Digital Consultancy & Business (EN) Featured-Post-ConsultingAudit-EN

Health Data: Hosting Patient Records and Medical Data in Switzerland

By Benjamin Massa
Views: 2286

Increasing digitalization in the healthcare sector

The importance of digitalization in the healthcare sector is undeniable. Organizations seek to optimize their processes, improve the quality of care, and enhance the confidentiality of medical information. The growing integration of artificial intelligence in healthcare also opens up new perspectives, with the collection of data from a multitude of medical devices. These data, valuable nuggets of information, allow for refining diagnoses and patient profiles, bringing medicine closer to a personalized approach.

Significant legal challenges in Switzerland

However, these technological advances, whether in telemedicine, connected devices (IoT), or business applications, software, or computerized patient records, raise legal questions, especially regarding the hosting of health data. Many providers of telemonitoring devices, patient record digitization, or custom application and software developers opt for storage on cloud servers. This raises questions about the legitimacy of outsourcing this data, whether hosting can be done in Switzerland or abroad, and also raises questions about security and regulatory compliance more generally.

In this article, we will explore what Swiss law says and what the best practices are for managing and hosting patient and health data. We will also address crucial points for securing a server intended to host sensitive data in Switzerland. Examples of secure digitizations carried out by our teams will also be provided.

Edana is Your Digital Agency in Switzerland

We support you from strategy to execution

Respect for medical confidentiality and data protection (LPD)

Article 10a, paragraph 1 of the Swiss Data Protection Act (LPD) authorizes the processing of personal data by a third party under certain conditions. However, the question arises regarding compliance with medical confidentiality (art. 321 CP) in the transfer of data to third parties, especially to IT service providers.

The majority doctrine considers IT service providers as “auxiliaries” of healthcare professionals, allowing them to subcontract data processing without violating professional secrecy. However, this qualification poses a problem when the provider hosts the data abroad.

Hosting health data abroad (Azure cloud, AWS, etc.): A legal puzzle

Article 6, paragraph 1 of the LPD prohibits the transfer of personal data abroad if the personalities of the individuals concerned are seriously threatened due to the absence of legislation ensuring an adequate level of protection. However, the transfer may be authorized under certain conditions, such as sufficient contractual guarantees.

However, doctrine emphasizes that hosting medical data abroad may result in a breach of professional secrecy. The risk is exacerbated by the uncertainty regarding the applicability of art. 321 CP abroad and the possibility that a foreign authority may request the disclosure of this data.

This is one of the reasons why cloud services offered by web giants such as Amazon and Google such as Azure, AWS, Digital Ocean, Linode, etc., are generally to be avoided for hosting such sensitive data. Although some of these giants are starting to establish data centers in Switzerland, they are still controlled by foreign parent companies. From a purely ethical point of view, it remains safer to turn to a completely Swiss provider.

Our customized solution for Filinea and its data management

As experts in custom business software development and digital transformation, we have assisted various Swiss companies in storing and handling patient data and sensitive data as well as increasing their profitability and optimizing their operations.

Filinea is a company mandated by the state of Geneva to support young people in difficult situations. To optimize the daily work of its thirty or so employees, the company entrusted us with the development of a custom internal software. The management and storage of sensitive data (including medical data) were included, all of which are stored on a secure server located in Switzerland that our engineers deployed and manage according to appropriate security standards.

Discover the Filinea case study

Create your own secure digital ecosystem

In the following sections of this article, we will provide various technical and administrative recommendations regarding the protection of health data that we apply when designing our projects handling patient and health data in Switzerland.

Recommendations from our experts for prudent management of patients and medical data in Switzerland

Faced with these challenges, recommendations emerge to ensure the security of health data:

1. Prefer hosting in Switzerland

Opt for hosting providers in Switzerland as much as possible, benefiting from a strong reputation for data protection.

2. Ensure anonymization of health data

In case hosting in Switzerland is not possible, ensure that data is anonymized end-to-end, with the private key held by the data controller.

