Blog of cyber
In the healthcare sector, the security and confidentiality of personal data are essential issues. With this in mind, the Healthcare Data Hosting (HDS) certification was introduced to meet these requirements.
HDS certification aims to strengthen the protection of health data and establish a trusted environment for patients, healthcare professionals, and organizations involved in the hosting and processing of this sensitive information.
Health data hosting is a complex operation requiring a resilient infrastructure, rigorous security measures, and effective governance. HDS certification is proof of quality and compliance with the strictest standards in information system security and personal data protection. This article takes a detailed look at the meaning of HDS certification, the entities involved, the requirements to be met, and the steps to obtain this essential certification for health data hosting.
HDS (Hébergeur de Données de Santé) certification is a security certification specifically designed to guarantee the protection of personal health data in France. It is intended for companies and service providers that host sensitive medical information, such as patient records, medical test results, and other health-related data.
The HADS accreditation, which was initially in force, was replaced in 2018 by HDS certification, introducing a more rigorous framework that is better suited to contemporary security and compliance requirements. A new version of the standard, HDSv2, came into force in May 2024 to respond to technological developments and increased cybersecurity needs.
HDS certification is a regulatory requirement for all public or private organizations that host or operate health information systems or perform backups on behalf of a healthcare institution or third party. It ensures legal compliance with regulations such as the GDPR (General Data Protection Regulation) and French legislation on health data protection.
The Agence du Numérique en Santé (ANS), formerly ASIP Santé, plays a key role in the HDS certification process. The ANS defines the certification requirements and criteria, and also validates the accredited certification bodies that issue HDS certificates.
The primary objective of HDS certification is to ensure that health data is processed securely, confidentially, and in compliance with regulations. It recognizes cloud and hosting service providers that meet regulatory requirements for health data protection, thereby ensuring a framework of trust for patients and healthcare professionals.
The need for HDS certification stems from the Health Act, which regulates the hosting of personal health data. The HDS standard is based on ISO/IEC 27001, which includes compliance with the GDPR. These requirements ensure the implementation of rigorous security and confidentiality measures to ensure the availability, confidentiality, integrity, and traceability of data, in order to prevent unauthorized access or disclosure.
HDS certification is essential for a variety of entities that handle health data. The main players concerned are as follows:
Startups specializing in digital health that develop solutions involving the hosting and processing of health data must obtain HDS certification to ensure their compliance with French regulations and protect the data they manage.
Companies specializing in data hosting or cloud service providers, such as Google Cloud, Amazon Web Services (AWS), and Microsoft, must be HDS certified in order to serve the French market by hosting health data.
SaaS software publishers or cloud platforms offering data storage or processing services for the medical sector must also be HDS certified. They are responsible for the security of the data hosted in their application environment.
IT managers (or managed service providers) may need to access health data as part of infrastructure management, maintenance, or technical support. If they have logical or physical access to this data, HDS certification is mandatory to ensure compliance with security, traceability, and confidentiality standards.
HDS certification is based on the international standard ISO 27001:2022, which defines the requirements for an Information Security Management System (ISMS). It guarantees the confidentiality, integrity, availability, and traceability of information, protecting data against cyber threats and other risks.
HDS certification also imposes specific requirements defined in the HDS reference framework, comprising 31 requirements divided into several categories. These additional requirements concern the protection of personal health data, the transparency of operations, and specific contractual obligations to customers. For example, it is mandatory to host health data collected in France within the European Economic Area (EEA) and to communicate transparently to customers about the activities of third parties involved in hosting health data.
HDS certification can be obtained in six distinct areas of activity, corresponding to different types of health data hosting and processing services. These areas include data hosting, health information system management, data backup and restoration services, and other activities related to health data management and protection.
Obtaining HDS certification requires following a structured and rigorous process. Here are the six key steps:
Internal assessment Conduct an internal assessment of your information system and processes to identify strengths and areas for improvement necessary to comply with the HDS standard. This preliminary assessment prepares the organization for audits and avoids major non-compliance issues.
Document preparation Prepare all documents describing your information system's policies, procedures, and processes, including security policies, incident management procedures, business continuity and disaster recovery plans, as well as standard contracts and contractual clauses (SCCs). An in-depth document review by the certification body is essential to validate document compliance.
Selection of an auditor Select a certification body accredited by COFRAC or a European equivalent. The auditor responsible for the audit and issuance of HDS certification must be competent and experienced, which is essential to the success of the certification process.
