Sites Inria

Version française


F. Polge-Cohen - 11/06/2019

FUTUR.E.S : what protection for our health data?

The 10th edition of Futur.e.s will be held at the Mobilier National - Galeries des Gobelins from 13 to 14 June 2019. The first European festival of digital and sustainable innovation, Futur.e.s gives visitors the opportunity to explore different possible futures together and to give expression to digital plurality.
Cédric Lauradoux, an Inria researcher with the Privatics team, will be taking part in a round table entitled “Will there be a Cambridge Analytica for our health data ?”

Cédric Lauradoux focused on privacy issues when he first joined the Privatics team at Inria Grenoble - Rhône-Alpes in 2011. After studying cryptography and protection of privacy issues, he is now focusing on legal aspects. He believes a critical need now exists for reviewing all scientific technology from a legal perspective, to keep pace with civil society by responding to the following questions: Where are we headed? What is being done? Why are we doing it ?

Should we be concerned about health data breaches ?

Personal health data is considered sensitive within the meaning of the General Data Protection Regulation. This data relates to the future or present state of physical or mental health of an identified or identifiable natural person.
Cédric Lauradoux believes the question of data leaks is a legitimate one. Data leaks are a growing phenomenon and are inevitable, due to either human error or hackers.
Furthermore, there is cause for concern when we see various initiatives taking shape in our regions, without any established standards or standardised tools for processing medical data. As in other fields, there are bad practices being used in the medical community, such as exchanging data about a patient via email.

How can we manage and protect this personal data ? Through centralisation or fragmentation ?

The most distressing fact is that, in all likelihood, data leaks have already occurred. Yet it is difficult to detect them, either because the medical data is highly fragmented, or because the hackers succeeded in concealing their attacks.

Currently, the main data management model is centralised: a data controller manages all the data for an individual. This model simplifies many issues in terms of data protection, yet it clearly has not succeeded in protecting us from massive data leaks.
Data fragmentation involves distributing the data to mitigate the problem of leaks. Therefore, by fragmenting personal data, we prevent instances of one person’s error causing a massive data leak. Furthermore, in the event of an attack, someone might access a fragment of the data, but could not access the data in its entirety. The disadvantage of this solution is that each fragment of data must be secured to avoid mini data leaks.

We must therefore use caution concerning the goal of pooling all medical data management applications–on the one hand because this is a move towards the use of smartphones and, on the other hand, because it means centralization.

Many initiatives exist in regional hospitals and teaching hospitals for securing medical data. Each institution ensures the security of its medical data in its own way, which leads to fragmentation and contributes to limiting data leaks. On the other hand, it is extremely difficult to obtain an overall picture of the way medical data is protected.

Keywords: Cédric Lauradoux Health data Privatics Futur en Seine Futur.e.s