A revised version of the Health Data Hosting (HDS, Hébergement de Données de Santé) standard has been drawn up by the Agence du Numérique en Santé (ANS) and is currently being examined by the European Commission. The new HDS framework is expected to come into force by the summer of 2024.
The aim of HDS certification is to strengthen the protection of French health data and to build an environment of trust around eHealth and patient monitoring. It applies to all public or private entities that host, operate or back up health data. In response to the growing cyber threat, the ANS launched an overhaul of the HDS framework in 2023, in consultation with users and service providers. The new text introduces more demanding criteria in terms of sovereignty and transparency.
| What's new? | What impact will this have on the hosting of health data? |
|---|---|
| European location | Data will have to be stored on the territory of a member state of the European Economic Area (EEA). Organisations processing health data and/or their hosting provider will therefore need to verify that they meet this requirement; if they do not, they will have to consider changing cloud provider or offering. |
| Transfer and remote access | Organisations and/or their hosting provider will have to inform their customers contractually of any transfer of, or remote access to, data from a country that does not comply with the GDPR, specifying the associated risks. They must also detail the technical and legal measures implemented to limit those risks. |
| Immunity from non-European law | Hosting providers that are not SecNumCloud-qualified will have to be transparent about their exposure to non-European laws. Organisations processing health data that rely on a third-party hosting provider without SecNumCloud qualification will have to ensure that the provider gives them this transparency. |
| ISO 27001 | The ANS requires certain changes to the ISO 27001 standard to be incorporated into the new HDS certification framework, so organisations processing health data and/or their hosting provider will have to comply with these changes when renewing their HDS certification. |
"While the new standards do not provide for immediate alignment with the requirements in terms of immunity to extraterritorial laws in the famous article 19.6 of the SecNumCloud standards, this convergence is planned for 2027".
If the organisation hosts the health data itself, it must obtain HDS certification in its own name. If it subcontracts hosting to a third party, it is that hosting provider that must hold the certification.