2023-09-26 06:33:08
Cédric Cartau, TUESDAY SEPTEMBER 26, 2023
“Whatever I see or hear in society during, or even outside, the exercise of my profession, I will keep silent regarding what never needs to be divulged, regarding discretion as a duty in such cases.” Every doctor who has taken the oath knows this passage from the Hippocratic Oath, which very clearly addresses the absolute confidentiality of the medical data the practitioner comes to know. Article 32 of the GDPR says nothing different (“[…] means to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”), which is just as well, since the personal-data view and the medical view converge here.
Overall, much of the work on the confidentiality of medical data within a care team (see the Apssis publications[1], and in particular the Cyber-resilience guide, opus 3) consists of finding the right balance between working as a care team (a notion unknown in the time of Hippocrates), the concept of loss of chance for the patient, and the sacrosanct confidentiality of patient data. On top of the imposing body of law (GDPR, Public Health Code, etc.) come the internal provisions of health establishments: an authorization policy, IAM with account authorization and deletion when staff leave, audit-trail review, sanction policies, all aimed at moving as close to zero confidentiality defects as the medical stakes allow, in the often tense context of medical emergencies, turnover of replacement staff, and so on. In short, we are moving forward.
Do you like the story? It is all very lovely, very gentle and very proper. Yes, except that there is another, slightly different version; judge for yourself.
When it comes to the confidentiality of medical data, the constraints of modern organizations call for quite a few adjustments. In a large establishment, dozens of professions have access to all or part of the GAM/PGD software, most of them with no link to care and yet with entirely valid reasons: admissions, secretariats, billing staff, vaguemestres (someone has to carry patients’ mail to their rooms, so they know which unit each patient is in; so much for confidentiality when a woman is in an abortion unit), lawyers, IT specialists (who see everything about everything), kitchen staff (like the vaguemestres, but for meal trays), auditors, quality engineers, some communications staff, clinical research associates (a good proportion of whom are external to the establishment), researchers (not all of whom are from the medical profession), suppliers (for remote maintenance, some of it performed from offshore countries), certain control bodies, and certain software vendors outside any maintenance role (for AI training). In short, it would be quicker to list who does not access any medical data, in whole or in part.
But confidentiality, or rather its overweighting, unwittingly invites itself into the benefit/risk debate. In L’Apocalypse joyeuse, Jean-Baptiste Fressoz describes an insufficiently taught episode of medical history: the fight against smallpox in the 18th century (a disease estimated to have killed one person in seven). The vaccination techniques of the time (one spoke rather of inoculation) were rudimentary and killed a significant proportion of patients, but the mortality of patients not protected against smallpox was far higher. The author describes the Homeric debates of the period over this benefit/risk question, and it took several decades to emerge from this serious health situation. The delays caused by those debates are certainly responsible for a considerable number of deaths that could have been entirely avoided.
This debate arises in every era, and every change of organization or paradigm, every technical innovation, brings it back to the fore. In the continuing chain of health innovations still to come, how will our concerns about the confidentiality of medical data, applied without distinction, look to health historians 200 years from now? What will it have meant for the benefit/risk debate, and for this chain of innovations, that we made no distinction between appendicitis and cancer (the texts grant both the same level of confidentiality)? What delays in AI, Big Data, genomics, personalized medicine, in short in all the largely predictable innovations, will historians of the future attribute to the fact that the debate on this benefit/risk pair remained confined to the local level (a clinical study, a research project, a Cloud platform) instead of being taken up at the societal level?
It’s up to you to choose the version you prefer, or one of its variations.
[1] https://www.apssis.com/nos-actions/publication/
The author
Head of Information Systems Security and IT and Liberties correspondent (CIL) at Nantes University Hospital, Cédric Cartau is also a lecturer at the School of Advanced Studies in Public Health (EHESP). He is the author of several specialized works published by the Presses de l’EHESP, including The Security of the Information System of Health Establishments.