Increasing digitalization in the healthcare sector
The importance of digitalization in the healthcare sector is undeniable. Organizations seek to optimize their processes, improve the quality of care, and enhance the confidentiality of medical information. The growing integration of artificial intelligence in healthcare also opens up new perspectives, with the collection of data from a multitude of medical devices. These data, valuable nuggets of information, allow for refining diagnoses and patient profiles, bringing medicine closer to a personalized approach.
Significant legal challenges in Switzerland
However, these technological advances, whether in telemedicine, connected devices (IoT), or business applications, software, or computerized patient records, raise legal questions, especially regarding the hosting of health data. Many providers of telemonitoring devices, patient record digitization, or custom application and software developers opt for storage on cloud servers. This raises questions about the legitimacy of outsourcing this data, whether hosting can be done in Switzerland or abroad, and also raises questions about security and regulatory compliance more generally.
In this article, we will explore what Swiss law says and what the best practices are for managing and hosting patient and health data. We will also address crucial points for securing a server intended to host sensitive data in Switzerland. Examples of secure digitizations carried out by our teams will also be provided.
Edana is Your Digital Agency in Switzerland
We support you from strategy to execution
Respect for medical confidentiality and data protection (LPD)
Article 10a, paragraph 1 of the Swiss Data Protection Act (LPD) authorizes the processing of personal data by a third party under certain conditions. However, the question arises regarding compliance with medical confidentiality (art. 321 CP) in the transfer of data to third parties, especially to IT service providers.
The majority doctrine considers IT service providers as “auxiliaries” of healthcare professionals, allowing them to subcontract data processing without violating professional secrecy. However, this qualification poses a problem when the provider hosts the data abroad.
Hosting health data abroad (Azure cloud, AWS, etc.): A legal puzzle
Article 6, paragraph 1 of the LPD prohibits the transfer of personal data abroad if the personalities of the individuals concerned are seriously threatened due to the absence of legislation ensuring an adequate level of protection. However, the transfer may be authorized under certain conditions, such as sufficient contractual guarantees.
However, doctrine emphasizes that hosting medical data abroad may result in a breach of professional secrecy. The risk is exacerbated by the uncertainty regarding the applicability of art. 321 CP abroad and the possibility that a foreign authority may request the disclosure of this data.
This is one of the reasons why cloud services offered by web giants such as Amazon and Google such as Azure, AWS, Digital Ocean, Linode, etc., are generally to be avoided for hosting such sensitive data. Although some of these giants are starting to establish data centers in Switzerland, they are still controlled by foreign parent companies. From a purely ethical point of view, it remains safer to turn to a completely Swiss provider.
Our customized solution for Filinea and its data management
As experts in custom business software development and digital transformation, we have assisted various Swiss companies in storing and handling patient data and sensitive data as well as increasing their profitability and optimizing their operations.
Filinea is a company mandated by the state of Geneva to support young people in difficult situations. To optimize the daily work of its thirty or so employees, the company entrusted us with the development of a custom internal software. The management and storage of sensitive data (including medical data) were included, all of which are stored on a secure server located in Switzerland that our engineers deployed and manage according to appropriate security standards.
In the following sections of this article, we will provide various technical and administrative recommendations regarding the protection of health data that we apply when designing our projects handling patient and health data in Switzerland.
Recommendations from our experts for prudent management of patients and medical data in Switzerland
Faced with these challenges, recommendations emerge to ensure the security of health data:
1. Prefer hosting in Switzerland
Opt for hosting providers in Switzerland as much as possible, benefiting from a strong reputation for data protection.
2. Ensure anonymization of health data
In case hosting in Switzerland is not possible, ensure that data is anonymized end-to-end, with the private key held by the data controller.
3. Obtain patient consent
If transfer abroad is unavoidable, obtain explicit consent from the patient for the transfer, thus lifting medical confidentiality.
4. Risk assessment
If transferring to a provider outside of countries recognized as offering adequate protection is the only option, carefully assess the risks and obtain explicit consent from the patient as well as lifting medical confidentiality.
5. Avoid violating medical confidentiality at all costs
If none of the previous options are possible (or in case of patient refusal), refrain from transferring data to avoid a breach of medical confidentiality.
How to secure a server to host sensitive data such as patient data?
Hosting a server within a Swiss data center is not enough. Securing such a machine intended to host medical data is a crucial task that requires a rigorous and attentive approach. Confidentiality, integrity, and availability of data must be guaranteed to comply with security standards and protect sensitive information in the medical field. Here are some recommendations for securing a web server hosting medical data:
1. Encryption of communications
Use the HTTPS protocol (SSL/TLS) to encrypt all communications between the web server and users. This ensures the confidentiality of data transmitted between the server and users’ browsers. Be sure to use advanced encryption protocols and avoid weak encryption such as 128-bit whenever possible. Also, use a recognized and reliable certification entity.
2. Regular update of the operating system (OS) and software
Regularly apply security updates to the operating system, web servers, databases, and any third-party software installed on the server. Known vulnerabilities are often addressed by these updates.
3. Firewall and packet filters (Firewall)
Set up a firewall to filter incoming and outgoing network traffic. Limit server access to authorized IP addresses and block any unnecessary traffic.
4. Strict access control
Implement rigorous access control mechanisms. Limit access to medical data only to authorized users. Use individual user accounts with appropriate privileges.
5. Server monitoring
Implement server monitoring tools to detect suspicious activities, intrusion attempts, or abnormal variations in traffic. Well-configured activity logs can help identify potential issues.
6. Regular backups
Regularly back up medical data. Store these backups in a secure location, ideally off-site, to ensure recovery in case of data loss or a major incident.
7. Vulnerability management
Conduct regular security scans to identify and address potential vulnerabilities. Intrusion testing and security audits help ensure system robustness.
8. Strong password policies
Implement strong password policies. Require complex passwords, encourage frequent password changes, and use two-factor authentication mechanisms.
9. Isolation of services within the secure server
Isolate services on the server as much as possible. For example, run the database on a separate server and limit access to other services only to necessary machines.
In summary: managing and hosting patient records in Switzerland
In conclusion, the dilemma of hosting health data in the era of artificial intelligence and digitization of companies and organizations raises complex issues, requiring a thoughtful approach in line with Swiss legal requirements. Respect for medical confidentiality and data protection should guide healthcare professionals’ choices in an ever-evolving digital landscape.
Hosting on a server located in Swiss territory and securing this server with reinforced cybersecurity measures is imperative to comply with current legislation and protect patient data as well as any sensitive data in general.