Health Data Hosting: what is it and how does it work?

March 21, 2023

HDS? Health data hosting? HDS Certification? What is it and why does it matter?

If you are asking yourself these questions, you should know that we at Scalingo also had to go through this step before becoming the first French and European PaaS to be ISO 27001 and HDS certified!

In this article, we will explain everything you need to know about the Health Data Hosting (HDS) certification, and share with you our experience about the process that led to Scalingo obtaining this certification.

HDS - Health Data Hosting, what is it?

What is health data?

First of all, it is essential to understand what we are talking about when we talk about health data.

For this, we can refer to the CNIL (Commission Nationale de l'Informatique et des Libertés), and more specifically to the General Data Protection Regulation (GDPR), which came into force on May 25, 2018.

In this regulation, it is defined that personal data concerning health is a type of data that relates to the physical or mental health, past, present or future, of a natural person that reveals information about that person's health status.

In other words, it includes measurement data from which it is possible to infer information about the health status of the individual.

This could be the results of a medical examination, information about a person's illness or health status, etc.

What is HDS certification?

HDS, an acronym for "Health Data Hosting", is a French certification established by the Agence du Numérique en Santé (ANS), on the protection of the confidentiality of personal data, particularly health data.

Health data is considered as sensitive data and requires special attention from the organizations that process it. Its hosting therefore implies considerable responsibilities, and it is necessary for these organizations to take this into account when choosing their provider.

With this in mind, the Agence du Numérique en Santé (ANS) has set up the HDS certification to ensure the reinforcement of the protection of personal health data.

"Any natural or legal person who hosts personal health data collected in the course of preventive, diagnostic, care or medico-social monitoring activities on behalf of natural or legal persons at the origin of the production or collection of such data or on behalf of the patient himself, must be approved or certified for this purpose."

Article L.1111-8 of the Public Health Code, as amended by Law 2016-41 of January 26, 2016

The hosting of this data is therefore regulated by law (cf. Article L.1111-8 of the Public Health Code). HDS certification legally authorizes the hosting of health data, and thus guarantees that the hosting platform maintains a sufficiently high level of quality and continuity of service for this activity.

In this sense, obtaining the Health Data Hosting certification for Scalingo was an important objective that will allow many companies to access HDS hosting while taking advantage of the PaaS format that facilitates their daily work.

This certification allows Scalingo to offer a PaaS hosting adapted for e-health actors, which ensures an optimized security for health data, and all this on datacenters located in France.

In the following section, we will explain how Scalingo became the first French HDS certified PaaS, and detail the procedure to obtain it.

What is the HDS certification process?

The process for obtaining HDS certification can be summarized in the following steps.

1st step: certification standards and submission of the file

First, a file is submitted to an organization accredited by the COFRAC (Comité Français d'Accréditation) or an equivalent.

The COFRAC is an association whose role is to issue the necessary accreditations to organizations involved in conformity assessment in France.

This procedure is based on an evaluation, by that organization, of conformity to the certification standard. In our case, the certifying body was the LNE (Laboratoire National de Métrologie et d'Essais), which is COFRAC-accredited.

The health data hosting standard is therefore a document that defines all the requirements for obtaining certification, one of the prerequisites being obtaining ISO 27001 certification or an equivalent.

2nd step: Audits

Once the application has been submitted, the certification body carries out an audit phase which is divided into two main stages.

The first is the documentary audit, which consists of a detailed analysis by the certifying body of the information system set up by the hosting company to ensure its compliance with the HDS standard.

In other words, the candidate must have an Information Security Management System (ISMS) within its organization, and this system must comply with the requirements established by the HDS standard.

The role of the certification body in this documentary audit is to ensure that the information system complies with the HDS standard.

Then the second part of the audit phase is triggered: an on-site audit against the requirements of the HDS standard.

This audit is conducted directly on the work site by the auditor, and its objective is to verify that the company and its practices comply with the standard.

At the end of the audit, a period of 3 months is granted to the hosting company for the correction of any non-conformities and to have these corrections audited.

💡 Good to know: The ISMS is a set of policies and procedures that define and guarantee a level of security and a continuous improvement process. This is the case for all ISO standards. The Information Security Management System includes a risk analysis, the establishment of a password policy, a backup policy, a list of authorized algorithms, etc.

