The subject of data privacy and security is a hot topic, and for good reason: Personal health data is considered sensitive.
The world of e-health therefore requires an increased level of security because the consequences of a data leak or corruption can be major.
Thus, to protect the privacy of patients, it is essential for a company to comply with the regulations in force, adapt its information security system accordingly and guarantee the trust of users.
It is in this context that the Health Data Hosting (HDS) certification comes into play. HDS certification allows companies to access trusted hosting providers that comply with the security guidelines established by the certification.
HDS and its framework may seem complex at first, and the importance of choosing a hosting provider is sometimes not sufficiently emphasized for projects concerned with hosting health data.
But don't worry! In this article, you will discover the particularities of HDS certification and understand the reasons why it is relevant to use an HDS-certified hosting provider for your project.
Before understanding why it may be appropriate to use an HDS provider, it is essential to understand what certification is and what it entails.
HDS or Health Data Hosting is a French certification established by the Agence du Numérique en Santé (ANS), and it is required for platforms wishing to host personal health data. HDS certification is based on a set of guidelines that define all the duties and obligations of platforms with regard to the hosting of health data and define their certification perimeter, i.e. the type of activity that a host can perform.
To learn more about the HDS certification, the procedure for obtaining it and the certification perimeters, we invite you to consult our detailed article on the HDS certification procedure.
It is also important to note that the hosting of health data is regulated by law (cf. Article L.1111-8 of the French Public Health Code) and that actors working with personal health data must therefore comply with it.
The CNIL (Commission Nationale de l'Informatique et des Libertés), and more precisely the European regulation on the protection of personal data (RGPD, i.e. the GDPR), defines health data as follows: "personal data concerning health are data relating to the physical or mental health, past, present or future, of a natural person (including the provision of health care services) which reveal information about the state of health of that person."
This then implies all measurement data from which it is possible to infer information about the health status of the individual.
The notion of health data proposed by the RGPD is intentionally broad, as its assessment must be made on a case-by-case basis, depending on the nature of the data collected.
Indeed, the CNIL established in the regulation three categories of data:
However, it is important to note that data from which no consequences can be drawn with respect to the health status of the data subject does not fall within the notion of health data established by the GDPR.
An assessment of the nature of the data and its impact can then be carried out to qualify this data as health data or not. For this purpose, it may be relevant to conduct a data protection impact assessment (DPIA).
Now that you know the ins and outs of HDS certification and the concept of health data, you may be wondering what an HDS host can actually do for you, depending on your situation.
Follow the guide!
If you are a professional in the e-health field, you are probably directly affected by HDS certification.
Indeed, if you process personal health data, then you are legally obliged to use an HDS-certified hosting provider as we mentioned earlier in the article.
As you may have understood, the sensitivity of health data implies higher confidentiality and security measures, and the certification guarantees that the hosting company complies with the HDS standard requirements.
These requirements are translated into practice in different ways; service continuity is a good example.
HDS involves ensuring a high level of service continuity and availability of resources and health data. We invite you to consult our service level agreements for our availability rates if you are interested.
This level of service continuity is essential both in a medical setting, where uninterrupted access to health data is crucial, and to allow the hosted service to offer a quality level of service to its users.
Consider a healthcare professional who needs immediate access to a patient's data in an emergency: in that situation, a high level of service continuity is critical.
Even beyond the rarest situations, we can talk about more likely events such as those that involve a "loss of chance" for the end user of the service.
The loss of chance is a legal concept that can be presented as a situation of prejudice that implies a deprivation of a probable gain, or the occurrence of a loss that could have been avoided.
In other words, and in the context of e-health, it would be an unfortunate situation that deprives the end user of an end result that would be beneficial to him.
A concrete example would be a patient who wants to make an appointment with a health professional, but loses the opportunity to book the closest slot due to a technical problem with the service. As a result, the patient will have to choose a more distant slot, which could have more or less serious consequences on his health.
Being able to trust your hosting provider to ensure continuity of service is therefore essential.
Beyond keeping data accessible, other processes ensure its confidentiality and strengthen its security; one of them is data anonymization.
For the CNIL, data anonymization can be defined as the processing that, through a set of techniques, makes it impossible to identify the person associated with the data by any means, and irreversibly.
In the General Data Protection Regulation (GDPR), anonymization is not mandatory, but it is presented as a solution that allows the use of personal data while respecting the rights and freedoms of the persons concerned.
Thus, anonymous data is data that makes it impossible to trace back to the individual to whom it is attached.
It is important not to confuse anonymization and pseudonymization because they are two different concepts with different stakes.
Similar to anonymization, pseudonymization is a form of data processing that aims to make the individual the data relates to unidentifiable.
On the other hand, and contrary to anonymization, it is still possible in practice to find the identity of individuals within the framework of pseudonymization thanks to a cross-referencing with third party data. This makes the practice less viable from a data cybersecurity point of view.
We note, however, that under HDS certification, data that has been completely anonymized is no longer personal health data, and therefore no longer subject to HDS legislation.
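As an added illustration (not code from the original article), the following Python shows why the distinction matters: a pseudonymised export still carries quasi-identifiers (date of birth, postcode) that can be cross-referenced with a third-party directory, whereas an anonymised version generalises those fields and suppresses small groups (a k-anonymity check, which goes slightly beyond the text). All records, names and tokens are constructed.

```python
from collections import Counter

# Constructed sample data (not real people): a pseudonymised clinical export where a
# token replaces the name, and a third-party directory sharing the same quasi-identifiers.
CLINICAL = [
    {"pid": "tok-7f3a", "dob": "1984-03-12", "zip": "67000", "diagnosis": "asthma"},
    {"pid": "tok-91c0", "dob": "1979-11-02", "zip": "67100", "diagnosis": "diabetes"},
    {"pid": "tok-2be4", "dob": "1984-03-12", "zip": "67200", "diagnosis": "asthma"},
    {"pid": "tok-c55d", "dob": "1990-06-30", "zip": "67000", "diagnosis": "hypertension"},
]
DIRECTORY = [
    {"name": "A. Martin", "dob": "1984-03-12", "zip": "67000"},
    {"name": "B. Dupont", "dob": "1979-11-02", "zip": "67100"},
    {"name": "C. Leroy", "dob": "1984-03-12", "zip": "67200"},
    {"name": "D. Petit", "dob": "1990-06-30", "zip": "67000"},
]
QUASI = ("dob", "zip")  # quasi-identifiers: harmless alone, linkable in combination


def link(records, directory, quasi=QUASI):
    """Cross-reference records with a directory on the quasi-identifiers.
    Returns one set of candidate names per record; a singleton set means the
    pseudonym no longer protects that person."""
    index = {}
    for d in directory:
        index.setdefault(tuple(d[q] for q in quasi), set()).add(d["name"])
    return [index.get(tuple(r[q] for q in quasi), set()) for r in records]


def reidentified(records, directory):
    """Number of records that link to exactly one person."""
    return sum(1 for candidates in link(records, directory) if len(candidates) == 1)


def generalize(record):
    """Coarsen quasi-identifiers: year of birth only, French department prefix only."""
    return {**record, "dob": record["dob"][:4], "zip": record["zip"][:2]}


def anonymize(records, k=2, quasi=QUASI):
    """Drop the pseudonym, generalise, and suppress any group of fewer than k rows
    (a k-anonymity check), so every kept row is indistinguishable from k-1 others."""
    generalized = [generalize(r) for r in records]
    group_size = Counter(tuple(r[q] for q in quasi) for r in generalized)
    return [{q: r[q] for q in quasi + ("diagnosis",)}
            for r in generalized if group_size[tuple(r[q] for q in quasi)] >= k]


if __name__ == "__main__":
    print("pseudonymised rows re-identified:", reidentified(CLINICAL, DIRECTORY))  # 4
    anon = anonymize(CLINICAL)
    print("anonymised rows kept:", len(anon),
          "re-identified:", reidentified(anon, [generalize(d) for d in DIRECTORY]))  # 2 0
```

The pseudonymised rows therefore remain personal health data in the sense of the article, while the anonymised output no longer maps back to any single directory entry.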
One of the indirect effects of HDS certification on your organization, and more specifically the perception of it among your patients/end users, is the reinforcement of confidence in the use of your product or services.
A certification such as HDS acts as a third party validation that the hosting company's information security practices are up to the required standards.
The use of an HDS-certified hosting provider becomes, beyond a guarantee of good security practices, an added value for employees and end users.
This can represent a support for the security, confidence and transparency of your company in the e-health market.
Scalingo is the first ISO 27001 and HDS certified PaaS in France and in Europe and we are happy to bring the magic of PaaS to the healthcare sector.
Our PaaS is certified on all six levels of perimeters defined by the HDS standard, which you can consult on our page dedicated to the HDS certification at Scalingo.
The evolution of our security processes is a necessary step to become compliant with the security requirements of the certification, and this progression is done on a continuous basis.
This means, among other things, that our team members are regularly made aware of good practices in terms of security, which allows us to be attentive to risks related to cybersecurity.
Our role today is to make the PaaS hosting model accessible to all e-healthcare professionals, and to simplify their day-to-day development.
From quick one-click deployments to dedicated and knowledgeable support services, we strive to bring a state-of-the-art PaaS experience to our users with a focus on security and data privacy.
Obtaining the HDS certification for the Scalingo PaaS represents for us the opportunity to offer our services to the concerned actors while adapting to your needs.
If you are not directly concerned by the HDS certification or if you are not an e-health actor, you should know that the choice of an HDS certified host can be beneficial to you.
First of all, we think it is relevant to mention that the whole Scalingo PaaS is HDS certified, which means that all our users benefit from the certification, even if they do not host any health data.
This represents the opportunity to operate on a platform whose security measures are adapted to a demanding sector such as healthcare, without any additional cost and with the same level of service.
Moreover, the choice of an HDS certified host can represent a potential opportunity for your business to extend your reach to the e-healthcare industry, and to make collaborations with them accessible.
Finally, Scalingo as a company is also certified ISO 27001, which ensures compliance with the information security management system requirements defined by the standard.
This certification is recognized worldwide in the field of information security management system (ISMS).
The subject of information security and confidentiality is a pivotal issue for any type of organization, and it is even more so in the healthcare field where data is considered the most sensitive.
To establish a standard and implement security requirements for e-health actors, there are solutions such as HDS certification, which attests hosting companies' compliance to their users.
For those companies directly concerned by the certification, the certified hosting provider can bring a set of crucial benefits for their business, especially regarding service continuity and data security.
However, the strengthening of these parameters related to certification can even affect users who are not directly subject to HDS legislation.
In September 2022, Scalingo became the first French and European PaaS to be ISO 27001 and HDS certified, and we are proud to bring the power of rapid application deployment to the healthcare domain.