CaRE (Cybersecurity Acceleration and Resilience for Establishments): Understanding the Challenges and Ensuring Compliance
The CaRE program, with a budget of over 230 million euros, marks a decisive turning point for the cybersecurity of healthcare establishments in France. It aims to overhaul how these institutions defend themselves against cyber threats.
The objective is clear: to move away from a reactive approach and build true resilience against cyber threats. With a surge in attacks (+100% since 2020), outdated infrastructures, and fragmented responsibilities, structuring and accelerating the sector’s security has become imperative.
The program extends until 2027 and seeks to transform cybersecurity in French healthcare establishments by focusing on four main pillars: governance and resilience, resources and mutualization, awareness, and operational security.
By enforcing a unified governance structure, the initiative aims to integrate security into the very DNA of healthcare operations. However, governance must yield tangible, pragmatic, and operational results, which is where the strength of the CaRE program lies.
A Funding Dynamic to Secure Healthcare Establishments
The program, launched by the Ministry of Health and led by the Digital Health Agency (ANS), was made possible thanks to significant mobilization from sectoral and field actors (DNS, ANSSI, ARS, GRADeS, etc.).
In 2024, two initial funding mechanisms were implemented to support establishments in improving their cybersecurity maturity. The first, launched in March 2024, was allocated 65 million euros and targeted critical vulnerabilities in hospital information systems. These included internet exposure (one of the most common attack vectors) and the technical directory (Active Directory), which is often neglected and exploited by attackers to extend their presence within networks and maximize the impact of a cyberattack.
The success of this first funding phase was undeniable: 85% of eligible establishments applied, demonstrating the hospital sector’s strong commitment to enhancing cybersecurity. This high level of participation reflects a collective awareness of the urgency of securing the sector’s critical infrastructures. However, access to funding is contingent on meeting an initial level of security, validated through a prior assessment. This ensures that investments contribute to continuous improvement and deliver concrete results.
CaRE Program: Launch of the Second Phase (DNS/2025/12 Directive of January 22, 2025)
The government directive DNS/2025/12, issued on January 22, 2025, aligns with the CaRE program and the NIS 1 Directive and now imposes precise cybersecurity requirements on healthcare establishments. Cybersecurity can no longer be a secondary concern managed by overstretched IT teams; it must be integrated into governance, continuity strategies, and quality systems. This transformation is built on seven priority actions that provide a structured framework for achieving digital resilience.
Ensuring Compliance: Essential Actions
1. Conducting cybersecurity crisis exercises
To instill a culture of preparedness, the CaRE program mandates regular cyber crisis simulations. The goal is for 80% of healthcare establishments to conduct a crisis exercise by the second half of 2024, transforming cybersecurity from a reactive necessity into a proactive pillar of operational resilience.
Each institution must organize at least one cybersecurity crisis exercise per year and document its execution on the national health information systems monitoring platform. Lessons learned must be analyzed and incorporated into the Quality Improvement Plan (PAQ) in order to enhance incident response capabilities continuously.
2. Annual self-assessment of cyber maturity
Improving security posture relies on regular evaluation of practices. Each establishment must measure its compliance with key cybersecurity frameworks and report its score annually on the national health information systems monitoring platform. This process helps identify critical gaps and guide security efforts effectively.
3. Strengthening security audits and access monitoring
Establishments must enhance the control of their critical infrastructures by:
- Registering (mandatory) with ANSSI’s cybersecurity club and the SILENE service to access national resources and expertise.
- Conducting quarterly Active Directory (ADS) audits to detect and correct the vulnerabilities that facilitate lateral movement by attackers.
This approach enables the adoption of proactive security strategies and helps reduce the attack surface of healthcare establishments.
4. Deploying a Business Continuity and Disaster Recovery Plan (BCP/DRP)
Rapidly restoring critical services after a cyberattack is a major challenge. Each establishment must:
- Formalize a BCP/DRP by June 2025 to ensure quick operational recovery.
- By June 2026, conduct a Business Impact Analysis (BIA) for critical services (Emergency, Surgery, etc.) and medical-technical units (pharmacy, imaging, laboratory).
- Expand these BIAs to all healthcare and administrative services by June 2027, integrating a global crisis recovery plan (BCP/DRP).
These measures ensure operational resilience even in the event of a major attack.
5. Integrating cybersecurity into risk and quality management
Cybersecurity actions must no longer be isolated initiatives. They should be integrated into the institution’s Quality Improvement Plan (PAQ) and systematically monitored. This requirement ensures effective risk management and durably embeds cybersecurity into hospital culture.
Awareness is another critical pillar of the program, and for good reasons. Phishing remains one of the primary attack vectors, and hospitals have long been easy targets due to a lack of consistent training in terms of security. The CaRE program mandates that all healthcare personnel, from frontline medical staff to administrative employees, undergo cybersecurity training as part of their initial education and continuous professional development.
6. Securing authentication and information system access
Hospitals must implement a security trajectory for healthcare professionals’ Electronic Identification Means (MIE), including:
- Mandatory use of strong two-factor authentication (2FA).
- Adoption of solutions like Pro Santé Connect and eIDAS standards to secure sensitive access.
The goal is to eliminate unsecured access and ensure rigorous identity and privilege management.
7. Declaring the budget share allocated to digital and cybersecurity
At the heart of this initiative is a focus on resource allocation and technological modernization. Healthcare establishments are now required to dedicate at least 2% of their total budget to cybersecurity and digital infrastructure. This directive aims to modernize infrastructure, upgrade outdated systems, and strengthen defenses through advanced threat detection capabilities, such as continuous monitoring and “Zero Trust” architectures.
This requirement ensures stable funding and prevents cybersecurity from being sidelined in budget decisions.
Towards successful compliance
The CaRE program leaves no room for improvisation or ad hoc measures. Cybersecurity is now a central pillar of hospital governance, and compliance is a strategic lever for ensuring resilience against cyberattacks.
CISOs and IT directors now have a clear roadmap to structure their efforts. This transformation should not be seen as an additional regulatory burden but as an opportunity to strengthen the sector’s robustness against increasingly sophisticated threats. The protection of patients, continuity of care, and security of digital infrastructures are at stake—and implementing the CaRE program is the key to achieving these goals.