The aim of HDS certification is to strengthen the security of French citizens' health data and foster a climate of trust around eHealth and patient medical monitoring. It applies to all organisations, whether public or private, that host, use or store health data. In response to the increase in cyber threats, the Agence du Numérique en Santé launched a revision of the HDS standard in 2023, in collaboration with users and service providers. This new version introduces increased requirements in terms of sovereignty and transparency.
We asked Marguerite Brac de la Perrière, a digital and healthcare lawyer and partner at Numeum, and Giuliano Ippoliti, Director of Cybersecurity at Cloud Temple, to shed some light on the new standards in this interview conducted at SantExpo 2024.
Where does the HDS repository stand in relation to SecNumCloud?
Giuliano: HDS compliance is somewhere between ISO 27001 compliance and SecNumCloud in terms of requirements and complexity, but the step from ISO 27001 to HDS is smaller than the step from HDS to SecNumCloud.
The main difference between HDS and SecNumCloud is the famous chapter 19.6 of SecNumCloud, which introduces very stringent requirements relating to sovereignty, in particular clauses relating to the shareholding of organisations applying for qualification, which must have a majority in France.
On the other hand, HDS is built on the same compliance foundation as ISO 27001. It is important to bear in mind that ISO 27001 is a security standard inspired by the world of quality, but which does not oblige certified entities to have a level of security that is necessarily state-of-the-art.
In the ISO 27001 declaration of applicability, it is possible to mention measures that are currently being implemented or that are planned for future implementation. SecNumCloud, on the other hand, raises the bar by requiring compliance with ANSSI technical standards.
I don't get the impression that the HDS repository goes far enough.
Marguerite: It's true that this standard is often criticised for being difficult to interpret by the certifying bodies, who have difficulty in harmonising their assessments. As a result, we end up with hosting providers whose levels of maturity are not necessarily identical.
Giuliano: That's exactly the point. ISO 27001 gives you relatively significant leeway. To comply with ISO 27001, you have to demonstrate that the level of safety you have achieved is consistent with the safety objectives of the senior management (general management). However, the senior management is sovereign for a level and objective of security that is consistent with its own activity. This level of security will not be the same for a nuclear power plant or a software publisher. ISO 27001 compliance alone does not provide complete reassurance that a very high level of security has been achieved. HDS allows us to go further, thanks in particular to the requirements of transparency, sovereignty and respect for personal data. But clearly, the SecNumCloud requirements are still a long way off.
What about the relationship between French and European regulations?
Marguerite: On the more European side, in France we have always had specific sectoral standards that only we have mastered and know about, but which we impose on the players operating in our territory.
This raises the question of whether we will see an alignment with the EUCS in particular.
Giuliano: France is a pioneer in the field of cyber security, particularly in relation to the cloud and the SecNumCloud framework, which is highly ambitious in terms of security and sovereignty requirements.
From the point of view of a cloud provider like Cloud Temple, European harmonisation is extremely desirable. It would give us the opportunity to present ourselves to the European market with security guarantees that speak to all the Member States.
We are following very closely the work on validating the EUCS reference system, which aims to bring about this harmonisation in Europe. We hope that the position defended by France on the need for strong sovereignty will be retained.
It seems that France is in the minority in supporting this very firm position on sovereignty. It is therefore possible that the EUCS reference system will provide for the highest level of security to be consistent with offers from players subject to laws outside Europe but established in Europe.
Marguerite: It's true that the subject is complex. Nevertheless, on 10 July 2023 the European Commission issued an adequacy decision on the guarantees presented to it by the United States with regard to data processing, even though history has already invalidated the agreements that may have been drawn up on several occasions.
The issue remains fragile and measures need to be implemented to counter the application of extraterritorial laws in Europe. On the subject of sovereignty, this is a term that comes first and foremost from France and then from Europe. But when we talk about sovereignty, in the United States for example, we don't think about defending European data and players, but more about notions of military defence.
We have retained notions that are a little 'nationalist' or 'Europeanist', for want of a better term. It is interesting to note that we have a form of protectionism in Europe but that this protectionism, by capillary action, affects all the players.
For example, with our Data Protection Act in France, we inspired the RGPD, which came into being after 40 years of reflection (1978 to 2018).
So we can see that, by capillary action, European players are conforming to our standards. Perhaps SecNumCloud will also influence the debate on the adoption of EUCS in one way or another. In any case, we hope so.
On the subject of the RGPD, there has been harmonisation of the information and clauses that must be included in contracts. Can you give us more details?
Giuliano: There is indeed an obligation to mention in the contract the legal basis for data transfers outside Europe. This means ensuring that there are formal contractual clauses with subcontractors established outside the European Union. Then there is the obligation to take into account the rights that have been validated through the RGPD: rights of access to data, the right to correct, rectify, forget, etc. This is certainly linked to the fact that the RGPD has been adopted by the European Union. This is certainly linked to the fact that the old version of the repository dated from before the RGPD came into force. This integration clarifies compliance with the RGPD and effectively fills a gap that was specific to the old repository.
Marguerite: The standards have tried to take account of all the subjects and clauses that must be included in contracts. The certification bodies may have found themselves in difficulty in sanctioning the fact that clauses relating to the RGPD were missing from the dossiers submitted to them, even though it is neither up to them, nor to the standards, to determine this, since it is a regulation with European application. So it's an interesting guide for players on how to draw up contracts with their customers.
Can you shed some light on PAMS (Prestataires d'Administration et de Maintenance Sécurisées)?
Giuliano: The SecNumCloud standard covers hosting activities, i.e. the provision of IaaS, PaaS or SaaS services. It does not cover outsourcing activities at all. Technically, it is not forbidden to deploy infrastructures on a SecNumCloud-qualified cloud and have them managed by an offshore centre, outside Europe, or with administration practices that fall below general security standards.
The PAMS repository fills this gap. It will be the equivalent of SecNumCloud for outsourcing activities. Combining SecNumCloud with PAMS, which Cloud Temple is targeting, will provide a higher level of confidence in compliance across the entire HDS repository. With the arrival of PAMS, one might wonder whether it will be necessary to maintain the HDS repository, which remains somewhat in the middle between ISO 27001 and SecNumCloud.
Talks given at the Cloud & Santé Talks organised by Cloud Temple at SantExpo 2024.