Data storage and risk prevention: HDS certification benefits

Thomas Flachaire, CISO, et Anthony Ambrogi, Information Security Officer, EBRC
By Hospitalia 15/07/2021
Health & Life Sciences
OES - Operators of Essential Services

European Business Reliance Centre (EBRC) is now certified as a Health Data Host (HDS)  for all six activities. This is a further recognition of the expertise and know-how of this European player in data management, as Anthony Ambrogi, Information Security Officer, and Thomas Flachaire, Chief Information Security Officer, explained to us. 

EBRC: the reliability and know-how of a European group

You are both part of the Risk, Information Security and Continuity (RISC) team at EBRC. What exactly are its missions?

Anthony Ambrogi: Our five-person team deals with all issues related to enterprise risk management, information security management and business continuity, for example through the implementation of security checks, assessments, monitoring procedures, etc. One of our objectives is to prevent cyber incidents as much as possible in order to protect and maintain the continuity of our activities and those of our clients.

Thomas Flachaire: Providing a continuous and qualitative service is indeed a major challenge for EBRC, which operates in many strategic areas such as health, energy, banking and finance, space, international institutions, and more. The concept of service continuity is therefore an integral part of our value chain, and is reflected in our offers. Since 2000, we have made the protection and management of sensitive data our strategy and have developed a whole range of services including consulting, cybersecurity, resilience, cloud, managed services and Data Center. For example, we operate our own Data Centers, three of which are Tier IV certified by Uptime Institute. This high level of quality has enabled us to achieve zero seconds of downtime since 2000: a necessity for most of our clients’ critical activities.

HDS certification: definition and key benefits

You are also a certified Health Data Host (HDS), now for activities 1 to 6, for France. Can you tell us more about this certification?

Anthony Ambrogi: France is one of the first countries to require this type of certification, which is in perfect synergy with our own strategy and long-term vision. Obtaining HDS certification was therefore an obvious choice for us. This demanding standard is indeed a token of quality and end-to-end guarantees. The HDS standard covers six activities, two applicable to hosting providers and four to managed services providers. In 2018, EBRC was certified for the first activity, relating to the maintenance of physical sites. Since March 2021, we have been HDS certified for all activities, from Data Center infrastructure, Cloud platforms (IaaS, PaaS, and SaaS), and software to backup management.

Thomas Flachaire: The HDS standard offers another advantage: it greatly facilitates exchanges during calls for tenders and audits carried out by our clients, by offering a clear framework for such exchanges. It is an implementation of our cyber-resilience strategy, to deliver the best guarantees in terms of security, continuity and efficiency. The implementation of this standard represents a further step for us, after GDPR compliance and the certifications we have already obtained with respect to standards ISO 27001 for information security management systems, ISO 22301 for business continuity and ISO 20000 for IT service management.

HDS Certification and GDPR: the main principles of data security in the health sector

How does this strategy respond to the challenges of the healthcare industry?

Anthony Ambrogi: Stakeholders in the healthcare industry, particularly in France, are faced with strong regulatory constraints with respect to guaranteeing data security. These requirements have been reinforced by the GDPR, which has taken precedence over other normative requirements in terms of personal data protection. Any service provider chosen by a healthcare institution must therefore be certified for the services delivered, whether it is the computer server hosting provider or the managed services supplier responsible for maintaining the production systems in operational condition.

Thomas Flachaire: This is all the more necessary in 2021, in the midst of a health crisis, as health establishments have been the target of particularly virulent cyber-attacks. We are convinced that in order to improve the overall security level of a structure, it is necessary to involve its teams and to have them participate as much as possible in the development of plans and procedures. Training and awareness-raising sessions are also a crucial activity for strengthening user involvement, but they are still no match for the ingenuity of hackers. It is therefore essential to work in several areas: risk prevention and identification, reacting to proven threats, continuous improvement of existing processes, etc. Building on its operational experience, EBRC has a team of twenty-five consultants who support organisations all the way up to ISO 27001 (Information Security) and ISO 22301 (Business Continuity) certification.

Guaranteeing data security beyond HDS certification

EBRC offers support in cybersecurity and resilience

Anthony Ambrogi: Security is a sum of strategies and solutions, and it must be thought of as such. The concept of cyber-resilience is therefore at the heart of our business and underpins all the activities of our teams, which work in small, agile groups. This approach allows us to offer high-quality services to the Luxembourg shared healthcare record and the Integrated Biobank of Luxembourg (IBBL), for example, which have been benefiting from our know-how and experience in healthcare issues for several years now.

EBRC is also involved at the European level, notably with the Gaia-X project. Can you tell us more about this involvement?

Thomas Flachaire: Through initiatives such as Gaia-X - which aims to develop an efficient, competitive, secure and reliable data infrastructure for the European Union - there is every reason to believe that a European standard will emerge. This is all the more possible since the advent of the health crisis: the various countries all want to guarantee the health of their population, in order to limit the impact on their economy. To achieve this, it would be ideal to be able to share certain health information, such as vaccination data during the tourist season. However, to do this, we must first guarantee the security of health data, which seems difficult to achieve without a standard applicable at European level. We are therefore convinced that there will eventually be an EU standard for health data management, similar to what has been implemented with the GDPR. And if this trend is confirmed, EBRC must be a major player in this in order to remain the ideal partner for healthcare institutions.