Only 15% of establishments have experienced a disruptive cyber incident in the last 3 years, but less than 1 in 6 really felt well prepared at the time of the incident, according to the first national survey, co-constructed by the Digital Health Agency (ANS) with hospital federations, among 719 directors of healthcare establishments.
The Digital Health Agency analyzes, in a survey, the management of cybersecurity in health establishments in the medium term. Only 15% of establishments experienced a disruptive cyber incident in the last 3 years, but few felt well prepared.“Even without any incident, the majority of directors remain clear-eyed about their level of preparation, only 13% say they are well prepared”she notes among her many observations. Generally speaking, the survey highlights “a real hiatus” between the ambitions and the resources allocated in this area. “If cybersecurity is well on the agenda of general management (crisis exercises, information systems security meetings, direct involvement), 42% of directors believe they do not have the necessary means for a suitable prevention plan. This observation is accentuated in public and non-profit establishments”.
The survey also points to a budgetary trade-off unfavorable to cybersecurity: “60% of establishments devote less than 5% of their IT CAPEX to cybersecurity, and more than one in four less than 1%.” In this context, the actions perceived as the most accessible are staff awareness, crisis exercises and document updates.
Well-identified reflexes in the face of the crisis
On the good news side, establishments are showing reactivity: “in the event of an attack, directors favor two responses: the rapid mobilization of technical experts (84%) and the provision of equipment to ensure continuity of care (73%). On the other hand, crisis communication or the support of an experienced peer remain very secondary.” Among the perceived consequences of a cyber incident, the managements surveyed cite continuity of care and patient safety first and foremost. They place quality of life issues at work in third place, because of the stress they induce. Asked about the lessons to be learned: 73% of respondents consider it an absolute priority “the provision of computer and telephone equipment to resume activity”. 84% of them also cite “the identification of technical experts who can be mobilized instantly”.
- Study on the cybersecurity of health establishments, ANS. https://esante.gouv.fr/sites/default/files/media/document/Resultats-enquete-cyber-2025-ANS.pdf
