Understanding HDS certification
We understand that HDS certification can be complex to grasp. Below, we address frequently asked questions about Hosting Healthcare Data and the ISO27001 standard.
The ISO27001 certification is an international standard that demonstrates the establishment of a robust Information Security Management System (ISMS). This standard ensures the confidentiality, availability, integrity, and traceability of information to protect against cyberattacks or other types of risks. Obtaining the ISO27001 certification is a mandatory prerequisite for obtaining the HDS (Healthcare Data Host) certification. HDS is a more stringent overlay of ISO27001, which healthcare actors must comply with.
Companies that handle healthcare data must comply with the HDS regulations, regardless of their size or type of hosting (On-Premise or Cloud). Additionally, many companies outside the healthcare sector (finance, defense, etc.) choose to comply with HDS requirements, even if they are not legally obligated to do so.
The HDS certification is often categorized into different "levels." Here's what they correspond to:
- Levels 1 and 2 apply to physical servers. If you have your own physical servers, you will need to comply with these first two levels.
- Levels 3, 4, 5, and 6 apply to application environments. These levels are mandatory regardless of your hosting type (Cloud or physical).
In summary, if you have your own physical servers, you will be evaluated for levels 1 to 6. If you are on the Cloud, your Cloud provider will handle certification for levels 1 and 2, and you will be evaluated for levels 3 to 6.
If your business requires hosting healthcare data, you have two options. First, you can contact a certification body such as AFNOR, BSI Group, Bureau Veritas, etc., and initiate the certification process. Alternatively, you can engage a certified HDS provider to design, enhance, maintain, and secure your infrastructure in accordance with the regulations. Padok is one of these service providers.
Whether to pursue certification yourself or rely on a certified provider is a complex question that depends on your company's specific needs. However, there are two key questions you can consider to make your decision. The first question is: Do I have the internal resources (human and financial) to undergo the certification process and maintain it?
To give you an idea, the certification process may cost around €150,000, considering the certification fees and human resources expenses. In the following years, you would need to budget around €20,000 annually to maintain the certification.
The second question is: Do I need to achieve compliance within the next year or in the longer term? Obtaining this certification requires considering the time frame involved.
If you have the resources and a year ahead of you, you can contact the certification bodies mentioned earlier. If not, it is advisable to opt for a certified HDS hosting provider like Padok.
Padok is HDS and ISO27001 certified
Levels 3, 4, 5 and 6
Padok has been accredited for HDS since 2022 by BSI Group. Here is the exact description of our certification: "Design, security, and management of Cloud infrastructure hosting personal health data with coverage of ANS activities numbers 3, 4, 5, and 6 of the HDS reference system version 1.1 (2018) in accordance with the statement of applicability DDA 08/02/22."
We build and manage your cloud infrastructure to securely host your data in compliance with HDS, whether it is health data or other sensitive information. We adhere to the most rigorous standards in data security.
Our HDS and ISO27001 offers
We have 3 offers to meet your HDS and ISO27001 compliance needs. We provide guidance for each of these offers to help you understand and interpret these standards.
ISO27001 and HDS managed services
Are you looking to maintain your infrastructure and handle your most sensitive data with the highest level of security? Because Padok is certified as a "Healthcare Data Host," our experts ensure daily compliance with HDS and ISO27001 standards. We guarantee the implementation of the most demanding data security practices and provide you with complete visibility into our interventions. If you want to learn more about our managed services offer, you can visit our dedicated page.
ISO27001 and HDS audit
Do you want to assess the security level of your data against the highest requirements? Our experts audit your infrastructure against the criteria of these standards and provide you with actionable and prioritized recommendations to reach the required level based on your company's needs. It's important to note that an audit does not guarantee HDS compliance: the criteria must be continuously validated for the infrastructure to remain compliant. Therefore, conducting an HDS audit does not by itself confer the "Certified Healthcare Data Host" stamp.
ISO27001 and HDS infrastructure build
Are you hosting sensitive data and looking to build or evolve your cloud infrastructure? Our DevOps experts support you on all projects involving sensitive data. Whether it's implementing the recommendations from our audit, building a new infrastructure, or evolving it to meet Padok's quality and HDS compliance standards, we ensure that the compliance process does not slow down your developers, allowing for daily production deployments.
OUR COMPLIANCE FRAMEWORK
YAMAS, our compliance framework
Our engineers have developed a framework called YAMAS, which allows for a rapid evaluation of your security level based on 60 criteria in accordance with ISO27001 and HDS standards. Initially designed for healthcare data, we have extended its protective requirements to all our critical projects. A significant portion of these criteria are automated, providing a clear overview of the tasks at hand at a glance. This tool enables us to offer maximum transparency on these standards at any stage of your project. YAMAS serves as the foundation for our audits and is also used in HDS managed services to ensure ongoing compliance. Additionally, it is employed in build projects to verify that the constructed solution meets the required level of the standards.
