By Nathalie Boudet-Gizardin, Marine Vanhoucke, associated, Patricia Bodalo, collaborator and Linah Bonneville, intern
SPECIAL FILE | Sensitivity of health data: measure the importance of impact analysis!
“Sensitive” data
All players in the world of health are concerned. All hospitals, clinics, pharmacies, medical analysis laboratories, assistance companies and healthcare professionals must ensure the protection of the personal data of the patients they care for.
Health data is indeed considered as “sensitive” data., i.e. high risk, by the General Data Protection Regulation (EU 2016/679) more commonly known as the GDPR.
They are thus defined in its article 4.1 as:
“Personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information about the state of health of that person. »
The processing of personal health data is therefore particularly regulated, in particular in the fields of preventive medicine and occupational medicine (when assessing the ability to work of employees, medical diagnoses, health and social care, or the management of systems, health care and social protection services). There is also the question of their legal protection in the face of the proliferation of health innovation projects.
The CNIL (Commission Nationale de l'Informatique et des Libertés) specifies that health data are:
- “information relating to a natural person collected when registering to benefit from health care services or when providing these services : a specific number, symbol or element assigned to a natural person to uniquely identify him for health purposes;
- information obtained during the test or examination of a part of the body or bodily substance, including from genetic data and biological samples;
- information concerning an illness, disability, risk of illness, medical history, clinical treatment or the physiological or biomedical state of the data subject (irrespective of its source, whether it comes for example from a doctor or other healthcare professional, a hospital, a medical device or an in vitro diagnostic test);
- certain measurement data from which it is possible to deduce information on the state of health of the person. »
Health data is all the more sensitive and confidential, as it contains personally identifiable information (PII) such as name, date of birth, health insurance numbers, medical diagnoses of patients…
Health data and cyberattack risk
Cyberattacks in the field of health are unfortunately recurrent in France and abroad and can take various forms such as theft, manipulation of data, unauthorized access to health systems, even the interruption of health services. health.
This is how in Spain, on March 5, one of the main hospitals in Barcelona, the Hospital Clinic, saw its computer system completely blocked. Hundreds of surgeries and thousands of consultations have been canceled. RamsonHouse, the author of the attack, had requested the payment of a sum of 4,5 million dollars to release the encrypted information and had made public on the dark web part of the information stolen from the hospital. As the confidentiality of the data was compromised, the hospital had to inform its patients, staff and partners, in accordance with the GDPR.
On March 17, Alliance Healthcare, Spain's fourth-largest drug distributor, was also the victim of a cyberattack. The latter, however, indicated that the patient data had not been stolen.
There are also many recent cyberattacks that have occurred in French hospitals, for example within the hospital centers of Dax, Villefranche-sur-Saône, Oloron-Sainte-Marie or even the Health Foundation for Students of France (FSEF) with more or less publicized consequences.
The CNIL is therefore particularly interested in the field of health and does not hesitate to sanction breaches that may facilitate cyberattacks.
Thus, DEDALUS BIOLOGY, a company marketing software solutions for medical analysis laboratories, was condemned by the CNIL on April 15, 2022.[1] to pay a fine of 1,5 million euros due to a security breach. Many technical and organizational shortcomings in terms of security had indeed been observed, leading to a massive leak of medical data. The data not being encrypted despite their sensitive nature, this had made it possible to disseminate the confidential information of nearly 500 patients on the Internet.
The company DOCTISSIMO has also just been sanctioned, on May 11, 2023, with a fine of €380.000 by the CNIL, for having committed four breaches of the GDPR, more specifically the obligation to retain data for a limited period of time. objective sought (article 5.1.e of the GDPR), the obligation to obtain the consent of individuals to collect their health data (article 9 of the GDPR), the obligation to regulate by contract the processing carried out with another controller of processing (Article 26 of the GDPR), and the obligation to ensure the security of personal data (Article 32 of the GDPR). On this occasion, the CNIL also noted a breach of the obligations related to the use of cookies (article 82 of the Data Protection Act)
The DPIA: a means of preventing cyberattacks
The risks of cyberattacks related to health data are of increasing concern as health systems adopt digital technologies for the management of medical records.
In this context, the GDPR provides for the obligation to carry out a Data Protection Impact Assessment (DPIA) when the processing of personal data is likely to create a high risk for the rights and freedoms of data subjects (Article 35). It generally aims to study the risks to data security (confidentiality, integrity and availability) as well as their potential impact on the privacy of the persons concerned, in order to determine the appropriate protection and risk reduction measures.
