<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>health data - RiskInsight</title>
	<atom:link href="https://www.riskinsight-wavestone.com/en/tag/health-data/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.riskinsight-wavestone.com/en/tag/health-data/</link>
	<description>The cybersecurity &#38; digital trust blog by Wavestone&#039;s consultants</description>
	<lastBuildDate>Wed, 14 May 2025 12:19:43 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/Blogs-2024_RI-39x39.png</url>
	<title>health data - RiskInsight</title>
	<link>https://www.riskinsight-wavestone.com/en/tag/health-data/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Evolution of the HDS Framework &#8211; Towards Enhanced Security and Sovereignty </title>
		<link>https://www.riskinsight-wavestone.com/en/2025/05/evolution-of-the-hds-framework-towards-enhanced-security-and-sovereignty/</link>
					<comments>https://www.riskinsight-wavestone.com/en/2025/05/evolution-of-the-hds-framework-towards-enhanced-security-and-sovereignty/#respond</comments>
		
		<dc:creator><![CDATA[Perrine Viard]]></dc:creator>
		<pubDate>Wed, 14 May 2025 12:19:40 +0000</pubDate>
				<category><![CDATA[Digital Compliance]]></category>
		<category><![CDATA[Focus]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Digital compliance]]></category>
		<category><![CDATA[HDS]]></category>
		<category><![CDATA[health data]]></category>
		<category><![CDATA[règlementation]]></category>
		<category><![CDATA[regulation]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=25983</guid>

					<description><![CDATA[<p>The Health Data Host (HDS) certification is a French regulatory framework that governs the hosting of personal health data. Established by Decree No. 2018-137 of February 26, 2018, it is mandatory for any entity hosting health data to comply with...</p>
<p>The post <a href="https://www.riskinsight-wavestone.com/en/2025/05/evolution-of-the-hds-framework-towards-enhanced-security-and-sovereignty/">Evolution of the HDS Framework &#8211; Towards Enhanced Security and Sovereignty </a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p style="text-align: justify;"><span data-contrast="auto">The Health Data Host (HDS) certification is a French regulatory framework that governs the hosting of personal health data. Established by Decree No. 2018-137 of February 26, 2018, it is mandatory for any entity hosting health data </span><span data-contrast="none">to comply with the certification</span><span data-contrast="auto">. It aims to ensure a high level of protection for this particularly sensitive data by imposing strict requirements regarding security, availability, and confidentiality.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:169}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">As the digital transformation of the healthcare sector accelerates, the protection of health data is an increasingly critical issue. In 2021, our article &#8220;Health Data Host Certification: Two Years Already!&#8221; by Laurent Guille and Alexandra Cuillerdier provided a promising initial assessment of the HDS framework. Faced with growing concerns related to data sovereignty and cybersecurity, a redesign was necessary. This evolution towards HDS v2, which came into effect in 2024, marks a turning point in the approach to health data hosting in France, strengthening the protection and sovereignty of health data in an ever-evolving digital context.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:169}"> </span></p>
<h2 style="text-align: justify;"><span data-contrast="none">HDS v1: A First Structuring Framework with Room for Improvement</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></h2>
<p style="text-align: justify;"><span data-contrast="auto">Since its introduction in 2018, the HDS framework has helped structure and professionalize the health data hosting sector. However, this first version of the framework had certain limitations. In particular, the initial framework presented gray areas regarding data sovereignty, especially concerning the location and control of health data. Additionally, the rapid evolution of cyber threats and technologies required a substantial update of security requirements to maintain a level of protection adapted to current risks.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:169}"> </span></p>
<h2 style="text-align: justify;"><span data-contrast="none">Overhaul of the Technical and Security Framework</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></h2>
<p style="text-align: justify;"><span data-contrast="auto">On the technical side, the new version of HDS adopts the requirements of the ISO 27001:2023 standard. This update integrates security risk management adapted to new digital contexts, as well as new controls related to cybersecurity. The other normative references are streamlined. References to the ISO 20000-1, ISO 27017, and ISO 27018 standards disappear from the HDS v2 framework, while 31 specific requirements are integrated directly into the framework, which also relies on the ISO/IEC 17021-1:2015 standard to govern conformity assessment. This new version also clarifies how it aligns with the requirements of the SecNumCloud framework, to make HDS certification easier to obtain for hosts already qualified under SecNumCloud.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:169}"> </span></p>
