Cybersecurity and health: €750 million for speed and resilience

The French DNS (Délégation au Numérique en Santé) and ANS (Agence du Numérique en Santé) gathered all the stakeholders responsible for cybersecurity in the healthcare and medico-social sectors. The aim was to respond to the issues in priority 15 of category 4 of the 2023-2027 roadmap for digital technology in healthcare and massively reinforce healthcare establishments’ cybersecurity. €230 million has been allocated for 2024. With the designation of over 2,000 public and private hospitals as OSEs (essential service operators) scheduled for the end of 2024, this program comes at just the right time.

The CaRE program comes with four categories and 20 objectives:

The « Governance and Resilience » category aims to incorporate digital security and CaRE‘s objectives into the core of organizations’ strategic decision making, from the highest levels (ministries and agencies) down to establishments’ executive committees. It seeks to disseminate a culture of cybersecurity at all levels of decision making and among all healthcare professionals. For this, establishments must constantly evaluate themselves while following suitable roadmaps, and they must undergo cyber-crisis drills and simulations to bolster their disaster recovery procedures.

The « Resources and Pooling » category seeks to map specialized resources, whether these cover technical, organizational or regulatory aspects, and to assess the possibilities for mutualization and how this approach may be strengthened. Hospitals are hiring; spread the word. Contrary to what you might think, the recently revised pay scales for engineers and senior technicians can be attractive, with exciting assignments.

Regional e-health deployment support groups will be put to work, with regional health agencies providing them with funding to produce a range of services and set up cyber resource centers. Establishments will need to dedicate and defend budgets for cybersecurity operations.

The « Awareness-raising » category is ambitious but necessary. The entire ecosystem is exceptionally broad, and it needs to be brought on board. Medical, nursing and medico-technical roles, executives, managers, administrative staff, engineers, technicians, partners: everyone is concerned. And the level of cybersecurity awareness needs to be stepped up considerably. Phishing tests, video campaigns, specialized conferences, training courses, e-learning modules… Everything must be done to ensure that the 1.7 million people working in the healthcare system have the necessary skills.

« Operational security » covers the main areas of « technical » security: control and proactive supervision of asset security and the security of interconnections, operation and maintenance of a cybersecurity base that includes directories (including the AD), backup and restoration technologies, system and network supervision, disaster recovery plans, and the security of exposed services, all of which will have their own, regularly measured security sub-objectives.

These four categories will lead to a number of projects in public hospitals – which are organized into 135 regional groups – private structures and the medico-social sector. The findings have long been widely known. A technical debt crammed with security flaws, poorly or inadequately protected core systems – some of which were hardened as a result of cyberattacks – complex, quasi-dynamic authorization policies, cumbersome identity and rights management, weak authentication mechanisms, many of which are still based on usernames and passwords, hidden and unhidden misuse at all levels due to convenience or a lack of control over users, and large numbers of professionals that need to be educated and, in some cases, trained.

IT systems in healthcare are uniquely complex. There are several hundred critical applications, some of which are interconnected, some not, some through EAIs, some not. Hundreds of medical devices and software packages need to be linked to suppliers, while data needs to be shared between multiple regional players. Meanwhile, users are increasingly mobile, always in a hurry, constantly under pressure, and patients expect seamless interaction within an ultra-available, secure continuum of care.

Let’s bet that the system will make progress—it must!—and that CaRE’s objectives will be fulfilled, boosted by this unprecedented investment and by resources in the field that should be supported as never before.