CaRE, the government’s action plan in response to the cyber threat in healthcare
Over the past 12 months, several French healthcare institutions have been victims of cyberattacks. Examples include the Bourg-en-Bresse hospital in April and the Versailles hospital at the end of 2022.
According to ANSSI, the state security agency, the health sector is the third most affected sector by cyberattacks, after local authorities and SMEs. And according to the government, the threat is not weakening.
An action plan developed by a group of field experts
To respond to this threat, the executive is setting up a program: CaRE, for accelerated cybersecurity and resilience of institutions. On December 18, the Ministers of Health and Digital presented their action plan.
Its objective is to implement measures to protect healthcare facilities from the cyber threat. The actions of the program have been the subject of discussions for several months within a “working group bringing together field experts.”
According to the ministries concerned, the group's discussions aimed to build an “unprecedented action plan to strengthen the cyber security of health institutions and medico-social structures.”
A first call for projects on cyber remediation
CaRE thus aims to accelerate the upgrade of hospital information systems and to sustainably strengthen the resilience of healthcare structures. To achieve this ambition, the program is endowed with a budget of 250 million euros until 2025.
By the end of 2027, the total investment in cybersecurity for the French healthcare sector will reach 750 million euros. Two objectives are pursued: to prevent the attacks from succeeding and to allow the establishments to recover from them as quickly as possible.
As part of CaRE, a first call for projects worth 60 million euros was launched at the end of December. This funding will finance so-called cyber remediation plans for health facilities.
These plans are intended to “respond to vulnerabilities exploitable by attackers and thus reduce the risk of intrusion and the spread of malicious software in the information system of the establishment.”