<h2 style="text-align: justify;"><span data-contrast="none">A Major Strengthening of Digital Sovereignty</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></h2>
<p style="text-align: justify;"><span data-contrast="auto">One of the most significant developments in HDS v2 concerns the strengthening of digital sovereignty. The new framework now requires that the physical hosting of health data be carried out exclusively within the territory of the European Economic Area (EEA). This requirement reinforces guarantees in terms of data protection and contributes to the emergence of an ecosystem of European players in the field of digital health.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:169}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">This is complemented by enhanced transparency, which also becomes a central issue of the framework, with two major obligations:</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></p>
<ul style="text-align: justify;">
<li data-leveltext="" data-font="Symbol" data-listid="6" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;multilevel&quot;}" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">Hosts must now publish on their website a map of any data transfers to countries outside the EEA, thus allowing data subjects and healthcare actors to have clear visibility on the journey of their data;</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
<li data-leveltext="" data-font="Symbol" data-listid="6" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;multilevel&quot;}" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><span data-contrast="auto">Where data is accessed remotely from a third country, or where the host is subject to non-European legislation that does not ensure an adequate level of protection within the meaning of Article 45 of the GDPR, the host must inform its clients in the contract. In particular, it must specify the associated risks and detail the technical and legal measures implemented to limit them.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
</ul>
<h2 style="text-align: justify;"><span data-contrast="none">Strengthening of Contractual Requirements</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></h2>
<p style="text-align: justify;"><span data-contrast="auto">Subcontracting supervision receives particular attention in HDS v2. The associated measures are reinforced, and hosts must now:</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:169}"> </span></p>
<ul style="text-align: justify;">
<li data-leveltext="" data-font="Symbol" data-listid="7" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;multilevel&quot;}" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">Precisely detail the certified hosting activities in their contracts;</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
<li data-leveltext="" data-font="Symbol" data-listid="7" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;multilevel&quot;}" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><span data-contrast="auto">Maintain complete transparency regarding their subcontracting chain;</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
<li data-leveltext="" data-font="Symbol" data-listid="7" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;multilevel&quot;}" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><span data-contrast="auto">Ensure that their subcontractors comply with the same requirements for data security and location;</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
<li data-leveltext="" data-font="Symbol" data-listid="7" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;multilevel&quot;}" aria-setsize="-1" data-aria-posinset="4" data-aria-level="1"><span data-contrast="auto">Implement mechanisms to control and audit their subcontractors.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></li>
</ul>
<p style="text-align: justify;"><span data-contrast="auto">These new contractual obligations aim to ensure better control of the value chain and greater transparency for data controllers.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></p>
<h2 style="text-align: justify;"><span data-contrast="none">Practical Consequences for the Ecosystem</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></h2>
<p style="text-align: justify;"><span data-contrast="auto">For health data hosts, these changes to the framework mean adapting their infrastructure to guarantee that data is located within the EEA. They also require upgrading security measures to meet the requirements of the 2023 version of the ISO 27001 standard and reviewing contracts, both with their clients and with their subcontractors.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:169}"> </span></p>
