HDS certification: what's at stake and what are the obligations?

Regulatory certification as a Healthcare Data Hosting (HDS) provider, based on the ISO/IEC 27001 standard, demonstrates the commitment of UltraEdge data centers to the safe storage of personal healthcare data.  Today, HDS (Health Data Hosting) represents a key pillar in the security of sensitive patient data. This French certification provides a strict framework for all players such as hospitals handling medical data. It is part of a national strategy designed to reinforce sovereignty.

What is HDS?

Definition of HDS certification

HDS certification is a regulatory framework required of any organization hosting personal health data in France.

Since 2018, it has replaced the former ministerial approval with a more rigorous, standardized process. In fact, this new system, stemming from Article L.1111-8 of the Public Health Code, is based on a reference framework updated in May 2024, with more advanced obligations, notably on data sovereignty.

There are three fundamental aspects to bear in mind: information confidentiality, integrity and anti-corruption prevention, and permanent availability for the various accredited professionals.

This transparency obligation is all the more strategic for data center operators and hosting providers, particularly when it comes to mapping data transfers.

What it means in a regulated IT environment

According to a 2024 IBM report, the average cost of a data breach in the healthcare sector is in excess of $5 million, and far higher than in other industries.

By adopting this certification, UltraEdge's data centers guarantee that healthcare institutions hosting their data in our data centers are in compliance with regulations. This sets new landmarks for the AI field, bearing in mind that around three-quarters of all uses are unsecured.

For patients, it means effectively protecting their most sensitive information. It enables them to show their compliance with legal obligations, while benefiting from state-of-the-art professional infrastructures.

It also contributes to the structuring of an ecosystem of French hosting providers and national sovereign data centers such as UltraEdge, capable of competing with global hyperscalers such as Amazon and Google.

How HDS certification unfolds

Certification process: step by step

Obtaining HDS certification is a stringent process, requiring meticulous preparation and a strong commitment on the part of the candidate organization. HDS certification is supervised by accredited bodies set up by COFRAC (Comité Français d'Accréditation). The process takes place in several steps over many months.

Putting the application file to shape

To apply for HDS certification, the applicant organization must prepare an application file including ::

- A detailed description of the data center where the data will be stored (details of the technical infrastructure

- The data center's current security processes

- Risk management policies

- The data center's business continuity plan

- Contracts and commitments with any subcontractors

Certification audit

An in-depth two-phase certification audit is performed by the certification authority (often AFNOR or BSI):

- A document review to verify procedures and policies compliance

- An on-site audit to assess the effective implementation of safety measures

Handling non-conformities

In case of non-conformity identified during the audit, the organization will be granted a deadline for corrective action.

HDS certification issued

Certification only takes effect once all requirements have been met.

In addition, surveillance audits are carried out annually to ensure continued compliance throughout the certification period.

Certification requirements cover a wide spectrum of areas that we take into account in our UltraEdge data centers, such as:

- Governance and risk management

- Information systems security

- Access and authorization management

- Physical security of infrastructures

- Incident management and business continuity

- Compliance with data protection regulations

UltraEdge, is a responsible hosting provider in compliance with current standards and recognized benchmarks (ISO 27001 for security, ISO 20000 for IT service management and or the RGPD for personal data protection) in effect for hosting providers.

The certificate issued is valid for three years, and a surveillance audit is carried out annually.

Who is concerned?

Which profiles for certification?

It is aimed at any individual or legal entity hosting personal health data on third-party behalf. The HDS standard encompasses a wide range of profiles.

Infrastructure hosting companies are the first category concerned. These companies operate data centers dedicated to the physical hosting of servers and equipment. They must be certified for the provision and maintenance in operational condition of physical sites (activity 1) and hardware infrastructure (activity 2).

Cloud service providers make up the second major profile. Whether for virtual infrastructures (IaaS), platforms (PaaS) or applications (SaaS), these players must obtain certification for the corresponding activities. Leading companies such as Microsoft and French players offer HDS-certified solutions to meet the needs of the healthcare sector.

Medical software publishers are also concerned when they host the data generated by their applications directly. For example, an electronic patient record publisher offering a SaaS version of its solution must be certified, or rely on a certified hosting provider.

Edge data centers' role in the hosting chain

Edge data centers, of which UltraEdge is one of the leading suppliers, are an important part of the HDS ecosystem. These regional infrastructures offer an alternative to mega data centers concentrated in a few urban centers. The local presence of UltraEdge data centers in France is a major asset for many healthcare establishments, particularly in the regions.

Through a dense network of 250 data centers and 7 IX data centers (based in Courbevoie, Vénissieux, Aubervilliers, Bordeaux, Rennes, Strasbourg and Lille), UltraEdge supports specialized players in reducing latency for critical applications.

In the medical field, where just a few milliseconds can make all the difference when it comes to remote consultations or access to imaging, local proximity becomes a major issue.

