French Institutions

The French Government Hands out its Citizens' Medical Records to Microsoft

French Medical Records to Microsoft

By ECLJ1592469444892

This translation is being reviewed

On 31 March 2019, the President of the French Republic officially launched an "artificial intelligence" (AI) plan [1]. The process began a year earlier, on 28 March 2018, with a report by Cédric Villani, deputy of La République en Marche. On April 16, 2018 [2], Emmanuel Macron received at the Elysée Palace the founder (and still a shareholder) of Microsoft, Bill Gates. This process led to the adoption of the Health Law of 24 July 2019 [3], intended to "provide a human framework for the use of artificial intelligence and big data" and to the creation in the form of a public interest grouping of a database system and related services: the Health data hub (the term has not been translated by government authorities), abbreviated to HDH, which allows health databases to be cross-referenced. This "hub", which extends the missions of the former National Institute for Health Data, brings together all the computerized systems of hospitals, pharmacies, shared medical records and research data from different registries.

 

A truly provisional and secure collection of health data?

During containment, the order of 21 April 2020 supplementing an order of 23 March 2020 prescribing the measures for the organisation and operation of the health system necessary to deal with the covid-19 epidemic in the context of the state of health emergency [4] was published in the Official Journal. It authorises the collection of data relating to the state of health of patients by this "hub" (HDH), in principle "for the purposes of managing health emergencies and improving knowledge about the covid-19 virus", the National Commission for Information Technology and Civil Liberties (CNIL) in its deliberation of 20 April[5] having insisted on the necessarily temporary nature of this measure. But can we believe in the truly provisional nature of data storage and in the effectiveness of the "legal and technical measures adapted [...] to ensure a high level of data protection" recommended by the CNIL, since all this data is stored on Microsoft Azure, the cloud computing platform of the American giant Microsoft?

As Pierre-Alain Raphan, deputy of the presidential party of Essonne, pointed out in the economic newspaper Les Echos on October 28, 2019, at the origin of the HDH platform are "some actors, close to the GAFAM" like Gilles Wainrib, "the Founder of the start-up OWKIN, which regularly raises funds from Google Venture"[6] (OWKIN was launched with a Sanford PostDoc grant in 2016 and is now thriving thanks to French and Chinese funds[7] from Cathay Capital[8]). On February 18, 2019, the online magazine La Lettre A[9] presented the HDH as "a showcase for the French-style artificial intelligence wanted by Emmanuel Macron as well as a huge opportunity for Google, Amazon and Microsoft". While specialists were defending alternative solutions, HDH director Stéphanie Combes had to admit as early as December 2019 [10] that Microsoft's choice was an "opportunity choice" in order to "go fast" in the development of the platform. "If there had been an alternative, we would have had to go through a public contract and the procedure would have been much longer," she told a journalist from TicSanté magazine [11]. 

"To prevent leaks within the Health Data Hub, the emphasis has been on pseudonymization of data, but complete anonymity is impossible: as several academic studies show, a limited amount of data can be cross-referenced to re-identify a patient," Raphan noted in his forum. And this is not the only problem with Microsoft hosting the French platform. In March 2018, the US government passed a law called the Cloud Act that allows the US judiciary to access data stored in third countries. The president of the CNIL declared in September in the National Assembly that this text was contrary to the general regulation on data protection (RGPD) which is supposed to protect European citizens[12].

 

The additional risk of a cyber-attack

In addition to judicial issues, the risk of a cyber attack must also be considered. "The HDH is developing on a centralized model, with the consequence of a higher impact in case of hacking. You'd think the Gafam would offer ultra-secure solutions. However, attacks often come from within, i.e. from personnel with access to the data," emphasised in Le Monde of 10 December 2019, a collective initiated by professionals in the sector and medical IT[13].

In May 2019, WhatsApp announced that a flaw in its application allowed malware created by the cyber security company NSO Group[14] to be downloaded to a smartphone via a simple missed call. The Financial Times also revealed that NSO has developed a new spyware called Pegasus, which is not only capable of collecting data stored on a smartphone, but also information stored on the cloud servers of Apple, Google, Facebook, Amazon or Microsoft if the victim uses their cloud services. NSO now uses the technology of this software to propose a tracing of patients carrying Covid-19 [15]. Geo-location data, archived messages and photos of users can be captured.

Finally, let us recall that Edward Snowden highlighted in his revelations of 2013 the porosity between Microsoft and the American intelligence agencies, which at the time had caused a crisis of confidence among users of the "clouds" provided by American operators [16]. These revelations, which nevertheless corroborate the concerns of the President of the CNIL mentioned above, have clearly not worried our decision-makers.

 

The seriousness of the issues at stake calls for vigilance

The National Council of Bars and Law Societies[17], the National Council of the Order of Physicians[18], collectives of software publishers[19], and health professionals[20] have drawn public attention to the dangers presented by the Health Data Hub. This danger should not only be seen in the light of the current state of the possibilities of legal or pirated data appropriation, but also in the light of the plans of the major international trusts.

