Cybersecurity | EHDS Regulation
The European Union ("EU") has taken a transformative step towards a resilient and secure digital health ecosystem with the adoption of the European Health Data Space ("EHDS") Regulation, originally proposed in 2022. This initiative aims to set a standard for how health data is accessed, exchanged and ultimately utilised, promoting enhanced healthcare outcomes within the EU.
Principal Objectives
Secure Digital Access -- MyHealth@EU
One of the cornerstone objectives of the EHDS is to provide citizens of the EU with faster and secure access to their Electronic Health Records ("EHR"), regardless of whether they are in their home Member State or another. In line with established principles of data protection,¹ individuals will enjoy a greater degree of control over the purposes for which their health data will be utilised. Under the Regulation, each Member State is set to establish a digital health authority tasked with the enforcement of such data protection.
Interoperability
Interoperability is another objective of the EHDS. Currently, the digitalisation of health data is incredibly fragmented among EU Member States, hindering the possibility for cross-border data exchange.
Setting a standard and requiring all EHR systems to be compliant with the European electronic health record exchange format will address these interoperability challenges.
Secondary Data Use -- HealthData@EU
As part of the European Data Economy Strategy of 2018, the EHDS is not limited to primary health care use. Aside from the direct benefits, the adoption is set to enable the reutilisation of health data for research and innovation with the introduction of HealthData@EU, set to be fully operational by 2028.² Such utilisation aims to establish a platform for evidence-based policymaking within this field.
Adherence to data protection measures such as pseudonymisation and anonymisation mitigates identification risks, and the establishment of secure processing environments maintains control over sensitive health information.
Cybersecurity – The Backbone of EHDS
As seen with recent proposals and adoptions, cybersecurity is yet again the lynchpin. The integration of advanced cybersecurity measures underscores the importance of cybersecurity and its effect, in this context, on the protection of sensitive health information. The adoption includes:
- Adherence to the Cyber Resilience Act (Regulation (EU) 2024/2847): EHR systems must comply with stringent cybersecurity requirements to protect data integrity;
- Privacy by Design: Systems are designed with built-in safeguards to protect data during storage, transmission, and access;
- Secure Processing Environments: Secondary data use is restricted to secure environments, preventing unauthorised access and ensuring that only pseudonymised or anonymised data is accessible; and
- Monitoring and Enforcement: Health data access bodies will oversee compliance, conduct audits, and impose penalties where necessary.
Concluding Remarks
This transformative adoption will be discussed at our upcoming Tech Law Seminar, "Navigating the New Technology Law Paradigm".
Together, we will explore how the EHDS and other adoptions reflect a new wave of technology law within the EU. This seminar will delve into the opportunities and challenges posed by these regulations, highlighting the pivotal role of the tech and legal communities in shaping this evolving landscape.
Footnotes
1. Notably, the GDPR, Data Governance Act, Data Act and the Network and Information Systems Directive.
2. https://acceptance.data.health.europa.eu/