Health data hosting: towards a new certification standard
Locations
20 years after the Kouchner Law of 2 March 2002 [1] introduced it, the legal regime governing the hosting of health data is about to evolve once again with version V.1.1 of the HDS certification requirements repository.
The draft proposes a number of definitions, particularly concerning the famous activity 5 "Administration and operation of the information system containing health data" in art. R1111-9 of the French Public Health Code, which is defined as comprising:
- "The supervision and management of occasional access by third parties mandated by the organisation's customer (i.e. the hosting provider), for example for audit, expert appraisal, deployment or maintenance purposes, who access the business application via the HDS infrastructure base" (.) ;
- "Maintaining the security of the HDS Infrastructure Foundation [the business application being excluded by the definition of the Infrastructure Foundation] and the Customer support centre" (.);
- "The up-to-date documentation of the consistency and completeness of the security guarantees provided by the various parties contributing to the implementation of the service". (.)
These provisions have the merit of clearly excluding the maintenance and support operations of business application publishers from this activity 5.
The scope of application is defined as covering "organisations that host health data" and that "contribute in particular to the implementation of a digital health service", thus linking the "digital health service" common purpose of the health data hosting regime to that which has given legislative force to the security and interoperability reference frameworks, designed to guarantee the exchange, sharing, security and confidentiality of personal health data [2].
The draft guidelines also contain details of the scope of application, without any changes in this respect, except for clarifications concerning what does not constitute a hosting activity, or the "short period" exception in art. R1111-8-8 of the Public Health Code: the fugitive processing of data when it is in transit over a public network, and the "transcription exception aimed primarily at services for printing letters or entering minutes, whether by operators or voice recognition".
The draft also introduces additional requirements regarding risk assessment, inviting the organisation to consider the risks to the data subject in the event of loss of integrity, confidentiality or availability, including loss of opportunity, reputational risks or discrimination, and to take into account the risks to the persons and organisations providing medical care, including their medical liability and reputational risks. The requirement proposes a minimum list of events to be considered.
The draft standards refer to certain requirements of ISO 27001 and SecNumCloud (with the addition of a correspondence matrix with the SecNumCloud standards), but no longer to ISO 20000 or ISO 27018.
It also introduces a reminder of the contractual requirements, including those mentioned in art. R1111-11 of the French Public Health Code, as well as new ones concerning data sovereignty: the hosting provider must allow the customer to "choose from the list of hosting locations proposed by the hosting provider, the countries in which the data may actually be processed", it being specified that the hosting locations proposed to the Customer by the hosting provider must be located in member countries of the European Economic Area, or in countries providing an equivalent level of adequate protection by virtue of an adequacy decision, to the exclusion of other guarantees (standard contractual clauses or BCR). While the legality of these provisions may be questioned, they do not preclude the use of operators subject to non-EU laws (such as the Cloud Act), provided that the customer and data controller are informed of the non-EU laws to which the hosting provider is subject, and of the measures implemented by the hosting provider to mitigate the risks of personal health data breaches resulting from these laws, and provide a description of the residual risks.
With regard to reversibility, in addition to the commitment to return the data, the contract will now have to include a minimum number of mandatory clauses, including a commitment to destroy copies once the data has been returned, the procedures, costs and timescales for returning and destroying copies, the formats in which the data is returned, which must be readable and usable for health data portability purposes, and, where applicable, the procedures for moving virtual machines (or containers).
Health data hosting contracts will therefore have to be specified and completed with a view to renewing certification as a health data host.
Now at your keyboards.
[2] L1470-5 CSP
Article also published on DSIH.
