
The Difficult Task of Protecting Health Data


In 2023, 10% of ransomware victims in France were hospitals, public or private, according to data from the French National Cybersecurity Agency (ANSSI). Because hospital IT systems are fragile and increasingly interconnected with external systems, healthcare is now the third most targeted sector, just behind local authorities and businesses.
In a report published in early January 2025, the French Court of Auditors found that hospital IT systems are particularly fragile for two reasons: their growing complexity, measured by a number of applications unmatched in any other sector (up to 1,000 in large university hospitals), and chronic underinvestment in digital infrastructure (an average of 1.7% of operating budgets, compared with 9% in banking and 2% in consumer goods). This is compounded by the obsolescence of over 20% of equipment (workstations and servers running unsupported operating systems, and network equipment and business software that can no longer be maintained) and by insufficient awareness of cybersecurity among hospital staff.
Health data is omnipresent and difficult to protect
Citing estimates from hospitals that have been attacked, the Court of Auditors puts the cost for a single hospital at up to €10 million for crisis management and remediation, plus up to €20 million in lost operating revenue. These figures do not include the potential financial fallout from the theft and publication of large volumes of medical and non-medical data belonging to patients and healthcare professionals.
Health data is not just any data. Many people think only of the patient file. But in reality, health data covers a much broader spectrum. Data generated by a diagnostic imaging device is also health data. Today, the challenge is significant because data exchanges go well beyond the hospital: health data circulates between hospitals, private practitioners, local governments, associations, occupational health services… Health data is practically everywhere.
Dr. Xavier Alacoque, Head of Information Systems Security and Director of Data and AI at IUCT-Oncopole, adds: "Health data is something everyone wants to process and manipulate. Major players like Google, Microsoft, and IBM are all working on it, but health data—siloed and lacking interoperability—is captive to the care system. And because we haven't achieved the necessary maturity, and the required investments haven't been made, data exchanges are rushed and inconsistent."
He continues: "When I started practicing, I took an oath to keep all patient information confidential. Later, I moved into cybersecurity because everything was becoming digital. But it was a rough experience: I was confronted with health IT systems that had been neglected for far too long. Hospital directors preferred to invest in faster scanners to improve quality and accessibility, rather than in cybersecurity systems."
Another obstacle to effective health data protection is the very low level of cybersecurity training among healthcare staff. Healthcare professionals are not trained in digital tools — it’s simply not part of their job. So we need to implement “airbag-style” security systems, meaning they work invisibly in the background. If these systems become cumbersome, staff will bypass them, leading to all kinds of undesirable behavior.
A jungle of regulations complicates the work of CISOs
According to Vincent Trely, President and Founder of APSSIS, another major challenge for CISOs in healthcare is the overwhelming number of applicable regulations. CISOs must reconcile numerous regulatory frameworks and texts that, in the end, all say more or less the same thing. For example: healthcare institutions are subject to the GDPR and must secure the processing of personal data. The NIS 1 and 2 directives add about twenty more rules. At the same time, CISOs must apply the 43 measures outlined in the Ministry of Health's "Priority Security Measures for Information Systems" reference framework. And then there are broader regulatory texts like the AI Act and the Digital Services Act.
If a CISO aims to build a private cloud infrastructure, they must also obtain HDS (Health Data Hosting) certification, which includes ISO 27001, plus the General Policy for the Security of Health Information Systems, not to mention the French Public Health Code and CNIL requirements… With so many overlapping texts, many experts are asking whether adopting a single international certification like ISO 27001 could help simplify and standardize regulatory compliance.
You also have to consider the number of mandatory reports a healthcare facility must produce within 72 hours of a cyber incident. There are over ten. Now imagine managing a crisis with ten stakeholders asking for updates every half hour because of intense media pressure. It’s simply unmanageable.
Notable State-led initiatives in recent years
In this context, France has gradually organized its response to cyberattacks and begun reinforcing the information systems of healthcare institutions. One milestone was the creation of CERT Santé in 2017 by the Ministry of Health. This specialized unit, responsible for handling cybersecurity incident reports from healthcare organizations, supports all health and medico-social establishments in their incident response.
CERT Santé also collects incident data and uncovers vulnerabilities that would otherwise stay hidden. One example: it found that a biomedical device supplier used the same password on all of its equipment in every French hospital, and that this password was publicly available online. A single leaked or guessed credential therefore exposed the vendor's entire installed base.
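The shared-vendor-password finding above is the kind of thing a fleet credential audit catches before an attacker does. The following script is an added example, not CERT Santé's tooling or anything from the original page: it takes a device inventory export (a constructed, fictitious sample is embedded), fingerprints each credential with a per-audit HMAC key so the report never carries plaintext, groups devices that share a credential, and rates the finding by whether the secret is a known vendor default and whether it spans several institutions. The inventory fields, vendor names and the `KNOWN_DEFAULTS` list are all assumptions made for the example.

```python
"""Credential-reuse audit over a biomedical device inventory (added example)."""
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional

# Constructed sample inventory, one row per device, as it might be exported
# from a fleet-management tool. Sites, hosts, vendors and passwords are fictitious.
INVENTORY = [
    {"site": "CHU-A", "host": "mri-01", "vendor": "AcmeMed", "password": "acme2015"},
    {"site": "CHU-A", "host": "ct-02", "vendor": "AcmeMed", "password": "acme2015"},
    {"site": "CH-B", "host": "mri-01", "vendor": "AcmeMed", "password": "acme2015"},
    {"site": "CH-B", "host": "pacs-01", "vendor": "ImgCorp", "password": "Tz9!q2#Lw8"},
    {"site": "CH-C", "host": "infusion-07", "vendor": "PumpCo", "password": "admin"},
    {"site": "CH-C", "host": "ct-02", "vendor": "AcmeMed", "password": "S4f3-unique"},
]

# Hypothetical vendor defaults, e.g. gathered from publicly available manuals.
KNOWN_DEFAULTS = {"AcmeMed": {"acme2015"}, "PumpCo": {"admin", "1234"}}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def fingerprint(secret: str, audit_key: bytes) -> str:
    """Keyed hash of a credential: identical secrets collide within one audit,
    but the report holds no plaintext and fingerprints are not comparable
    across audits run with different keys."""
    return hmac.new(audit_key, secret.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def classify(is_default: bool, n_sites: int, n_devices: int) -> Optional[str]:
    """Severity rule: a vendor default shared across institutions is the
    worst case (the scenario described in the text); lone, unique secrets
    produce no finding at all."""
    if is_default and n_sites > 1:
        return "critical"
    if is_default:
        return "high"
    if n_sites > 1:
        return "medium"
    if n_devices > 1:
        return "low"
    return None


def audit(inventory, known_defaults, audit_key: bytes):
    """Group devices by (vendor, credential fingerprint) and return the
    findings sorted by severity, then vendor."""
    groups = defaultdict(list)
    for row in inventory:
        groups[(row["vendor"], fingerprint(row["password"], audit_key))].append(row)

    findings = []
    for (vendor, fp), rows in groups.items():
        sites = sorted({r["site"] for r in rows})
        # All rows in a group share the same secret, so checking one is enough,
        # but any() keeps this correct if the grouping rule is ever relaxed.
        is_default = any(r["password"] in known_defaults.get(vendor, set()) for r in rows)
        severity = classify(is_default, len(sites), len(rows))
        if severity is None:
            continue
        findings.append({
            "severity": severity,
            "vendor": vendor,
            "fingerprint": fp,
            "known_default": is_default,
            "sites": sites,
            "devices": sorted(f"{r['site']}/{r['host']}" for r in rows),
        })
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["vendor"]))
    return findings


if __name__ == "__main__":
    key = os.urandom(32)  # fresh per audit; never persist it with the report
    for f in audit(INVENTORY, KNOWN_DEFAULTS, key):
        print(f"[{f['severity']}] {f['vendor']} fp={f['fingerprint']} "
              f"default={f['known_default']} sites={f['sites']} devices={f['devices']}")
```

On the sample data this reports the AcmeMed default shared across CHU-A and CH-B as critical and the PumpCo `admin` credential as high, while the two unique passwords produce no finding. In a real deployment the inventory would come from the device-management export and the default list from vendor documentation; the HMAC key should be generated per run and discarded so that the report cannot be turned back into a password list.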
In 2023, 581 incidents were reported. These were not all cyberattacks, but the data allows for year-over-year comparisons and helps analyze incident typologies. Some major incidents draw significant media attention because they directly impact patient care. These high-profile cases also generate public fear.
In 2022, high-profile cyberattacks hit the Sud Francilien Hospital Center in Corbeil-Essonnes (CHSF) and the Versailles Hospital Center. In response, the government launched the CaRE program (Cybersecurity Acceleration and Resilience of Healthcare Institutions) as part of the 2023–2027 Digital Health Roadmap. The program aims to raise the security level quickly and, more importantly, to sustain it across the ecosystem.
The CaRE program is structured around four main pillars. The first is governance: making sure hospital and medico-social directors address cybersecurity at the right level. The Haute Autorité de Santé is adding certification criteria covering digital and cybersecurity issues, so that these topics become institution-wide priorities rather than concerns for IT departments alone. The program also mandates crisis exercises, which raise awareness and highlight the importance of business continuity.
The second pillar is resource pooling. Because the healthcare sector struggles to attract and retain IT and security staff compared with the private sector, institutions need to join forces, especially within regional hospital groups, to standardize IT systems and share teams. Smaller medico-social structures are also encouraged to join regional health cooperation groups. GRADeS (Regional e-Health Support Groups) are expected to offer cybersecurity solutions and shared support to institutions that cannot afford them on their own.
The third pillar is training and awareness. Digital technology and cybersecurity are not core competencies for most healthcare professionals or executives. Training programs must now include digital and cybersecurity content, in both initial and continuing education, and awareness campaigns help integrate these topics progressively into professional practice.
The fourth pillar is operational security. Based on incident feedback from CERT Santé, several recurring weaknesses have been identified: Active Directory security, internet exposure, backup management, remote access for professionals and vendors, and strong authentication.
Another notable initiative from the French authorities is the HospiConnect call for projects, which aims to simplify and secure access to sensitive digital services. This initiative is part of the “Operational Security” axis of the CaRE program and aims to reduce risks like digital identity theft among healthcare professionals.
HospiConnect involves deploying an SSO with two-factor authentication (2FA), centralized identity and access management (IAM), and improved Active Directory security. Once a digital identity is created for healthcare workers, it can be semi-automatically transferred to Pro Santé Connect, enabling access to state-run apps. However, this raises structural, organizational, and ethical concerns. For example, when healthcare workers are asked to log in repeatedly using shared terminals or keyboards, hospital hygiene committees push back, citing infection control concerns since these devices are not disinfected regularly.
Hospital cybersecurity remains a major challenge, exacerbated by complex IT environments, chronic underinvestment, and low staff awareness. In response to growing threats, the French government has implemented ambitious programs like CaRE and HospiConnect to strengthen resilience. However, sustained effort and widespread awareness are needed to ensure these measures are fully effective.
Watch the full breakfast discussion: https://www.youtube.com/watch?v=k9-U85prGsk&list=PLsaypbHfNQumSqkl2F1e_3bVvM4q91VZK