Territorial sovereignty is the second asset. Healthcare institutions are increasingly sensitive to the physical location of their data. As a data center operator, we guarantee that data is hosted in France, with full traceability and a clear chain of responsibility. This meets the new requirements of the HDS standard in May 2024, in terms of sovereignty.

Finally, the third benefit relates to territorial resilience. When facing systemic risks, such as major power cuts or natural disasters, the local distribution of infrastructures has a strategic impact. UltraEdge's implementation of disaster recovery architectures via remote, rapidly accessible sites facilitates physical intervention, if needed.

Who is responsible - host and hosted?

Responsibilities of the certified host

As an HDS-certified host or data center, UltraEdge takes on added responsibilities that go beyond the strict technical framework.

The first obligation concerns the physical security of the infrastructure. These include biometric access control, video surveillance, intrusion detection and protection against environmental risks such as fire and flooding.

Continuity of service is its second critical responsibility. UltraEdge cannot sustain prolonged interruptions that would threaten patient care. We guarantee availability close to 99.99% (less than one hour's interruption per year), and implement redundant architectures for all critical components: power supply, air conditioning, network connectivity and storage.

Personal data protection represents the third pillar of our responsibilities. At UltraEdge we not only ensure compliance with RGPD standards, but also with requirements specific to the healthcare field. In particular, we ensure that data is not transferred outside the European Economic Area without appropriate safeguards and provide full transparency on its location.

Finally, UltraEdge's contractual responsability may be engaged in the service contract. Specific clauses cover data confidentiality, service level guarantees, data return procedures and security policy. This is the legal basis between UltraEdge and its customers!

Obligations of the hosted company

The first obligation is to ensure that your hosting partner is certified. This must be documented and renewed every 3 years for a valid HDS certificate!

A simple contractual mention is not enough; the host must demand a certificate copy.

Data qualification is the host's second responsibility. The host must determine precisely which data falls within the HDS perimeter and requires certified hosting. This analysis must be documented and regularly updated, particularly when data processing changes.

Last but not least, the final obligation concerns data access management. If the infrastructure is outsourced, the host remains responsible for determining who can access the information and under what conditions. It must implement a rigorous identity and access management policy, with periodic reviews of the authorizations issued.

Contractual coordination: best practices

The relationship between UltraEdge and its customers is formalized through a contract that meets specific requirements. A well-structured contract begins with a clear definition of the hosting perimeter: what data is involved, what applications, what volumes, what certification activities are covered.

Service Level Agreements (SLAs) must be clearly established, with measurable metrics: availability, response time, intervention time, incident resolution time. These commitments must be backed up by dissuasive penalties in the event of non-compliance, to ensure that the hosting provider devotes the necessary resources.

Reversibility is a critical point that is often overlooked. The contract must include detailed procedures for the return of data at the end of the service. These procedures need to be tested on a regular basis to ensure that they are working effectively when the service provider changes.

Finally, coordination between UltraEdge's technical teams and those of its customers must be formalized. Regular steering committees, incident escalation procedures, and joint crisis management exercises ensure effective collaboration. This human coordination remains indispensable, even with the most automated infrastructures.

Why are data center operators targeting HDS certification?

Compliance and security obligations

HDS certification is a regulatory requirement. Without this certification, it is difficult to capture the IT spending generated by healthcare players.

This obligation has been reinforced by the accelerated digital transformation of the medical sector, particularly since the health crisis of 2020.

Certification also imposes a security level that exceeds the usual standards. The hosting of healthcare data requires reinforced protection measures: permanent surveillance, strict access controls, redundancy of critical infrastructures, and a rigorous security policy.

Certification also represents a vector for continuous improvement. The regular audit process encourages data center operators to keep their infrastructures up to date and on the edge of AI technologies, while developing intrinsic security throughout the whole organization.

Valuing the management of sensitive data

With concerns about data confidentiality on the increase, HDS certification is an additional argument that reassures healthcare establishments when it comes to managing the most sensitive information.

HDS certification opens up a whole new world of possibilities, enabling strategic partnerships with medical software publishers, among others. It is possible to maximize these targeted associations, by proposing an integrated offer combining specialized apps and an HDS-certified host.

This added value goes beyond simple hosting, and in fact HDS-Ready is a lever for sectors with important regulations.

Certain skills and infrastructures specific to the healthcare sector can be transferred to areas such as finance, the public sector and even defense.

UltraEdge's sector diversification is a major asset in the growth strategy of Edge data centers in France.
‍

UltraEdge: secure Edge data centers

All UltraEdge sites benefit from 24/7 surveillance, biometric access control and secure architecture, with real-time availability.

The geographical approach, with 250 data centers and 7 IX data centers and UltraEdge certifications are a high-performance alternative to the giant hyperscalers.

We are building collaborations with publishers specialized in various strategic fields, and our cybersecurity experts support customers in their compliance efforts and digital transformation. Our goal is to meet HDS certification requirements and offer the highest standards of service, in line with the challenges of target sectors: Healthcare, FinTech and many others.