HDS (Health Data Hosting) certification is mandatory for the hosting and outsourcing of services and applications containing identifiable and personal health data. It was introduced in 2018 by the French governmental health agency the “Agence du Numérique en Santé” (ANS) to improve the security and privacy of personal health data.
Read on for further information about the HDS certification.
Which organizations are required to gain Health Data Hosts accreditation?
All public or private organizations involved in healthcare that store patients' medical data need to be HDS certified. This includes companies that carry out backups on behalf of a healthcare establishment or a third party.
Health facilities that manage their own Health Information Systems do not need to be HDS certified.
Any publisher or operator of an HDS-certified health information system that outsources its hosting must still be able to guarantee data security. There are two ways to ensure the security of the information held by the subcontractor:
- Use an HDS-certified subcontractor
- Set up a process for managing and auditing the information security of its subcontractor.
Different Types of HDS Certification
There are two types of certificate, depending on the activity:
Physical infrastructure host certification:
- Provision and maintenance in operational condition of the hardware infrastructure of the information system used to process health data
- Provision and maintenance in operational condition of the physical sites that host the hardware infrastructure of the IT system used to process health data
Outsourcer host certification:
- The operational provision and maintenance of the virtual infrastructure of the health information system
- The operational provision and maintenance of the information system's application hosting platform
- The operational administration of the IT system containing health data
- Outsourced backup of health data
How is the HDS certification carried out?
Once you have implemented your management system and ensured that you meet the various requirements of the standard, the process is as follows:
The HDS audit and certification process
- Submission of a file to the certifying body (which must be COFRAC accredited)
- After a month, a one-day pre-audit to review the system from a documentary point of view and check its suitability.
- After the first year, the on-site certification audit on the technical and organizational levels will be carried out.
- A committee will examine the report.
- Approximately one month after the examination, the response on the certification will be given (favorable or non-compliant).
- Generally, the certifying body issues both an ISO 27001 certificate and an HDS certificate.
If you already have ISO 27001 certification, you will receive a simplified audit.
What strategy is best to adopt for HDS certification?
In most cases, it is helpful to begin with a certification process against the ISO 27001:2013 standard, which covers a large part of the requirements of the HDS reference framework. In addition, ISO 27001 certification is internationally recognized across all sectors of activity.
It is then necessary to carry out a study to identify the exact scope and the specific activities to be certified, answering the following questions:
- Physical infrastructure hosting certification (40 of 45 requirements) or outsourcing hosting certification (45 requirements)?
- What additional certifications? (27001, 20000-1, 9001, SecNumCloud, …)
- How to integrate with GDPR?
- What is my current compliance level?