2024-06-18 09:59:07
A new reference framework: information on HDS certification was published in the Official Journal in mid-May. The document contains extensive revisions concerning outsourced hosting activities for personal health data and touches on, among other things, the controversial issue of sovereignty. Analysis of the text by Alexandre Fievée, partner at Derriennic Associés, and Alice Robert, lawyer and consultant at La Veille Acteurs de Santé.
HDS certification requirements
Any natural or legal person, or any patient, who generates or collects personal health data in the course of preventive, diagnostic, care or social and medico-social follow-up activities must, where it outsources the hosting of such data, call on a service provider certified "HDS" (1).
This certification is intended to ensure that "health data hosts implement an information system security management system that complies with the most advanced international standards".
The certification is based on a conformity assessment of the above-mentioned service providers against the "HDS Certification Reference Framework", the latest version of which was approved by order of June 11, 2018, together with compliance with a number of rules and standards, including ISO standards. In practice, the certification body chosen by the host must be accredited by COFRAC (or any European equivalent) to audit compliance with those standards. An HDS certificate of conformity is issued for a period of three years and provides for an annual surveillance audit.
A reference framework in need of updating
After five years of feedback, the Digital Health Bureau, with the support of the ministerial delegation for digital health, launched a project to revise the HDS certification framework.
Some points in the framework genuinely needed clarification, or at least additions and adjustments, in order to achieve three objectives:
Improve the readability of the guarantees offered by certified hosts to their clients (healthcare professionals, patients, etc.);
Clarify the host's contractual obligations as defined in the Public Health Code (2);
Strengthen personal data protection requirements regarding transfers outside the EU.
It is against this background that a new HDS certification framework was developed in collaboration with the CNIL, then approved by order of April 26, 2024, and published on May 16.
Focus: activity 5, contractual compliance, data sovereignty and security
Compared with the 2018 framework, the new HDS framework contains numerous revised and clarified requirements. Among the new features introduced, four points deserve particular attention.
Point 1 – The first point concerns activity 5, known as "Administration and operation of information system applications containing health data". This activity, one of the six hosting activities covered by certification, is not without its assessment difficulties.
The new framework provides a detailed definition: activity 5 "includes control of interventions on the resources made available to the hosted client". It also "includes all of the additional activities below":
"Definition of the process for granting, and annually reviewing, nominal, reasonable and necessary access rights";
"Secure access procedures";
"Collection and retention of traces of the interventions carried out and their reasons";
"Prior verification of intervention measures (intervention plan, intervention process)".
"Verification of interventions consists of ensuring that they do not reduce the security of the data hosted for the client in question or for the host's other clients. This verification may take place in the following circumstances:" (i) "a priori, for interventions that clients can carry out independently", (ii) "upon an intervention request, when the request is made to the host".
The framework recalls that these operations "are intrinsic and mandatory" to activities 1 to 4, so a host that performs only these operations must still be certified for activity 5.
Point 2 – The second point concerns contractual compliance requirements. The new standard requires hosts to provide contract templates that comply with the requirements set out in the standard, which essentially duplicate those set out in the Public Health Code (2).
Hosts must also be more transparent about the guarantees they provide directly or those provided by their subcontractors and, in some cases, must complete a requirements matrix and incorporate it into their contracts.
Point 3 – The third point concerns data sovereignty requirements.
The framework now effectively requires that the physical storage of personal health data take place only within the European Economic Area (EEA). Moreover, if the host or its subcontractors (i) access the data remotely from a third country outside the EEA, or (ii) are subject to the laws of a third country that does not provide an adequate level of protection within the meaning of the GDPR, then "the client must be informed of the related risks, which must be made clear in the contract, together with the technical and legal measures taken to limit those risks". In addition, the host is required to publish on its website a map of the "possible transfers of the data it hosts to countries outside the European Economic Area".
Point 4 – The fourth and final point concerns security requirements: the framework refers to "the HDS certification requirements and the SecNumCloud certification provided by ANSSI" and incorporates the changes made to the ISO 27001 standard.
Effective November 16, 2024
The new standard will take effect on November 16, 2024. Hosts that are already certified have until May 16, 2026 to comply with it.
Outsourced health data hosting activities should therefore be audited now, so that compliance programmes can be defined and implemented in time.
Notes
(1) Article L.1111-8 of the Public Health Code.
(2) Article R.1111-11 of the Public Health Code.