Backend for AI Data in Healthcare

  • The risk isn't the model — it's the data path. Over 80% of PHI stolen in 2025 came from third-party vendors and external software, not hospitals' own systems. Local/EU-resident deployment removes that vector entirely.
  • The law, briefly: AI medical-device systems are high-risk under the EU AI Act (phasing in 2026–2027); GDPR holds the hospital liable even when a processor is breached; EHDS (EU 2025/327) keeps records in national infrastructure; NIS2 makes hospitals "essential entities."
  • Recent proof: Cegedim Santé (France, late 2025) leaked ~15.8M files and ~169k sensitive records — including HIV status — from one centralized vendor platform. Belgian/German/French hospitals went offline via attacks on software vendors, not the hospitals.
  • The cost of getting it wrong: $7.42M average healthcare breach (highest sector, 14 years running), 279 days to contain, ~€1.2B in 2025 GDPR fines.
  • The penalties stack: GDPR up to €20M/4%, AI Act up to €15M/3% (high-risk), NIS2 up to €10M/2% — and they can apply to one incident at once.
  • Local isn't free or bulletproof, but it's the only control that eliminates the dominant 2025 failure mode: data lost through an external processor.

The legal layer is real but simple to state. AI systems that are or support medical devices are automatically high-risk under the EU AI Act (Annex III / Article 6), with obligations phasing in through 2026–2027. The GDPR treats health data as a special category and holds the hospital — the controller — liable even when a processor causes the breach. The European Health Data Space Regulation (EU 2025/327), in force since March 2025, keeps patients' records stored and processed inside national healthcare infrastructure. And under NIS2, hospitals are "essential entities" with hard security obligations. That's the rule. The rest of this is why local deployment is the right engineering answer to it — not just the compliant one.

Why does local deployment matter more than the AI itself?

Because the model is rarely what leaks. The data path is. Every time patient data is sent to an external AI API or a third-party-hosted system, you add a processor to your breach surface, a jurisdiction to your legal exposure, and a dependency to your clinical uptime. Local or EU-resident deployment — on-premise, in a hospital-controlled data center, or in a genuinely sovereign EU cloud — collapses all three:

  • Attack surface. Data the AI never sends outside the hospital cannot be stolen from a vendor that gets breached. Given that third-party vendors were the source of the majority of 2025 healthcare record theft, removing that hop is the single highest-leverage control available.
  • Jurisdictional control. Data physically held in the EU under EU operators is shielded from foreign legal access (e.g. extraterritorial demands under non-EU law). This is the core of what regulators now mean by sovereignty.
  • Clinical continuity. When the AI runs on infrastructure you control, a vendor outage doesn't take diagnostic or triage support offline. Availability becomes a property you own, not one you rent.
  • Latency and determinism. Inference next to the data is faster and more predictable — which matters when AI sits in a clinical workflow rather than a back-office report.

Open-weight models now make this practical: a hospital can run capable models on its own GPUs or in a sovereign EU cloud without shipping a single record to a foreign API.

What recent breaches teach, and which were a residency problem

These are 2025 cases where the data was exposed because it sat in a centralized third-party system, not inside the hospital. Local processing would have removed the exact vector that failed.

Cegedim Santé (France, late 2025). Attackers extracted roughly 15.8 million administrative files, including sensitive medical notes on around 169,000 patients — some revealing HIV status and sexual orientation — from the vendor's centralized medical-software platform used by thousands of doctors. The data was concentrated in one external system. That concentration was the breach.

Belgian, German, and French hospitals (2025). Patient portals and clinical record systems across multiple hospitals, including those relying on Dutch clinical-software vendor ChipSoft, were knocked offline by attacks on the technology providers, not the hospitals. Records and appointment systems were inaccessible for days. A dependency the hospitals didn't host took the care path down.

The pattern, in numbers. Roughly 30% of 2025 breaches involved third-party suppliers, and over 80% of stolen PHI records originated outside hospital walls (vendors, business associates, software services). Breaches that originate in a third-party system cost on average ~$4.8M to remediate (IBM, 2025).

None of this means on-premise is a magic shield against phishing or ransomware on your own network. It means the dominant 2025 failure mode — data lost through an external processor — is the one local deployment actually eliminates.

What does it cost to deploy locally, and what does it cost not to?

The honest comparison is local capex versus breach-and-fine exposure, not local versus "free" cloud.

Self-managed infrastructure gives the most control and carries the largest upfront and maintenance cost; a sovereign EU cloud lowers the capex at the price of some provider constraints; hybrid splits the difference with added operational complexity. The point is not that local is cheap — it's that the alternative carries a multi-million-euro tail risk that lands on the hospital regardless of which vendor failed.

What are the consequences of non-compliance?

A single incident involving AI on patient data can trigger several regimes at once, each with an independent legal basis:

  • GDPR: up to €20M or 4% of global annual turnover for serious violations; the hospital as controller is liable even when the breach originates with a processor.
  • EU AI Act: up to €15M or 3% of turnover for high-risk non-compliance, and €35M or 7% for prohibited practices.
  • NIS2: up to €10M or 2% of turnover for essential entities, which hospitals are.

Beyond fines: care disruption, breach-notification obligations, the longest detection-to-containment window of any sector, and reputational damage with patients who cannot opt out of trusting you with the most sensitive data they have.

Other factors worth weighing

EHDS secondary use is coming. From 2029, hospitals must make datasets available for secondary use through secure processing environments under permits from national access bodies. Architecting for local control now makes that future obligation a configuration change, not a re-platforming.

Availability is a clinical safety property. If an AI assists triage, diagnosis, or documentation, its uptime is part of patient safety. Owning the deployment means owning the SLA.

Sovereignty is also a selling point. Being able to tell regulators, referrers, and patients that data stays under EU jurisdiction and never leaves the hospital's control is increasingly a differentiator, not just a checkbox.