The World Economic Forum (Davos Forum), which is involved in global health structures such as the Coalition for Epidemic Preparedness Innovations (CEPI) launched at the Davos Forum in 2017[21], makes no secret of its intention to establish "traceability" of all the world's citizens based on their digital financial identity[22], making it possible to dematerialize all transactions but also to centralize all information on an individual's personal situation. And from the collection of data to their use for behavioural control purposes is sometimes only a step away, as the Chinese example has shown[23], which is particularly worrying when various elements covered by medical secrecy are involved, including in some cases the decoding of individuals' DNA.

The seriousness of the issues at stake makes all the more surprising the French government's haste to hand over citizens' health data to Microsoft's "cloud", even before there was even talk of a pandemic, and should prompt public opinion to be extremely vigilant.

Frédéric Delorca, Guest Author.

Juriste, sociologue, Auteur de « Les régimes populistes face au mondialisme » (Editions du Cygne, 2017)

____

[1] https://solidarites-sante.gouv.fr/actualites/presse/communiques-de-presse/article/creation-officielle-du-health-data-hub

[2] AFP, 16 avril 2018 à 11h04, repris par Le Point.

[3] https://www.innovation-mutuelle.fr/actualite/le-projet-de-loi-bioethique-veut-encadrer-par-lhumain-lemploi-de-lia-et-du-big-data-en-sante/

[4] https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=LEGITEXT000041812986&dateTexte=20200421

[5] https://www.cnil.fr/sites/default/files/atoms/files/deliberation_du_20_avril_2020_portant_avis_sur_projet_darrete_relatif_a_lorganisation_du_systeme_de_sante.pdf

[6] https://www.lesechos.fr/idees-debats/cercle/opinion-soignons-nos-donnees-de-sante-1143640

[7] Le 9 mai, Owkin a reçu un financement de 25 millions de dollars. Les investisseurs de cette ronde de financement comprennent Bpifrance Large Venture, Cathay Innovation et MACSF (Caisse de retraite des médecins-cliniciens français), ainsi que les investisseurs existants GV, etc. Le financement total de la première série de la société a atteint 43,1 millions de dollars américains. Owkin vend une plate-forme pour les chercheurs en médecine utilise des algorithmes d’apprentissage automatique et d’apprentissage en profondeur pour permettre aux utilisateurs de créer facilement des modèles prédictifs et de les appliquer dans tous les domaines de la recherche médicale, y compris pour optimiser le développement de médicaments, la prédiction de survie, la découverte de cibles, les essais cliniques et l’analyse du marché des médicaments. (Sina.com, 20 mai 2020, https://cj.sina.com.cn/articles/view/7281584087/1b20427d701900vzs2?from=finance).

[8] https://www.challenges.fr/finance-et-marche/cathay-capital-le-puissant-fonds-qui-surfe-sur-le-business-franco-chinois_585096

[9] https://www.lalettrea.fr/action-publique_executif/2019/02/18/comment-les-gafam-et-capgemini-s-invitent-dans-la-mine-d-or-des-donnees-medicales,108345136-ge0

[10] Mind Health https://www.mindhealth.fr/article/16988/stephanie-combes-health-data-hub-nous-envisageons-un-nouvel-appel-a-projets-d-ici-la-fin-de-l-annee/

[11] Léo Caravagna, « Microsoft prestataire du Health Data Hub: un choix "d’opportunité" pour "aller vite" », 27 décembre 2019 https://www.ticsante.com/story/4937/microsoft-prestataire-du-health-data-hub-un-choix-d-opportunite-pour-aller-vite.html

[12] https://www.vie-publique.fr/sites/default/files/rapport/pdf/194000532.pdf

[13] https://www.lemonde.fr/idees/article/2019/12/10/l-exploitation-de-donnees-de-sante-sur-une-plate-forme-de-microsoft-expose-a-des-risques-multiples_6022274_3232.html

[14] NSO a été fondé en 2010 par le département informatique des Forces armées israéliennes https://mondointernazionale.com/en/academy/the-nso-group-the-new-israeli-mossad-1

[15] NBC 27 avril 2020 https://www.nbcnews.com/nightly-news/video/an-inside-look-at-a-new-coronavirus-contact-tracing-tool-as-experts-raise-privacy-concerns-82595397550

[16] https://www.infoworld.com/article/2610903/the-nsa-s-spying-has-in-fact-hurt-u-s--cloud-providers.html

[17] https://www.cnb.avocat.fr/sites/default/files/11.cnb-mo2020-01-11_ldh_health_data_hubfinal-p.pdf

[18] https://www.conseil-national.medecin.fr/sites/default/files/external-package/edition/od6gnt/cnomdata_algorithmes_ia_0.pdf

[19] https://www.santenathon.org/

[20] https://interhop.org/le-gouvernement-contraint-les-hopitaux-a-abandonner-vos-donnees-chez-microsoft_en/

[21] https://www.weforum.org/events/world-economic-forum-annual-meeting-2017/sessions/cepi-a-global-initiative-to-fight-epidemics Cette structure est largement financée par la Fondation Bill et Melinda Gates.

[22] https://www.fanniemae.com/portal/research-insights/perspectives/security-concerns-meroz-deggendorf-022018.html

[23] https://www.lepoint.fr/monde/bons-ou-mauvais-citoyens-la-chine-compte-les-points-02-09-2019-2332904_24.php