France Unveils its Information System Security Plan in the Health Care Sector
    January 6, 2017 | Authors: Olivier Haas; Daniel J. (Dan) McLoon; Hatziri Minaudier; Mauricio F. Paez; Cristiana Spontoni
    Law Firms: Jones Day - Paris Office; Jones Day - Los Angeles Office; Jones Day - Paris Office; Jones Day - New York Office; Jones Day - Brussels Office

    On October 14, 2016, France's Ministry of Social Affairs and Health issued an instruction notice (document in French) providing for the implementation of an "information systems security plan" for the health care sector. The plan is intended to ensure a harmonized minimum baseline of cybersecurity for the information systems of health care facilities, such as hospitals, biomedical laboratories, radiation therapy centers, and public and private imaging and radiology centers.

    The instruction notice states that, in the second quarter of 2016, almost 90 percent of ransomware attacks worldwide targeted health care institutions, and that such intrusions can significantly disrupt the provision of medical care and, more generally, cause material economic harm.

    The instruction notice sets forth the specific measures and the related implementation timeline for the directors of the Regional Health Agencies (Agences régionales de santé, ARS), who are in charge of implementing them. The measures are divided into three levels, to be implemented within the next six, 12, and 18 months respectively. Level 1 measures provide for the installation of antivirus software, the use of strong passwords and their regular renewal, and regular backups. This level sets a minimal security framework for health institutions. Levels 2 and 3 aim to secure user accounts, secure access to wireless networks, segregate the information systems, and carry out a risk assessment of the information systems.

    This plan supplements the existing health information systems security policy, known as PGSSI-S, which sets out the security principles for the health and medical sector (i.e., availability, confidentiality, integrity, and traceability of health data). These measures also follow the framework set by two ministerial orders: the order of October 1, 2015 (PSSI-MCAS), which sets the information systems security policy for the ministries in charge of social affairs, and the order of July 17, 2014 (PSSIE), which sets the general security policy for the information systems of the French State.

    Private health care professionals active in France should take this opportunity, and the standards it references, to reassess their own level of cybersecurity.