Significant developments in certification and accreditation standards for hosting health data (HDS)

The certification of health data hosts (HDS – Decree No. 2018-137 of February 26, 2018 on the hosting of personal health data) makes it possible to guarantee the security of the hosting of health data in France. It is one of the first levers for regulating digital health. The aim is to certify hosts implementing information system security management systems according to the most modern international standards.

This is a great achievement for the trust of patients and professionals.

To date, 284 actors have been certified. These certifications were carried out by nine organizations accredited by the French Accreditation Committee (COFRAC).

Five years after the implementation of this certification, the Digital Health Delegation and the Digital Health Agency started the process of revising the HDS certification framework in early 2022.

This work involved the National Commission for Information Technology and Freedom (CNIL), the Senior Official for Defense and Security of the Ministry of Health (HFDS), the industry federation of the digital health ecosystem and the certification bodies. The new version of the framework was put out to public consultation at the end of 2022; more than 250 contributions were received, analyzed and processed.

After several exchanges, the CNIL issued a favourable opinion on the revised draft certification framework on 13 July 2023.

Changes made to the HDS certification framework

This new version of the HDS certification framework integrates the main contributions received and makes it possible to:

    • Gradually strengthen data sovereignty, with new requirements that reinforce safeguards in terms of data protection (see the focus below);
    • Clarify the range of hosting activity types – in particular the so-called activity “5”, covering administration and operation, which raised questions and on which a general consensus was reached – and improve the transparency of hosts regarding the activity types for which they are certified;
    • Specify how the HDS certification requirements relate to the SecNumCloud qualification requirements defined by ANSSI;
    • Incorporate certain developments of ISO 27001 into the HDS certification framework.

Focus on adding data sovereignty requirements

The revised HDS framework adds four data sovereignty requirements (requirements 28 to 31):

    • (Requirement 28) Physical hosting of health data must take place exclusively on the territory of a country in the European Economic Area – EEA – (the European Union – EU – plus Norway, Iceland and Liechtenstein), which HDS did not previously require. Although this localization requirement alone is not sufficient to fully guarantee the security of the data, it provides important safeguards in terms of data protection and helps strengthen the trust of patients and professionals in digital health;
    • (Requirements 29 and 30) Where data is accessed remotely from a non-EU country by the host or one of its subcontractors, or where such a subcontractor is subject to the legislation of a non-EU country that the European Union does not consider to ensure an adequate level of protection within the meaning of Article 45 of the GDPR (see the CNIL map), the host must inform its customers of this in the contract and specify the associated risks as well as the technical and legal measures taken to limit them;
    • (Requirement 31) The host must publish on its website a map of any data transfers it makes to a non-EEA country.

It should be noted that the revised framework does not, at this stage, align with the requirements on immunity from extraterritorial legislation proposed under SecNumCloud V3.2 (in particular the requirements of paragraph 19.6). This point will be re-examined, in particular once the discussions on the future European scheme (European Cybersecurity Certification Scheme for Cloud Services – EUCS) have concluded, and at the latest in 2027. The next revision of the standard will also take into account the evolving maturity of market players.

Changes made in the accreditation framework of certification bodies

In line with the HDS standard, the accreditation standard, written in collaboration with COFRAC, describes the accreditation process for certification bodies. In particular, it incorporates stakeholder feedback collected during dedicated workshops.

The main developments concern updates reflecting the evolution of the ISO 27001 standard, harmonization with the corresponding points of the HDS framework (definitions, normative references, chapter structure, etc.) and updates to the duration of audits.

Schedule of entry into force of new standards

The draft order approving the revised version of the two standards has just been notified to the European Commission; it will be published in the Official Journal after the 3-month standstill period.

From the publication of the decree endorsing the standards, which should occur during the first quarter of 2024, certification bodies will have a six-month period to adapt their certification process to the new HDS standard.

This new framework will apply to applications for certificates of conformity and renewal applications submitted to certification bodies from 6 months after publication of the order, i.e. from the beginning of the second half of 2024. From the end of this six-month period, certification bodies will therefore only be able to issue certificates of conformity with the new standard.
