Interpellation Feri (17.3531): Digitization in the healthcare sector

Submitted text

There is nothing wrong with Swiss Post, SBB, UBS, Swisscom, Credit Suisse or other companies issuing an e-ID. They are already doing so, and if these companies make an effort to improve and standardize their e-ID service, this can only be welcomed. Trust in an e-ID service is central and must be ensured by the state itself (or by a commissioned third party). Finally, the E-ID is about the fundamental question of how the existing data infrastructures of the state or state-related companies are to be made accessible to the general public. This is why the question of trust in e-ID is particularly important in the healthcare sector.

I therefore ask the Federal Council to answer the following questions:

  1. How can the patient really be sure that data protection is guaranteed even with E-ID?
  2. What is it doing for the integration of the state digital identity (E-ID) as a confidence-building measure and as a basis for security in the digitalization of healthcare?
  3. Is there already an opportunity/risk analysis with regard to digitization in healthcare?

Statement of the Federal Council of August 30, 2017

  1. The protection profiles and ISO standards (e.g., ISO/IEC 27001:2013 and ISO/IEC 29115:2013) currently in force for the certification of issuers of means of identification attach great importance to data protection and data security; not only at the technical level, but also with regard to the personnel involved in issuing a means of identification and the processes to be followed. This ensures that there is an adequate response to security-relevant events such as the compromise of the means of identification. These protection profiles and standards apply equally to private and governmental issuers of means of identification. Compliance with these requirements is already ensured today in the implementing legislation for the Federal Act on the Electronic Patient File (EPDG, SR 816.1) for identification means which may be used to access the electronic patient dossier (Art. 23 of the Ordinance on the Electronic Patient Dossier, EPDV, SR 816.11). The future implementing provisions for the Federal Act on Recognized Electronic Identification Units (E-ID Act) will respect and reflect the level of protection of the EPDV. This will ensure that identification means under the E-ID Act are compliant with the EPDG and its legal standards.
  2. The Federal Council conducted the consultation on the E-ID Act from February 22, 2017 to May 29, 2017. This draft provides that suitable private or public issuers of means of identification can obtain approval from a recognition body at federal level to issue state-recognized electronic means of identification. For example, systems that already exist or are being developed, such as the projects of Swiss Post and SBB as well as banks and Swisscom, should also be able to be recognized by the federal government. The means of identification recognized in this way will also be able to be used in the healthcare sector in due course. Until the e-ID law is in force, the issuers of the electronic identification means prescribed for access to the electronic patient dossier will have to go through the certification procedure defined in the EPDG. This procedure – similar to the E-ID Act – is aligned with the existing regulations in the area of electronic signatures, so that synergies arise for recognized issuers of means of identification with regard to the required certifications.
  3. The Confederation and the cantons have been working for 10 years on the implementation of the “eHealth Switzerland Strategy”. As part of this work, the opportunities and risks of digitization were also discussed at all times, and the results of these discussions were taken into account in the ongoing work. For example, special attention was paid to the topics of data protection and data security when the legal basis for the electronic patient dossier was being drawn up. Similarly, in drawing up the recommendations of eHealth Suisse, the competence and coordination body of the Confederation and the cantons, on how to deal with mHealth applications such as health apps or so-called “wearables” such as fitness wristbands, the discussion of the opportunities and risks of this new technology as well as the issues surrounding data protection and data security formed the basis for formulating the recommendations (cf. www.e-health-suisse.ch > Communities & Implementation > eHealth Activities > mHealth).

Incidentally, as part of the implementation of the “Digital Switzerland” strategy adopted by the Federal Council in April 2016, the “eHealth Switzerland 2.0 strategy” is therefore currently being developed jointly by the Confederation and the cantons (cf. inter alia the statement of the Federal Council on 17.3435 Po Heim. Digital health agenda. Opportunities and risks and on 17.3434 Po Graf-Litscher. Potential and framework conditions for digital sustainability in healthcare).

In addition, as part of the national cyber risk strategy (NCS) and the national critical infrastructure protection strategy (CIP), the resilience of the critical subsector “medical care and hospitals” is being examined with a focus on vulnerabilities of information and communication technologies and on cyber risks, and measures are being developed to improve them. This work is regularly updated to take account of changing conditions (e.g. deployment and use of new technologies in the area of identification tools).
