Health Data Hosting (HDS) certification

Health Data Hosting (HDS) certification attests that a hosting provider implements appropriate measures to protect personal health data, in accordance with the national standards published by the Agence du Numérique en Santé (ANS).

Understanding the HDS standard

HDS certification is part of a structured regulatory and methodological framework, designed to ensure a level of security appropriate to the processing of healthcare data. To understand the scope of HDS certification, it is necessary to identify the foundations of the standards that define its requirements.
It is based on an Information Security Management System (ISMS) compliant with ISO/IEC 27001, supplemented by requirements specific to the processing and protection of healthcare data.

Certification can cover six hosting activities:

  1. The provision and maintenance in operational condition of physical sites for hosting the hardware infrastructure of the information system used to process healthcare data
  2. Provision and maintenance in operational condition of the information system's hardware infrastructure
  3. Provision and maintenance in operational condition of the virtual infrastructure of the information system
  4. Provision and operational maintenance of the information system's application hosting platform
  5. Administration and operation of the information system containing health data
  6. Backup of health data.

Each entity can be certified in one or more of these areas. The scope selected must be included in the scope of the ISO/IEC 27001 certificate, and must be clearly defined in the certificate and reflect the services actually provided.

Legal framework for Health Data Hosting (HDS)

"Any natural or legal person who hosts personal health data collected in the course of preventive, diagnostic, care or medico-social monitoring activities on behalf of natural or legal persons responsible for the production or collection of such data, or on behalf of the patient himself or herself, must be approved or certified for this purpose."

Article L.1111-8 of the Public Health Code, as amended by law no. 2016-41 of January 26, 2016.

The certification procedure is based on an assessment of compliance with the certification reference framework.

The host chooses a certifying body that must be accredited by COFRAC (or equivalent at European level).


Who should apply for HDS certification?

HDS certification applies to any organization - public or private - that hosts, operates or provides hosting services for personal health data.
It is intended in particular for:

  • Hosters of physical or virtual infrastructures
  • Outsourcers of healthcare information systems
  • Organizations responsible for, or subcontracting, hosting services for health or medico-social establishments or other stakeholders.

Challenges and objectives of HDS certification

Over and above its regulatory obligations, HDS certification is a lever of operational control and confidence for organizations involved in the hosting of healthcare data. It meets clearly defined objectives, for both hosting providers and data controllers.

HDS certification guarantees that the hosting provider has implemented a coherent, long-term system that meets the following objectives:

  • Guarantee the confidentiality, integrity and availability of health data
  • Meet legal and regulatory obligations (CSP and RGPD)
  • Formalize contractual guarantees (service levels, reversibility, rights of individuals, control of subcontractors)
  • Demonstrate an independently assessed level of security.

Certification process

The HDS certification cycle follows a structured, progressive and recurring approach. Its aim is to assess the initial compliance of the hosting system, and then to guarantee that it will be maintained over time.

  • Initial audit: carried out in two phases - a document review, followed by an on-site or remote audit. The aim is to verify that the hosting system complies with the requirements of the HDS standard.
  • Issuance of certificate: if requirements are met, an HDS certificate is issued for a period of three years.
  • Annual surveillance audits: to ensure continued compliance.
  • Renewal audit: at the end of the three-year cycle, a full audit is carried out to extend certification.

The HDS version 2.0 standard comes into force on November 16, 2024 for new applicants, and on May 16, 2026 at the latest for hosting providers already certified.


Find our certification regulations on the Downloads page.

Why choose LSTI?

1. Recognized expertise

With over twenty years' experience, LSTI supports more than 300 organizations in France and Europe as a certification body and benchmark assessment center, working in the fields of cybersecurity, digital trust and information security.
2. Specialized auditors

Our teams of auditors are made up of experienced professionals who are fully conversant with ANSSI's cybersecurity standards, information security management practices and European digital trust frameworks. Their approach guarantees assessments that are demanding, balanced and adapted to the operational context of each organization.
3. Independent third party and dedicated support

Authorized by ANSSI, LSTI guarantees impartiality, transparency and consistency throughout the entire cycle: preparation, audits, monitoring and renewals. A dedicated contact ensures continuity and clarity throughout the certification process.