The International Legal and Normative Frameworks to Defend the Health Sector against Cyberattacks

CyberPeace Institute

Cyber operations that leverage the COVID-19 pandemic are on the rise. The healthcare sector, which is already under greater stress, is among the most at risk from such operations.

In the midst of the COVID-19 pandemic, the uninterrupted functioning of the health care sector and broader health care supply chain (research facilities, medical equipment manufacturers, emergency responders, etc.) is essential to prevent a massive loss of life. As noted in our last blog, the increased stress of the pandemic has opened new avenues that malicious actors can leverage to launch crippling cyber operations against the health sector. Worryingly, a number of cyberattacks have already targeted multiple hospitals, research facilities, and even government and international health organizations — impacting the functioning of numerous facilities.

In this context, it is critical to consider not only operational and technical measures but also to look to the ecosystem of laws and norms as a powerful tool for protecting the health sector.

As the recent Open Ended Working Group (OEWG) initial pre-draft notes, many states, private sector and civil society organizations have reaffirmed their view that international law applies to cyberspace, and overall, existing international laws offer strong protections for the health sector and medical facilities against cyber operations.

However, the effectiveness of these protections may be limited by a number of grey areas, such as differing definitions of key terms and concepts or their application in different contexts.

For example, International Humanitarian Law (IHL) includes clear guidelines for the protection of medical personnel, units, and transports within armed conflicts. As discussed in the OEWG, many states recognize that IHL also applies to cyberspace, and so cyber operations that target medical facilities are prohibited. Yet IHL only applies within the confines of an armed conflict, leaving open the question of protections during peacetime.

International norms are another instrument aimed at promoting responsible behavior in cyberspace, including the protection of critical sectors like healthcare. And while the applicability of these norms is not typically tied to peacetime or armed conflict, there are still other grey areas here. In this context as well, debate continues about the definition of key terms such as “critical infrastructure,” leaving the scope of protections and state obligations unclear.

To address these grey areas, states, private sector and civil society have proposed a number of clarifying measures. For example, the International Committee for the Red Cross has put forward a new norm that would prohibit states from knowingly conducting or supporting cyber operations against the health care sector. Other entities have called for implementation guidance to accompany existing norms, helping to clarify the definition of terms or scope of applicability, while still others have called for new international legal instruments altogether.

Each of these approaches comes with benefits and drawbacks, challenges and compromises – none are a “silver bullet.” And, when adopted, no matter its exact contours, any legal and normative framework for accountability requires a strong and unified appetite for enforcing it. Therefore, it is critical that the international community, first and foremost, understand the different considerations and dynamics at play, conscientiously weigh these issues and work together to determine the best path forward.

For a more in-depth discussion on the international legal and normative framework protecting the healthcare sector, as well as a discussion surrounding the current international appetites for implementing these protections, we invite you to join our upcoming CyberPeace Lab: “COVID-19 INFODEMIC Defending the Health Sector: how cyber operations transgress international norms.”

More information can be found at the event page.

The CyberPeace Institute is an independent, non-profit organization with the mission to enhance the stability of cyberspace. It does so by supporting vulnerable communities, analysing attacks collaboratively, and advancing responsible behaviour in cyberspace.

Copyright: The CyberPeace Institute

© Copyright 2023: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.

