Aridhia DRE - Trusted Research Environment

Becoming an EHDS Trusted Health Data Holder with the Aridhia DRE

This is the final blog in our series on the European Health Data Space (EHDS)

In the previous blogs we detailed how FAIR Data Services can help Health Data Holders prepare for the implementation of secondary use of health data under EHDS, and how Aridhia Workspaces meet and exceed the existing specifications for a Secure Process Environment (SPE) detailed in the EHDS legislation and TEHDAS2 project documentation. 

This final blog explains how enterprise users of the Aridhia DRE are well positioned to become Trusted Health Data Holders when the legislation on secondary use of data takes effect.

What is a Trusted Health Data Holder?

As detailed under articles 57 and 60 of EHDS, standard Health Data Holders (HDH) retain very little control over their data. They are required to provide their Health Data Access Body (HDAB) with metadata for all datasets covered by the secondary use legislation, and when their HDAB approves access to that data the HDH is required to provision it into a Secure Processing Environment (SPE) that the HDAB has chosen.

What is a Trusted Health Data Holder?

Figure 1: request flow for standard Health Data Holders

Article 72 of the legislation introduces the concept of Trusted Health Data Holders (THDH). These trusted organisations are somewhat exempt from the approval and access flow detailed above, and will therefore retain greater control over their data. 

A THDH gains two key privileges that standard data holders do not have:

  1. They are permitted to review data permit applications for their data, and provide a recommendation to approve or reject to their HDAB.
  2. Where an approval is granted they can provision the data in their own SPE, not one controlled by a third party. 

Request flow for Trusted Health Data Holders

Figure 2: request flow for Trusted Health Data Holders

At present there is only limited detail on how a data holder can gain trusted status, but the legislation does contain three high level criteria:

  1. they are able to provide access to health data through a secure processing environment that complies with Article 73;
  2. they have the necessary expertise to assess health data access applications and health data requests;
  3. they provide the necessary guarantees to ensure compliance with this Regulation.

The Aridhia DRE and Trusted Health Data Holders:

In summary a Trusted Health Data Holder must have an SPE, the means of reviewing and approving data permit applications, and be able to prove they have these capabilities. Given this, we believe that organisations with an enterprise Aridhia DRE will be well placed to act as Trusted Health Data Holders. Looking at the three points above in turn will explain why.

Providing data access via an SPE:

The full EHDS SPE specification will not be available until 2027. However, as detailed in the previous EHDS blog DRE Workspaces are a close match for the current specifications provided in the EHDS legislation and TEHDAS2 project documents. 

For example:

  1. Individual users access their workspace using multi-factor authentication
  2. All data ingress and egress is managed via a secure airlock
  3. Each workspace has its own audit trail which captures all research activity
  4. Researchers have access to wide range of tooling as standard (R, Python, Jupyter Notebook, etc.)

We will continue to monitor the EHDS SPE specification as more detail is provided, but believe the DRE comfortably meets and exceeds the existing public specification. 

Reviewing and approving data permit applications:

The first blog in our series explained how FAIR Data Services could be used to help standard HDHs meet their obligations under EHDS. In addition to the features detailed in that blog, FAIR has a built-in data approval process that allows data owners to review and approve data access requests, and when approved requesters can transfer the data to a secure workspace. 

Additionally, FAIR’s open API allows this approval flow to be integrated with third party systems, meaning that FAIR can receive requests from external platforms and return approval decisions. This means that in principle FAIR could be integrated with an HDAB’s national level permit application system to receive requests and return the HDH’s recommendation. TEHDAS2 deliverable 6.4 envisages this type of integration between national permit application systems and existing HDH approval flows.

Given this, we believe that HDHs using FAIR to manage their data holdings will be well placed to gain trusted status. 

Proving capability: 

The final presently known requirement is that the HDH be able to prove they have the above capabilities.

With the Aridhia DRE this is straightforward, our platform is independently audited on a recurring basis, with ISO 27001, ISO 27701, HITRUST, and Cyber Essentials Plus certifications all publicly available.

Additionally we evaluate our platform against the emerging open standards for TRE/SPE provision. Most notably we score the platform against the UK SATRE standard annually, and publish the outcome in a whitepaper, perhaps more pertinently for EHDS we also recently evaluated the DRE against EOSC-ENTRUST TRE questionnaire and published the result here.

As noted above, EHDS is still evolving and more detailed specifications will be available in 2027. However, as things stand with our current capabilities we believe we are well placed to help European Health Data Holders transition to EHDS.

If you’d like to know how we can help Health Data Holders transition to EHDS contact us here.

What is the European Health Data Space (EHDS)?

The European Health Data Space (EHDS) is a landmark EU regulation governing cross-border health data access for research, policy, and innovation. Our EHDS guide covers what EHDS is, when it applies, and how the Aridhia DRE supports data owners and researchers in meeting its requirements.

EHDS Guide