Machine translation by DeepL

EHDS - and what did VWS do? (part 1)

Sometimes we come across them: officials who dare to have a substantive and open conversation on politically sensitive topics. Recently, we met two of them.

After our critical reporting on the European Health Data Space (EHDS), the Ministry of Health (VWS) reached out for an open conversation on the subject. That alone deserves special appreciation, and in two conversations a lot more became clear.

In this article, we discuss the 'opt-out' and 'primary use' (within healthcare). The 'secondary use' (research and innovation) will follow in a subsequent article.

The EHDS is not yet complete. The analysis below is based on the position of the EU member states, which are negotiating in Brussels with the European Parliament on the final proposal. Those negotiations have now started and are expected to be completed around March/April 2024.

In short

One thing the ministry has achieved in the negotiations with the other member states is that we can opt out of the EHDS altogether. An 'opt-in' proved unfeasible. Our advice: opt out! You can always decide to join later.

This is because the architecture of the EHDS (for primary use) closely resembles that of the national EHR of 2011. It therefore carries the same risks for privacy and security, only on a European scale.

Fortunately, the ministry is open to suggestions on how to reduce the risks for Dutch citizens.

100x opt-in, 2x opt-out, DNA 'opt-in'

At least 100 times, VWS officials raised the Dutch wish for an opt-in with representatives of other EU member states. Everyone said 'no' except Austria, and without a majority in the Council there is no opt-in.

Instead, there will be two opt-outs and, contrary to our earlier analysis, there turns out to be a simple logic behind this: the EHDS consists not of one but of two systems, and you can unsubscribe from both.

For 'primary use' there will be the National Contact Point for eHealth (NCPeH) and for 'secondary use' there will be a Health Data Access Body (HDAB). Moreover, it became clear that use for 'policy purposes' falls under 'secondary use'. So as a citizen you can opt out completely, thereby blocking the retrieval of your medical data at the source.

In addition, each member state may decide to make genetic data available only with your explicit consent. Fortunately, the Netherlands has decided to do so. Biometric databases are a thorn in Privacy First's side. If the European Parliament attaches any value to the fundamental rights of citizens, it will ensure that every European citizen has the right to 'consent' for the full EHDS.

How everything is fleshed out is also up to the member states themselves. In the Netherlands, the ministry wants to "connect to existing methods", also "for people who are less digitally literate". We are particularly happy with this. You register your 'opt-out' with, for example, your GP's assistant, and they put two tick marks for you. Done!

Almost ready

Suppose the opt-outs were ticked in advance for every citizen? That would be easier for you, less administration for your GP, and we would call it 'opt-out by default'. We know this can be done, because this is what happened with the 'corona opt-in'.

The ministry indicates that it is "looking at all options" and will thereby "align as much as possible with the policy initiated around 'data availability'".

However, that policy was drafted together with the health insurers & co. (see bottom left). They have wanted an 'opt-out' for years and now envisage a 'virtual central file' (see bottom right).

MyHealth@EU

For primary use, the EHDS consists of a European infrastructure called MyHealth@EU and, per country, a National eHealth Contact Point (NCPeH). Through MyHealth@EU, the European Commission provides core services, such as the shared cross-border IT infrastructure and terminology and interoperability services. MyHealth@EU does not process medical data itself; data is exchanged between the national contact points.

National eHealth Contact Point

For each connected patient, an index is maintained with the locations of their medical data (the 'locator facility'). A doctor may request that data only within the context of a 'treatment relationship', but that treatment relationship only comes into existence when you walk into the doctor's office. The NCPeH-NL can therefore only check afterwards (via logging) whether a retrieval was justified. In principle, then, any doctor (or hacker) anywhere in Europe can request the medical data belonging to any valid BSN.

This is a fundamental problem with making medical data available in advance without a specific purpose, and we know it from the former National Switch Point (Landelijk Schakelpunt, LSP). That works in exactly the same way and rests on the same fallacy: one solution for sharing (potentially) all medical data of anyone in any situation.

On top of that, the NCPeH-NL can also be used within the Netherlands, and there is only one party providing a national index: the developer of the LSP and Mitz! The NCPeH-NL thus acts as a new National Switch Point, without it being clear what say you will have in it.

Remember your opt-out!

End-to-end encryption

The minister states that 'end-to-end' encryption ('healthcare provider to healthcare provider') is not feasible in the Netherlands for the time being. The cause? The LSP cannot do it. And neither will the NCPeH-NL be able to, for exactly the same reason. Yet the minister argues that the NCPeH-NL can. How is that possible?

The LSP and the NCPeH-NL merge medical data from different sources into a single message, which is sent to the requesting side. Between the NCPeHs the data is encrypted, but that is precisely why it is not 'end-to-end': the merging node has to see the plaintext. Our proposal is that the NCPeH should send only the locations of the data, so that the requesting side can retrieve and process the data itself. Then end-to-end encryption becomes possible. See the model below.
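To make the difference between the two models concrete, here is an added toy model (not code from Privacy First, the LSP, Mitz or MyHealth@EU). It runs both patterns against the same constructed patient: in the first the hub collects and merges the records, in the second the hub answers only with locations and each source encrypts straight to the requester. The record contents, the locations, the BSN, the pairwise keys (assumed to be established out of band, for instance via a directory of provider keys) and the HMAC-based cipher are all stand-ins; a real deployment would use an authenticated cipher such as AES-GCM.

```python
"""Toy model of the two exchange patterns discussed above.
Added example; not code from Privacy First, the LSP, Mitz or MyHealth@EU.
The records, locations, BSN, keys and cipher are constructed stand-ins."""
import hashlib
import hmac
import os

# Stand-in for a real authenticated cipher (e.g. AES-GCM): HMAC-SHA256 keystream
# XOR plus an HMAC tag (encrypt-then-MAC). Illustrative only.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    body = nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    nonce, ct = body[:12], body[12:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# Constructed sample data: where a patient's records live and what they say.
SOURCES = {
    "https://gp.example.nl/records/42": b"GP summary: penicillin allergy",
    "https://hospital.example.nl/records/77": b"Discharge letter: appendectomy 2022",
}
# Locator facility: BSN -> locations. The BSN is a constructed test value.
INDEX = {"999990019": list(SOURCES)}

# One key per (source, requester) pair that the hub never holds, plus one
# hub<->requester key for the merged model. Assumed established out of band.
SOURCE_KEYS = {loc: os.urandom(32) for loc in SOURCES}
HUB_KEY = os.urandom(32)

class Hub:
    """NCPeH stand-in. `seen` records every byte the hub handled in the clear."""
    def __init__(self):
        self.seen: list[bytes] = []

    def merged_flow(self, bsn: str) -> bytes:
        # LSP / current NCPeH model: the hub collects the records and merges them.
        merged = b"\n".join(SOURCES[loc] for loc in INDEX[bsn])
        self.seen.append(merged)
        return encrypt(HUB_KEY, merged)  # encrypted hub->requester, not end-to-end

    def location_flow(self, bsn: str) -> list[str]:
        # Proposed model: the hub answers "where", never "what".
        locs = INDEX[bsn]
        self.seen.append("\n".join(locs).encode())
        return locs

def source_serve(location: str) -> bytes:
    # Each source encrypts directly to the requester with their pairwise key.
    return encrypt(SOURCE_KEYS[location], SOURCES[location])

def run_merged(bsn: str = "999990019"):
    hub = Hub()
    plaintext = decrypt(HUB_KEY, hub.merged_flow(bsn))
    return hub.seen, plaintext

def run_locations(bsn: str = "999990019"):
    hub = Hub()
    records = {loc: decrypt(SOURCE_KEYS[loc], source_serve(loc)) for loc in hub.location_flow(bsn)}
    return hub.seen, records

def hub_saw_plaintext(seen: list[bytes]) -> bool:
    return any(rec in chunk for chunk in seen for rec in SOURCES.values())

if __name__ == "__main__":
    print("merged model, hub saw plaintext:", hub_saw_plaintext(run_merged()[0]))
    print("location model, hub saw plaintext:", hub_saw_plaintext(run_locations()[0]))
```

The requester ends up with the same two records in both runs; the only difference is what passes through the hub. In the merged model the hub necessarily holds the plaintext, which is why "encryption between the NCPeHs" is not end-to-end. In the location model the hub sees nothing but URLs, and the hub-side logging that the page describes still works, because the hub still sees who asked for whose locations.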

Fortunately, the officials we spoke to are skilled and understand both the problem and the proposed solution. Pushing it through will still require attention from Privacy First.

EHDS - National eHealth Contact Point end-to-end encryption | photo: Privacy First

Emergency code

Another solution we have put forward is the concept of an 'emergency code'. Your BSN is stored in the index only in encrypted form, so that your data can only be retrieved with the secret code you carry with you. Incidentally, this is already possible within the current legal framework, but that is a side issue. It works!
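The page does not say how the 'emergency code' would be implemented; the following is an added example of one way to build such an index, not Privacy First's design and not code from the LSP, Mitz or the NCPeH. The index stores a pseudonym derived from the BSN and the patient-held code (PBKDF2-HMAC-SHA256 with the BSN as salt is an assumed choice), so that a valid BSN alone finds nothing and the stored entries contain no BSN. It also shows the flip side a practitioner has to plan for: a short code can be guessed offline against a stolen index. All BSNs, codes and locations are constructed values.

```python
"""Pseudonymous locator index protected by a patient-held 'emergency code'.
Added example; not code from Privacy First, the LSP, Mitz or the NCPeH.
The KDF choice (PBKDF2-HMAC-SHA256, BSN as salt) is an assumption; the
BSNs, codes and locations are constructed test values."""
import hashlib
import secrets
import string

CODE_ALPHABET = string.ascii_uppercase + string.digits

def issue_code(length: int = 12) -> str:
    """Generate the secret the patient carries (e.g. on a card in their wallet)."""
    return "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))

class EmergencyCodeIndex:
    """Stores only pseudonyms, never the BSN, so an entry cannot be found
    (or linked to a person) without the patient's code."""
    def __init__(self, iterations: int = 200_000):
        self.iterations = iterations
        self.entries: dict[str, list[str]] = {}

    def pseudonym(self, bsn: str, code: str) -> str:
        # Slow hash: the code is the secret, the BSN the per-person salt.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), bsn.encode(), self.iterations).hex()

    def register(self, bsn: str, code: str, locations: list[str]) -> None:
        self.entries[self.pseudonym(bsn, code)] = list(locations)

    def lookup(self, bsn: str, code: str):
        # With the wrong code the derived pseudonym matches nothing.
        return self.entries.get(self.pseudonym(bsn, code))

    def contains_bsn(self, bsn: str) -> bool:
        # The BSN itself never appears in what the index stores.
        return any(bsn in key for key in self.entries)

def enumerate_without_code(index: EmergencyCodeIndex, bsns: list[str]) -> dict:
    """Attacker with valid BSNs but no codes: returns everything they can retrieve."""
    found = {}
    for bsn in bsns:
        locations = index.lookup(bsn, "")
        if locations is not None:
            found[bsn] = locations
    return found

def brute_force(index: EmergencyCodeIndex, bsn: str, candidates):
    """Offline guessing of the code for a known BSN against a stolen index.
    Shows why the code needs entropy and the KDF needs to be slow."""
    for code in candidates:
        if index.lookup(bsn, code) is not None:
            return code
    return None

if __name__ == "__main__":
    index = EmergencyCodeIndex()
    bsn, code = "999990019", issue_code()  # constructed test BSN
    index.register(bsn, code, ["https://gp.example.nl/records/42"])
    print("with code:", index.lookup(bsn, code))
    print("BSN only:", enumerate_without_code(index, [bsn]))
```

Two caveats follow directly from this construction. First, the index operator can still test a (BSN, code) pair online, so lookups must be rate-limited and logged just like today's retrievals. Second, anyone who obtains a copy of the index can try codes offline; a four-digit code falls in seconds, so the code must be long (the example issues 12 characters from a 36-symbol alphabet) and the derivation deliberately slow.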

For the ministry this is something new. They want to verify it before taking a position.

Chat facility

A real solution will only emerge if MyHealth@EU starts supporting secure one-to-one communication between healthcare providers, a kind of chat facility in other words.

Then your doctor abroad can, for example, make enquiries with your own GP. It also paves the way for your healthcare providers to make data available to a doctor abroad in a targeted way at your request, even if you have opted out of the NCPeH-NL.

Combining this chat facility, the 'emergency code' and end-to-end encryption, a secure and privacy-friendly solution comes into view.

Doctors can then, within the treatment relationship, share data with other doctors in a targeted way without using the NCPeH-NL. When you go on holiday, you temporarily register with the NCPeH-NL (for emergencies), in which you exist only under a pseudonym and the 'emergency code' guarantees your privacy.

Final word

We commend the VWS officials for their open attitude and their motivation to develop the EHDS in such a way that we can have confidence in it. There is still quite some work to be done before that is the case.