research.
The problem is that the hosting of this data is provided by Microsoft, a company governed by US law and therefore by the Cloud Act, which enables the US government to seize any data hosted by a company whose headquarters is located on US territory. Although a migration of the data to a sovereign French or European solution is planned, it is unlikely to take place before 2025, and that assumes academic hospitals can be convinced of the merit of such a migration, considering that they already use tools provided almost free of charge by Microsoft.
The issue of data protection therefore goes hand in hand with the concept of technological dependence on foreign solutions. Yet, in the French ecosystem, Cloud service providers capable of hosting health data in total security exist: they are easily identifiable, at present, thanks to the HDS certification.
What is the regulatory framework governing health data?
Within the framework of Cloud hosting and data processing, in France and indeed throughout Europe, health data benefits from an increasingly stringent legal framework. Considered “sensitive”, health data is governed by the GDPR at the European level, in turn transposed into French law and subject to strict supervision by the CNIL, the French Data Protection Authority. This framework requires data controllers to provide optimal protection of users’ personal data, and in particular health data.
As a result, all organisations (public or private) that host or process such sensitive data must be HDS certified (Hébergeurs de Données de Santé – Health Data Hosting partners). This certification is designed to guarantee the quality of hosting services provided for health data, via reinforced security measures. In practice, it adds a further level of security on top of the ISO 27001 standard for information security management systems. The certification is issued by a body certified by Cofrac, after audits dedicated to both the ISO standard and the HDS certification have been carried out.
The Oodrive Work solution to protect your health data: the case of ULB
The case of the neonatal testing centre at the Université Libre de Bruxelles, which has been using the Oodrive Work solution since October 2022, clearly illustrates the appeal of using a tool dedicated to data protection and supplied by an HDS-certified provider.
The testing centre analyses the results of blood tests carried out on close to 50,000 newborn babies. This systematic testing enables the identification of invisible infections at birth to ensure early treatment.
Once the results are known, the ULB shares the data with the relevant maternity services, external to the university campus.
“Transmission of the results is a key stage in the testing process. Communication between the testing centre and maternity services is therefore a significant part of our activities,” underlined Lionel Marcelis, Laboratory Manager.
These data are ultra-sensitive, so confidentiality must be guaranteed. The centre was therefore looking for an HDS-certified Cloud service provider: “the solutions used before were not satisfactory, as they were too heavy, too slow, and not secure enough”.
The benefits provided by Oodrive Work
Hence the decision to use Oodrive Work, a platform for sharing sensitive documents and collaborative work designed by Oodrive. The solution, well known to ULB for a number of years as it is used by a partner hospital, addresses all of the needs of the testing centre: rapid and intuitive, it offers a high level of security, but also availability, which is essential considering that “results can potentially be vitally important for newborns and must be available to maternity departments as quickly as possible”, underlined Lionel Marcelis.
Thanks to Oodrive Work, each maternity service has access to a secure space which centralises all communication. Oodrive’s HDS certification was essential for ULB, particularly because the health data is hosted in French data centres.
Beyond the example of ULB, the relevance of a solution such as Oodrive Work shows that it is possible, within France, to take advantage of serious, quality tools which guarantee the security and sovereignty of data, and in turn its confidentiality. For healthcare facilities, this must gradually become an absolute priority.