<h2 style="text-align: justify;"><span data-contrast="none">Perspectives and Implementation</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6}"> </span></h2>
<p style="text-align: justify;"><span data-contrast="auto">This new modernized version of the HDS framework addresses the growing challenges of security, sovereignty, and transparency. Its implementation is spread over approximately two years, with immediate application for new certifications from November 16, 2024, and a transition period until May 16, 2026, for hosts already certified under HDS v1.</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:169}"> </span></p>
<p style="text-align: justify;"><span data-contrast="auto">In the longer term, several questions arise regarding the evolution of the framework. At a time when the NIS 2 directive already includes healthcare providers and the pharmaceutical industry among its essential sectors of activity, while classifying the manufacturing of medical devices and in vitro diagnostics in its important sectors, the emergence of HDS 2 raises a question: could European cooperation lead to an even more integrated framework for health data protection and harmonize practices across the continent?</span><span data-ccp-props="{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:169}"> </span></p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.riskinsight-wavestone.com/en/2025/05/evolution-of-the-hds-framework-towards-enhanced-security-and-sovereignty/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>“HEALTH DATA HOSTS&#8221;: HEALTH PROVIDES A SHOT IN THE ARM FOR THE FRENCH ISO 27001 CERTIFICATION MARKET</title>
		<link>https://www.riskinsight-wavestone.com/en/2018/08/health-data-hosts-iso-27001/</link>
		
		<dc:creator><![CDATA[Laurent GUILLE]]></dc:creator>
		<pubDate>Tue, 28 Aug 2018 15:24:57 +0000</pubDate>
				<category><![CDATA[Cyberrisk Management & Strategy]]></category>
		<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[data hosting]]></category>
		<category><![CDATA[données de santé]]></category>
		<category><![CDATA[Groupements Hospitaliers de Territoire]]></category>
		<category><![CDATA[health data]]></category>
		<category><![CDATA[hébergement des données]]></category>
		<category><![CDATA[ISO27001]]></category>
		<category><![CDATA[legal framework]]></category>
		<category><![CDATA[règlementation]]></category>
		<category><![CDATA[regulation]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/2018/04/hebergeur-donnees-sante-iso-27001/</guid>

					<description><![CDATA[<p>On April 1, 2018, the Health Data Host approval procedure, in force since January 2006, was replaced by a Health Data Host certification procedure. This new system includes ISO 27001 certification. While the number of ISO 27001 certifications seems...</p>
<p>The post <a href="https://www.riskinsight-wavestone.com/en/2018/08/health-data-hosts-iso-27001/">“HEALTH DATA HOSTS&#8221;: HEALTH PROVIDES A SHOT IN THE ARM FOR THE FRENCH ISO 27001 CERTIFICATION MARKET</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>On April 1, 2018, the</em> <em><a href="https://www.riskinsight-wavestone.com/en/2016/07/nouvelle-loi-sante-trois-situations-hebergeurs-de-donnees-de-sante/">Health Data Host</a></em><em> approval procedure, in force</em> <em><a href="https://www.legifrance.gouv.fr/eli/decret/2006/1/4/SANX0500308D/jo/texte">since January 2006,</a></em> <em>was replaced by a Health Data Host certification procedure. This new system includes ISO 27001 certification. While the number of ISO 27001 certifications seems to be stagnating in France, this change makes it likely that there will be a shift to strong growth in the coming years.</em></p>
<h2>A NEW LEGAL FRAMEWORK IN 2018 FOR HEALTH DATA HOSTING</h2>
<p>The Health Data Hosting Decree was <a href="https://www.legifrance.gouv.fr/eli/decret/2018/2/26/SSAZ1733293D/jo/texte/fr">published in the French Official Journal on February 28, 2018</a>. This decree confirms the developments announced in <a href="https://www.legifrance.gouv.fr/eli/ordonnance/2017/1/12/AFSZ1626575R/jo">the Order of January 12, 2017, relating to the hosting of personal health data</a>, which is itself an instrument of <a href="https://www.legifrance.gouv.fr/eli/loi/2016/1/26/AFSX1418355L/jo">the act to modernize the health system of January 26, 2016</a>.</p>
<p>This new decree makes Health Data Host certification mandatory for any public or private organization that hosts &#8220;personal health data collected during prevention, diagnosis, care, and social or medical follow-up activities, on behalf of natural or legal persons who are the source of the production or collection of this data, or on behalf of patients themselves&#8221;.</p>
<p>Health Data Host certification must be overseen by an independent body, which has been accredited by the <a href="http://www.cofrac.fr/">French Accreditation Committee (COFRAC)</a> or one of its European equivalents. Achieving certification confirms the conformity of the service with all the relevant requirements. Health Data Host certification remains valid for three years but is subject to annual monitoring.</p>
<h2>APPROVAL OR CERTIFICATION: WHAT’S THE DIFFERENCE?</h2>
