Evolution of the HDS Framework – Towards Enhanced Security and Sovereignty 

The Health Data Host (HDS) certification is a French regulatory framework that governs the hosting of personal health data. Established by Decree No. 2018-137 of February 26, 2018, it is mandatory: any entity hosting personal health data must comply with the certification. It aims to ensure a high level of protection for this particularly sensitive data by imposing strict requirements regarding security, availability, and confidentiality.

As the digital transformation of the healthcare sector accelerates, the protection of health data becomes an increasingly critical issue. In 2021, our article “Health Data Host Certification: Two Years Already!” by Laurent Guille and Alexandra Cuillerdier provided a promising initial assessment of the HDS framework. Growing concerns about data sovereignty and cybersecurity then made a redesign necessary. This evolution towards HDS v2, which came into effect in 2024, marks a turning point in the approach to health data hosting in France, strengthening the protection and sovereignty of health data in an ever-evolving digital context.

HDS v1: a first structuring but perfectible framework 

Since its introduction in 2018, the HDS framework has helped structure and professionalize the health data hosting sector. However, this first version of the framework had certain limitations. In particular, it left gray areas regarding data sovereignty, especially the location and control of health data. Additionally, the rapid evolution of cyber threats and technologies required a substantial update of the security requirements to maintain a level of protection adapted to current risks.

Overhaul of the Technical and Security Framework 

On the technical side, the new requirements of the ISO 27001:2023 standard are adopted in the new version of HDS. This update integrates security risk management adapted to new digital contexts, as well as new controls related to cybersecurity. The other normative references are rationalized: references to the ISO 20000-1, ISO 27017, and ISO 27018 standards disappear from the HDS v2 framework, while 31 specific requirements are integrated directly into the framework, which also relies on the ISO/IEC 17021-1:2015 standard to govern conformity assessment. This new version also clarifies the articulation with the requirements of the SecNumCloud framework, to facilitate obtaining HDS certification for hosts already qualified under SecNumCloud.

A Major Strengthening of Digital Sovereignty 

One of the most significant developments in HDS v2 concerns the strengthening of digital sovereignty. The new framework now requires that the physical hosting of health data be carried out exclusively within the territory of the European Economic Area (EEA). This requirement reinforces guarantees in terms of data protection and contributes to the emergence of an ecosystem of European players in the field of digital health. 

This is complemented by enhanced transparency, which also becomes a central concern of the framework, with two major obligations:

  • Hosts must now publish on their website a map of any data transfers to countries outside the EEA, thus allowing data subjects and healthcare actors to have clear visibility on the journey of their data; 
  • In the case of remote access to data from a third country or submission to non-European legislation that does not ensure an adequate level of protection within the meaning of Article 45 of the GDPR, the host must inform its clients in the contract. In particular, it must specify the associated risks and detail the technical and legal measures implemented to limit them. 

Strengthening of Contractual Requirements 

Subcontracting supervision receives particular attention in HDS v2. The associated measures are reinforced, and hosts must now: 

  • Precisely detail the certified hosting activities in their contracts; 
  • Maintain complete transparency regarding their subcontracting chain; 
  • Ensure that their subcontractors comply with the same requirements for data security and location; 
  • Implement mechanisms to control and audit their subcontractors. 

These new contractual obligations aim to ensure better control of the value chain and greater transparency for data controllers. 

Practical Consequences for the Ecosystem 

For health data hosts, these evolutions of the framework imply an adaptation of their infrastructures to guarantee the location of data within the EEA. They also require an upgrade of their security measures to meet the requirements of the 2023 version of the ISO 27001 standard, and a review of contracts, both with their clients and with their subcontractors.

Perspectives and Implementation 

This new modernized version of the HDS framework addresses the growing challenges of security, sovereignty, and transparency. Its implementation is spread over approximately two years, with immediate application for new certifications from November 16, 2024, and a transition period until May 16, 2026, for hosts already certified under HDS v1. 

In the longer term, several questions arise regarding the evolution of the framework. At a time when the NIS 2 directive already includes healthcare providers and the pharmaceutical industry among its essential sectors of activity, while classifying the manufacturing of medical devices and in vitro diagnostics among its important sectors, the emergence of HDS v2 raises a question: could European cooperation lead to an even more integrated framework for health data protection and harmonize practices across the continent?
