The Ministry of Solidarity and Health before its program to put in place a support plan supposed to help health facilities in strengthening their cybersecurity.
The latter, it should be noted, are in the process of joining the group of essential service operators (OSE).
Under the new plan, health facilities are obliged to devote 5 to 10% of their IT budget to security if they want any support from the French government. This was announced by Mr Cédric O and Olivier Véran on 22 February. Statements that were made during their trip to inquire about the news of the hospitals of Dax and Villefranche-sur-Saône, establishments affected by ransomware attacks in this case the famous Ryuk.
This article will also interest you: Computer attack on a hospital: where exactly the flaw comes from
As part of the strengthening of the cybersecurity of health facilities, there will be the integration of nearly 135 territorial hospital groups into the famous list of operators of essential services.
Of course, this is a status that requires several very strict cybersecurity rules, not to mention the constraint applied to the information systems of practices that meet the stated requirements.
"The National Information Systems Security Agency (Anssi) will be responsible for monitoring compliance with these rules. Regional health agencies (ARS) will assist institutions in complying with these new obligations," the two government men said in a statement.
As a reminder, it should be pointed out that the law of 26 February 2018 which transposes a European directive 2016/1148 of 6 July 2016 has a list of "services essential to the functioning of society or the economy" must be framed on the aspect of COMPUTER security in a much more demanding way. The May 2018 decree states that services "contribute to prevention, diagnosis or care activities," "reception and regulation of calls" and "mobile emergency and resuscitation service" as part of emergency medical assistance, as well as "pharmaceutical distribution."
"With regard to allocating 5-10% of IT budgets to cyb[informatique]er security, this is going to be a strong commitment. We will develop an accompanying plan to ensure that this cybersecurity component is well integrated by health care institutions on a daily basis, and in particular to deal with the threat that is multiplying by ransomware" explains Caroline Le Gloan, the head of the office "information systems of the actors of the supply of care" at the DGOS
"We are in the process of developing this support plan for the ministry, with the National Information Systems Security Agency and the aim is to relaunch and strengthen the cybersecurity plan, which has been in place since 2019," she said. She adds: "IT budgets are not scalable, they are constrained and we take this into account in the support plan. ».
With regard to the designation of the territory hospital groups, Caroline Le Gloan states: "We are also working on it". "There are already a number of designated ESO health facilities, including the CHUs, which is a model that we will replicate for the 135 GHT. ».
According to the DGOS office manager, there will be several meetings this week to determine how this support plan should be applied.
Emmanuel Le Bohec, the Europe-Middle East and Africa (EMEA) sales manager at Claroty, a company specializing in the security of OT (Operational Technology) environments and industrial systems, says: "Cybersecurity must go beyond office." He adds that "You shouldn't just think about office work. When it comes to cybersecurity, the security of infrastructure and buildings is also important. Beyond office space, you can take control of elevators, defibrillators, connected insulin pumps, etc., during a cyberattack and the hospital environment is not originally thought for cybersecurity. ». "When the office is blocked, you can still access the paper and doctors can still treat it, even if it's more complicated, but when radiotherapy equipment is inaccessible, for example, the impact is much greater," he says.
Now access an unlimited number of passwords: