CHU de Lille with myCarto
Mapping the Information System to Improve Patient Care and Strengthen Cyber Resilience
About CHU de Lille...
- 3,250 beds and care units, the largest capacity of any single university hospital center in France
- 10 healthcare organizations grouped within a Regional Hospital Group (GHT), with CHU de Lille serving as the lead institution
- 115 employees within the Digital Resources and Information Systems Department (DRNSI)
- 525 business applications documented and managed
Discover how CHU de Lille, the lead institution of a Regional Hospital Group comprising 10 healthcare organizations, relies on myCarto to manage a portfolio of 525 applications, strengthen NIS2 compliance, and support information system convergence across its healthcare territory.
Background: Three Key Drivers Behind the Mapping Initiative
Information System Architecture and Urbanization is not a new topic for CHU de Lille. A first solution had previously been tested, but the initiative never fully took off due to excessive complexity, high costs, and limited user adoption.
The real turning point came in late 2022 when Thomas Aubin, CISO of both CHU de Lille and its Regional Hospital Group (GHT), discovered myCarto (then known as SoluQIQ) during a discussion with a counterpart from SESAN. The value proposition immediately resonated.
With myCarto, I found the multidimensional mapping capabilities required by ANSSI’s framework: network mapping, data flow mapping, server mapping, process mapping, and application mapping. That comprehensive approach immediately appealed to me.”
Thomas Aubin – CISO, CHU de Lille
Three major factors then converged, making Information System mapping a strategic priority :
NIS2 Compliance
CHU de Lille is classified as an Essential Entity under the French cybersecurity framework ReCyF (REférentiel CYber France) published by ANSSI.
Among the twenty security domains defined by the framework, one is almost entirely dedicated to Information System mapping. Compliance is no longer optional.
Complex Infrastructure Operations
Two successive core network redesign projects highlighted a recurring challenge: without a consolidated repository, assessing the impact of an outage required dozens of stakeholders to manually cross-reference information scattered across multiple silos.
“During both major infrastructure projects, we felt like we were repeating the exact same work every time.”
Magali Verschelde-Delettrez – Head of Application Portfolio Management, Information System Urbanization and Mapping
The Armentières Hospital Cyberattack
In 2024, one of the hospitals within the Regional Hospital Group suffered a major cyberattack. Nearly 95% of its Information System was encrypted, resulting in more than six months of recovery efforts.
“Reconciling information during a cyberattack, while under pressure from every direction and without a consolidated repository, is extremely difficult. The lack of a single source of truth was one of the key lessons learned from what happened in Armentières.”
Thomas Aubin – CISO, CHU de Lille
Why CHU de Lille Chose myCarto: Flexibility and Automatically Generated Maps
The implementation of myCarto and the strengthening of Information System Urbanization were jointly sponsored by the CISO and Magali Verschelde-Delettrez, who manages Information System Urbanization on a part-time basis alongside her responsibilities as Application Portfolio Manager.
Compared with previous approaches, myCarto offered two decisive advantages:
- Floating licenses, providing flexibility and encouraging collaboration among more than 210 active users.
- Automatic map generation, where information entered into repositories is automatically reflected in the various visualizations and diagrams.
What convinced me about myCarto is that the maps generate themselves. You create an application record, and visualizations are automatically generated for all applications without having to draw them one by one. It’s incredibly powerful.”
Magali Verschelde-Delettrez – Information System Architect, CHU de Lille
A Pragmatic Approach to Information System Mapping: Show First, Ask Later
The deployment strategy adopted by CHU de Lille deliberately reversed the usual approach. Before asking teams to populate the repository, the Digital Resources Department (DRN) first demonstrated the value they would gain from it.
“We showed people how the information could benefit them before asking them to enter any data. If people don’t see the value, the information quickly becomes outdated. Not because of bad intentions, but simply because there is always something else to do.”
Magali Verschelde-Delettrez
This same philosophy guided the functional rollout of the solution. Each new feature was refined, tested in real-life situations, and then made available to users. As teams continuously saw the platform evolve, they gradually adopted new use cases and integrated them into their daily work.
The Mapping Architecture: Layers and Use Cases
The data model was built from two sources: ANSSI requirements within the NIS2 framework and the practical needs expressed by individual teams. The result is a tailor-made approach, free from externally imposed methodological constraints.
The Application Layer: The Foundation
The starting point was an already well-structured application inventory, with a unique identifier assigned to each application and linked to the procurement repository. This contractual reference point enabled a rapid initialization of myCarto.
Today, 525 applications are documented, including business contacts, technical owners, contractual information, and data flows.
The Infrastructure Layer
CMDB data is imported regularly into myCarto. The objective is to connect each application to its underlying servers, and each server to its physical infrastructure, enabling precise impact analyses during maintenance operations or cyber incidents.
“Our goal is to know whether we need to switch back to a closed network: what is still working, what is no longer working, and in what order systems should be restarted.”
Business Processes
BPMN process modeling is activated whenever needed, particularly during audits. For example, a research department mapped its activities as part of a certification initiative. The quality engineer involved subsequently became a natural advocate of the approach among colleagues.
Business Continuity Plans
Integrated into myCarto, Business Continuity Plans enable teams to immediately identify which services are affected during an incident and determine the appropriate application restart sequence.
In a university hospital where some departments operate around the clock, this information is critical.
“We know exactly which departments are our critical services. We can notify them in advance and work with them to determine the best maintenance window.”