<p>As part of the approval process, the candidate organization had to compile a (large!) application file which included a set of completed forms and supporting documents, as well as a compliance audit report prepared by a company of its choosing.</p>
<p>Rather than starting from scratch every time, Health Data Hosting certification now relies almost exclusively on recognized international standards: ISO 27001 in its entirety—and parts of ISO 27017, ISO 27018, and ISO 20000-1. Some specific requirements are added too; these mainly focus on two aspects:</p>
<ul>
<li>The protection of health data: protection of outsourced backups, prohibition of the use of health data for purposes other than the provision of hosting services, the traceability (including names) of the use of generic accounts, and other provisions;</li>
<li>The transparency of the service: the option for the customer to carry out audits, a mandatory revocation policy, including the methods that will be used to return data, provision of the certification audit report at the client’s request, etc.</li>
</ul>
<p>Beyond the &#8220;usual&#8221; gains provided by ISO 27001 certification, which are discussed at length <a href="https://www.riskinsight-wavestone.com/en/tag/iso-27001-en/">in some of our previous articles</a>, these additional requirements aim to professionalize the hosting of services, improve transparency between the hosting provider and its customers, strengthen health-data security, and reaffirm the rights of those whose personal data is being processed in accordance with the General Data Protection Regulation (GDPR).</p>
<h2>HEALTH DATA CERTIFICATION REALLY MEANS TWO CERTIFICATES</h2>
<p>Health Data Host certification now includes two separate certificates, each tailored to a specific type of activity that the host may choose to carry out:</p>
<ul>
<li>A “Data Management Host&#8221; certificate;</li>
<li>A &#8220;Physical Infrastructure Host&#8221; certificate.</li>
</ul>
<p>The diagram below, taken from <a href="http://esante.gouv.fr/sites/default/files/asset/document/hds_referentiel_daccreditation_asip_v1.0.0.pdf">requirements for Health Data Hosting</a>, provides the relevant detail on the certificate required for the type of health data hosting activity to be carried out.</p>
<figure id="post-11218 media-11218" class="align-none">
<figure id="post-11220 media-11220" class="align-none"><img fetchpriority="high" decoding="async" class="wp-image-11220 aligncenter" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2018/04/health-data.png" alt="" width="473" height="482" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2018/04/health-data.png 975w, https://www.riskinsight-wavestone.com/wp-content/uploads/2018/04/health-data-188x191.png 188w, https://www.riskinsight-wavestone.com/wp-content/uploads/2018/04/health-data-768x782.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2018/04/health-data-38x39.png 38w, https://www.riskinsight-wavestone.com/wp-content/uploads/2018/04/health-data-32x32.png 32w, https://www.riskinsight-wavestone.com/wp-content/uploads/2018/04/health-data-64x64.png 64w, https://www.riskinsight-wavestone.com/wp-content/uploads/2018/04/health-data-70x70.png 70w, https://www.riskinsight-wavestone.com/wp-content/uploads/2018/04/health-data-30x30.png 30w" sizes="(max-width: 473px) 100vw, 473px" /></figure>
</figure>
<p><em>Activities requiring Health Data Host certification (diagram from accreditation requirements reference material v1.0, accessed on 04/04/2018)</em></p>
<p>A certificate is required if at least one activity within the scope of the certification type is to be carried out. For example, a hosting provider offering the outsourced backup of health data (Activity 6) will need to have a &#8220;Data Management Host&#8221; certificate; it will therefore have to comply with the requirements of the Health Data Host certification for this form of certification. Similarly, a provider supplying premises (Activity 1) must have a &#8220;Physical Infrastructure Host&#8221; certificate and comply with the requirements applying to that type of certification.</p>
<p>Every hosting provider will have to acquire one or both certificates, depending on the health data hosting services it plans to offer to its clients.</p>
<h2>FUTURE CERTIFICATION FOR APPROVED HEALTH DATA HOSTS&#8230;</h2>
<p>Health Data Hosting approvals remain valid until they expire (withdrawal or suspension notwithstanding, as was the case when this was the regime in force). The period of validity will be extended by six months for approvals due to expire before March 31, 2019. After this date, all Health Data Hosts will have to obtain Health Data Host certification.</p>
<p>The mandatory nature of certification will boost the French market for ISO 27001 certifications, which is currently sluggish, according to <a href="https://www.iso.org/fr/the-iso-survey.html?certificate=ISO%209001&amp;countrycode=FR#countrypick">ISO’s most recent study</a>: in 2016, only 209 valid ISO 27001 certificates were awarded, compared with 227 in 2015.</p>
