Date: 2016-12-22

On October 14, 2016, France's Ministry of Social Affairs and
Health issued an instruction notice (document in French) providing for the
implementation of the "information systems security plan"
for the health care sector. The plan is intended to ensure a
harmonized minimum baseline level of cybersecurity for information
systems of health care facilities, such as hospitals, biomedical
laboratories, radiation therapy centers, and public and private
imaging and radiology centers.

The instruction notice states that, in the second quarter of
2016, almost 90 percent of the ransomware cyberattacks worldwide
targeted health care institutions and that such computer intrusions
can have a significant impact on the provision of medical care and,
more generally, result in material economic consequences.

The information notice sets forth the specific instructions and
related implementation timeline for the Health Regional
Agency's directors who are in charge of the implementation of
these security measures. The measures are divided into three levels
and will be implemented in the next six, 12, and 18 months
respectively. Measures listed in level 1 provide for the
installation of an antivirus program, the use of strong passwords,
and their frequent renewal, as well as a backup carried out on a
regular basis. This level sets a minimal security framework for the
health institutions. The measures provided in levels 2 and 3 aim to
ensure the security of users' accounts, the security of access
to the wireless internet, segregation of the information systems,
and an audit of the risks of information systems.

This plan completes the existing health information systems
security policy, known as PGSSI-S, which sets the security
principles for the health and medical sector (i.e., availability,
confidentiality, integrity, and tracking of the health data). Such
measures follow the framework set forth by two ministerial orders
issued respectively on October 1, 2015 (PSSI-MCAS) and on July 17,
2014 (PSSIE), which set a general security policy for the French
state information systems.

Private health care professionals active in France should take
this opportunity and the related standards to reassess their own
cybersecurity levels.