Regional Hospital Group (GHT) Convergence
A functional Land Use Plan (POS) provides visibility into applications shared across the ten healthcare organizations within the Regional Hospital Group. It helps identify redundancies and supports the contractual convergence strategy across the entire network.
Benefits: From Operational Confidence to Cyber Resilience
A Single Source of Truth
Before myCarto, every new project generated its own information requests and dedicated datasets.
Whether for a Windows migration project, an audit, or an infrastructure operation, teams constantly created parallel Excel files that gradually drifted out of sync.
“During workstation operating system migrations, we had to identify compatible applications. We recreated the same list every time. There were around fifty Excel files, all containing different information. With myCarto, the data is centralized, unique, and no longer duplicated.”
Magali Verschelde-Delettrez, Information System Architect, CHU de Lille
Thomas Aubin highlights the same challenge from a cybersecurity perspective:
“When multiple teams manage their own repositories independently, after six months or a year those repositories inevitably become out of sync. Cross-referencing information becomes extremely difficult again. That’s one of the key benefits of myCarto: maintaining a single source of truth over time.”
Greater Autonomy for Teams
External support providers use myCarto to quickly identify the right contacts. Application owners can access the full scope of their responsibilities. The CISO and Data Protection Officer can retrieve the information they need without relying on manual requests or intermediaries.
“What really changed is that people became autonomous in finding information themselves. I spend less time repeating the same answers and receive far fewer requests about information that is already available.”
Magali Verschelde-Delettrez, Information System Architect, CHU de Lille
Peace of Mind Before High-Risk Operations
As the infrastructure layer continues to be enriched, the objective is to orchestrate maintenance operations with greater reliability: knowing exactly what needs to be shut down, in what order, and ensuring that nothing is overlooked.
“What we gain above all is security. And, more importantly, peace of mind before an operation. We reduce the risk of human error and the possibility of overlooking a critical application.”
Magali Verschelde-Delettrez
For Thomas Aubin, the ability to project oneself into critical situations makes it easier to prepare for incidents and refine both Disaster Recovery Plans (DRP) and Business Continuity Plans (BCP).
“Once you have an established Information System map, you can right-click, simulate the impact, and immediately see the criticality level and the people who need to be informed. It’s much more difficult when you don’t have a single source of truth.”
Information System Mapping: A Cybersecurity Essential
For Thomas Aubin, the question is no longer whether Information System mapping is useful, but rather how quickly organizations should implement it.
“To manage risk, you first need to understand it. And for that, you need a map of your Information System. A CISO without mapping is working blind. I don’t see how anyone can conduct a proper risk assessment without it.”
Thomas Aubin, CISO, CHU de Lille
In the event of a cyberattack, myCarto becomes a genuine crisis management tool. Because beyond technical resilience, a much larger mission is at stake.
“The primary objective of my role as CISO is to ensure that, whatever happens, the hospital can continue caring for patients without compromising the quality of care. That’s what should guide all of our decisions.”
Thomas Aubin, CISO, CHU de Lille
The Relationship with AB+ Software: Tailored Support and Responsiveness
The implementation was carried out alongside an AB+ Software project manager in two phases: an initial structuring phase, followed by several months of autonomous adoption, and then a targeted support phase focused on more advanced requirements.
“The support team is extremely responsive and answers our questions precisely. I’ve never had a single call where I needed to explain the issue a second time. What I really appreciate is that they take the time to understand how we work rather than trying to impose a preconfigured approach.”
Magali Verschelde-Delettrez, Information System Architect, CHU de Lille
Advice from an Information System Architect and a CISO
For Thomas Aubin, Information System mapping is no longer optional and should be approached as a strategic initiative rather than simply a software project.
Thomas Aubin’s Recommendations
- Invest in an Information System Architect. Building a meaningful metamodel requires a cross-functional understanding of IT and business operations. This role makes all the difference. Once the framework is in place, the tool can fully deliver its value.
- Do not underestimate the internal effort required. Even the best tool cannot do everything on its own. Success requires dedicated resources, time, and a genuine commitment from the organization.
- Do not postpone the initiative. Information System mapping is essential, not optional. The longer you wait, the longer you continue operating without full visibility.
Magali Verschelde-Delettrez’s Recommendations
According to Magali, four principles are critical for a successful Information System mapping initiative:
- Define the metamodel upfront based on the questions you want to answer and the analyses you need to perform. Major changes later can have significant consequences.
- Capture only useful information. Information collected without a clear purpose quickly becomes a burden.
- Start small and enrich over time. A limited amount of reliable information is far more valuable than a large volume of inaccurate data.
- Demonstrate use cases first. Adoption comes from perceived value, not from being told to enter data.
Bonus Question: What's Your Favorite myCarto Screen?
For Thomas Aubin, the answer is immediate: the POS (Land Use Plan).
“The POS is truly impressive. You can zoom in, click on elements, and instantly access information. That’s something Excel, PowerPoint, or Visio simply can’t provide.”
Thomas Aubin, CISO, CHU de Lille
For Magali Verschelde-Delettrez, the answer is the business dashboards.
The Digital Resources Department (DRN) has created dedicated dashboards for each major domain, providing an at-a-glance view of applications, associated documentation, contracts approaching renewal, and documents requiring updates.
“Our goal is for myCarto to become everyone’s first reflex. Whenever someone needs information about IT, they know exactly where to find it.”
Magali Verschelde-Delettrez, Information System Architect, CHU de Lille
Additional Information
Learn more about CHU de Lille on its official website: https://www.chu-lille.fr
