PGSSI-S - General Security Policy for Health Information Systems

The legal framework for good security practices

What is PGSSI-S?

The PGSSI-S (General Security Policy for Health Information Systems) documentation sets out a framework of eHealth security guidelines, standards and good practices.

Digitising the health sector has globally improved the patient care process. However, the State has put into place a policy of risk management to prevent potential threats. The ANS has issued a framework to secure eHealth practices, both for patients and professionals. It has several goals: 

  • Set out a framework project leaders can refer to when setting the required security standards;
  • Enable industrial companies to specify the security levels in their products or services;
  • Support healthcare facilities in defining and implementing their own information system security policies.

There are many benefits in abiding to the PGSSI-S guidelines when you create your products or services for the health, social-health and social work sectors:  

  • Making sure the security compliance requirements approved by the Ministry of Health are respected; 
  • Following the good practice guidelines, using the PGSSI-S guidebooks at your disposal, to meet the general security rules set out by the public health code, the "Informatique and Liberté” bill (Computing & Freedom) and the GDPR;
  • Meeting the criteria required to receive a label or certification in these sectors;
  • Encouraging your clients to follow their own good practice obligations in terms of health Information System security;
  • Contributing to improving user data security, the image of health industrials, and client satisfaction.

PGSSI-S in 1 click 

Discover and use the PGSSI-S in 2 Minutes

The PGSSI-S is made of reference toolkits and opposable documents that set out the requirements involved in all aspects of health Information System security, as well as guides and practical support material which include guidelines about data protection.

These toolkits and practical guides are divided into levels: a minimal level and progressive levels. The aim of these documents is to make it easier for you to improve gradually the security level of your projects.

The PGSSI-S is updated frequently to adapt to industrial and technological evolutions, usage, and regulatory changes.

The PGSSI-S Documentation Corpus in 3 Steps

Step 1

Read the toolkits (opposability) and guides (recommendations) that apply to the product or service being developed or distributed

Read the Guides and Toolkit Corpus

Step 2

Apply the requirements of the relevant toolkit and take into account the guides recommendations on your proposed product or service’s life cycle, from its conception to the end of its use.

Step 3

Should the product be eligible, apply for the Ségur label

Useful documentation

Latest toolkits:

Toolkit for digital identification of users (in French) (zip - 591.18 KB)

Toolkit for digital identification of workers in the sanitary, medico-social and social work fields (physical persons) (in French) (zip - 739.4 KB)

Toolkit for digital identification of workers in the sanitary, medico-social and social work field (moral persons) (in French) (zip - 592.57 KB)

Read all the guides and toolkits available

Key service dates

T1 2022

The Accountability Framework is updated

T1 2022

The e-Identification Toolkits for professionals of the health, medico-social, and social work sectors (for both moral and personal entities) are published

T1 2022

The e-Identification Toolkit for Users is published

2022

The Access Control Toolkit is published

Frequently Asked Questions

The ANS answers the most common questions about PGSSI-S

Read FAQ about PGSSI-S (in French)

[ Date de mise à jour : 1 Jul. 2022 ] Product / Service : PGSSI-S - General Security Policy for Health Information Systems Category: Cybersecurity

Generally speaking, the PGSSI-S needs to be applied as soon as personal health data are being handled. It is relevant to the public sector as well as the private sector, health professionals, workers of the social-health and social sectors, healthcare establishments and service providers. 

As a patient, the PGSSI-S is a seal of guarantee on the accountability of digital health ecosystems.

[ Date de mise à jour : 29 Jun. 2022 ] Product / Service : PGSSI-S - General Security Policy for Health Information Systems Category: Cybersecurity

There is a specific FAQ on this topic, accessible here:

Go to the FAQ (in French)
[ Date de mise à jour : 26 Jun. 2022 ] Product / Service : PGSSI-S - General Security Policy for Health Information Systems Category: Cybersecurity

Complying with the PGSSI-S frames of reference is either required by law (if the documents have been approved by a ministerial decree) or meant to be followed on a short-term basis until the documents are approved by the ministry.

[ Date de mise à jour : 26 Jun. 2022 ] Product / Service : PGSSI-S - General Security Policy for Health Information Systems Category: Cybersecurity

The PGSSI-S guides are not meant to be opposable. However, it is strongly recommended to meet as many of the criteria as possible, in order to create secure enough products and services, and stay in line with the general guidelines set out by the public health code and the GDPR. Moreover, it makes the compliance requirements easier to meet when you apply for a label or a certification, or request to be listed in the health professionals directories.

Partners

Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI)

Was this page useful to you?

The information you provide in this questionnaire will be saved by the ANS into a digital database in order to optimise our website and improve our services.

The information saved is only to be used by the ANS and is only accessible to its services, its staff, and third-party providers authorised to consult it.

According to the regulation applicable in terms of personal data protection, you have the right to access, modify and erase your data. To do so, you may contact our Data Protection administrator, following the conditions set out in the page Personal Data Protection Policy on the ANS website.