By: Stéphane Duguin, CEO of the CyberPeace Institute
Despite a long series of wake up calls, healthcare is still targeted by cyberattacks. As healthcare professionals take care of our lives, their security is our collective responsibility. Help us to shed light upon the reality of the facts: If you have been impacted by a cyberattack, please contact us.
What was long feared has finally happened. The healthcare sector, already under stress due to COVID-19, is facing systemic, repeated cyberattacks that do not just endanger systems: they are a direct threat to human life. During September 2020 only, we saw the tragic death of a patient in the aftermath of a ransomware attack in Duesseldorf University Clinic, and the crippling of 250 hospitals run by Universal Health Services (UHS) in the United States.
After documenting one attack per day at the peak of the COVID-19 pandemic, we saw evidence of a rapid escalation. This should serve as the final wake-up call that CyberPeace is an absolute urgency.
Tracking such accountability cannot happen in a vacuum. It takes action from every actor involved. Recognising that States bear a unique responsibility, the CyberPeace Institute hosted a public pledge asking governments to better protect their healthcare organisations against cyberattacks. At the same time, we launched the Cyber 4 Healthcare program with several industry partners in order to provide free cybersecurity assistance to healthcare organisations anywhere in the world. To date, the program has received more than 100 requests for help.
Whilst these initiatives are filling a tremendous gap, this is obviously not enough. The last two weeks of September alone have demonstrated that more should be done, and urgently.
A cyberattack on Duesseldorf Hospital
Earlier this month, a ransomware gang encrypted 30 servers at the Duesseldorf University Clinic, forcing it to postpone operations and redirect emergency patients to alternative hospitals or healthcare facilities. One such patient with a life-threatening condition, died. German prosecutors have since opened an investigation into “negligent homicide” to probe the link between the death and the ransomware attack.
The Duesseldorf attack highlights the systemic vulnerability of the healthcare sector, which has gone unheeded in the past. For example, in October 2019, the Health Minister of North Rhine-Westphalia received a warning by the German Federal Office for Information Security (BSI) of the growing threat towards hospitals and was urged to modernize hospital IT security in North Rhine-Westphalia.
An attack on Universal Health Services in the US
A computer outage sent the major hospital chain Universal Health Services into chaos last Sunday. The company took down systems used for medical records, laboratories and pharmacies across about 250 of their U.S. facilities to halt further spread of the malware attack, Universal Health President Marc Miller said in an interview to WJS.
Although UHS said in its first public statement that there was no disruption to patient care as employees turned to backup protocols including paper documentation, initial reports on various news outlets suggest otherwise. It has been reported that patients are being turned away and emergencies are being redirected to other facilities. Employees are being told it could be several days before the IT systems are operational again.
A call for testimonials
These events are tragic symptoms of a systemic issue. Are we going to accept that attacking hospitals is a normal feature of the Internet?
This situation has to change and you can help. To ensure that all actors are following their responsibilities and commitments, the impact of attacks should be documented, and the voice of the victim needs to be heard.
This is why we are calling on all people who have experienced real-life consequences of such attacks to share their stories. If you have been impacted, or witnessed your health provider being impacted, you can contact us at: [email protected]
A lack of accountability in cyberspace
While many facts surrounding recent incidents remain to be verified, a few things are clear:
- While the healthcare sector has long been at risk from cyberattacks, the harms to human security are heightened during health crises like the COVID-19 pandemic, when people across the world are particularly reliant on health services.
- Cyber operations that disrupt healthcare services are a direct threat to human security, which is vital to CyberPeace. Recent events evidence an emerging trend: cyber operations increasingly put human lives in jeopardy.
- Just as we all benefit from cyberspace, we all have a role to play in protecting it — and this is no less true in the context of the complex and heavily interconnected digital ecosystem supporting healthcare.
- Similarly, everyone from government officials to healthcare administrators to doctors and patients has a role to play and a responsibility to uphold. Increasing accountability for these responsibilities is our best hope for protecting human security, dignity and equity in cyberspace
Who are we
The CyberPeace Institute is an independent, non-profit organization with the mission to enhance the stability of cyberspace. It does so by supporting vulnerable communities, analysing attacks collaboratively, and advancing responsible behaviour in cyberspace.
- We assist vulnerable populations.
- We analyse and document impacts of attacks on human life and how they violate the rules of law.
- We forecast future threats in cyberspace.
- We provide knowledge about the obligations of all actors, including States.
- We advance responsible behaviour.
- We share the voice of those who cannot speak.
Copyright: The CyberPeace Institute