CaRE

The CaRE program (“Cybersecurity, Acceleration and Resilience of Healthcare Establishments”) is the national program aimed at strengthening the cybersecurity of healthcare institutions. Launched in 2023, it pursues a very concrete objective: reducing the likelihood of a major incident and, above all, reducing its impact when it occurs, in order to preserve continuity of care, patient safety, and the operational capacity of healthcare facilities.

In a context where information systems have become essential to the daily operation of hospitals (EHR, imaging, prescriptions, laboratories, admissions, billing), CaRE addresses a field reality: a cyberattack is no longer an exceptional event, but a systemic risk.

If CaRE had to be summarized in a single image, it would be that of an operating room: you may have excellent teams, but without formalized procedures, regular training, and proven recovery capabilities, when everything goes down, continuity of care becomes a gamble.

What is the CaRE program?

CaRE structures a 2023–2027 roadmap combining operational requirements, national governance, and funding mechanisms conditional on achieving measurable security objectives. It relies on national reference frameworks, binding instructions, and centralized monitoring mechanisms.

The challenge is not merely to “conduct audits” or respond to a call for projects, but to establish a sustainable, traceable, and governance-driven security posture, with clearly identified responsibilities and evidence of implementation over time.

What are the CaRE funding mechanisms and milestones?

01. Domain 1 (D1) – Technical audits: technical directories and Internet exposure

An initial mechanism targeted two weaknesses frequently exploited in healthcare attacks: Internet exposure and technical directories (Active Directory). These vectors have historically been preferred entry points for attackers, particularly in ransomware scenarios.

The budget allocated to this domain is EUR 65 million. It was launched in March 2024, with a validation and closure milestone set at June 30, 2025. Healthcare institutions were required not only to carry out the actions, but also to demonstrate that a target security level had been reached.

02. HospiConnect domain

A “HospiConnect” mechanism was announced with a budget of EUR 1.4 million, focused on securing electronic identification use for healthcare professionals, in line with national identity and authentication roadmaps in healthcare.

03. Domain 2 (D2) – Business continuity and disaster recovery strategy

The second pillar clearly strengthens the resilience axis, with a focus on backup strategy, real recovery capability after an incident, and demonstration through testing. The objective is to ensure that an institution is able to restart from a clean information system after a compromise.

What are the requirements of the CaRE program?

The operational requirements expected from healthcare institutions are formalized in particular by instruction DNS/2025/12 of January 22, 2025. The approach is deliberately pragmatic: CaRE does not ask for “a document”, it requires actions, evidence of implementation, and continuous improvement. Requirements concern both effective execution and the ability to demonstrate, over time, the progression of the institution’s cyber maturity.

01. Conduct an annual cybersecurity crisis exercise

The institution must organize at least one annual cybersecurity crisis exercise involving decision-makers (executive management, CIO, CISO, communications, critical business units). The objective is to test decision-making chains, crisis communication, and team coordination.

A lessons-learned report must be formalized, analyzed, and improvement actions integrated into the Quality Improvement Plan (QIP). Completion of the exercise and its outcomes must be reported on the national healthcare IT monitoring platform.

02. Perform a self-assessment against priority cyber measures

The institution must declare at least annually its level of maturity with regard to priority cyber measures on the national healthcare IT monitoring platform. This self-assessment makes it possible to identify gaps, prioritize actions, and manage remediation plans.

Actions resulting from this assessment must be integrated into the QIP, ensuring that cyber maturity is not merely a technical indicator but a genuine quality and risk management steering tool.

03. Regularly conduct security audits of certain IT infrastructures

The instruction sets concrete expectations: registration with the SSI Club led by ANSSI, registration with the SILENE service, and execution of an ADS (Active Directory Security) audit at a minimum quarterly frequency for all directories. It also defines a remediation and measured progression approach, with a target minimum score for Active Directory security.

04. Formalize a BCP and DRP for all healthcare institutions

By the end of June 2025 at the latest, the institution must implement the BCP/DRP approach through formal governance: designation of a BCP/DRP owner, a framing letter signed by executive management, and establishment of a steering committee.

By the end of June 2026, the institution must formalize business impact analyses (BIAs) for all critical care services (emergency, surgery, etc.) and medico-technical services (pharmacy, imaging, laboratory, etc.).

By the end of June 2027, BIAs must be extended to all remaining care, administrative, and logistics services, and a global framework PCRA (business continuity and recovery plan) must be formalized covering all services.

05. Integrate cybersecurity into quality and risk management

Cyber actions must be integrated and monitored within the QIP, including remediations from audits, improvements from crisis exercises, phased construction of the PCRA, and actions required to meet priority measures.

