Kénora is working to obtain the certification required for hosting healthcare data. Learn about the security measures that IT providers for the healthcare sector must put in place to protect their customers' data, and how to implement them yourself.
Health Data Hosting (HDS): How Kénora is earning this certification
2. PRESENTED BY
Healthcare Data Hosting (HDS, French law): How Kénora is earning this certification – from strategic choice to implementation
Alexandre Lemaire, Lina Thaier, Emmanuel Meyrieux
Kénora, BSI, OVH
Room 5, 4.30 PM
5. KEY BENEFITS OF THE PRIVATE CLOUD
No further investment in your own infrastructure
Your infrastructure is fully scalable
Resources are dedicated to your activity
Industry-standard technology (VMware vSphere)
6. APPROVAL AND CERTIFICATION
OVH will be certified on 24th October 2019.
Approval versus certification:
Status: approval is end of life; certification is being launched.
Delivery: approval was granted on the basis of documentation; certification is based on an audit.
By: approval by the approvals committee of hosting providers; certification by an accredited body.
Scope: approval covered the activities described in the documentation; certification covers the activities listed in French decree 2018-137 that fall within the scope of the ISMS.
Constant element: for approval, the contract; for certification, the requirements related to the ISMS.
7. A MECHANISM COVERED BY THE LAW
Article L.1111-8 of the French Public Health Code states that:
"Any natural or legal person who hosts personal health information collected in the course of activities of prevention, diagnosis, care or social welfare/medico-social welfare monitoring, on behalf of the natural or legal persons who produced or collected such information or on behalf of the patient him or herself, must be authorised or certified to this effect."
The obligation to use an approved or certified hosting provider therefore applies to any controller of personal health data collected in the course of these activities that wishes to entrust the storage of this data to a third party.
8. AIMS OF THE CERTIFICATION
Guarantee a specific level of protection for personal health information.
Achieve more reliable monitoring of requirements through onsite audits.
Open the offer to hosting providers that have obtained certification outside of the national territory and outside of the health sector.
9. Decree 2018-137 – French Public Health Code article R.1111-9: CERTIFIABLE ACTIVITIES
1. The provision and maintenance in operational condition of physical sites to host the physical infrastructure of the information system used to process healthcare data. In other words: housing.
2. The provision and maintenance in operational condition of the physical infrastructure of the information system used to process healthcare data. In other words: servers, network, storage.
3. The provision and maintenance in operational condition of the virtual infrastructure of the information system used to process healthcare data. In other words: the IaaS.
4. The provision and maintenance in operational condition of the information system application hosting platform. In other words: the PaaS.
5. The administration and operation of the information system containing healthcare data. In other words: the SaaS.
6. Backing up healthcare data. In other words: backup.
It is the responsibility of the hosting company's customer to check that this scope covers their needs.
10. STANDARD AND CERTIFICATION
HDS certification standard published by ASIP Santé: requirements and checks, version 1.1, June 2018.
Two certificates:
1 ISO 27001 certificate – broad scope
1 HDS IT service provider certificate
Issued by a COFRAC-accredited body.
Validity: 3 years – initial audit + two follow-up audits.
HDS CERTIFICATION IN 3 WORDS: ISO 27001; protection of personal data (ISO 27018); 15 specific requirements; ISO 20000-1.
11. KÉNORA – SOME BACKGROUND
Occupational health software publisher
The software manages health in the workplace and the DMST (the French occupational health medical record)
Developed, distributed and integrated in major French companies
Available for installation on the customer's premises, or as SaaS
12. A FEW FIGURES
Kénora key facts and figures
Launched in 2011
15 employees
SaaS offer:
▪ With OVH since end of 2016
▪ 50,000 active medical records
▪ Around 200 users
[Chart: SaaS, a growing trend, 2016 to 2018]
13. Which healthcare data is affected?
Healthcare data is at the heart of our business. The data collected is the information in the DMST, the French occupational health medical record, including:
Patient history and current conditions
Test results
Medical notes
Disabilities
Medical treatments
14. KÉNORA AND HDS CERTIFICATION
Certification is proof of independence and expertise
Certification of hosting company and IT service provider
Concerns activities 4 to 6 (PaaS, SaaS and backup)
An ISMS formalisation process based on ISO 27001 and adapted to the context of health
15. KEY REASONS TO CHOOSE HDS CERTIFICATION
Autonomy and control over the technical platform
Flexibility and agility
Improves the image of the offer, and is easier for customers to understand
Demonstrates expertise and active involvement in data security