Rigorous security standards to protect sensitive health data | ResMed

Security: end-to-end systems to protect data

ResMed is committed to excellence in information security. Our expert teams take a proactive approach to managing the complex challenges of end-to-end information security, strengthening our defences against threats and mitigating and managing risks. Our processes and protocols meet regulatory requirements and best practices, so you and your patients benefit from reliable confidentiality and data integrity.

Why trust ResMed for security?

Security is central to ResMed’s activities. As an organisation that provides sensitive healthcare services via remote solutions and cloud-connected devices, we need our security systems to be robust, wide-reaching, responsive and compliant. We view security as a strategic advantage and invest in it accordingly. Our global security team has expertise in security engineering, security architecture, cloud security and security governance. They work closely with our digital health technology teams to ensure our infrastructure, applications, systems and processes have security built in from the ground up.

Protect sensitive health data

ResMed’s advanced security systems and protocols prevent data theft and unauthorised access. Our end-to-end approach helps you to meet your health data security obligations and ensure the confidentiality of your patients’ personal data.

Access accurate data

With ResMed, you can feel confident about health data integrity. Our secure processing and storage systems prevent data loss and corruption. Robust security protocols optimise service availability and protect against outages.

Benefit from relevant services

Optimise patient management by working with a partner whose secure systems protect data from unauthorised access but ensure rapid, remote availability of the information and analytics you need. We’re proud that our security systems create a firm foundation for relevant, real-life services that remove barriers to interaction and enable you to work more easily.

Security certification

When it comes to operational excellence in data security, we choose to go further. We sought and obtained dual HDS/ISO 27001 certification for AirView and myAir to demonstrate our commitment to secure data processing and hosting and to ensure our teams and systems were operating at the highest standards, as verified by independent auditors.

ISO 27001


ISO 27001 is a well-known international standard for information security management systems. It details requirements for establishing, implementing, maintaining and continually improving an organisation’s information security management system in order to protect the data and information assets it contains. In August 2020, ResMed received ISO 27001 certification for its AirView and myAir solutions and its Lyon site following a rigorous independent audit, so health professionals, partners and patients who use our services can feel confident that their sensitive data is securely managed. Every year, an independent team of auditors will check that ResMed is continuing to comply with ISO 27001 standards.


HDS (Hébergement de Données de Santé)


HDS is a demanding French certification standard for entities that host personal health data. It combines the requirements of ISO 27001 and the French ASIP standard with additional elements from ISO 27018 and ISO 20000. ResMed is one of the few medical equipment and digital solutions companies that meets this strict standard for storing and processing health data. Our ongoing compliance with HDS will be rigorously and independently audited every year.


HDS is a demanding French certification standard for entities that host personal health data. It combines the requirements of ISO 27001 and the French ASIP standard with additional elements from ISO 27018 and ISO 20000. Like the internationally recognised ISO standards on which it is based, HDS is a continuous improvement framework. As such, ResMed’s ongoing compliance with HDS will be rigorously and independently audited every year.

HDS is designed to keep personal health data secure and protected. During a tough independent audit, certified companies must demonstrate that they have comprehensive, robust and appropriate security systems and processes that maintain data confidentiality, integrity and availability for customers and partners.

ResMed, like other companies that host personal health data in France, needs to have HDS certification. Meeting HDS standards improves the quality of the end-to-end services that ResMed provides to all our European customers. It also increases visibility and transparency for customers with regard to ResMed’s information security management.

ISO 27001 is an internal standard for information security management systems. It can be applied to any process by any organisation and it is voluntary, not mandatory.

HDS is a French standard that is mandatory for organisations that process French patient data. As ISO 27001 is the main pillar of HDS, organisations must obtain ISO27001 certification in order to receive HDS certification.

HDS has a broad scope. Although information security lies at the core of the certification, HDS assesses security in all its forms. For example, it reduces the risk of cyberattacks and maintains information availability by ensuring that applications are resistant to outages. It protects privacy by securing access to sensitive data. It covers supplier management, with regular audits for suppliers who have a direct impact on IT systems. HDS even covers physical access to buildings to reduce the risk that unauthorised third parties will gain entry.

ResMed’s HDS / ISO 27001 certification covers the management of the AirView and myAir platforms in Europe as well as its site at Lyon in France.

ResMed is certified on all six HDS levels, including the infrastructure levels, even though we do not own the data centre where our data are hosted. We chose to obtain HDS certification for all six levels for two reasons: first, to reassure our customers that we secure their data at every level, and second, because we are accountable for choosing the best physical hosting provider for our customers. We have chosen a supplier that is certified under HDS to host health data and we monitor its performance to ensure it provides the best security and privacy levels.

The full text of the HDS standard is available in French on the website of the French government agency, the Agence du numérique en santé.


ResMed’s Cloud Computing with AWS

ResMed’s goal is to deliver products and solutions that improve quality of life and reduce the burden of chronic disease on healthcare systems. New digital technologies using data from connected devices are key to achieving that goal. At ResMed, we use them to target ongoing improvements in patient care, product quality and performance and drive value to our customers. To leverage these technologies securely, quickly, efficiently and at scale, we’ve chosen to work with the world-class cloud computing infrastructure and data centre capabilities of AWS (Amazon Web Services) in Frankfurt, Germany and in Paris, France.


ResMed vulnerability disclosure

  1. Send an encrypted email, using the ResMed PGP Key, to Security Reports
  2. Provide as much information as possible, including steps to reproduce the issue and any logs or scripts used (e.g. text, screenshots)
  3. If you would like follow up, please use a valid email address

  • ResMed will contact you with an incident number, and may request additional information
  • ResMed will verify the vulnerability, and will coordinate internally to plan for remediation, if verified
  • ResMed will coordinate a disclosure timeline with you
  • ResMed will notify you when the issue has been resolved
  • ResMed will make an effort to respond to status inquiries within 10 business days

  • Social engineering and phishing
  • Physical attacks against ResMed-owned systems or sites
  • Actions that may disrupt service (e.g. denial of service, brute force)
  • Sending identifiable customer, patient, employee or user data
  • Premature public disclosure of a cybersecurity vulnerability
  • Testing of non-ResMed systems, such as 3rd-party suppliers