HDS (health data hosting) standard: key requirements and compliance

Article published on 22 June 2026

HDS Standard: Definition and Objectives

The HDS (Health Data Host) Standard is based on the Public Health Code and sets the rules that organizations hosting health data must follow.

Its main objective is to ensure the confidentiality of health data, its integrity, its availability, but also its traceability and access control.

HDS certification is therefore a guarantee of trust for healthcare institutions, professionals, digital solution publishers and patients. It guarantees that the host applies a set of security measures that comply with the requirements of French regulations.

The 6 levels of the HDS standard

The HDS standard is structured in six levels, each of which corresponds to a type of activity related to the hosting or management of health data.

  • Level 1: Hosting of physical infrastructure

Level 1 concerns data centers and service providers who provide the necessary premises, equipment and material conditions (physical security, electricity, air conditioning, etc.).

  • Level 2: Virtual Infrastructure Hosting

This tier covers virtualized environments: virtual machines, storage, networking, and cloud resources.

  • Level 3: Application Platform Hosting

It includes the provision and maintenance of application platforms that support healthcare software.

  • Level 4: Health data management

This includes activities involving the direct manipulation of data on behalf of customers (logical hosting, processing, restitution, etc.).

  • Level 5: Outsourced backup

Level 5 is for solutions for backup, recovery, and archiving of data in a separate secure environment.

  • Level 6: Administration and Supervision

Finally, level 6 covers technical management: monitoring, updates, logging, access management and security supervision.

The key requirements to be HDS certified

To be HDS certified, a hosting provider must effectively protect its information systems through strict access control, recording of actions (logs) and active supervision. It must also be supported by strong governance, up-to-date documentation and clear incident management.

In addition, business continuity must be guaranteed through an operational DRP (Disaster Recovery Plan) and a BCP (Business Continuity Plan), ready to be activated in the event of an incident.

The entire system must also remain consistent with the GDPR (General Data Protection Regulation). Finally, compliance is validated by an initial audit upon certification and then by annual checks that ensure compliance with all key requirements.

How to achieve HDS compliance? Steps to follow

Compliance with the HDS standard is achieved in several key steps, which make it possible to secure health data while effectively preparing for certification.

1- HDS diagnosis and definition of the scope

The first step in this compliance is to analyze existing practices and identify deviations from HDS requirements. It is also a question of defining the exact scope to be certified (physical and virtual infrastructures, application platforms, data management, etc.).

2- Technical and organisational compliance

This second phase aims to adapt information systems, internal processes and organizational practices, in order to better meet HDS requirements:

  • Access security,
  • Supervision,
  • Incident management,
  • Business continuity.

3- Writing and updating documentation

All documentation, including procedures, security policies, continuity plans, and all documents attesting to the best practices implemented, must be complete and up-to-date.

4- Passing the audit

Once the measures are applied and the documentation is ready, the organization can pass the initial audit. This audit, carried out by an accredited certifier, is an essential step in obtaining an HDS certification.

5- Maintaining compliance

Once HDS certification has been obtained, regular follow-up with internal reviews, continuous training and updates to systems and procedures must be carried out to maintain compliance over time.

→ Good to know: the ANS (Digital Health Agency) provides the official list of HDS-certified service providers.

HDS compliance: why call on an interim manager?

Calling on an interim manager can greatly facilitate an HDS compliance process, especially for organizations that do not have the in-house skills to manage such a project.

At Wayden, we can mobilize, even in an emergency, an interim manager specialized in HDS compliance. With a career spanning 15 to 25 years, the interim manager is experienced in managing complex projects with major challenges. He works in your company for a period of 6 to 18 months, and takes charge of your HDS compliance project from start to finish.

