The Hébergeurs de Données de Santé (HDS) regulation is issued by ASIP Santé, the agency under the French Ministry of Health responsible for promoting electronic healthcare solutions in France.
HDS requires that service providers implement measures that keep personal health data secure, confidential, and accessible by patients. These measures include strong authentication and authorization procedures, robust backup systems, and powerful encryption methods. HDS also specifies mandatory provisions that must be included in contracts with cloud service providers. These requirements apply no matter where the data is stored.
HDS is relevant for service providers that process personal health data under French law.
HDS combines elements from ISO 27001, ISO 20000 and ISO 27018 with five new requirements.
The HDS 1.1 add-on contains:
- Implementation guidelines for 2 existing ISO 27001 clauses (4.3 and 6.1.3)
- Implementation guidelines for 2 existing ISO 27001 controls (A.12.3.1 and A.12.7.1)
- 4 clauses derived from ISO 20000
- 5 new clauses
- References to 24 required ISO 27018 controls (A.6.1.1, A.12.4.1, B.2.1, B.3.1, B.5.1, B.6.1, B.6.2, B.10.1, B.10.2, B.10.3, B.11.1, B.11.2, B.11.3, B.11.4, B.11.5, B.11.6, B.11.7, B.11.8, B.11.9, B.11.10, B.11.11, B.11.12, B.11.13, B.12.1)
- Additional implementation guidelines for 4 existing ISO 27018 controls (B.3.1, B.10.3, B.11.8, A.12.4.1, B.12.1)
- A mapping table, so you can cross-reference these requirements against the different roles (physical infrastructure and/or IT managed services providers)
The HDS 1.1 add-on requires the ISO 27018 add-on to function properly.