How to Prepare for HDS Certification

As the French health data regulation known as “Hébergeur de Données de Santé” (HDS) becomes increasingly important in the healthcare industry, organizations that can benefit must ensure they are prepared to meet its requirements.

Not only that, you’ll want to ensure that your investment in this compliance assessment pays off—after all, sailors wouldn’t set off on a long voyage without double-checking their supplies, route, and weather, and you shouldn’t go into HDS certification blind either.

And neither will you—as one of just nine organizations currently authorized to perform HDS certifications, we’re going to provide some key insight. In this blog, we’ll discuss three key steps that will help you prepare for HDS certification, including some details on the significance of having ISO 27001 certification and incorporating the necessary controls into your Information Security Management System (ISMS).

By following these steps, you can enhance your readiness for your HDS compliance assessment and also demonstrate your commitment to data security and privacy in the healthcare realm.

3 Steps to Get Ready for HDS Certification and Compliance

Step 1: Review the HDS Referential and Other Obligations.

Before you can get started adjusting your environment, there are a couple of documents/items you should review to get a full sense of what’s necessary:

  • The HDS referential
    • Available online
    • While the referential is primarily based on control activities that can be found in other standards like ISO 27001, ISO 20000-1, or ISO 27018, it does include some specific requirements that may require additional preparation—we recommend you pay particular attention to the Chapter 4.5 “additional requirements.”
  • Specific Obligations

Step 2: Prepare for ISO 27001 Certification

Once you understand your specific HDS requirements, you’ll move on to a major step—ISO 27001 certification—unless you’re already certified, of course. As an internationally recognized standard for information security, achieving ISO 27001 certification not only demonstrates your organization’s dedication to implementing robust security controls and practices but is also required to pursue HDS certification.

Think of it as similar to layering your clothes against a harsh winter with your ISO 27001 certification playing the role of your sweatshirt—the foundation of your defenses against a general cold that addresses crucial aspects of overall data protection and risk management—whereas HDS certification is like a windbreaker over that top (more specific protection of health data).

To ensure you succeed in this ISO 27001 prerequisite to an HDS certification, consider the following actions to align with ISO 27001 before your HDS assessment:

Conduct a Risk Assessment

To help you prioritize security measures and develop a risk treatment plan, identify and assess potential risks to your information assets, including the handling of health data.

Establish Security Policies and Procedures

Define comprehensive security policies and procedures that encompass access controls, incident response, data encryption, and other relevant areas, and ensure these policies align with ISO 27001 requirements.

Implement Security Controls

Deploy appropriate technical and organizational controls to protect health data, which may include:

  • Network security measures
  • Regular security assessments
  • Data backup and recovery procedures
  • Security awareness training

Undergo a Readiness Assessment

While not required, there is value in performing a readiness assessment before a certification audit, as the process will ensure that your organization is prepared for true certification and increase your chances of success.

For more detailed guidance on preparing for ISO 27001 certification, check out our other blogs:

Once you feel ready, you’ll need to engage a certification body to perform an ISO 27001 audit. You can opt to complete that audit before your HDS assessment, or the two can be performed in tandem (assuming your certification body is authorized to perform the latter, as Schellman is).

Step 3: Strengthen Your ISMS for HDS Certification

If you do choose to undergo one before the other, then in the time between your ISO 27001 audit and your HDS certification it’ll be crucial to ensure that your ISMS remains updated and aligned with the stringent HDS requirements.

In addition, achieving HDS certification necessitates making key updates/inclusions to various components of your ISO 27001-certified ISMS, such as your:

  • Statement of Applicability
  • Risk assessment
  • Internal audit
  • Management review
  • Nonconformity and corrective action process

Statement of Applicability (SOA)

Under ISO 27001, the SOA is a crucial document that outlines the controls you have implemented to address information security risks. To prepare for HDS compliance, you’ll need to ensure that your SOA includes the necessary controls related to health data protection—that includes maintaining a version in French. In this, consider the following steps:

Determine Applicable Controls

Review the HDS requirements and identify the applicable controls that need to be included in your SOA. This may include controls related to access management, data encryption, localization, and more.

Align with HDS Guidelines

Ensure that the controls specified in your SOA align with the specific requirements outlined in the HDS framework. This alignment demonstrates your organization's commitment to meeting the regulatory requirements.

Regularly Review and Update the SOA

As your organization evolves and new risks emerge, periodically review and update your SOA to reflect the latest security controls and measures. This ensures ongoing compliance with HDS requirements.

Risk Assessment

A risk assessment is a general compliance requirement, but a thorough review and enhancement of your risk assessment process are vital to identify and evaluate potential risks associated with health data hosting—that means taking particular care to assess for those related to:

  • Data breaches
  • Unauthorized access
  • Data integrity
  • System vulnerabilities
  • Privacy regulations

By aligning your risk assessment practices with these HDS requirements, you’ll more effectively mitigate risks and demonstrate your commitment to safeguarding sensitive health data during your certification process.

Internal Audit

Conducting regular internal audits is essential for evaluating the effectiveness of your security controls and identifying any gaps or areas for improvement, and it’s required to achieve ISO 27001 certification.

Now, to meet HDS certification requirements, your internal audit process should encompass HDS-specific requirements not already covered by your ISO 27001 certification.

Addressing these elements during your internal audits will not only set you up well for your HDS certification, but you’ll also be able to proactively address any weaknesses in your security framework and ensure ongoing compliance.

Management Review

HDS certification necessitates a robust management review process that must involve regular evaluations of security policies, procedures, and controls, as well as ongoing improvement initiatives.

By integrating HDS requirements into your management review process, you’ll also stay on top of the overall effectiveness and performance of your information security program, establish a culture of accountability, and drive continuous enhancements to your security posture.

Non-Conformity and Corrective Action

A critical aspect of HDS certification is the identification and management of non-conformities, as is the implementation of timely corrective actions. As with ISO 27001, you’ll need to document clear procedures for reporting and addressing security incidents, breaches, or deviations from established security controls, particularly where your health data is concerned.

By promptly addressing non-conformities and implementing effective corrective actions, you can minimize the impact of security incidents and demonstrate your commitment to maintaining a robust security environment for your health data.

Make Your HDS Certification Worth the Effort

All this guidance boils down to the necessity of taking a proactive approach to your information security management program ahead of your pursuit of HDS certification. You’ll need to obtain ISO 27001 certification, which will provide the framework for addressing information security risks, and then incorporate these aforementioned additional HDS requirements into your certified ISMS that’ll help you comply with the various legal requirements to protect sensitive health information.

Taking these steps will not only set you up well for your HDS certification process, but you’ll also demonstrate your commitment to protecting health data and position your organization as a trusted partner within the French healthcare ecosystem.

For more information on HDS certification, please feel free to contact us, as our team is ready to answer any questions you may have about this new option that can help secure your healthcare data.

About Robert Tylka

Robert Tylka is a Principal at Schellman. With over 16 years of experience in providing IT attestation and compliance services, Robert currently leads the Midwest practice at Schellman where he specializes in SOC 1, SOC 2, ISO 27001, and HIPAA reporting. In his portfolio, he also oversees engagements that include FedRAMP, HITRUST, PCI, and various Privacy reviews. To date, Robert has provided services to clients in the financial services, information technology, governmental, human resources, insurance, and manufacturing industries, among others. Robert has also provided professional services to companies of all sizes during his career, including Fortune 500 and publicly traded companies, with a strong focus in the technology sector.