
The medical-social establishments of the DomusVi network handle significant volumes of health data every day through the Netsoins platform. Care files, prescriptions, dependency assessments, medical histories: this information is health data, a special category under the GDPR and therefore subject to its strictest legal regime.
The CNIL's reference framework for organizations that house or care for elderly and disabled people sets the expectations. The question is no longer whether this data should be protected, but how each link in the chain, from the caregiver to the hosting provider, applies those obligations in practice.
HDS certification of service providers: a technical prerequisite often underestimated
Even before Netsoins is configured, a structural point often escapes the attention of establishment management: Health Data Host certification (HDS, Hébergeur de Données de Santé). Following reminders from the CNIL and the Ministry of Health's cloud doctrine, any provider that stores, backs up, or maintains data from the computerized user file must hold HDS certification.
This requirement has a broader scope than one might imagine. It does not only concern the main host of the platform. An application maintenance provider, a business continuity provider, or an external backup service also falls under this obligation as soon as it handles health data.
For a nursing home in the DomusVi network, this means auditing all of its technical subcontractors. A guide detailing the best practices for Netsoins DomusVi emphasizes this need for documentary verification before any contractualization.
Field feedback varies on this point: some establishments assume that certification of the main supplier is sufficient, when in fact the subcontracting chain may include several non-certified actors. Each non-certified link that handles health data constitutes a regulatory breach.

Management of authorizations in the Netsoins software: the nerve of daily security
The protection of health data in a nursing home is not decided at the server level alone. It begins with the management of access rights inside the care software. Netsoins allows authorization profiles to be configured by function: nursing assistant, nurse, coordinating physician, administrative staff.
The CNIL framework is explicit on this point. Collected data should be accessible only to individuals authorized by virtue of their duties. A receptionist has no need to consult medication prescriptions. An administrative manager has no need for detailed geriatric assessments.
Three principles for rigorous configuration
- The principle of least privilege: each user profile should only see the data strictly necessary for their function, and nothing more. This is the foundation of the CNIL framework for the medical-social sector.
- Periodic review of active accounts: staff departures, job changes, or temporary replacements generate obsolete accounts. An inactive account remains an open door.
- Access traceability: Netsoins records logins and file consultations. Reviewing these logs makes it possible to detect abnormal access, such as repeated consultation of a resident's file by a professional who has no care relationship with that resident.
In practice, the difficulty comes from the sector's high staff turnover. Teams are constantly changing, and authorization updates lag behind. A quarterly audit of Netsoins accounts reduces this risk.
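The three principles above translate directly into checks that a DPO or IT manager can run over an account export and an access-log extract. The script below is an added example, not Netsoins code or a DomusVi procedure: the profile names, data categories, log layout, user directory and log lines are all constructed for illustration, and the real Netsoins export formats may differ. It flags consultations outside a profile's permitted categories, accounts with no login for 90 days, and repeated access to a resident's file by someone without a care relationship.

```python
from collections import Counter
from datetime import datetime, timedelta
from typing import NamedTuple

# Assumed least-privilege matrix: the data categories each profile may consult.
# Profile and category names are illustrative, not Netsoins's own identifiers.
ROLE_PERMISSIONS = {
    "nursing_assistant": {"care_plan", "daily_observations"},
    "nurse": {"care_plan", "daily_observations", "prescriptions"},
    "coordinating_physician": {"care_plan", "daily_observations", "prescriptions",
                               "geriatric_assessment", "medical_history"},
    "administrative": {"admission_file"},
    "receptionist": {"admission_file"},
}

# Constructed user directory: (profile, last login) per account.
USERS = {
    "dupont":   ("nurse",                  datetime(2024, 3, 4)),
    "lefevre":  ("nursing_assistant",      datetime(2024, 3, 4)),
    "martin":   ("receptionist",           datetime(2024, 3, 3)),
    "bernard":  ("administrative",         datetime(2024, 3, 2)),
    "garcia":   ("coordinating_physician", datetime(2024, 1, 20)),
    "rousseau": ("nurse",                  datetime(2023, 10, 15)),  # left months ago, never deactivated
}

# Constructed care assignments: residents each caregiver actually follows.
CARE_RELATIONSHIPS = {
    "dupont": {"R001", "R002"},
    "lefevre": {"R001"},
    "garcia": {"R001", "R002", "R003", "R004"},
}

# Date of the audit run (fixed so the example is reproducible).
AUDIT_DATE = datetime(2024, 3, 5)

# Constructed log extract in an assumed "timestamp user action resident category" layout.
LOG_LINES = """\
2024-03-04T08:12:55 dupont VIEW R001 prescriptions
2024-03-04T08:15:02 dupont VIEW R002 daily_observations
2024-03-04T08:20:41 martin VIEW R001 prescriptions
2024-03-04T09:01:10 lefevre VIEW R003 daily_observations
2024-03-04T09:03:27 lefevre VIEW R001 care_plan
2024-03-04T11:47:09 bernard VIEW R002 geriatric_assessment
2024-03-04T13:22:33 lefevre VIEW R003 daily_observations
2024-03-04T13:40:18 lefevre VIEW R004 daily_observations
2024-03-04T17:05:51 lefevre VIEW R003 daily_observations
"""


class Event(NamedTuple):
    ts: datetime
    user: str
    action: str
    resident: str
    category: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log layout, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resident, category = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, action, resident, category))
    return events


def unauthorized_by_role(events):
    """Principle 1 (least privilege): consultations of a category the user's profile
    does not allow. Unknown accounts are treated as having no permissions."""
    findings = []
    for e in events:
        role = USERS.get(e.user, ("unknown", None))[0]
        if e.category not in ROLE_PERMISSIONS.get(role, set()):
            findings.append((e.user, e.resident, e.category))
    return findings


def dormant_accounts(users, now=AUDIT_DATE, days=90):
    """Principle 2 (periodic review): accounts with no login in `days` days,
    i.e. candidates for deactivation at the quarterly review."""
    cutoff = now - timedelta(days=days)
    return sorted(u for u, (_, last) in users.items() if last < cutoff)


def repeated_access_without_care_relationship(events, relationships, threshold=3):
    """Principle 3 (traceability): the same user opening the same resident's file
    `threshold` times or more without a care relationship to that resident."""
    counts = Counter((e.user, e.resident) for e in events
                     if e.resident not in relationships.get(e.user, set()))
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = parse_log(LOG_LINES)
    print("Outside profile:", unauthorized_by_role(events))
    print("Dormant accounts:", dormant_accounts(USERS))
    print("Repeated access, no care relationship:",
          repeated_access_without_care_relationship(events, CARE_RELATIONSHIPS))
```

On the constructed data the script flags the receptionist reading a prescription, an administrative manager opening a geriatric assessment, the nurse account left active since October, and a nursing assistant opening the same unassigned resident's file three times in a day. The threshold and the 90-day window are tuning choices; the care-relationship table is the part that requires real input from the care coordinator, since the logs alone cannot say who should be looking at whom.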
Impact analysis and algorithms: what the CNIL now expects from nursing homes
A more recent aspect concerns the increasing use of algorithmic features in care software. Automatic alerts, fall risk scores, prioritization of interventions: these processes are no longer marginal in establishments equipped with solutions like Netsoins.
The CNIL has published specific recommendations on artificial intelligence applied to medical-social data. As soon as an algorithmic process can influence a resident's care, a data protection impact assessment (DPIA) becomes mandatory. The assessment must document the purposes of the processing, the datasets used, and the criteria on which the decisions or scores are based.
The available data do not allow for conclusions about the degree of adoption of these impact assessments within the DomusVi network. The CNIL recommendations are clear, but their operational translation in each residence depends on internal resources and support from the group’s DPO.

What the DPIA must cover in a Netsoins context
The analysis is not limited to a documentary formality. It must assess the proportionality of the processing concerning the purpose of care, identify risks for residents (inappropriate profiling, biases in alerts), and foresee corrective measures. A resident or their legal representative must be informed of the existence of these algorithmic processes.
Training of care teams on health data security
Technical configuration protects nothing if users circumvent the rules out of ignorance. Sharing passwords among colleagues, consulting Netsoins on an unsecured personal device, or sending health data through unencrypted messaging remain documented practices in the sector.
The CNIL framework recommends regular awareness-raising actions tailored to the different staff profiles. Training should focus on concrete actions rather than abstract principles: locking the session when leaving the workstation, never sharing login credentials, reporting any suspicion of unauthorized access.
Nursing home professionals increasingly use Netsoins on mobile devices, which adds a further risk vector. Connecting from a public Wi-Fi network, or the loss or theft of a device holding an active session on the computerized user file: these are scenarios that training must cover explicitly.
The protection of residents’ data in a DomusVi establishment relies on the interplay between three levels: the compliance of hosting providers, the fine-tuning of the Netsoins software, and the security culture of teams on a daily basis. None of these three levels compensates for the shortcomings of another. The regulatory framework exists, as do the technical tools. The decisive link remains the rigorous application, file by file, access by access.