The CNIL regretfully validates the hosting of health data at Microsoft


The GIP PDS, the public body charged by law with collecting the most important French health databases, has missed another opportunity to improve data protection and stimulate the European technology offering.

This is what the CNIL deplores in a widely discussed decision authorizing the public interest group ‘Health Data Platform’ to set up a data warehouse with Microsoft. The name of this project: EMC2.

A new data warehouse on the Microsoft cloud

Behind the name PDS hides the very controversial Health Data Hub, criticized from its origins for the choice of a foreign service provider subject to extraterritorial laws. This original decision now forces France to confirm the selection of a host “which does not benefit from SecNumCloud certification”.

While the CNIL regrets this, it can only note the exception that the Health Data Hub constitutes. For health data warehouses matched with the SNDS (National Health Data System), the regulator “has always asked project leaders (…) to ensure that the data host is not subject to non-European legislation.”

And “this recommendation had, until now, always been accepted”, recalls the Commission. The particularity of the Health Data Hub in this sector will therefore be maintained since the CNIL resolves to authorize the processing of new health data for three years via the European EMC2 project.

EMC2 is a health data warehouse intended to enable research, studies and evaluations to be carried out. It is the result of a call for tenders from the European Medicines Agency (EMA) for the creation of a database in order to conduct pharmacoepidemiology studies.

Retention justified by an expert mission

The CNIL had expressed reservations, wanting the warehouse “to be protected from any risk of communication of data to foreign states.” In response, the State set up an expert mission. Its conclusions explain the choice to retain Microsoft.

The mission considered in particular “that no potential service provider” was able to align with the technical and functional requirements of the GIP PDS “within a time frame compatible with the requirements” of the EMC2 project. In addition, the creation of a specific warehouse “could delay the migration of the hosting solution” of the GIP for all of its missions.

The experts also note that the development of a “trusted cloud” demonstrator, likely to be applied in the future to the Health Data Hub, “should continue over the coming years”. For these various reasons, the mission recommended keeping the current technical solution, namely Microsoft, pending a migration.

The CNIL therefore stands behind the conclusions of the mission commissioned by the State. It nevertheless deplores this, and on more than one count. The strategy for access by researchers to health data could have been an opportunity “to stimulate a European offer capable of meeting this need.”

Missed opportunity for the European offer

The original sin, however, is the choice of the public sector, from the founding of the health data platform, to opt for the cloud. This policy “has led to favoring offers from American players from whom it now appears difficult to break away in the short term despite the gradual emergence of sovereign suppliers.”

“The EMC2 project could have been retained by the GIP PDS to foreshadow the sovereign solution to which it must migrate,” underlines the CNIL. This is a missed opportunity. And the “commitments made to the EMA” immediately prevent a questionable choice from being remedied.

Examples illustrate that another policy is possible. In 2023, AP-HP signed a technological partnership with OVHcloud on health data warehouses. Its objective: to develop open source building blocks for the European ecosystem.

HOURAA, a new shared regional health data hub, brings together four French university hospitals and two technology companies, Thales and Docaposte, for its construction. Docaposte, a subsidiary of the La Poste group, is also a member of the consortium behind Numspot, a sovereign cloud provider.

Sovereign cloud providers stand ready

Alongside Dassault Systèmes, Bouygues Telecom and Banque des Territoires, Docaposte also considers Numspot capable of hosting the Health Data Hub, replacing Microsoft. The leaders of the consortium were very clear on this subject during a progress update to the press in November 2023.

“The HDS is a big debate. Like many, I consider health data to be among the most critical. And it would be good if we arrived at the end, I understand it is difficult immediately, to have an HDS which is close to the SecNumCloud, not to say which goes on SecNumCloud”, reacted its executive president, Alain Issarni.

Guillaume Poupard, deputy general director of Docaposte and former director of ANSSI, recognizes that health and education have been faced with a lack of offers. On the cloud, these players “maybe initially had no choice and we make a choice by default.”

SecNumCloud a must for the Health Data Hub

The security expert encourages these players “to ask the question again now that there is a solid trust offering” by reviewing their strategy and the choice of “North American clouders.” For Alain Issarni, a decision in a sector as sensitive as health cannot be based solely on functionalities, an area where hyperscalers dominate.

“We must not foster a complex (…) Talking only about functionalities is also the best way to forget about security. Features and security [legal] must be placed at the same level,” declares the boss of Numspot.

Laure Martin-Tervonen, director of public affairs at Cloud Temple, a French SecNumCloud and HDS qualified cloud provider, notes that compliance with the technical and functional requirements presented by the Health Data Hub will reach 95% in spring 2024.

She also recalls that the IGAS report of December 5, 2023 recommends “defining within six months the most appropriate sovereign transitional solution in the current state, in order to accelerate the provision of data from the main database of the SNDS.” Microsoft may not definitively have the last word.