3. Obtain patient consent

If transfer abroad is unavoidable, obtain explicit consent from the patient for the transfer, thus lifting medical confidentiality.

4. Risk assessment

If transferring to a provider outside of countries recognized as offering adequate protection is the only option, carefully assess the risks and obtain explicit consent from the patient as well as lifting medical confidentiality.

5. Avoid violating medical confidentiality at all costs

If none of the previous options are possible (or in case of patient refusal), refrain from transferring data to avoid a breach of medical confidentiality.

Contact our experts to discuss your digitalization in complete safety

How to secure a server to host sensitive data such as patient data?

Hosting a server within a Swiss data center is not enough. Securing such a machine intended to host medical data is a crucial task that requires a rigorous and attentive approach. Confidentiality, integrity, and availability of data must be guaranteed to comply with security standards and protect sensitive information in the medical field. Here are some recommendations for securing a web server hosting medical data:

1. Encryption of communications

Use the HTTPS protocol (SSL/TLS) to encrypt all communications between the web server and users. This ensures the confidentiality of data transmitted between the server and users’ browsers. Be sure to use advanced encryption protocols and avoid weak encryption such as 128-bit whenever possible. Also, use a recognized and reliable certification entity.

2. Regular update of the operating system (OS) and software

Regularly apply security updates to the operating system, web servers, databases, and any third-party software installed on the server. Known vulnerabilities are often addressed by these updates.

3. Firewall and packet filters (Firewall)

Set up a firewall to filter incoming and outgoing network traffic. Limit server access to authorized IP addresses and block any unnecessary traffic.

4. Strict access control

Implement rigorous access control mechanisms. Limit access to medical data only to authorized users. Use individual user accounts with appropriate privileges.

5. Server monitoring

Implement server monitoring tools to detect suspicious activities, intrusion attempts, or abnormal variations in traffic. Well-configured activity logs can help identify potential issues.

6. Regular backups

Regularly back up medical data. Store these backups in a secure location, ideally off-site, to ensure recovery in case of data loss or a major incident.

7. Vulnerability management

Conduct regular security scans to identify and address potential vulnerabilities. Intrusion testing and security audits help ensure system robustness.

8. Strong password policies

Implement strong password policies. Require complex passwords, encourage frequent password changes, and use two-factor authentication mechanisms.

9. Isolation of services within the secure server

Isolate services on the server as much as possible. For example, run the database on a separate server and limit access to other services only to necessary machines.

Implement a secure, customized solution to manage my patient data

In summary: managing and hosting patient records in Switzerland

In conclusion, the dilemma of hosting health data in the era of artificial intelligence and digitization of companies and organizations raises complex issues, requiring a thoughtful approach in line with Swiss legal requirements. Respect for medical confidentiality and data protection should guide healthcare professionals’ choices in an ever-evolving digital landscape.

Hosting on a server located in Swiss territory and securing this server with reinforced cybersecurity measures is imperative to comply with current legislation and protect patient data as well as any sensitive data in general.

By Benjamin

Digital expert


Benjamin Massa

Benjamin is an experienced strategy consultant with 360° skills and a strong mastery of the digital markets across various industries. He advises our clients on strategic and operational matters and elaborates powerful tailor made solutions allowing organizations and entrepreneur to achieve their goals. Building the digital leaders of tomorrow is his day-to-day job.


Let’s Talk About You

A few lines are enough to start the conversation! Write to us and one of our specialists will get back to you within 24 hours.


Don’t miss Our Strategists’ Advice

Get our insights, the latest digital strategies and best practices in marketing, growth, innovation, technology and branding.

Make a difference, work with Edana.

Your 360° digital agency and consulting firm based in Geneva. We support a demanding clientele throughout Switzerland and create tomorrow’s industry leaders.

With over 15 years of multi-sector expertise, our multi-disciplinary team orchestrates tailor-made solutions adapted to your specifics.

Contact us now to discuss your goals:

022 596 73 70

Agence Digitale Edana sur LinkedInAgence Digitale Edana sur InstagramAgence Digitale Edana sur Facebook