Only 3% of AI pilots in healthcare actually scale.

I see this statistic come up constantly in conversations with hospital CIOs — and I've watched it frustrate people who are genuinely trying to do the right thing. They're not running bad pilots. They're not making wrong choices about use cases. The problem is almost always the same: the data foundation underneath those pilots isn't solid enough to build on.

After years of building at OASYS NOW and dozens of conversations with hospital IT teams, I've come to believe that most hospitals are one step away from being ready for AI at scale. That step is pseudonymisation.

The data problem no one wants to talk about

Healthcare has more data than it has ever had. Electronic patient records, clinical notes, referral letters, lab results, scanned PDFs. The information exists. The challenge is using it — safely, compliantly, and at scale.

80% of that data is unstructured. It lives in free text, in letters dictated by clinicians, in handwritten notes, in documents that were never designed to be machine-readable. Most AI tools simply can't touch it. And the tools that can often require you to move that data, clean it, harmonise it, and reformat it before analysis can even begin.

That process takes months. Sometimes years. And by the time the data is "ready," the clinical context it was captured in has changed.

There is a better approach — but it starts with getting pseudonymisation right.

Why pseudonymisation is the foundation, not an afterthought

Pseudonymisation is not a compliance checkbox. It is the single infrastructure layer that makes everything else possible.

When you pseudonymise correctly — across every data format, including unstructured text, notes, and scanned PDFs — you create the foundation for:

• Downstream AI use cases that can actually be deployed

• EHDS compliance without rebuilding your systems

• Clinical trial patient recruitment from your full EHR, not just the structured fields

• Secondary use of data for research, without exposing patient identity

The problem is that most hospitals approach pseudonymisation as a project — something that gets done once, for a specific use case, in a specific system. Then the next use case comes along and the work starts again. Costs compound. Governance gets fragmented. And still only 3% of pilots scale.

What hospitals need is pseudonymisation as infrastructure. One implementation. Every format covered. Every downstream use case enabled.

Pseudonymisation is not a compliance checkbox. It is the single infrastructure layer that makes everything else possible.

What we built at OASYS NOW: De-ID

This is exactly what De-ID does.

De-ID is our on-premise pseudonymisation module, built specifically for the complexity of real hospital data. It connects directly to your existing EHR infrastructure — no data migration, no mandatory harmonisation — and pseudonymises every data format in your system: structured records, free text, clinical notes, scanned PDFs, referral letters.

We've validated it against the hardest identifiers in Dutch healthcare: BSN, names, dates, addresses, and other direct and indirect identifiers across multiple EPD systems. Our F1-scores are 0.99+ on critical identifier categories, meaning we achieve near-perfect accuracy in identifying and protecting sensitive data while minimizing false positives.

One implementation. Every format. Every downstream use case unlocked.

Because De-ID works with your data exactly as it is — on your own infrastructure — sensitive information never leaves your institution. Control stays with the hospital. Privacy is not a constraint on top of the system; it is the system.

Privacy is not a constraint on top of the system; it is the system.

The EHDS deadline is closer than it feels

The European Health Data Space is not a future problem. The first EHDS milestones are set for 2027, with obligations extending through 2031. Hospitals across the Netherlands are already receiving data access requests they need to fulfil compliantly. That volume will only grow.

Meeting EHDS requirements without a proper pseudonymisation layer is not just technically difficult — it is legally exposed. Every data access request, every secondary use case, every AI application that touches patient data needs to be built on a governance foundation that demonstrates control, traceability, and privacy by design.

De-ID is that foundation.

From problem to perspective

The title of the FD article I was featured in recently was "Health Data: from problem to perspective." I like that framing — but I want to be specific about what the perspective is.

The perspective is not that AI will solve everything. It is not that data will magically become accessible. The perspective is that the hospitals which invest in the right infrastructure layer now will be the ones running real AI at scale in 2027 — while others are still cleaning data and restarting projects.

That infrastructure layer is not glamorous. Pseudonymisation doesn't make headlines. But it is what separates the 3% who scale from the 97% who don't.

Where to go from here

If you're a hospital CIO or IT architect thinking about your AI roadmap or EHDS readiness, I'd genuinely like to talk. Not to pitch — to compare notes on where the real bottlenecks are and whether De-ID could be the foundation layer you're missing.

We're offering scoping conversations and a technical validation session for hospitals currently assessing their pseudonymisation needs.

Reach out directly, or request a demo via oasysnow.com.

Let's stop prepping data and start discovering insights.

— Sara Okhuijsen, Co-founder & CTO, OASYS NOW

OASYS NOW is a Health Data Intelligence company helping health data holders — hospitals, clinics, and life sciences organisations — unlock the full value of their clinical data, on their own infrastructure, without requiring harmonisation as a prerequisite. oasysnow.com