Cloud Temple, Docaposte, Oodrive, Outscale and OVHCloud publish a joint open letter on the strategic issues of digital security and sovereignty associated with the new standard for hosting healthcare data.
Trust and security: that's the least that citizens can expect when it comes to data as sensitive as their medical consultations, test results or operation reports... In this sense, the revised Health Data Hosting (HDS) certification standards, which guarantee the security of health data hosting, provide important guarantees. As European suppliers of cloud services, we have supported from the outset the objectives set out in the revision project launched in 2022 by the Délégation au Numérique en Santé and the Agence du Numérique en Santé.
This is the purpose of our first joint letter, published in February 2023, to reaffirm the importance of guaranteeing the protection of hosted health data, based on the dual requirements of digital security and sovereignty in the face of extraterritorial laws. This is also the essence of the work of the future "Trusted Digital Solutions" Strategic Committee, which aims to support the development of protective services that meet users' expectations.
While we support the new HDS standard, we are also reaffirming our call to go even further in protecting healthcare data when the new standard is revised in 2027. Here's a three-point anatomy of an unprecedented step forward that still needs to be amplified to provide lasting security for the digital transformation of healthcare.
Point 1: A more transparent and demanding benchmark for sovereignty
Protecting healthcare data in an increasingly connected sector means combating unauthorised access, whether from cybercriminals or third countries. Even today, this type of access compromises the control that users are entitled to demand over the use and processing of this particularly sensitive data. The most striking example is undoubtedly the Foreign Intelligence Surveillance Act. This controversial law, which the US government has just extended for two years, allows intelligence services across the Atlantic to access the data of non-American users without their knowledge.
Against this worrying backdrop, the issues at stake are not only digital, but also political, economic, societal and ethical. The new HDS standards formalise a number of advances in the control and transparency of healthcare data. The addition of a new section, comprising four requirements relating to data sovereignty, is the first firewall we were hoping for. By imposing the exclusive physical hosting of health data within the European Economic Area and strict transparency requirements, this section has the dual merit of improving data protection while increasing the level of information available to users, particularly about the risks of transferring their data outside the European Union.
Point 2: The French digital industry ready and committed to protecting European health data
These new advances in the HDS standard should make users more aware of the need for greater protection of their health data, and enable them to seize the opportunity, at a time when the French digital sector is being structured to better meet their expectations.
The official launch of the work of the "Trusted Digital Solutions" Strategic Committee on 15 May marks an important milestone in this respect. It is all the more significant in that it is taking root in a country, France, which has been a pioneer in data protection and the development of its industry. This Committee illustrates the industry's collective commitment to offering innovative digital services tailored to users' need for confidence. As the industry grows, the digital and technological autonomy of France and Europe is at stake. French players are already ready and able to meet the most stringent security requirements.
Point 3: The future version of the standard will have to be more ambitious to guarantee confidence
The Marchand-Arvier report published in January 2024 highlights the fact that the potential of our health data assets remains largely under-exploited, held back by long and complex processes and, above all, a lack of cooperation and trust within the ecosystem.
This is why we recognise that the development of the HDS standard is a positive first step, but one that must be followed by others: the next revision of the standard, already scheduled for 2027, must guarantee genuine sovereignty for health data, by requiring immunity from extraterritorial laws. This level of protection must go beyond the mere requirement of data localisation, which is insufficient to protect data against any access by third countries. We therefore need to align ourselves with the criteria set out in chapter 19.6 of the SecNumCloud 3.2 guidelines issued by the French National Agency for Information Systems Security (ANSSI) to ensure real control over data and restore confidence within the ecosystem. This development is also in line with the impetus given by the law on "securing and regulating the digital space", which will require certain public sector data to be hosted on cloud services that guarantee the highest standards of security and data protection.
In an uncertain geopolitical context, and given the inestimable value of health data, we are defending a resolutely European and ethical model of society, in the interests of organisations and citizens. We, the European cloud industry, are calling for digital healthcare that simplifies, innovates and protects.