Health Data Hosting: Standards, Compliance, and Certification Challenges 2024

Introduction
Faced with a surge in cyberattacks, including 30 French hospitals falling victim to ransomware between 2022 and 2023, securing health data has become a national priority.
However, the evolution of threats to health data alone does not explain the emergence of HDS certification; the certification is rather the consequence of a changing context surrounding health data. Information systems in general are becoming more complex (Cloud in IaaS, PaaS, and SaaS form, AI integration, etc.), and increasingly hold data that is particularly sensitive within the meaning of Article 9 of the GDPR. Health-related digital services (mobile health applications, telemedicine platforms, connected objects) are also growing and generate massive flows of sensitive data. Finally, the volume of health data keeps rising with the integration of Big Data, which requires enormous and scalable storage capacities.
With this background in mind, it is easier to understand the emergence of Health Data Hosting (HDS) certification.
HDS certification is part of this approach, setting rigorous standards to ensure the security of sensitive health data and the resilience of critical systems. The 2024 version of HDS certification introduces significant changes, based on ISO 27001:2022, to better respond to current challenges.
Health Data Hosting (HDS) Certification and its intertwining with the ISO 27000-series standards and the GDPR
HDS certification is a French regulatory standard that applies to companies that host and process personal health data. Defined by the Public Health Code and guided by the principles of the General Data Protection Regulation (GDPR), it imposes strict criteria for the protection of sensitive data.
HDS certification is also based on the prerequisites of ISO 27001, as it requires a robust Information Security Management System (ISMS). For this reason, ISO 27001 is an essential prerequisite for obtaining HDS certification.
Consequently, part of the HDS audit will consist of checking the technical and organizational resources to meet security requirements in terms of confidentiality, integrity, and availability. In addition to the principles and objectives set out in ISO 27001 and the criteria set out in Annex A, there will be criteria specific to HDS certification.
Personal scope of application: which "hosting providers" are affected by HDS certification?
Three conditions must be met for an actor to be subject to HDS certification:
- Any natural or legal person who hosts personal health data;
- Collected during preventive diagnosis, treatment, or medical follow-up activities;
- On behalf of individuals or legal entities responsible for producing or collecting this data, or on behalf of the patient themselves.
As an exception, a hospital that hosts its own data is not subject to HDS certification because the third criterion is not met. However, if it hosts data for another hospital, the condition will be met, and certification must therefore be obtained.
HDS certification is part of a tripartite distribution of roles to which third-party service providers may be added:
- PII principal (the patient or "data subject"): the person from whom the personal health data originates.
- PII Controller (or personal data controller): Generally, healthcare professionals (hospitals, clinics, medical practices) collect data on behalf of patients.
- PII Processor (or personal data processor): These are the hosting providers who store and manage the data. Only they must be HDS certified.
- Third-party service providers: Some service providers, such as software publishers or maintenance companies, may intervene without directly accessing the data. They must comply with the HDS security constraints imposed by their customers.
The material scope: services subject to HDS certification
HDS certification applies to all infrastructure necessary for the storage, administration, and transmission of health data. This includes:
- The HDS infrastructure foundation:
  - Physical infrastructure: Data centers and other physical facilities where data is hosted.
  - Software infrastructure: Virtual infrastructure, software platform (OS, middleware, and databases), and data backup.
- The administration and operation of information systems containing health data:
  - Application outsourcing: supervision and management of non-HDS third parties who need to access the business application via the HDS infrastructure platform. End users (patients, the PII principals) and data controllers (PII controllers) are not affected.
  - Technical outsourcing: maintaining the security of the HDS infrastructure base and the customer support center.
For more details, please refer to the six levels of hosting services on the ANS website.
These elements are subject to strict standards, with specific requirements to ensure their physical and logical security. The HDS reference framework, updated in 2024, specifies that each component of the infrastructure must be assessed for security and compliance.
The security foundation of HDS certification
HDS certification imposes security requirements based on ISO 27001:2022, incorporating specific controls for the healthcare sector. The following requirements form this security foundation:
- Compartmentalization
- Separation of environments: Health data must be strictly separated from other types of data, with isolated development, testing, and production environments.
- Access control: Access to data must be restricted by a rights management system, with clear roles and responsibilities for each employee or service provider involved.
- Least privilege
The principle of least privilege requires that each user only has access to the information strictly necessary for the performance of their tasks:
- Limitation of administrative rights: Accounts with high privileges must be limited and their use controlled.
- Periodic review of access: Access privileges should be regularly reevaluated to ensure that they remain appropriate for users' roles.
- Change management
Change management is essential for adapting infrastructure without compromising security:
- Change control: Every change, whether technical or organizational, must be assessed for its potential impact on security.
- Change tracking: A tracking system is in place to ensure that updates and changes do not introduce new vulnerabilities.
- Security by design
The concept of security by design requires that security measures be integrated into the design of systems rather than added after the fact:
- Built-in security: Security measures must be planned and integrated into every stage of the development of new systems or infrastructure.
- Adaptability to change: The system must be designed to easily integrate security updates, ensuring its long-term resilience.
- Traceability and non-repudiation
Every action must be traceable, and it must be impossible for a user to deny having performed an operation:
- Access logging: All access attempts, whether successful or unsuccessful, are recorded.
- Auditability: HDS certification requires regular audits to verify that traceability logs are complete and intact.
- Management of administrative access via a bastion: Administrative access to critical systems must be centralized and secured via a bastion.
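The auditability requirement above (logs that are complete and intact) is easier to satisfy when each access record is chained to the previous one. The following is an added illustration, not code from the article or from any HDS reference framework: a minimal tamper-evident access log in which every entry carries a keyed hash over the previous entry's hash and its own content, so that editing, reordering or deleting a record is detected at audit time. The key, the field names and the sample records are all constructed for the example.

```python
import hashlib
import hmac
import json

LOG_KEY = b"constructed-demo-key"  # assumption: secret held only by the log service
GENESIS = "0" * 64                  # chain start for an empty log

def _digest(prev_hash, record):
    """Keyed hash over the previous entry's hash and this record's canonical JSON."""
    payload = prev_hash.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()

def append_entry(log, record):
    """Append an access record with a sequence number and a chained hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), **record}
    entry["hash"] = _digest(prev_hash, entry)  # hash computed before the key is stored
    log.append(entry)
    return entry

def verify_log(log, head=None):
    """Recompute the whole chain. Returns (ok, index): index is the first bad entry,
    len(log) when the out-of-band head hash does not match (tail truncated), -1 if ok."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("seq") != i or entry.get("hash") != _digest(prev_hash, body):
            return (False, i)
        prev_hash = entry["hash"]
    if head is not None and prev_hash != head:
        return (False, len(log))
    return (True, -1)

def build_sample_log():
    """Constructed sample: successful and denied attempts are both recorded."""
    log = []
    for ts, actor, action, outcome in [
        ("2024-05-02T08:00:00Z", "dr.martin", "read", "success"),
        ("2024-05-02T08:01:10Z", "intern.x", "read", "denied"),
        ("2024-05-02T08:05:00Z", "admin.y", "export", "success"),
    ]:
        append_entry(log, {"ts": ts, "actor": actor, "action": action,
                           "object": "patient/1042", "outcome": outcome})
    return log

if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["hash"]              # the auditor keeps the head hash out of band
    print(verify_log(log, head))        # (True, -1)
    edited = [dict(e) for e in log]
    edited[1]["outcome"] = "success"    # a denied attempt rewritten as a success
    print(verify_log(edited, head))     # (False, 1)
    print(verify_log(log[:2], head))    # (False, 2): the last entry was deleted
```

The head hash must be stored or published outside the log itself, otherwise a truncated tail cannot be distinguished from a shorter legitimate log.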
- Strong authentication
Strong authentication aims to ensure that only authorized individuals can access health data systems:
- Strong passwords: Password complexity and renewal should be standardized to reduce the risks associated with compromised passwords.
- Multi-factor authentication (MFA): Certification often requires the use of additional verification methods to validate user identities.
- Detection of access anomalies: Systems must be able to detect and report unusual or suspicious behavior.
What's new in the 2024 version of the certification
Here are the main changes introduced by the new HDS 2024 certification, based on the webinar transcript:
- Alignment with ISO 27001:2022: The new HDS certification is based on the updated version of ISO 27001 (2022), thereby strengthening the integration between the two standards. This means that HDS-certified organizations will need to have an Information Security Management System (ISMS) aligned with ISO 27001 requirements. This HDS ISMS must incorporate processes for continuous improvement, maintenance, and monitoring of the effectiveness of security measures, which marks a significant change from previous versions of the standard.
- Inclusion of stakeholders and specific requirements for health data: The new version requires organizations to identify all stakeholders, including not only customers but also all subcontractors, suppliers, and partners who play a role in or influence the security of health data. This is particularly relevant for supply chain management, which is becoming a key focus of certification. In addition, security objectives must now explicitly include the protection of health data, and management must demonstrate a commitment in terms of the resources allocated to these objectives.
- Subcontractor control: HDS 2024 certification requires hosting providers to monitor changes made to security measures by their subcontractors, including control of interventions, compliance with certifications, and incident management. Organizations must be able to demonstrate that they have processes in place to control their subcontractors in order to ensure secure supply chain management.
- New contractual requirements: Contracts between hosting providers and their customers must now include specific clauses to ensure data traceability, processing security, and transparency in data location. Contracts must also explicitly mention the requirements for encrypting health data (at rest or in transit) to mitigate the risks of unauthorized access, particularly in the event of transfer or access from third countries.
- Data sovereignty: The new version reinforces data localization requirements within the European Economic Area (EEA). Hosting providers must specify precisely where data is hosted and ensure that any data transfers to countries outside the EEA comply with the GDPR. The new certification requires that all information on data transfers to third countries be documented and brought to the customer's attention.
- Enhanced risk management: The new HDS 2024 introduces risk management criteria that include loss of control over storage media and data compromise. Organizations must incorporate specific crisis management processes to prevent and mitigate the impact of security incidents.
- Monitoring and continuous improvement: The 2024 certification emphasizes the need for organizations to continuously monitor and manage their security objectives, with systematic evaluation of process effectiveness. Transition audits will require verification of management system updates to ensure that defined processes are actually working and comply with the new requirements.
- Need for internal training and skills: Finally, the new certification highlights the importance of training internal teams and strengthening skills in ISMS and HDS. Internal auditors will need to be trained in the new standard to ensure that organizations are able to maintain a high level of information security.
The different stages of the HDS certification process
Health Data Hosting (HDS) certification follows a structured process consisting of at least four main stages:
1. Risk framing and analysis
The first step is to define the scope of certification. This includes:
- Identification of critical assets: The systems, applications, and infrastructure affected by certification.
- Risk analysis: According to the methodology defined by ISO 27005, this involves assessing potential threats, their impact on health data, and system vulnerabilities. For example, risks related to cyberattacks, infrastructure failures, or human error are identified.
- Definition of responsibilities: Each actor involved in the certification process, from system administrators to information security managers (RSSI, the French equivalent of a CISO), is assigned clear roles.
Framing is essential for focusing security efforts on critical elements and ensuring effective auditing.
2. Implementation
Once the risks have been identified, the organization moves on to implementing the necessary measures to meet the requirements of the HDS standard. This includes:
- Implementation of security processes: Deployment of the General Information Systems Security Policy (PGSSI), compartmentalization policies, privilege limitation, and incident management processes.
- Documentation drafting: Preparation of the Statement of Applicability (SOA), which lists the security controls implemented and the necessary operational procedures.
- Deployment of technical solutions: Implementation of tools such as logging systems, data encryption solutions, and multi-factor authentication (MFA) platforms.
This phase requires close coordination between the technical teams and those responsible for the information security management system (ISMS).
3. Internal audit
Before proceeding to official certification, an internal audit is conducted to ensure that all requirements are met. This step makes it possible to:
- Identify non-conformities: Detect any discrepancies between the implemented processes and the HDS certification requirements.
- Test the procedures put in place: Incident simulation, business continuity testing, and data access validation.
- Improve processes: Any non-conformities detected during this audit are corrected before the official audit.
An effective internal audit prepares the organization and limits the risk of failure during the certification audit.
4. Certification audit
The certification audit is conducted by an approved body accredited by COFRAC. The purpose of this audit is to validate the organization's compliance with HDS requirements. It includes:
- Documentation review: Validation of the applicability statement and security policies.
- On-site inspection: The auditor examines the infrastructure, verifies the physical security of the data centers, and analyzes the information systems.
- Interviews: Technical and administrative managers are interviewed to assess their understanding and mastery of the measures put in place.
If successful, an HDS certificate is issued for a period of three years, with annual surveillance audits to verify the sustainability of the measures.
Conclusion: HDS certification, a strategic asset for healthcare companies
HDS certification is not limited to simple regulatory compliance: it constitutes a genuine strategy for companies in the healthcare sector. By structuring and strengthening their overall security, certified organizations demonstrate their ability to effectively prevent and manage cyber threats, thereby protecting the sensitive data entrusted to them. This proactive approach also allows them to anticipate tougher legislation and increasingly strict controls, strengthening their resilience in the face of growing regulatory requirements.
Finally, HDS certification confers a significant commercial advantage. It inspires confidence among patients, healthcare professionals, and institutional partners, while enabling companies to position themselves favorably in demanding markets, particularly during calls for tenders. In a context where securing health data has become a national and European priority, HDS certification is establishing itself as a real lever for competitiveness and an essential pillar of digital trust.
Sources:
- Articles of the Public Health Code defining the scope of application of the HDS standard: L.1111-8, R.1111-8-8, and R.1111-9 of the Public Health Code.
- HDS Accreditation Reference Framework
- Health Data Hosting (HDS) certification framework