France Unveils its Information System Security Plan in the Health Care Sector

On October 14, 2016, France's Ministry of Social Affairs and Health issued an instruction notice (document in French) providing for the implementation of the "information systems security plan" for the health care sector. The plan is intended to ensure a harmonized minimum baseline level of cybersecurity for information systems of health care facilities, such as hospitals, biomedical laboratories, radiation therapy centers, and imaging and radiology public and private centers.

The instruction notice states that, in the second quarter of 2016, almost 90 percent of the ransomware cyberattacks worldwide targeted health care institutions and that such computer intrusions can have a significant impact on the provision of medical care and, more generally, result in material economic consequences.

The instruction notice sets forth the specific instructions and related implementation timeline for the Health Regional Agency's directors, who are in charge of implementing these security measures. The measures are divided into three levels and will be implemented in the next six, 12, and 18 months respectively. Measures listed in level 1 provide for the installation of an antivirus program, the use of strong passwords and their frequent renewal, as well as a backup carried out on a regular basis. This level sets a minimal security framework for the health institutions. The measures provided in levels 2 and 3 aim to ensure the security of users' accounts, the security of access to the wireless internet, segregation of the information systems, and an audit of the risks of information systems.

This plan completes the existing health information systems security policy, known as PGSSI-S, which sets the security principles for the health and medical sector (i.e., availability, confidentiality, integrity, and tracking of the health data). Such measures follow the framework set forth by two ministerial orders issued respectively on October 1, 2015 (PSSI-MCAS) and on July 17, 2014 (PSSIE), which set a general security policy for the French state information systems.

Private health care professionals active in France should take this opportunity and the related standards to reassess their own cybersecurity levels.

Lawyer Contacts

Olivier Haas

Cristiana Spontoni

Daniel J. McLoon
Los Angeles

Mauricio F. Paez
New York

Hatziri Minaudier, an associate in the Paris Office, assisted in the preparation of this Alert.

Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.