Why choose Padok
An external perspective on your infrastructure
Actionable recommendations tailored to your challenges
Compliance with HDS and ISO27001 standards
Integration of best practices within your teams
"Padok rose to the challenges we gave them in record time, but above all, they did it in a highly professional manner! Beyond their remarkable technical skills, they are at the heart of our strategic thinking throughout the projects, advising us and helping us make the right decisions."
Chief Digital Officer
"Padok immediately stood out thanks to their technical expertise. You can feel that the team is in complete control!"
"Padok was able to increase the robustness of our infrastructure with an organized, competent, supportive, and highly involved team!"
"The team understands our challenges, adapts to our constraints, and their methodology allows us to stay focused on delivery. Our project together was 100% successful!"
Stéphane El Mabrouk
Head of Digital Services
"The team has been incredible and 100% up to all our challenges!"
CTO Online Banking
Each engagement follows this process
The project begins with a sensitivity/criticality qualification phase. It is at this stage that we can confirm whether you need to comply with HDS and ISO27001 standards for healthcare data or any other sensitive data. Based on the evaluation, we will recommend whether or not compliance is strongly advisable.
If it is determined that the project needs to comply with these standards, the next step is to sign the contract and the HDS appendix. These documents ensure compliance with HDS and ISO27001 standards and are signed by both parties. We then collaboratively establish a RACI matrix to define the responsibilities and roles of each stakeholder in the project.
Our cybersecurity experts conduct a risk analysis to identify the security risks. They propose an action plan that is included in the project's roadmap. The team also analyzes the infrastructure's quality and compliance with HDS and ISO27001 standards to gain a comprehensive view of the necessary tasks. The HDS and ISO27001 standards provide the framework within which our team defines the success criteria. This definition of success builds on your existing infrastructure to reinforce what you already have without adding unnecessary constraints.
Our DevOps experts follow the roadmap established during the technical challenge phase. One of our SecOps experts supervises the tasks that involve "functional security specifications," which encompass all the tasks derived from the risk analysis, and ensures their proper implementation. Toward the end of the build project, a member of the Information Security Management System (ISMS) team conducts an audit to assess quality and compliance with the standards.
HDS managed services
After the project's completion, the HDS managed services phase begins, ensuring ongoing compliance with HDS and ISO27001 standards. Please refer to our dedicated page for more details about our managed services methodology.
If you have chosen not to have us manage your infrastructure, this phase replaces the previous one. During this stage, we establish a plan to withdraw access and ensure a smooth exit from the project in compliance with the standards.
Here are some deliverables that our team provides to our clients based on the chosen HDS and ISO27001 compliance offers.
Target architecture diagram
At the beginning of the project, you will be provided with a target architecture diagram. It allows us to present what we plan to implement and ensure that we address all your requirements and constraints.
ROSE quality score
Padok's DevOps experts calculate the ROSE quality score of your infrastructure using our ROSE framework. This enables us to prioritize technical tasks at each sprint, ensuring a Resilient, Operable, and Secure infrastructure. By doing so, we ensure that HDS compliance does not hinder the work of developers and operations teams.
Risk analysis report
Our DevSecOps experts list all risk scenarios, assign a criticality score to each, and attach an action plan with the expected results for closure. This report is provided at the beginning of the project and serves as a reference throughout the entire project.
YAMAS compliance report
Throughout the project, we provide you with access to your YAMAS compliance score. This tool allows us to make HDS and ISO27001 compliance elements transparent and accessible. You can easily identify where your infrastructure stands in relation to these standards.
Ensuring your HDS compliance
Your success is our top priority. That's why it's essential for us to provide our expertise on these complex subjects. But our support goes even further:
Total transparency on standard requirements
High-level cloud and cybersecurity expertise to deliver quality infrastructure rapidly
Compliance implementation that does not slow down your developers
Deployment as rapid as in any other industry
HDS build for a healthcare actor
Our client is a healthcare company launching a new application to enhance medical monitoring of specific pathologies. They are required to comply with HDS standards, but they also face a challenge regarding data accessibility for their users, who need the data to be easy to exploit for learning purposes. The architecture must be highly decoupled to reduce the compliance checks required for each production release. These constraints were hindering the deployment of their application.
- Infrastructure divided into Terraform SAMD (Software as a Medical Device) and non-SAMD bricks
- Construction of a compliant production deployment process (Release process) according to standards
- Infrastructure subjected to load testing
- Fine-grained IAM (Identity and Access Management) to manage access to sensitive patient data, especially in the Data Scientist environment
- Reduced exposure through a Tooling environment (monitoring, CI/CD, security analysis)
- Creation of a secure environment for the analysis and exploitation of healthcare data
- Weekly meetings to ensure compliance with HDS standards
- Uptime of 99.99% over the last 6 months
- HDS-certified platform
- Deployment of more than 10 data ingestion and processing microservices for Data Engineers, based on standardized templates
- Weekly production releases