Articles
>
HDS

HDS

In the cyber world, everyone (or almost everyone) has heard of the HDS standard, or Health Data Hosting. And with good reason: this French standard (and its corresponding certification) is a must for companies that process and host health data. Here's an overview.

August 30, 2024
Table of Contents
Discover how Tenacy structures your cybersecurity
Schedule a demo

The HDS standard: what is it all about?

The HDS standard, created in 2018, is governed bythe French Digital Health Agency (ASIP Santé). It regulates health data hosting providers, whether public or private.

Its objective is to ensure:

  • confidentiality,
  • integrity,
  • the availability of hosted health data.

In a context where cybersecurity is essential for everyone, the HDS standard plays a key role in ensuring the protection of patient health information. Such data is rightly considered particularly sensitive and requires enhanced protection measures.

Within the French legislative and regulatory framework, it complements the General Data Protection Regulation (GDPR). Its role is to specify the specific requirements relating to health data.

HDS certification is mandatory for health data hosts. This reference framework ensures that providers comply with high standards of security and confidentiality.

The 5 key points of the HDS standard
  1. Confidentiality, to ensure that only authorized persons can access patient health data.
  2. Integrity, to ensure that data cannot be modified without authorization.
  3. Availability, to ensure that data is accessible to authorized users when they need it.
  4. Traceability, to monitor and record access and actions performed on data.
  5. Securing infrastructure to protect the hardware and software used to host data.

How to obtain HDS certification?

To obtain HDS certification (and thus comply with the HDS standard), service providers must meet a series of strict requirements.

  • Implement a policy of security, risk management, and continuous monitoring.
  • Establish physical access controls and an effective surveillance system on the premises.
  • Define specific procedures for incident management, service continuity, and system maintenance.
  • Ensure optimal access management through logical access controls and regular audits.
  • Use cryptographic techniques to protect data in transit and at rest.
  • Record and track actions performed on health data.
  • Implement the necessary measures to ensure that data is only accessible to authorized persons.
How does the HDS certification process work?

HDS certification is issued by certification bodies accredited by COFRAC ( French Accreditation Committee). The certification process involves several steps.

  1. Initial audit: the practices and infrastructure of the health data hosting provider are assessed and compared with the requirements of the HDS standard.
  2. Compliance: if discrepancies are found, the service provider must implement corrective measures.
  3. Certification audit: a comprehensive audit is carried out by a certification body to verify compliance with the requirements of the standard.
  4. Issuance of certification: if the audit is conclusive, certification is issued for a period of three years.
  5. Monitoring and follow-up audits: Regular monitoring audits are conducted to ensure that the provider maintains compliance with the HDS standard.
The benefits of HDS compliance

HDS certification is mandatory for all healthcare data hosting and processing providers. But beyond simple compliance, it can be a real asset.

  • Business advantage: gaining the trust of customers and partners, thereby attracting new customers and standing out in the market.
  • Protection advantage: Regular audits and corrective measures contribute to continuous improvement in security practices.

In short

The HDS standard is an essential framework for ensuring the security of health data in France. By providing clear guidelines and strict requirements, it helps to:

  • protect particularly sensitive information;
  • strengthen trust in digital health services.

For healthcare data hosting providers, obtaining HDS certification is a legal obligation —but also a strategic opportunity to demonstrate their commitment to cybersecurity.

The good news is that Tenacy can help you manage your compliance and maintain your certification. Want us to show you how?

‍

Other articles

You may be interested in

PCI-DSS: definition and explanations
Glossary
PCI DSS

The Payment Card Industry Data Security Standard (also known as PCI-DSS for short) is a set of security standards designed to ensure that all companies accepting, processing, storing, or transmitting credit card information maintain a secure environment.

August 30, 2024
SOC 2 standard and certification: definition
Compliance
Glossary
SOC 2

In today's cyber landscape, it is no longer enough to simply implement protection solutions. Compliance with standards and regulations has quickly become an essential factor in ensuring information security—and therefore user confidence.

Among these standards is SOC 2 (Service Organization Control 2). Less well known in France than in the US, it is nevertheless an essential reference framework for companies, including those in France. Let's take a closer look.

August 30, 2024
Military Programming Law (LPM): focus on cybersecurity
Glossary
LPM

The Military Programming Law (or LPM) is becoming increasingly well known in the world of cybersecurity —but not only there. This French legislation defines all of the priorities, objectives, and resources allocated to the armed forces for a given period. These objectives certainly concern the security of information systems, but they also relate to equipment, research efforts, and personnel.

However, it is the "cyber" aspect of this law that interests us here. Here is an overview of the requirements of the LPM in terms of IT security —and how to implement them.

June 7, 2024