ANS obligations for ENS

Digital health companies (ENS) are essential players in the French health system. They develop and provide digital products and services that improve the quality of care, the efficiency of organizations and patient participation.

To guarantee the security and proper functioning of these products and services, the ANS, the Digital Health Agency, imposes a certain number of obligations on ENS.

These obligations are defined by the General Data Protection Regulation (GDPR), by the National Digital Health Strategy and by standards and technical guides published by the ANS.

Perform a Pentest

Data security obligations

Data security is the top priority of ENS. They must put in place appropriate technical and organizational measures to protect the personal health data they collect, process or store.

These measures must be designed to prevent the risks of destruction, loss, alteration, unauthorized, accidental or illicit disclosure or access. Here are some examples of measures:

Examples of security measures that ENS can put in place

Strong user authentication, for example via one-time password (OTP) or biometric authentication.
Encryption of data in transit and at rest.
Data segmentation, in order to limit access to sensitive data.
The establishment of an access management policy, in order to control access to data by users.
Implementation of a business recovery plan, in order to guarantee the continuity of data processing in the event of an incident.
Carry out security audits and pentests, in order to identify the vulnerabilities of a computer system as hackers would do

Examples of security measures specific to health data

The use of pseudonymization or homomorphic encryption, in order to make health data unidentifiable.
Implementation of security measures specific to connected medical devices, such as protection against electromagnetic interference or protection against cyberattacks.

Interoperability obligations

Interoperability is the ability of two or more systems or applications to communicate and exchange data efficiently and securely. It is essential to guarantee the fluidity of data exchanges between the different players in the health system.

ENS must ensure that their products and services are interoperable with other health systems and services. To do this, they can use standards and technical guides published by the ANS.

Examples of standards & technical guides

The simplified health information systems interoperability standard (SDIS).
The health application interoperability technical guide (GTIAS).
The technical guide for interoperability of connected medical devices (GTIDMC).

Standards Compliance Obligations

ENS must respect the standards applicable to their products and services. These standards can be defined by the legislator, by standardization organizations or by health professionals.

The ANS may impose standards compliance requirements on ENS as part of its missions.

Examples of standards applicable to ENS

The ISO/IEC 27001 standard, relating to the security of information systems.
The ISO/IEC 17088 standard, relating to health data security management systems.
The EN 13942 standard, relating to connected medical devices.

Other obligations for ENS

In addition to the obligations mentioned above, ENS may also be subject to other obligations, depending on the nature of their activities.

For example, ENS that develop digital medical devices must obtain a marketing authorization (AMM) from the ANSM.

Sanctions for non-compliance with obligations

ENS which do not respect their obligations may be subject to sanctions, in particular administrative or criminal.

Administrative sanctions can take the form of a fine, an injunction or a suspension of activity.
Criminal sanctions may take the form of a fine or imprisonment.

A need for an IT security audit?

Our team of IT security experts is ready to offer you the audit that best suits your needs and your business.

Your satisfaction and security are our priorities.

Contact us!

+33 1 85 09 15 09