Commissioned by the Dutch Minister for Medical Care and Sport, we recently conducted a study into the desirability of using cloud platforms for the storage and potential further processing of medical data of Dutch patients. The advisory report that we have submitted to the minister following our research has now been published (in Dutch).
The reason for the research consisted mainly of various news articles (1, 2) from the Dutch newspaper Algemeen Dagblad (AD), in which the question was raised whether the storage and further processing of medical data of Dutch patients would be safe enough in Google's (business) cloud platform. The AD also wrote about the report we delivered. (Next time without a cookie wall please.) Below are our most important conclusions and recommendations.
The desire to go 'into the cloud' is very understandable, also for parties involved in healthcare. Cloud providers generally offer possibilities for processing and protection of (medical) data that cannot be easily matched by healthcare parties themselves. Parties that process medical data can take advantage of these possibilities.
Strict legal requirements apply to the processing of medical data, arising in particular from the GDPR. For example, it is mandatory to perform a risk analysis, to make contractual agreements to protect the data, and to take additional measures when medical data can be stored outside the EU. If the cloud provider and buyer both demonstrably meet these requirements, a high level of safety will be ensured while processing medical data in the cloud.
In order to effectively enforce compliance with the GDPR, it is required that the cloud provider has at least one establishment or storage location in the EU. This is the case with the most popular cloud providers. There is also significant innovation taking place with regard to certification mechanisms to monitor and demonstrate compliance. The aim is to ensure that verification of compliance is as independent, continuous (or frequent and unexpected), complete and specific as possible, so that the risk of non-compliance is minimized as far as possible.
A special aspect of cloud services is that a cloud provider can be subject to multiple legal systems. An American company that stores medical data of Dutch people for an Amsterdam hospital in its data centers in the EU is bound by the GDPR but also by orders from the American authorities to receive or inspect data under their control. This is possible, for example, in the context of criminal investigations and secret orders from US secret services. Cloud providers can be in a difficult position if US legislation, such as the CLOUD Act, obliges them to provide personal data of people in the EU directly, and not through a request for legal assistance to the authorities in the country, while the GDPR prohibits that. They must then choose to either comply with the GDPR or the US legislation. Negotiations are already under way between the US and the EU to resolve this problem.
Our advice to the minister in this context is to facilitate as much as possible that agreements are made with other countries so that the authorities of those countries will be obliged to respect the legal privilege of medical data of Dutch patients. This legal privilege means that healthcare providers and cloud providers who process medical data for them cannot be forced to provide such data. This is also important in connection with the proposed e-evidence regulation, which should also make it possible for authorities in the EU context to request data without traditional requests for mutual legal assistance.
Another important risk is posed by a court case currently conducted before the EU Court of Justice. It concerns two commonly used instruments for legalizing the transfer of personal data from the EU to the US, namely the Privacy Shield and the model clauses. These instruments may not provide sufficient real protection against inspection by US authorities. Due to the lawsuit there is a real risk that these instruments will soon have to be revised or replaced (again). However, this can also be regarded as an opportunity for both the EU and the US to provide privacy protection in the US that is truly equivalent to that in the EU.
When a cloud provider falls under the jurisdiction of a country where equivalent protection of medical data, including the (derived) right of non-disclosure, is not certain, it is desirable to encrypt medical data of Dutch patients before they are transferred to the cloud provider.
This technical measure can also further minimize other risks. Although the new certification mechanisms mentioned above are promising, they will not be able to fully exclude the risk of non-compliance by the cloud provider. By applying encryption where the key is always kept outside the control of the cloud provider, it is technically enforced that the cloud provider itself cannot view the data, nor provide access to foreign authorities. Such encryption must be implemented with great care, requires the necessary expertise, and can also entail costs, obstacles or other disadvantages. Insofar as health care providers and other parties are unable to do so, we recommend the minister to facilitate as much as possible.
Another technical measure that is particularly important for protecting medical data in cloud storage is the use of two-factor or multi-factor authentication for access. Technical measures must also be taken to check the proper functioning of access security (logging). Finally, both the user's traffic to the cloud provider and the storage of medical data at the cloud provider itself must be encrypted in order to optimally protect stored medical data.
Despite all the cutting-edge security measures that the major cloud providers have implemented, trust in them is not yet optimal. On the one hand this is caused by the fact that these companies are regularly in the news because of privacy violations in their services aimed at consumers and on the other hand because of the risk of access by foreign (in particular American) authorities. If the cloud providers succeed in addressing these legitimate concerns better, this can help them to further strengthen their position.
In part C of our advisory report we make a number of recommendations to cloud providers, (potential) customers of cloud services, and governments, all in the context of storage and potential further processing of medical data in the cloud.