06. Comply with identification and authentication reference frameworks

07. Calculate and report the share of the budget dedicated to digital

The institution must calculate the share of its overall budget dedicated to digital and the number of FTEs allocated to information system security, then enter these figures annually on the national monitoring platform once the annual accounts have been closed.

How to prepare for CaRE?

Achieving CaRE compliance means avoiding a “paperwork” or “isolated project” effect and instead managing a coherent long-term program. An institution can succeed with CaRE if it implements a realistic roadmap aligned with operational constraints, clear priorities, documented evidence, and regular testing.

Assess your situation

Identify exposed perimeters, directories, sensitive services, and dependencies, then establish a maturity baseline aligned with the instruction requirements.

Conduct a risk analysis and prioritize

Perform a pragmatic risk analysis focused on the most costly healthcare scenarios (ransomware, identity compromise, unavailability, workstation/server compromise, third-party access), and translate this analysis into a prioritized treatment plan.

Implement priority technical measures

Reduce external attack surface, harden and monitor Active Directory, strengthen privileged account management, industrialize patching, and establish evidence (logs, tickets, audit reports, indicators).

Build resilience through BCP/DRP and testing

Document, but above all test: backups, restoration, recovery scenarios, dependencies, crisis communications, and the ability to return to a “clean” information system after compromise.

Train and continuously improve

Conduct the annual exercise, analyze feedback, integrate actions into the QIP, and measure progress through recurring audits and controls.

How Ziwit supports you on CaRE

At Ziwit, our CaRE approach is deliberately operational and evidence-driven. The goal is not to produce theoretical or purely documentary compliance, but to concretely secure the information system and demonstrate that the institution knows how to detect, resist, and recover after a cyber incident.

In addition to our services, Ziwit is also the publisher of the HTTPCS platform, dedicated to continuous security monitoring, exposure analysis, and vulnerability detection. This platform can be integrated into the CaRE roadmap to enhance visibility over attack surfaces, support audits, and provide actionable indicators for IT and CISO teams.

CaRE technical audits (D1): Internet exposure and Active Directory

We perform technical audits and hardening missions aligned with CaRE expectations and ANSSI practices. For Internet exposure, we cover mapping of exposed services, configuration of equipment and applications, authentication mechanisms, remote access, TLS encryption, and commonly exploited healthcare attack vectors.

On Active Directory, we address overall hygiene, privilege management, GPOs, attack paths, trust relationships, and reduction of lateral movement capabilities. These audits follow a measured progression and prioritized remediation approach.

Ziwit is ANSSI PASSI certified, enabling us to deliver recognized penetration tests and security audits adapted to hospital environments and compliant with regulatory requirements.

BCP / DRP, BIA, PCRA: turning requirements into real capability

Our BCP/DRP support always begins with a risk analysis based on the EBIOS Risk Manager method, to identify the most critical cyber threat scenarios for the institution (ransomware, privileged identity compromise, prolonged EHR unavailability, loss of medico-technical services, etc.). This step directly links care and business challenges to real IT dependencies.

Based on this, we conduct a critical review of existing materials (BCP/DRP documentation, IT procedures, technical DRPs, backups, outsourcing contracts), then update or draft an operational BCP/DRP, structured by scenarios with realistic RTO/RPO objectives.

Our BCP/DRP specificity lies in a focus on real recovery capability: integration of application dependencies, consideration of identities and directories, coordination with critical service providers, and restoration and recovery testing to move from documentation to an actionable crisis runbook. We also support BIA rollout and progressive construction of the framework PCRA, in line with CaRE milestones.

SOC & incident response: reducing time between intrusion and reaction

Within CaRE, the ability to detect and respond quickly is a key factor in reducing impact. Our SOC offering is based on an integrated approach combining SOC, CTI, and CSIRT, covering the entire chain from anticipation to remediation.

The Ziwit SOC includes a Cyber Threat Intelligence (CTI) unit monitoring threats targeting the healthcare sector (ransomware, phishing campaigns, opportunistic APTs), and a CSIRT capable of supporting incident response from investigation through crisis management.

Our SOC is vendor-agnostic: we integrate with existing tools (SIEM, EDR, probes, firewalls, IAM) without vendor lock-in, leveraging existing investments and avoiding technology sprawl. Support is continuous, with indicators, regular reviews, and a continuous improvement logic for detection and response posture.

Awareness, crisis exercises, and maturity uplift

Phishing is often the entry point, but impact depends on human and organizational response. We design targeted awareness programs (clinical staff, administrative teams, IT, executive management) aligned with real-world usage and threat scenarios.

We also support institutions in preparing and running cybersecurity crisis exercises in line with CaRE requirements, to test governance, internal and external communication, and partner coordination. The objective is to turn exercises into a lever for continuous maturity improvement, integrated into the QIP.

A need for an IT security audit?

Our team of IT security experts is ready to offer you the audit that best suits your needs and your business.