The aim of HDS certification is to strengthen the protection of French healthcare data and build an environment of trust around eHealth and patient monitoring. It applies to all public or private entities that host, use or back up health data. In response to the growing cyber threat, the French Digital Health Agency (Agence du Numérique en Santé) launched an overhaul of the HDS standard in 2023, calling on users and service providers to contribute. The new text introduces more demanding criteria in terms of sovereignty and transparency.
Marguerite Brac de la Perrière, a digital and healthcare lawyer and partner at Numeum, and Giuliano Ippoliti, Director of Cybersecurity at Cloud Temple, shed light on the changes brought about by the new standards in this joint interview.
Why was it time to implement a new version of the HDS repository?
Marguerite: The previous HDS standard dated from 2018. It was a little outdated, in particular because the ISO 27001 standard had been updated in the meantime.
There were also a number of issues that posed difficulties for the players, particularly in relation to the application of extraterritorial laws and with the definition of activity 5 of the repository, defined by the 2018 decree relating to the administration and operation of health information systems.
This activity was therefore somewhat on the borderline between the activities of a hosting provider and a publisher. This can give rise to difficulties of interpretation, such as knowing who should be certified, depending on the activities carried out in concrete terms. One of the aims of the new standards was to clarify these different elements.
What are the main differences between the old standards and this new version?
Marguerite: What's interesting about the new reference framework is the clarifications, even if they are still imperfect, on the famous activity 5.
There are also new guarantees and transparency obligations relating to the application of extraterritorial laws. This makes it possible to find out what obligations hosting providers have to properly inform their customers about the possible risks of applying extraterritorial laws, and in particular about the obligation to host data in the European Economic Area (EEA), which is slightly wider than the EU.
Giuliano: This is in fact the most significant change in the standards: transparency. The introduction of the new standards is not a revolution. Some things remain the same. For example, ISO 27001 remains the foundation of the standard, even though the new 2022 version is now the reference version. The six activities of the standard have been retained, but their wording has been improved. In particular, there has been an inversion between activities 3 and 4. There are new requirements that revolve around three axes: sovereignty, transparency and compliance with the RGPD (GDPR).
As far as sovereignty is concerned, there is an obligation to take into account the risks associated with exposure to extraterritorial laws. There is a requirement to host data in the European Economic Area.
What's also interesting is that this new standard really pushes the envelope on transparency and obliges HDS-certified service providers to publish the list of their subcontractors, which is really important, particularly for those who may be subject to legislation with territorial protection established outside the European Economic Area.
What do you find interesting about activity 5 of the HDS standards?
As a reminder, there are six. The first concerns physical hosting. The second covers infrastructure management, the third virtualisation infrastructure management. The fourth focuses on OS and middleware management, and the fifth on facilities management and administration. Finally, the sixth covers outsourced backup.
Marguerite: We're dealing with a subject that has been an ongoing debate since 2017. From the moment we learned of a draft decree on the hosting of health data in 2018, it generated a lot of reaction.
Activity 5, which is the administration and operation of a health information system, straddles the line between the activities of a hosting provider and a publisher. The question therefore arose whether publishers should also be certified for this activity.
Since then, many publishers have decided to seek this certification.
On the other hand, publishers and hosting providers have been certified even though they were not supposed to be involved in the business application side of information systems, but only in the hosting infrastructure side.
The definition of the respective perimeters of intervention of publishers and hosting providers made it difficult to circumscribe the scope of this activity 5.
For a while there was talk of abolishing it by decree. In the end, this was not adopted as a solution. The new standards provide clarification and enable stakeholders to determine who needs to be certified for different activities.
We note that the contractual chains are sometimes so complex that it is difficult to determine whether it is only the resources or interventions on these resources provided by the hosting provider that require level 5 certification. In reality, it may also be resources made available by other hosting providers or even certain activities carried out by publishers. These elements can constitute security flaws in hosted environments, which means that they should also be certified.
One frequent complaint is that a certain number of healthcare establishments are required by hosting providers to be certified for activity 5, without which the hosting provider refuses to provide its services. In the end, we end up with excesses that are not in line with the spirit of the text. The ANS (Agence du Numérique en Santé - Digital Health Agency) therefore received feedback from the field, which led to the introduction of a FAQ. This makes it easier to identify discriminatory actions, particularly in relation to the management of access to environments and health data, whether on the part of the publisher or the host.
Giuliano: This is perhaps a good opportunity to recall how Cloud Temple approached this complexity. Cloud Temple began by being certified for hosting and backup activities, i.e. activities 1, 2, 3, 4 and 6. At the outset, we excluded activity 5.
Secondly, we extended the scope of our ISO 27001 certification to our managed services (outsourcing). Once this expression of scope at ISO 27001 level had been validated, we submitted activity 5 to the HDS certification audit.
For Cloud Temple, it was relatively easy to distinguish between hosting and facilities management activities. But for software publishers who are in a more complex position, with the need to implement access control and encryption activities, this is not necessarily the case.
Talks given at the Cloud & Santé Talks organised by Cloud Temple at SantExpo 2024
Discover the other part of this exchange in this article: where do the HDS standards fit in with other regulations?