Keywords: European Health Data Space; GDPR; Health research data infrastructure; IMPaCT-Data; Information security; Spanish National Security Scheme

MeSH: Electronic Health Records; Computer Security; Precision Medicine / methods; Humans; Spain; Europe; Confidentiality

Source: DOI:10.1016/j.jbi.2024.104670

Abstract:
BACKGROUND: Art. 50 of the proposal for a Regulation on the European Health Data Space (EHDS) states that "health data access bodies shall provide access to electronic health data only through a secure processing environment, with technical and organizational measures and security and interoperability requirements".
OBJECTIVE: To identify specific security measures that nodes participating in health data spaces shall implement based on the results of the IMPaCT-Data project, whose goal is to facilitate the exchange of electronic health records (EHR) between public entities based in Spain and the secondary use of this information for precision medicine research in compliance with the General Data Protection Regulation (GDPR).
METHODS: This article presents an analysis of 24 out of a list of 72 security measures identified in the Spanish National Security Scheme (ENS) and adopted by members of the federated data infrastructure developed during the IMPaCT-Data project.
RESULTS: The IMPaCT-Data case helps clarify roles and responsibilities of entities willing to participate in the EHDS by reconciling technical system notions with the legal terminology. Most relevant security measures for Data Space Gatekeepers, Enablers and Prosumers are identified and explained.
CONCLUSIONS: The EHDS can only be viable as long as the fiduciary duty of care of public health authorities is preserved; this implies that the secondary use of personal data shall contribute to the public interest and/or to protect the vital interests of the data subjects. This condition can only be met if all nodes participating in a health data space adopt the appropriate organizational and technical security measures necessary to fulfill their role.