Privacy Daily is a service of Warren Communications News.

France's CNIL Seeks Input on Proposal for Securing Electronic Patient Records

French data protection regulator CNIL launched a consultation on a draft recommendation about how healthcare institutions should handle electronic patient records.

The proposed recommendation is aimed in particular at data protection officers and their advisers on the protection of personal data, information systems managers and general management of public and private health facilities, CNIL said. It addresses, among other things, the creation of teams to determine the exchange and sharing of health information between professionals involved in a patient's care; data protection obligations for subcontractors; and requirements for multifactor authentication, CNIL said. Comments are due May 16.

Electronic patient records are of particular concern because they centralize data of all patients within a health establishment, the regulator said. Given the sensitivity and volume of that data, it must be protected through stronger security measures, it added.

In addition, healthcare data is a major target of bad actors. For example, notifications of personal data breaches by hospitals jumped from 16 in 2018 to 196 in 2024, CNIL said, and last year, massive leaks took place on an unprecedented scale. Some cyberattacks led to the complete blocking of the information systems of several large institutions, it noted. CNIL was also alerted several times about illegitimate access to patient data contained in their electronic health records, it said.