Initial audit The initial audit consists of two phases: the document audit and the on-site audit. The document audit verifies the compliance of the documents with the requirements of the HDS standard, while the on-site audit collects evidence of technical and organizational compliance. In the event of non-compliance, a three-month period is granted to correct the issues. Once the audits have been successfully completed, HDS certification is issued for three years, with annual surveillance audits ensuring continued compliance.
Report and correction After the audit, the certification body provides a report detailing any non-conformities and recommendations for correcting them. The organization must implement the necessary corrections and have these adjustments audited to obtain final certification. This process is essential to ensure that all requirements are fully met.
Certification and monitoring Once HDS certification has been obtained, it is essential to maintain compliance through annual surveillance audits, ensuring that the requirements of the HDS standard are continuously met and that health data security and management processes remain effective. A renewal audit is also required every three years to extend the certification.
Since April 1, 2018, HADS accreditation has been replaced by HDS certification, marking the transition to a certification with significantly enhanced security requirements. HDS certification is now the only regulatory requirement for all personal health data hosting providers in France.
When planning an HDS project, it is essential to select an HDS-certified hosting provider. Check the certification by consulting the list of HDS-certified hosting providers published by the Agence du Numérique en Santé (ANS) or by directly checking the certificates issued by COFRAC-accredited certification bodies.
When designing your IT infrastructure, anticipate the constraints and requirements of HDS certification, including the implementation of robust security measures, the definition of health data management policies, and the integration of continuity and disaster recovery processes.
This anticipation minimizes the costs and delays associated with changes during the project.
Before submitting your certification application, conduct an internal HDS compliance audit using a dedicated checklist. This audit assesses your information system and identifies any non-compliance with the HDS standard.
This preliminary step ensures that your organization is ready for the official audit and reduces the risk of major non-compliance issues.
Integrate HDS certification into your existing Information Security Management System (ISMS) and Information Security Policy (ISSP), ensuring that health data security and management requirements are aligned with your current risk management and information security practices.
Rigorously manage relationships with your suppliers and subcontractors by establishing a clear chain of responsibility. Define contracts and standard contractual clauses (SCCs) specifying the security and confidentiality obligations for all parties involved in the hosting and processing of health data.
Obtaining HDS certification can be a complex and demanding process, but with the help of Board of Cyber, you can simplify and optimize your path to compliance. Here's how our expertise and tools can support you.
Board of Cyber offers compliance management tools, such as Trust HQ, specifically designed to help organizations navigate the requirements of the HDS framework. This tool facilitates the management and monitoring of the various stages of the certification process, ensuring that all regulatory obligations are met and that any discrepancies are identified and corrected in a timely manner.
Our solutions integrate HDS, ISO 27001, GDPR, and other relevant standards, simplifying the implementation of the controls and processes required for certification. This allows you to align your security and healthcare data management practices with the specific requirements of the HDS standard without having to manage multiple separate frameworks.
Board of Cyber assists you in identifying and correcting discrepancies with HDS certification requirements. Our tracking tool detects potential non-compliance and implements corrective action plans to ensure ongoing compliance, reducing the risk of major non-compliance during audits and simplifying the correction process.
Our solutions automate many of the audits and verifications required for HDS certification, including security tests, compliance audits, and policy and procedure checks. Automating these processes reduces the time and resources required, while increasing the accuracy and efficiency of audits. With the help of Board of Cyber, you can navigate the HDS certification process with confidence, ensuring that all requirements are met and that your organization is ready for audits and certification. Contact us to find out how we can support you in your HDS certification journey.
HDS certification is both a regulatory requirement and a mark of trust for healthcare organizations. To successfully complete this process, it is essential to adopt key best practices.
Select an HDS-certified hosting provider and verify its certification with the Agence du Numérique en Santé (ANS). Anticipate HDS constraints when designing your IT infrastructure and conduct an internal HDS compliance audit to identify and correct any discrepancies.
Integrate HDS requirements into your existing Information Security Management System (ISMS) and Information Systems Security Policy (ISSP). Manage relationships with suppliers and subcontractors rigorously by establishing a clear chain of responsibility.
Don't wait any longer to take the necessary steps to obtain HDS certification, which is essential for protecting health data and strengthening trust within your organization.
Article verified by Alexandre RENDOUR—GRC (Governance, Risk, and Compliance) Consultant—Almond
