General Security Policy for Health Information Systems (PGSSI-S)

The General Security Policy for Health Information Systems (PGSSI-S) sets out the security standards for eHealth services.

Politique générale de sécurité d’information de santé

Since 2012, the General Security Policy for Health Information Systems (PGSSI-S) has been setting out the relevant standards and good practices as well as a common framework for Information System security in the health sector. 

It informs all those working in the health and social care sectors of the regulations in force and the good practices to follow.

The PGSSI-S is a project of great strategic importance and is being supported by both the Ministry of Health and the Agence du Numérique en Santé, which are consulting widely on these issues.

Elaboration of the general security policy for health information systems (PGSSI-S)

For several years, the French government has been elaborating a PGSSI-S in consultation with the eHealth sector in order to deal with the risks posed to Information Systems. 
The PGSSI-S is a collection of reference documents that complies with the eHealth legal framework and the IT security policy of the Ministry of Health (FR MoH).

It sets out a framework to which project leaders can refer when setting the required standards, enabling industrial companies to specify the security levels contained in their products and helping healthcare facilities to define and implement their own Information System security policies.

The documents contained in the PGSSI-S are the fruit of working groups consisting of representatives from institutions, healthcare establishments and industrial companies as well as healthcare professionals. A steering committee composed of representatives from the Ministry of Health (FR MoH), the French National Health Insurance Fund (CNAM), the French National Solidarity and Autonomy Fund (CNSA), the French Data Protection Authority (CNIL) and the French National Cybersecurity Agency (ANSSI) has been overseeing and monitoring the discussions.

All documents are submitted by the Agence du Numérique en Santé for consultation to industrial companies, healthcare establishments and professionals, and members of the general public. Once their comments have been taken into account, an approved version is posted in a dedicated space on the ANS official website (in French).
It is regularly updated to take account of industrial, technological and regulatory developments and to adapt to new use cases.

The structuring of the PGSSI-S reference documents

The PGSSI-S is based on the core principles that underpin the overarching strategy on IT health systems security. New standards (which will ultimately become legally enforceable) are progressively added to it, as are practical and organisational guides.

The PGSSI-S is intended to be a pragmatic tool, and to this end the standards and practical guides are classified into levels – a minimal level and progressively ascending levels – that will help project leaders to progressively improve the security component of their projects until they reach their target level (defined according to the nature of their project).