A choice of "opportunity" to "go fast"

The choice of Microsoft Azure was criticized by several dozen professionals from the health and medical informatics sector in a column published by Le Monde, and was the subject of articles in that newspaper and in Mediapart in early December.

The main criticisms concern the choice of an American company, which poses a security risk and a risk of "digital captivity", in particular because of the Cloud Act, a law allowing the American justice system to access data stored on servers located outside the United States.

Microsoft Azure provides in particular "storage, management of logs and directories" and the computing power of the hub, said Stéphanie Combes.

Asked about this choice, she replied that "we needed a state-of-the-art platform, and it is not the role of the Ministry of Solidarity and Health to build it". "We were aware that this is not an ideal and potentially controversial choice. We would have preferred a French actor," she said.

At the launch of the Health Data Hub in the fall of 2018, "we met all the players in the ecosystem," she recounted. "We started with the French players: Thalès, OVH, Atos … None were able to do what we asked. Then we met Google, Amazon Web Services (AWS) and Microsoft."

The latter was "the only one capable of responding to our requests," said the director of the hub. "We preferred to go fast so as not to fall behind and penalize France compared to other countries".

Microsoft was then "the only certified company hosting health data (HDS) on the six activities" covered by the regulations, said Jean-Renaud Roy, director of "corporate affairs" at Microsoft France, during his hearing on December 20 by the National Assembly's mission for the evaluation and control of social security financing laws (Mecss). Stéphanie Combes also put forward this argument.

"If there had been an alternative, we would have had to go through a public market and the procedure would have been much longer," said Stéphanie Combes.

A "public market exemption" is possible "if a single company is able to respond to the offer," said Pierre Desmarais, a lawyer specializing in digital and data law, contacted by TICsanté. Since Microsoft was one of the only companies certified at the time, "it's not inconsistent," he commented.

For its part, Microsoft argues that it "is only a provider of cloud technologies, artificial intelligence (AI) and data handling" and "does not have to know the hosted data", said Jean-Renaud Roy.

Azure "is just one technological brick among others," confirmed Stéphanie Combes. "The data will be pseudonymized and encrypted, and Microsoft will not have the encryption key."

"Overall positive" security assessment

Asked by Mecss about data security, Laurent Schlosser, public sector director at Microsoft France, also highlighted the fact that Microsoft will not be able to decrypt the data, and that it will be pseudonymized.

"We have mounted a defense-in-depth architecture in which Microsoft is only one brick among others," Stéphanie Combes told TICsanté.

A security audit of the entire hub was carried out with the support of the national information systems security agency (Anssi), which "supports" its development. The hub was subjected to "nine cyber attack scenarios", and the results were "generally positive".

The centralization of data in the Health Data Hub was also presented as a security risk factor in the column published in Le Monde.

"If we want to do data processing on this scale, we have to centralize, it is the only solution," observed Stéphanie Combes. "Today, the reality on the ground is that data is processed without any security requirements," she added.

ANSSI was asked before Mecss about the risk posed by the centralization of data. For Yves Verhoeven, the agency's deputy strategy director, centralization makes it possible "to increase the level of security".

"Today, the capacity to bring good digital practices is relatively limited in the healthcare world. The human resources capacity in cybersecurity is also limited. There is a great heterogeneity of information systems, but a weak level of security. Rationalization is the way of reason," he said.

For Microsoft, "there is no problem" with the Cloud Act

On the Cloud Act, Stéphanie Combes, like the Microsoft officials interviewed by Mecss, highlighted the fact that this law concerns criminal investigations in matters of crime and terrorism.

"There is no problem on our side," Jean-Renaud Roy told Mecss.

Pierre Desmarais explained that American law "effectively provides that any American service provider operating outside the United States may be required to provide information" to the American government, or even to American governments if bilateral agreements so provide.

But "the injunction must relate to a crime or a terrorist act, so a priori health data are not concerned". It must "target precise and nominative data, so it is difficult to see how a judge could be interested in health data".

The injunction can be challenged "when the request does not concern a US citizen or a person residing in the United States and it violates a foreign law, and we have the GDPR (the European General Data Protection Regulation, editor's note) and the public health code." Finally, "the Cloud Act requires the transmission of data but not their decryption," he explained.

Asked about the risk of captive data, Stéphanie Combes indicated that the hub will not use proprietary formats, and that Azure "provides virtual desktops that will run open source software or captive software".
