
European Health Data Space – Is the Proposed Certification System Effective against Cyber Threats?

Published online by Cambridge University Press:  18 April 2024

Federica Casarosa, Scuola Superiore di Studi Universitari e di Perfezionamento Sant'Anna, Pisa, Italy

Abstract

The proposal for a European Health Data Space aims to create a common space in which individuals can control their health data in a trusted and secure way. The objective is not only to improve healthcare delivery but also to enhance the opportunities to use health data for research and innovation. To achieve these results, the proposal implements a mandatory self-certification scheme for European health record systems as well as for wellness devices and applications, setting up essential requirements related to interoperability and security. Although this is the first intervention that sets a horizontal framework mandatory for all Member States, the security requirements included in the legislative proposal are not sufficiently detailed and comprehensive. Given that cyber threats are increasing and that security incidents affecting health data may potentially have an impact on the lives of patients, it is important that cybersecurity measures are adopted and implemented in the most effective way. The paper will analyse the European Health Data Space proposal, pointing to the open issues and doubts that may be emerging, and will compare them with the proposed Cyber Resilience Act, identifying the issues that this horizontal regulation may solve and the ones that instead remain open.

Type: Articles

Copyright: © The Author(s), 2024. Published by Cambridge University Press


References

1 Commission, “A European strategy for data” (Communication) COM(2020) 66 final.

2 Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act) (2022) OJ L 152/1.

3 Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act) (2023) OJ L2023/2854.

4 This data-driven approach vis-à-vis health data was already defined in Commission, “Enabling the digital transformation of health and care in the Digital Single Market; empowering citizens and building a healthier society” (Communication) COM(2018) 233 final. See P de Hert and A Kiseleva, “Creating a European Health Data Space: Obstacles in Four Key Legal Areas” (2021) European Pharmaceutical Law Review.

5 Commission, “Digital health data and services – The European health data space” (Consultation) which ran from 23 December 2020–04 February 2021, <https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12663-Digital-health-data-and-services-the-European-health-data-space_en> (last accessed 21 March 2024).

6 AEPD, “Approach to Data Spaces from GDPR Perspective” (AEPD 2023) <https://www.aepd.es/documento/approach-to-data-spaces-from-gdpr-perspective.pdf> (last accessed 21 March 2024); M Shabani, “Will the European Health Data Space Change Data Sharing Rules?” (2022) 375 Science 1357.

7 P Terzis, “Compromises and Asymmetries in the European Health Data Space” (2022) 30 European Journal of Health Law 345; Shabani (n 6); S Slokenberga, “Scientific Research Regime 2.0? Transformations of the Research Regime and the Protection of the Data Subject That the Proposed EHDS Regulation Promises to Bring Along” [2022] Technology and Regulation 135; S Slokenberga, O Tzortzatou and J Reichel (eds), GDPR and Biobanking: Individual Rights, Public Interest and Research Regulation across Europe, vol 43 (Springer International Publishing 2021); de Hert and Kiseleva (n 4); E Biasin, “Synthetic Data: Implications for Healthcare and Data Law” (2023).

8 Few exceptions are P Terzis and (E)OS Echeverria, “Interoperability and Governance in the European Health Data Space Regulation” (2023) Medical Law International 096853322311656; G Bincoletto, “Data Protection Issues in Cross-Border Interoperability of Electronic Health Record Systems within the European Union” (2020) 2 Data & Policy e3; C Stellmach, MR Muzoora and S Thun, “Digitalization of Health Data: Interoperability of the Proposed European Health Data Space” in P Scott and others (eds), Studies in Health Technology and Informatics (IOS Press 2022).

9 E Biasin and E Kamenjasevic, “Cybersecurity of Medical Devices: Regulatory Challenges in the European Union” in IG Cohen and others (eds), The Future of Medical Device Regulation (1st edn, Cambridge University Press 2022).

10 This contribution will not address the case of devices and applications that fall into the definition of medical devices, as they are covered by the rules defined in the Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (2017) OJ L117/1. For more discussion on this issue, see K Ludvigsen, S Nagaraja and A Daly, “When Is Software a Medical Device? Understanding and Determining the ‘Intention’ and Requirements for Software as a Medical Device in European Union Law” (2022) 13 European Journal of Risk Regulation 78.

11 Commission “Proposal for a Regulation (EU) of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020” <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52022PC0454> (last accessed 21 March 2024). Pending the publication, the Proposal was approved by the European Parliament on 12 March 2024. The article will refer to the latest version of the document, before the EP approval.

12 P Kierkegaard, “Electronic Health Record: Wiring Europe’s Healthcare” (2011) 27 Computer Law & Security Review 503.

13 S Hoffman, “EHR Data Security,” Electronic Health Records and Medical Big Data: Law and Policy (1st edn, Cambridge University Press 2016) 16–20.

14 For the initial (negative) evaluation of the EHR system adopted in US by doctors and medical experts, see ibid. 32–33.

15 See point 3 (d) of the Recommendation on cross-border interoperability of EHR systems.

16 Art 29 Working Party also highlighted this issue in the first appraisal of the EHR system. See Art 29 Working Party “Working Document on the processing of personal data relating to health in electronic health records (EHR)” (WP 131, 2007).

17 For an overview of the applicable national legislation, see A Essen and others, “Patient Access to Electronic Health Records: Differences across Ten Countries” (2018) 7 Health Policy and Technology 44, 45.

18 Commission, “European Electronic Health Record exchange format” (Recommendation) COM(2019) 800 final.

20 See Commission, “State of Health Preparedness Report” (Communication) COM(2022) 669 final, 8.

21 See Bincoletto (n 8).

22 Art 6 EHDS Proposal clarifies that the format includes three main elements: the datasets containing electronic health data and defining structures, the coding systems and values to be used in datasets containing electronic health data, and the technical specifications for the exchange of electronic health data. Art 6 should be read in the light of the Recital 72 EHDS proposal, which explicitly refers to the European Interoperability Framework and promotes its use to ensure legal, organisational, semantic and technical interoperability. See also W Li and P Quinn, “The European Health Data Space: An Expanded Right to Data Portability?” (2024) 52 Computer Law & Security Review 105913.

23 Note that according to point 3.4 Annex II EHDS, the logging information that should be recorded is the following:
“(a) identification of the health professional or other individual having accessed electronic health data;
(b) identification of the individual;
(c) categories of data accessed;
(d) time and date of access;
(e) origin(s) of data.”
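The five logging elements quoted above from Annex II point 3.4 define the minimum content of an EHR access record. The following is an added example, not part of the article or of the EHDS proposal, of a checker that flags access-log entries missing any of those elements; the JSON field names and the sample log lines are hypothetical and constructed for the example.

```python
import json
from datetime import datetime

# Annex II point 3.4 EHDS elements, keyed by this example's hypothetical field names.
REQUIRED_FIELDS = {
    "accessor_id": "(a) identification of the health professional or other individual",
    "patient_id": "(b) identification of the individual",
    "data_categories": "(c) categories of data accessed",
    "accessed_at": "(d) time and date of access",
    "origins": "(e) origin(s) of data",
}

def check_record(record: dict) -> list[str]:
    """Return the Annex II 3.4 elements this record fails to capture."""
    problems = []
    for field, element in REQUIRED_FIELDS.items():
        if record.get(field) in (None, "", [], {}):
            problems.append(f"missing {element}")
    # A timestamp has to be parseable, not merely present, to serve as evidence.
    ts = record.get("accessed_at")
    if ts:
        try:
            datetime.fromisoformat(ts)
        except (TypeError, ValueError):
            problems.append("(d) time and date of access is not ISO 8601")
    return problems

def audit_log(lines: list[str]) -> dict[int, list[str]]:
    """Check each JSON line; map 1-based line numbers to their problems."""
    findings = {}
    for n, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            findings[n] = ["unparseable log line"]
            continue
        problems = check_record(record)
        if problems:
            findings[n] = problems
    return findings

# Constructed sample access-log lines (not from any real EHR system): line 1 is
# complete, line 2 lacks origin(s), line 3 has an empty accessor and a free-text
# timestamp, line 4 is corrupted.
SAMPLE_LOG = [
    '{"accessor_id": "hp-0042", "patient_id": "pt-7781", "data_categories": ["lab-results"], "accessed_at": "2024-03-21T09:15:00+01:00", "origins": ["hospital-A"]}',
    '{"accessor_id": "hp-0042", "patient_id": "pt-7781", "data_categories": ["discharge-report"], "accessed_at": "2024-03-21T09:16:10+01:00"}',
    '{"accessor_id": "", "patient_id": "pt-9901", "data_categories": ["medication"], "accessed_at": "yesterday", "origins": ["pharmacy-B"]}',
    '{"accessor_id": "hp-0100", "patient_id": "pt-1',
]
```

Running `audit_log(SAMPLE_LOG)` reports lines 2, 3 and 4 and leaves line 1 unreported.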

24 Bincoletto (n 8).

25 Social engineering encompasses a broad range of activities that attempt to exploit human error or human behaviour with the objective of gaining access to information or services, see ENISA, “Health Threat Landscape” Report/Study 14 <https://www.enisa.europa.eu/publications/health-threat-landscape> (last accessed 21 March 2024).

26 See ibid.

27 See Italian Data Protection Authority, “Opinion on the Ministry of Health draft decree, to be adopted together with the Minister delegate for technological innovation and digital transition, in consultation with the Minister of Economy and Finance, on the Electronic Health Record (EHR)” (Opinion n. 256, 2023) <https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9900433> (last accessed 21 March 2024).

28 See ENISA, “Security and Resilience in eHealth Infrastructures and Services” (2015) Report/Study 21 <https://www.enisa.europa.eu/publications/security-and-resilience-in-ehealth-infrastructures-and-services> (last accessed 21 March 2024).

29 F Casarosa, “Cybersecurity Certification of Artificial Intelligence: A Missed Opportunity to Coordinate between the Artificial Intelligence Act and the Cybersecurity Act” (2022) 3 International Cybersecurity Law Review 115.

30 It is interesting that the EHDS Proposal does not mention the International Patient Summary developed by the European Committee for Standardization (CEN Technical Specification for the implementation guideline for European use of the International Patient Summary, CEN/TS 17288:2020) nor the ISO 23903 standard dedicated to interoperability and integration reference architecture. ISO/TC 215 Health informatics (2021) ISO 23903:2021, <https://www.iso.org/obp/ui/> (last accessed 21 March 2024).

31 See Art 28 EHDS Proposal.

32 See Art 31(7) EHDS Proposal. It must be noted that Art 28 EHDS Proposal clarifies that the market surveillance authorities will be subject to the rules defined in Regulation (EU) 2019/1020 of the European Parliament and of the Council of 20 June 2019 on market surveillance and compliance of products (2019) OJ L 169/1, thus allocating both the investigative and enforcement powers as regards the product’s compliance.

33 Art 2(2)(o) EHDS proposal.

34 As is underlined by an evaluation of the proposal by the EDPB and EDPS, it is clear that the quality requirements and characteristics of the health-related data generated by wellness applications are lower than those generated by medical devices. See EDPB-EDPS, Joint Opinion 03/2022 on the Proposal for a Regulation on the European Health Data Space, 12 July 2022, p. 12, <https://edpb.europa.eu/system/files/2022-07/edpb_edps_jointopinion_202203_europeanhealthdataspace_en.pdf> (last accessed 21 March 2024).

35 EDPB-EDPS (n 34).

36 It is important to note that the definition of “personal health data” provided by the EHDS proposal is inconsistent with the one provided in Art 4(15) GDPR and may lead to doubts on the accuracy and reliability of data. See the detailed analysis in Richard Rak, Internet of Healthcare (Law): Privacy and Data Protection Aspects in an Internet of Everything, (Doctoral Thesis, 2023) <http://amsdottorato.unibo.it/10715/1/RichardRudolfRak_DoctoralThesis_final.pdf> (last accessed 21 March 2023).

37 See Terzis and Santamaria Echeverria (n 8).

38 See Annex II, point 3 EHDS Proposal.

39 See Art 26 EHDS Proposal.

40 Art 2 (2) (q) EHDS Proposal.

41 Art 29 (4) EHDS Proposal.

42 Commission “The EU’s Cybersecurity Strategy for the Digital Decade” JOIN(2020) 18 final.

43 Art 3(1) CRA Proposal.

44 Art 3(2) CRA Proposal. Note that the CRA proposal does not cover the case of Software as a Service, as it may fall within the definition of cloud computing service providers, already included in the category of essential operators pursuant to Art 3 NIS 2 Directive.

45 Art 10 (1) and Annex I Part 1 CRA proposal.

46 CEN/CENELEC, “What is a standard?” <https://www.cencenelec.eu/european-standardization/european-standards/> (last accessed 21 March 2024).

47 Art 23 and Annex V CRA Proposal.

48 Art 10 (7) and Art 24 CRA proposal.

49 Art 43(1) CRA Proposal.

50 The CSIRT is the body designated according to the Directive 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) (2022) OJ L 333/80.

51 Art 11 (1) and (2) CRA Proposal.

52 Art 11 (4) CRA Proposal.

53 Art 23 (3) CRA Proposal.

54 ENISA (n 25) 3.