<p>120 Health Data Hosts have already been approved and <a href="http://esante.gouv.fr/services/referentiels/securite/hebergeurs-agrees">logged on ASIP Santé’s (the French government’s digital health agency) website</a>. Although some are already ISO 27001 certified (and assuming that the scope of the Information Security Management System includes the hosting of health data), additional certification will be required to become a certified Health Data Host. For the rest, certification covering all requirements will be needed, and this development should, in itself, lead to growth in the market for ISO 27001 certifications in future years.</p>
<h2>&#8230; AND SOME FACILITIES THAT ARE PART OF AREA HOSPITAL GROUPS (GHTs)</h2>
<p>Another consequence of the act to modernize the French health system is that public health facilities are currently coming together as Area Hospital Groups (GHTs) to share aspects of their work. Each of the <a href="http://solidarites-sante.gouv.fr/professionnels/gerer-un-etablissement-de-sante-medico-social/groupements-hospitaliers-de-territoire/article/les-ght-par-region">135 GHTs</a> is organized around a support facility, which provides a range of services to the GHT, including &#8220;Strategy, optimization, and joint management of a combined hospital information system&#8221; (<a href="https://www.legifrance.gouv.fr/affichTexteArticle.do;jsessionid=81E2ECCAB9BD22DD0E7856EF59FD159C.tplgfr31s_1?idArticle=JORFARTI000031913559&amp;cidTexte=JORFTEXT000031912641&amp;dateTexte=29990101&amp;categorieLien=id">Article 107 of the act</a>). This provision requires the implementation of unique applications for all GHT facilities and each functional area (computerized patient files, medication circuits, biology, imaging, etc.).</p>
<p>GHTs have two main (though not exclusive) options:</p>
<ul>
<li>Contract a certified third-party Health Data Host to host their data; or</li>
<li>Host their data within one of the GHT’s facilities (for example, the support facility).</li>
</ul>
<p>In the latter case, the host establishment will need to be a certified Health Data Host. While the majority of GHTs are still considering whether to outsource all, or part, of their combined information system, <a href="http://www.ticsante.com/story.php?story=3846">in late 2017, 57% of them were still planning to outsource hosting</a>. Nevertheless, large numbers of GHTs may well, in the end, choose to maintain their health information system within the GHT and certify the host facility, in order to maintain full control of the information system and health data. This choice is likely to be seen mainly among GHTs that have large support facilities (a large central hospital, for example). This, then, will also drive strong growth in the number of ISO 27001 certificates issued in France.</p>
<h2>FINANCIAL HELP TO SUPPORT THE TRANSFORMATION OF GHTs</h2>
<p>To support the creation of their combined ISs, <a href="http://www.ticsante.com/story.php?story=3747">GHTs can draw on various forms of financial support</a>. €20m has already been invested through Regional Health Agencies (ARSs), and a call for projects, with a scope of €25m, was announced at the end of 2017 by the French government agency, DGOS. The <a href="http://www.hospimedia.fr/actualite/articles/20170315-e-sante-hopital-numerique-et-territoire-de-soins">e-Hôp 2.0 Program</a>, the successor to the 2012-2017 Digital Hospitals Program, should have seen funding, to a level of €400m, to support the development of health-care facilities to 2021. Given that it has been recently replaced by the <a href="https://www.ticsante.com/la-suite-du-programme-Hopital-numerique-soutiendra-l-ouverture-des-etablissements-vers-la-ville-(DGOS)-NS_4002.html">Hop&#8217;EN Program</a>, the eventual level of funding remains unknown at present.</p>
<p>Part of this funding may be used by GHTs to configure their combined information systems, for example by financing an outsourcing program with a certified hosting provider, or by financing the Health Data Host certification of one of the GHT’s facilities.</p>
<p>By changing the regulations related to health data hosting <a href="http://esante.gouv.fr/sites/default/files/asset/document/asip-sante_point_detape-convergence_si_ght_v04.pdf">at a time when the GHTs are configuring their combined ISs</a>, the government is seizing the opportunity to strengthen the data security of patients treated by the public health service. Indirectly, this provides a dual driver for growth in the French market for ISO 27001 certification, which will result in the standardization, and dissemination of good practice, in information-security management across the healthcare sector.</p>
<p>Although the result of long-awaited developments, this growth is likely to lead to an explosion of applications for ISO 27001 certification and health data hosting in the coming years: will COFRAC, and the companies that will be accredited to deliver Health Data Host certification, be able to meet demand? &#8230;There could be a bottleneck on the horizon.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
