Security: end-to-end systems to protect data
Resmed is committed to excellence in information security. Our expert teams take a proactive approach to managing the complex challenges of end-to-end information security, strengthening our defences against threats and mitigating and managing risks. Our processes and protocols meet regulatory requirements and best practices, so you and your patients benefit from reliable confidentiality and data integrity.
HDS FAQs
HDS is a demanding French certification standard for entities that host personal health data. It combines the requirements of ISO 27001 and the French ASIP standard with additional elements from ISO 27018 and ISO 20000. Like the internationally recognised ISO standards on which it is based, HDS is a continuous improvement framework. As such, Resmed’s ongoing compliance with HDS will be rigorously and independently audited every year.
HDS is designed to keep personal health data secure and protected. During a tough independent audit, certified companies must demonstrate that they have comprehensive, robust and appropriate security systems and processes that maintain data confidentiality, integrity and availability for customers and partners.
Resmed, like other companies that host personal health data in France, needs to have HDS certification. Meeting HDS standards improves the quality of the end-to-end services that Resmed provides to all our European customers. It also increases visibility and transparency for customers with regard to Resmed’s information security management.
ISO 27001 is an international standard for information security management systems. It can be applied to any process by any organisation, and it is voluntary, not mandatory.
HDS is a French standard that is mandatory for organisations that host French patient data. As ISO 27001 is the main pillar of HDS, organisations must obtain ISO 27001 certification in order to receive HDS certification.
HDS has a broad scope. Although information security lies at the core of the certification, HDS assesses security in all its forms. For example, it reduces the risk of cyberattacks and maintains information availability by ensuring that applications are resistant to outages. It protects privacy by securing access to sensitive data. It covers supplier management, with regular audits for suppliers who have a direct impact on IT systems. HDS even covers physical access to buildings to reduce the risk that unauthorised third parties will gain entry.
Resmed’s HDS / ISO 27001 certification covers the management of the AirView and myAir platforms in Europe as well as its site at Lyon in France.
Yes. A copy of our HDS certification can be downloaded here.
Resmed is certified on all six HDS levels, including the infrastructure levels, even though we do not own the data centre where our data are hosted. We chose to obtain HDS certification for all six levels for two reasons: first, to reassure our customers that we secure their data at every level, and second, because we are accountable for choosing the best physical hosting provider for our customers. We have chosen a supplier that is certified under HDS to host health data and we monitor its performance to ensure it provides the best security and privacy levels.
The full text of the HDS standard is available in French on the website of the French government agency, the Agence du numérique en santé.
Resmed’s Cloud Computing with AWS
Resmed’s goal is to deliver products and solutions that improve quality of life and reduce the burden of chronic disease on healthcare systems. New digital technologies using data from connected devices are key to achieving that goal. At Resmed, we use them to target ongoing improvements in patient care, product quality and performance, and to deliver value to our customers. To leverage these technologies securely, quickly, efficiently and at scale, we’ve chosen to work with the world-class cloud computing infrastructure and data centre capabilities of AWS (Amazon Web Services) in Frankfurt, Germany and in Paris, France.
Resmed vulnerability disclosure
- Send an encrypted email, using the Resmed PGP Key, to Security Reports
- Provide as much information as possible, including steps to reproduce the issue and any logs or scripts used (e.g. text, screenshots)
- If you would like a follow-up, please provide a valid email address
- Resmed will contact you with an incident number, and may request additional information
- Resmed will verify the vulnerability, and will coordinate internally to plan for remediation, if verified
- Resmed will coordinate a disclosure timeline with you
- Resmed will notify you when the issue has been resolved
- Resmed will make an effort to respond to status inquiries within 10 business days
The following activities are out of scope of this programme and must not be carried out:
- Social engineering and phishing
- Physical attacks against Resmed-owned systems or sites
- Actions that may disrupt service (e.g. denial of service, brute force)
- Sending identifiable customer, patient, employee or user data
- Premature public disclosure of a cybersecurity vulnerability
- Testing of non-Resmed systems, such as 3rd-party suppliers