On April 1, 2018, the Health Data Host approval procedure, in force since January 2006, was replaced by a Health Data Host certification procedure . This new system includes ISO 27001 certification. While the number of ISO 27001 certifications seems to be stagnating in France, this change makes it likely that there will be a shift to strong growth in the coming years.
A NEW LEGAL FRAMEWORK IN 2018 FOR HEALTH DATA HOSTING
The Health Data Hosting Decree was published in the French Official Journal on February 28, 2018. This decree confirms the developments announced in the Order of January 12, 2017, relating to the hosting of personal health data, which is itself an instrument of the act to modernize the health system of January 26, 2016.
This new decree makes Health Data Host certification mandatory for any public or private organization that hosts “personal health data collected during prevention, diagnosis, care, and social or medical follow-up activities, on behalf of natural or legal persons who are the source of the production or collection of this data, or on behalf of patients themselves”.
Health Data Host certification must be overseen by an independent body, which has been accredited by the French Accreditation Committee (COFRAC) or one of its European equivalents. Achieving certification confirms the conformity of the service with all the relevant requirements. Health Data Host certification remains valid for three years but is subject to annual monitoring.
APPROVAL OR CERTIFICATION: WHAT’S THE DIFFERENCE?
As part of the approval process, the candidate organization had to compile a (large!) application file which included a set of completed forms and supporting documents, as well as a compliance audit report prepared by a company of its choosing.
Rather than starting from scratch every time, Health Data Hosting certification now relies almost exclusively on recognized international standards: ISO 27001 in its entirety—and parts of ISO 27017, ISO 27018, and ISO 20000-1. Some specific requirements are added too; these mainly focus on two aspects:
- The protection of health data: protection of outsourced backups, prohibition of the use of health data for purposes other than the provision of hosting services, the traceability (including names) of the use of generic accounts, and other provisions;
- The transparency of the service: the option for the customer to carry out audits, a mandatory revocation policy, including the methods that will be used to return data, provision of the certification audit report at the client’s request, etc.
Beyond the “usual” gains provided by ISO 27001 certification, which are discussed at length in some of our previous articles, these additional requirements aim to professionalize the hosting of services, improve transparency between the hosting provider and its customers, strengthen health-data security, and reaffirm the rights of those whose personal data is being processed in accordance with the General Data Protection Regulation (GDPR).
HEALTH DATA CERTIFICATION REALLY MEANS TWO CERTIFICATES
Health Data Host certification now includes two separate certificates, each tailored to a specific type of activity that the host may choose to carry out:
- A “Data Management Host” certificate;
- A “Physical Infrastructure Host” certificate
The diagram below, taken from requirements for Health Data Hosting, provides the relevant detail on the certificate required for the type of health data hosting activity to be carried out.
Activities requiring Health Data Host certification (diagram from accreditation requirements reference material v1.0, accessed on 04/04/2018)
A certificate is required if at least one activity within the scope of the certification type is to be carried out. For example, a hosting provider offering the outsourced backup of health data (Activity 6) will need to have a “Data Management Host” certificate; it will therefore have to comply with for requirements of the Health Data Host certification for this form of certification. Similarly, a p rovider supplying premises (Activity 1) must have a “Physical Infrastructure Host” certificate and comply with the requirements applying to that type of certification.
Every hosting provider will have to acquire one or both certificates, depending on the health data hosting services it plans to offer to its clients.
FUTURE CERTIFICATION FOR APPROVED HEALTH DATA HOSTS…
Health Data Hosting approvals remain valid until they expire (withdrawal or suspension notwithstanding, as was the case when this was the regime in force). The period of validity will be extended by six months for approvals due to expire before March 31, 2019. After this date, all Health Data Hosts will have to obtain Health Data Host certification.
The mandatory nature of certification will boost the French market for ISO 27001 certifications, which is currently sluggish, according to ISO’s most recent study: in 2016, only 209 valid ISO 27001 certificates were awarded, compared with 227 in 2015.
120 Health Data Hosts have already been approved and logged on ASIP Santé’s (the French government’s digital health agency) website . Although some are already ISO 27001 certified (and assuming that the scope of the Information Security Management System includes the hosting of health data), additional certification will be required to become a certified Health Data Host. For the rest, certification covering all requirements will be needed, and this development should, in itself, lead to growth in the market for ISO 27001 certifications in future years.
… AND SOME FACILITIES THAT ARE PART OF AREA HOSPITAL GROUPS (GHTs)
Another consequence of the act to modernize the French health system is that public health facilities are currently coming together as Area Hospital Groups (GHTs) to share aspects of their work. Each of the 135 GHTs is organized around a support facility, which provides a range of services to the GHT, including “Strategy, optimization, and joint management of a combined hospital information system” (Article 107 of the act). This provision requires the implementation of unique applications for all GHT facilities and each functional area (computerized patient files, medication circuits, biology, imaging, etc.).
GHTs have two main (though not exclusive) options:
- Contract a certified third-party Health Data Host to host their data; or
- Host their data within one of the GHT’s facilities (for example, the support facility).
In the latter case, the host establishment will need to be a certified Health Data Host. While the majority of GHTs are still considering whether to outsource all, or part, of their combined information system, in late 2017, 57% of them were still planning to outsource hosting. Nevertheless, large numbers of GHTs may well, in the end, choose to maintain their health information system within the GHT and certify the host facility, in order to maintain full control of the information system and health data. This choice is likely to be seen mainly among GHTs that have large support facilities (a large central hospital, for example). This, then, will also drive strong growth in the number of ISO 27001 certificates issued in France.
FINANCIAL HELP TO SUPPORT THE TRANSFORMATION OF GHTs
To support the creation of their combined ISs, GHTs can draw on various forms of financial support. €20m has already been invested through Regional Health Agencies (ARSs), and a call for projects, with a scope of €25m, was announced at the end of 2017 by the French government agency, DGOS. The scope of the e-Hôp 2.0 Program , the successor to the 2012-2017 Digital Hospitals Program, should have seen funding, to a level of €400m, to support the development of health-care facilities to 2021. Given that it has been recently replaced by the Hop’EN Program, the eventual level of funding remains unknown at present.
Part of this funding may be used by GHTs to configure their combined information systems, for example by financing an outsourcing program with a certified hosting provider, or by financing the Health Data Host certification of one of the GHT’s facilities.
By changing the regulations related to the health data hosting at a time when the GHTs are configuring their combined ISs, the government is seizing the opportunity to strengthen the data security of patients treated by the public health service. Indirectly, this provides a dual driver for growth in the French market for ISO 27001 certification, which will result in the standardization, and dissemination of good practice, in information-security management across the healthcare sector.
Although the result of long-awaited developments, this growth is likely to lead to an explosion of applications for ISO 27001 certification and health data hosting in the coming years: will COFRAC, and the companies that will be accredited to deliver Health Data Host certification, be able to meet demand? …There could be a bottleneck on the horizon.