Article 35.7 of the Regulation specifies that the impact analysis must contain:
“a) a systematic description of the processing operations envisaged and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
c) an assessment of the risks to the rights and freedoms of data subjects in accordance with paragraph 1; And
d) the measures envisaged to deal with the risks, including the safeguards, measures and security mechanisms aimed at ensuring the protection of personal data and providing evidence of compliance with this Regulation, taking into account the rights and legitimate interests data subjects and other affected persons. »
The DPIA therefore constitutes a tool for assessing the risks associated with the processing of personal data, including those related to cybersecurity.
When an organization performs a DPIA, it examines in detail the different dimensions of data processing, in particular the security measures put in place to protect this data against cyberattacks. This requires the assessment of potential computer system vulnerabilities, measures to protect data in transit and at rest, protocols for managing access and authentications, and mechanisms for detecting and responding to cybersecurity incidents.
By identifying the potential risks of cyberattacks within the framework of the DPIA, an organization can put in place appropriate security measures in order to mitigate these risks (implementation of encryption technologies, firewalls, detection solutions intrusions and regular data backups, etc.).
The aim of the DPIA is therefore to ensure that personal data is treated securely and in accordance with data protection requirements., including protection against cyberattacks. By identifying the risks associated with cybersecurity and putting in place adequate measures, organizations can strengthen their security posture and minimize the potential consequences of cyberattacks on personal data.
The need for DPIA
In the field of health, there are a large number of data processing operations likely to create a high risk for the rights and freedoms of natural persons. The AIPD is therefore essential in many cases, not only to reduce cyberattacks but more generally to strengthen the protection of patient data.
The European Data Protection Board has listed 9 situations requiring the completion of a DPIA[2]such as the analysis of highly personal data or the use of new technologies. A company carrying out data processing corresponding to at least two of these situations must necessarily carry out an impact analysis.
Otherwise, the CNIL has listed 14 processing operations that must also be subject to a DPIA. [3]
The following are thus in particular subject to the completion of a DPIA:
- the processing of health data implemented by health or medico-social establishments for the care of individuals;
- processing involving the genetic data of vulnerable people (patients, etc.);
- the processing of health data necessary for the constitution of a personal data warehouse or a register to serve research purposes.
On the other hand, the processing of health data necessary for the care of a patient by a health professional practicing in an individual capacity, whether within a practice, a pharmacy or a medical biology laboratory. This nomenclature includes in particular the management of appointments, medical records, editing of prescriptions, patient follow-up, establishment and remote transmission of care sheets, communication between professionals and accounting.[4].
Medical research organizations are also affected by the AIPD. In this context, the CNIL checked two organizations between January and July 2022 which had not carried out a DPIA before carrying out their research. It was found that the information provided to research participants was incomplete, specifying neither the nature of the data collected nor their retention period. Furthermore, some documents did not mention the contact details of the data protection officer or the possibility of appealing to the CNIL. Finally, an information notice incorrectly claimed that the data was anonymized, when it was pseudo-anonymization.
In response to these shortcomings and although the data processing concerned by these shortcomings has ceased, the CNIL recalled that health research must either be the subject of direct authorization by itself, or comply with the methodology reference. In these two hypotheses, the research must therefore be the subject of a DPIA[5].
These controls demonstrate the increased attention of the CNIL in the application of the GDPR, more specifically in its provisions applicable to health data, and the strengthening of the obligations weighing on health actors in this area. As a reminder, the CNIL can sanction a breach of the GDPR with a fine of up to 20 million euros or 4% of worldwide turnover.
So be vigilant with your patients' health data!
[1] Deliberation SAN-2022-009 of April 15, 2022 https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000045614368?init=true&page=1&query=san-2022-009&searchField=ALL&tab_selection=all
[2] Guidelines on Data Protection Impact Assessment (DPIA) and how to determine whether processing is "likely to create a high risk" for the purposes of Regulation (EU) 2016/679, https:/ /www.cnil.fr/sites/default/files/atoms/files/wp248_rev.01_fr.pdf
[3] List of the 14 processing operations of the CNIL: https://www.cnil.fr/sites/default/files/atoms/files/liste-traitements-aipd-requise.pdf
[4]CNIL, List of types of processing operations for which a data protection impact analysis is not required, https://www.cnil.fr/sites/default/files/atoms/files/liste -aipd-treatments-not-required.pdf
[5] CNIL, Reference Methodologies: MR-001, MR-002, MR-003, MR-004, MR-005, MR-006
Nathalie Boudet-Gizardin
Partner
Expert in health law and regulated professions (advice and litigation), she works in various fields: structuring the activity of health professionals, advice on the regulatory and ethical aspects of their activity, defense of health actors in complex litigation, corporate health, civil and disciplinary litigation of regulated professions.
Marine Vanhoucke
Partner
Marine Vanhoucke advises companies on Intellectual property and accompanies them on their subjects of Compliance.
Head of Hong Kong office, she assists French companies in their establishment and growth in Asia and has built up expertise in legal issues of international law, notably combining French and Asian interests.