What mechanisms does Ventio deploy to ensure the quality of its cloud and biomedical imaging data processing services? 

At Ventio, we pay the greatest attention to the quality of our services and the satisfaction of our customers and partners. Due to the specificity of our activities, we wish to comply with a complex network of standards that we have identified to ensure the sustainability and development of the company. Our approach towards the application of a normative framework is voluntary, demonstrating our commitment to a process of continuous improvement oriented towards clear objectives. 


What is the regulatory context for Ventio’s activities?   

As an organization that processes imaging data, which is classed as health data and therefore as sensitive data, our first obligation is to comply with the General Data Protection Regulation (GDPR). Following on from the French Data Protection Act of 1978, the GDPR, which came into force on 25 May 2018, frames the processing of personal data uniformly throughout the EU by setting the conditions under which such data may be lawfully collected, stored and used by organizations.

The 8 golden rules of the GDPR:
– Lawful
– Fair and specific for its purpose
– Adequate and only for what it is needed
– Special protection of sensitive data
– Not kept longer than needed
– Kept safe and secure
– Transparency
– Take into account people’s rights

It defines personal data as any information relating to a natural person who is identified or identifiable, directly or indirectly. Among such data, sensitive data, which includes health data, forms a special category and is therefore subject to enhanced protection.

When health data is anonymized (an irreversible operation using a set of techniques that makes it impossible, in practice, to re-identify the person by any means), it falls outside the scope of the GDPR. This is not easily achievable for biomedical images, especially brain images: because an image represents the brain with all its individual specificities, it cannot be permanently anonymized and must therefore receive all the protection the GDPR requires.

Another rule is data minimization, i.e. ensuring that only the data strictly necessary for the processing is collected. For example, in research the precise date of birth is often useless, as is the person’s name, for which a pseudonym is sufficient. This leads us to develop solutions that integrate the principle of “privacy by design” (protecting personal data by design).
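As an added illustration of the minimization and pseudonymization principle described above (example code written for this page, not Ventio’s own software): a Python routine that keeps only the fields a research pipeline needs, reduces the date of birth to the year of birth, and replaces the direct identifier with a keyed pseudonym. The field names, the record layout and the key handling are assumptions.

```python
import hashlib
import hmac
from datetime import date

# Direct identifiers that must never reach the research dataset (assumed field names).
DIRECT_IDENTIFIERS = {"patient_name", "patient_id", "birth_date", "address"}

# Fields the research pipeline actually needs (minimization: everything else is dropped).
RESEARCH_FIELDS = {"pseudonym", "birth_year", "sex", "study_date"}


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym: stable for one patient across studies,
    but not recomputable by anyone who does not hold the custodian's key."""
    digest = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:16]


def minimize_record(record: dict, key: bytes) -> dict:
    """Reduce a raw imaging metadata record to the minimum needed for research."""
    out = {
        "pseudonym": pseudonymize(record["patient_id"], key),
        # The precise date of birth is replaced by the year only.
        "birth_year": date.fromisoformat(record["birth_date"]).year,
        "sex": record["sex"],
        "study_date": record["study_date"],
    }
    # Defensive checks: exactly the allowed fields, and no direct identifier leaked.
    if set(out) != RESEARCH_FIELDS or set(out) & DIRECT_IDENTIFIERS:
        raise ValueError("minimized record violates the allowed field set")
    return out


# Constructed sample input (fictitious values, not real patient data).
RAW_RECORD = {
    "patient_name": "DOE^JANE",
    "patient_id": "PID-000123",
    "birth_date": "1985-06-14",
    "address": "12 rue Exemple, Lyon",
    "sex": "F",
    "study_date": "2023-03-01",
}

# Placeholder key: in practice held by a separate custodian, never stored with the data.
CUSTODIAN_KEY = b"placeholder-custodian-key"

if __name__ == "__main__":
    print(minimize_record(RAW_RECORD, CUSTODIAN_KEY))
```

A record pseudonymized this way is still personal data under the GDPR, since the key holder can link it back; only the key separation and the field reduction limit what a downstream processor can learn.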

Throughout the entire health data processing chain, Ventio must strictly comply with the European regulatory framework and remains on the lookout for changes and interpretations for its activity, particularly for the secondary use of health data.   

Despite the complexity of this framework, we wish to go further and commit to a voluntary quality and security management approach.


Ensuring quality and safety through standards

Doing things right to provide robust and reproducible digital biomedical image processing services is one of our core values. A major effort has been made in training staff to integrate a standards-based approach. 

In order to comply with European requirements, we anticipate the conformity of our solutions from the design phase. Even though the evaluation procedure for obtaining marketing authorization varies according to the purpose of the processing, the principle of “accountability” applies throughout: “I must undoubtedly prove what I am claiming.” This is in line with our approach of setting up a Quality Management System according to ISO 9001, which could be summarized as “Write what you do and do what you write”. Through process-based management, our activities are oriented towards customer satisfaction, in a dynamic of continuous improvement. By defining concrete objectives to meet these expectations, we improve the safety and quality of our services.

To improve the security of our digital services in the context of the GDPR, and to prevent risks as far as possible, we have undertaken to adopt ISO 27001 – Information Security Management, together with its ISO 27701 extension relating to privacy protection. This series of standards commits us to a security improvement process. The framework is well suited because it sets guidelines for GDPR compliance by aiming to ensure the availability of information and services, secure the integrity of critical data, and guarantee the confidentiality of sensitive and customer data. For our cloud services, where providing maximum security is essential, the guides and guidelines of the ANSSI (the French national cybersecurity agency) are excellent supports for adopting the right reflexes and practices in the development and management of our information system; we integrate these guides into our security policy.

Although Ventio does not yet offer medical devices, so that the associated regulatory framework (Regulation (EU) 2017/745) is not strictly required at this time, we have committed early to the ISO 13485 standard, which sets out the requirements for a quality management system when an organization needs to demonstrate its ability to consistently provide medical devices and associated services. We thus pursue the objective of making our solutions compliant with both our customers’ requirements and the applicable medical device regulatory requirements, ensuring the control and safety of our software.

On the image processing software side, the standard IEC 62304 – Medical device software – Software life cycle processes, which addresses the development of medical device software and its life cycle, will serve as a guideline. It introduces software safety classes, with the objective of indexing the rigour of software life cycle control to the risk to the patient in case of failure or anomaly. In this way we improve the reproducibility and reliability of our services: sensitive data passing through our software is processed in a secure, appropriate and documented manner, and we thereby confirm our intention to offer our services with a medical purpose in mind.


What quality of our devices and services for tomorrow?    

These steps have been taken with the aim, in the longer term, of obtaining recognition of our software as medical devices, the marketing of which is conditional upon obtaining the CE mark. The CE mark attests to the conformity of the medical device with the health and safety requirements set out in European legislation, in particular the Medical Devices Directive 93/42/EEC and the EU Regulation 2017/745 on medical devices.

We would thus be able to intervene not only for research purposes but also in the subsequent stages: diagnosis, therapeutic follow-up and patient follow-up.

Finally, we constantly monitor regulations, which is essential given the expected changes, as the various health-sector authorities are still building the normative base of tomorrow. For example, the French National Authority for Health is working on an evaluation grid, a guide intended to help practitioners choose their software, because even if the CE mark authorizes the marketing of medical devices, nothing yet measures the clinical relevance of software using artificial intelligence.


Conclusion 

The work on quality allows us to orient our strategy according to the customer’s expectations, reinforces the relationship of trust with our partners, and gives credibility to our structure in the face of increased competition. To engage in a quality approach is to continuously improve our operations and our know-how by regularly reviewing our system.    

As far as the processing of personal data is concerned, we remain vigilant in the face of the multiplication of standards, given the permanent technological evolution. On March 27, 2023, France ratified the Protocol amending Convention 108 (Convention 108+), which modernizes the Convention by taking into account the new challenges in the area of personal data protection. If enough signatures are obtained, this Convention should enter into force at the end of 2023. 
