Article 50, Secure processing environment, Articles of the European Health Data Space (EHDS), (Proposal_3.5.2022)
1. The health data access bodies shall provide access to electronic health data only through a secure processing environment, with technical and organisational measures and security and interoperability requirements. In particular, they shall take the following security measures:
(a) restrict access to the secure processing environment to authorised persons listed in the respective data permit;
(b) minimise the risk of the unauthorised reading, copying, modification or removal of electronic health data hosted in the secure processing environment through state-of-the-art technological means;
(c) limit the input of electronic health data and the inspection, modification or deletion of electronic health data hosted in the secure processing environment to a limited number of authorised identifiable individuals;
(d) ensure that data users have access only to the electronic health data covered by their data permit, by means of individual and unique user identities and confidential access modes only;
(e) keep identifiable logs of access to the secure processing environment for the period of time necessary to verify and audit all processing operations in that environment;
(f) ensure compliance and monitor the security measures referred to in this Article to mitigate potential security threats.
2. The health data access bodies shall ensure that electronic health data can be uploaded by data holders and can be accessed by the data user in a secure processing environment. The data users shall only be able to download non-personal electronic health data from the secure processing environment.
3. The health data access bodies shall ensure regular audits of the secure processing environments.
4. The Commission shall, by means of implementing acts, provide for the technical, information security and interoperability requirements for the secure processing environments. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 68(2).