E-HEALTH IN THE CLOUD

NVvIR voorjaarsvergadering

17 June 2010 - Amsterdam


Avv. Dr. Paolo Balboni: TILT, EPA & IIP

www.europeanprivacyassociation.eu

www.istitutoitalianoprivacy.it

www.paolobalboni.eu


paolobalboni@istitutoitalianoprivacy.it


Introduction (i)


“In order to fulfil European recommendations, national requirements and to exploit the full value of e-health services, interoperability between different local and national Electronic Health Records (“EHRs”) has to be guaranteed (…)”


Introduction (ii)


“Given the strong focus on interoperability and the potential business efficiency impact of cloud models, a number of Local Healthcare Authorities (“LHAs”) are considering to jointly enter into an agreement with a national telco for the creation of their own cloud (…)”


Introduction (iii)


“(…) The LHAs plan to migrate to the cloud services, i.e., EHRs, EHFs, online reservation of health examinations, and other less critical services, e.g., back-end services, HR, payroll, e-learning.”


Structure of the Presentation

1. EU Regulatory Background
2. ENISA GovCloud Project
3. e-Health Scenario
4. Nailing Data Protection Issues
5. Few Preliminary Considerations
6. Q&A


EU Regulatory Background







Better informed, More efficient, Patient focused, a European market

E-Health action plan: COM(2004) 356 e-Health - making healthcare better for European citizens: an action plan for a European e-Health Area

i2010 Subgroup on eHealth

Lead Market Initiative - eHealth

Article 29 WP (WP 131/2007) Working Document on the processing of personal data relating to health in electronic health records (EHR)

COM(2008) 414 Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the application of patients' rights in cross-border healthcare

COM(2008) 415 A Community framework on the application of patients' rights in cross-border healthcare

Study on the Legal Framework for Interoperable e-Health in Europe (2009)


ENISA GovCloud Project (i)


Aim

To analyse and evaluate the impact that cloud computing has on the resilience and security of services in a governmental organisation, and to provide recommendations and good practices for EU Member States planning to migrate to cloud computing

Subject

Both services to citizens (eGov) and internal IT services (back end) are considered


ENISA GovCloud Project (ii)


Legal Aspects

Legal aspects are NOT the main focus of the paper, which is security and resilience

We are going to publish an annex to the main report with data protection and legal considerations

Background

The project has to be considered as a follow-up action to the work done by ENISA during 2009 and, in particular, to the report:

Cloud Computing: Benefits, risks and recommendations for information security


E-Health Scenario

The analysis will be based on 4 cases/scenarios:

1. E-Health - Local and Regional Healthcare Authorities
2. Local and Regional Public Administrations
3. Gov Cloud - Computing as a Service
4. Supra-National Cloud

E-Health questionnaire to be distributed to 2 Italian LHAs, NICTIZ and Rotterdam’s regional healthcare network


Nailing Data Protection Issues

Data Controller - Data Processor (Who is who?)

Article 2 (d) and (e) Directive 95/46/EC

Article 29 WP: Opinion 1/2010 on the concepts of "controller" and "processor"

EDPS: “Data Protection and Cloud Computing under EU law”, speech delivered by Peter Hustinx at the Third European Cyber Security Awareness Day, Brussels, 13 April 2010

Article 29 WP: Work Programme 2010-2011


Nailing Data Protection Issues

Does EU law apply?

(a) if the data controller has a relevant establishment in the EU and (b) if it uses equipment in the EU. Thus:

A cloud provider established in the EU - or acting as processor for a controller established in the EU - will in principle be 'caught' by EU law.

A cloud provider which uses equipment (such as servers) in an EU Member State - or acting as processor for a controller using such equipment - will also be caught.

A cloud provider in other cases - even if it mainly and mostly targets European citizens - would not be caught by EU law.

(Peter Hustinx - EDPS)


Nailing Data Protection Issues

Safeguards for Data Subjects

Right to create an EHR and/or EHF

Entities Processing the Data

How to access the EHR and/or an EHF

Data Subject’s Rights

Limitations on Data Dissemination and Cross-Border Data Flows

Information notice and Consent

Security Measures

(Communications to the Local DPAs)


Few Preliminary Considerations

Key Issues

Limitations on Data Dissemination and Cross-Border Data Flows

Security Measures (CAMM Project)

Thanks for your attention!

Q&A