The scope of HDS certification

HDS certification includes a notion of scope that will be defined according to the type of activity that the host conducts.

Within the framework of the certification, there are two types of health data hosts: physical infrastructure hosts, and hosting providers.

Scalingo falls into the hosting provider category.

What are the differences?

The category of physical infrastructure host will be determined by two main activities:

  • The provision or maintenance in operational condition of premises to host the physical infrastructure of the health information system
  • The provision or maintenance in operational condition of the physical infrastructure of the health information system

While hosting providers are determined by the following activities:

  • The provision or maintenance in operational condition of the software platform (operating systems, middleware, database) of the health information system
  • The provision or maintenance in operational condition of the virtual infrastructure of the health information system
  • Outsourcing the operation of the health information system
  • Outsourced backup of health data

Thus, depending on the type of host, the scope of certification will vary, and the HDS certification may only cover a specific area.

It should be noted that the certificate issued is valid for three years, and that an annual surveillance audit is carried out by the certification body.

What is the scope of Scalingo's HDS certification?

Within the framework of Scalingo, the PaaS is HDS certified for all the activities (thus the 6 levels/perimeters of the Health Data Hosting certification mentioned above) and is therefore an exception in the French Cloud landscape.

The Scalingo PaaS is certified for all the activities of a Health Data Hosting company (levels 1 to 6):

  1. Provision and maintenance in operational condition of physical sites allowing to host the material infrastructure of the information system used for the processing of health data;
  2. Provision and maintenance in operational condition of the physical infrastructure of the information system used for processing health data;
  3. Provision and maintenance in operational condition of the application hosting platform of the information system;
  4. Provision and maintenance in operational condition of the virtual infrastructure of the information system used for processing health data;
  5. Administration and operation of the information system containing the health data;
  6. Outsourced backups of health data.

💡 Good to know: The use of an HDS-certified host is mandatory in France for "prevention, diagnosis, care or social and medico-social monitoring activities."

How Scalingo became HDS and ISO 27001 certified

At Scalingo, the certification process has been part of our strategy for several years, and we are proud to have become the first French and European PaaS to obtain ISO 27001 and HDS certifications.

To achieve this, we obviously went through the certification process mentioned in this article. This required a long preparation and a considerable human and financial investment over several years.

This preparation consisted of assimilating the whole HDS and ISO 27001 reference framework, and also of setting up the actions necessary to comply with it.

The mobilization of all the teams was necessary to achieve this compliance. As a structure, we have made changes in our internal functioning.

Yannick Jost, our "Security and Compliance Manager" and part of our InfoSec team, was the project leader. He joined the company in 2020, and was responsible for obtaining these certifications.

To learn more about the HDS and ISO 27001 certification process at Scalingo, we invite you to read the article written by our CISO, in which he recounts the journey toward compliance and what had to be put in place to accomplish this mission.

💡 Good to know: The requirements to become HDS certified encompass the requirements to be ISO 27001 certified, in addition to other regulatory provisions necessary to obtain HDS certification, such as service continuity, service level commitments (indicator + supporting metrics), the addition of a healthcare professional contact, and contractual obligations on the part of customers, including compliance with the PGSSI-S (General Policy on Security of Health Information Systems). The ANS offers a self-assessment of the requirements of the Digital Health System, and it is essential to be accompanied in this process.

In conclusion

As you can see from this article, HDS certification attests to a level of information security that enables the hosting and processing of health data considered to be sensitive information.

Certification therefore ensures that a hosting company complies with the security requirements of the HDS standard established by the French Digital Health Agency. The certification bodies accredited by the COFRAC deliver the certification and ensure that the hosting companies continue to take the necessary measures to comply with this standard.

Scalingo obtained the ISO 27001 and HDS certifications in September 2022, becoming the first Platform-as-a-Service certified as a Health Data Hosting company in France!

Curious about discovering Scalingo and want to know more? Schedule a demo with us!

Omar Jeridi

Omar is a Junior Marketing Manager at Scalingo. He is passionate about new technologies and decentralized finance.
