Your patient data must be sent to the US cloud – Norwegian data protection authority warns – NRK Norway – Overview of news from different parts of the country

In a conference room on the seventh floor of Helse Sør-Øst’s office in Oslo, two managers are trying to explain why the country’s largest healthcare company would want to put patients’ personal data on an American-owned cloud.

– We will use cloud services to create a quality service for patients when they arrive at the hospital and when they leave it. The system will record the patient’s outpatient attendance, name and social security number, and which outpatient clinic they go to, says managing director Terje Rootwelt at Helse Sør-East.

Helse Sør- Øst will begin rolling out the cloud service during the spring.

Sensitive personal data in the cloud

The cloud solution will contain information about whether a patient has, for example, cancer, heart problems, lung disease, abdominal disease, substance abuse problems, or suffers from a mental illness.

This is sensitive personal data that should not be accessed by unauthorized persons.

The country’s largest healthcare company responsible for healthcare services for 3.1 million Norwegians. Among the patients are the country’s leading figures in politics, society and business.

Now, sensitive personal data from these patients will be available on an American-owned cloud solution.

American and American companies are not safe

According to Norwegian and EuropeanIn accordance with European legislation, personal data cannot be shared with countries outside Europe, such as the United States. The reason is that there is no agreement on such transfer between the European Union and the United States of America.

– Today, the USA is not considered a safe country to send personal data to, says Line Coll Director of the Norwegian Data Protection Authority.

The risk is that sensitive personal data may be handed over to the authorities of other countries, if requested.

– As we understand it, the supplier of this system reserves the right to hand over data to authorities in countries outside Europe. Basically, Cole says, it’s not legal.

The management of Helse Sør Øst notes that the subcontractor is not located in the United States, but in Ireland, and that all data processing takes place in Europe. But the company responsible for the cloud service is owned by the American company Microsoft. Helse Sør -Øst management recognizes that the cloud provider cannot guarantee that the data will not be disclosed.

No, they can’t guarantee it, says Rootwelt.

Helse Sør-Est believes that American intelligence will not be interested in the data of the Norwegian patient and that there is little possibility in the future.

– We have looked at US legislation, and our lawyers have assessed that there is no reason why they would want to obtain information about health data, and this has not happened before, and we believe that in practice there would be no opportunity for that, says Roots.

According to a memo from Helse Sør-East that NRK has access to, they believe Microsoft has never received requests for access from US authorities to European public institutions.

The Norwegian Data Protection Authority does not have the same assessment as Helse Sør-Öst.

– The fact that it is unlikely that the information will be handed over to the US authorities is irrelevant on our part, says the director of “Kool” from the Norwegian Data Protection Authority.

The Danish Data Protection Authority warned a few weeks ago that financial pressures and cost cuts in hospitals could lead to weaker IT security and weaker privacy. The Authority believes that funds for IT security in the health sector are necessary.

cloud service now

The Norwegian Data Protection Authority Helse Sør Øst has given a series of advice on protecting sensitive patient data, so that personal data is not shared and the cloud solution becomes legal.

– We have given Helse Sør Øst concrete and practical advice on how to protect personal data in this system, for example by encryption or pseudonyms. So that the patient data cannot be read by the supplier or the US authorities or the authorities of 3 countries. We expect Helse Sør Øst to take our advice seriously, says Line Coll, director of the Norwegian Data Protection Authority.

But Helse Sør Øst management believes that it is not possible to make the information inaccessible to the company behind the cloud service by encryption or pseudonymization in Health Logistics.

– This cannot be done with a payment solution. After all, you have to know who the patients are, Rotwelt points out.

Personal data will be visible to the cloud provider during the treatment period until the patient pays for health services. It can be up to 30 days.

However, the manager stresses that encryption takes place during data transmission and during storage.

– We believe that information security will improve. Rootwelt says that development is moving in the direction of using cloud solutions, and the question is how can we do this in a secure way.

One solution is to wait

The Norwegian Data Protection Authority asserts that one solution is for Helse Sør-East to wait with a cloud service until the EU and US agree an agreement on personal data sharing.

But Helles-sur-Ost has no time to wait. The country’s largest healthcare company is building a number of new hospitals and is planning them with digital solutions and cloud services.

– We need to move forward in terms of new hospitals being built. If we had not considered this legal or justified, we would of course have chosen another solution, but it would have been difficult because planning for new hospitals has come so far. It certainly would have been more expensive and more complicated for hospital patients and staff, Rootwelt stresses.

– If they do not implement measures to protect personal data, they are liable for transferring personal data to a country where it is not legal to do so in the first place, says Coll at the Norwegian Data Protection Authority.