CyberPeace Lab: Protecting the Health Sector against Cyberattacks

CyberPeace Institute

Regardless of any period of crisis, the health sector and its supply chain are the hardest hit. The COVID-19 pandemic is no different. Why is the health sector susceptible to cyberattacks and what are the main challenges in documenting them?

ModeratorStéphane Duguin, CEO of the CyberpPeace Institute. 


  •  Anastasiya Kazakova, Public Affairs Manager at Kaspersky; 
  • John Todd, Executive Director of Quad9 of the Global Cyber Alliance; and 
  • Serge Droz, Chair of the Forum of Incident Response and Security Teams.

Information Communication Technology (ICT) security is a low priority in the budget planning of the healthcare sector: The healthcare systems operate on a tiny budget compared to the responsibilities they have to take on, and ICT is very low in the budget agenda. Serge Droz said thatthe sector is challenged by a strong hierarchy where physicians are more respected and heard then IT personnel.

“The aviation industry has already realized the importance of ICT security, the same has to happen also in the healthcare sector,” said Serge Droz, Chair of the Forum of Incident Response and Security Teams.

Ransomware attacks expose holes in the design of medical IoT devices and reveal a lack of awareness: Modern medical devices are fully functional computers with operating systems and apps. By their design, the software is written to treat people, often overlooking the cybersecurity aspects. Anastasiya Kazakova stated that IT infrastructure of modern hospitals is not properly organized and protected, caused by the low cybersecurity awareness of the hospital personnel and a lack of international security standards for medical IoT devices. 

Roughly 30 per cent of medical technology is infected (Kaspersky): A majority of medical devices are connected to the Internet, from MRI scanners to cardiology equipment. These devices still operate under the Windows XP OS and have dozens of old, unpatched vulnerabilities that can lead to the full compromise of a remote system. Anastasiya Kazakova pointed out that in some cases these devices have unchanged default passwords that could easily be found in manuals published on the Internet.

Ad-hoc expansion of supply chain adds new vulnerabilities:  As countriesstruggle with responding to the COVID-19 pandemic, tech communities try to come up with quick solutions to ease up the situation. Stéphane Duguin described that the ideas are realized within days without proper analyses and testing, resulting in greater cybersecurity vulnerability. 

Cyber attackers use psychology not code to attack the health sector:  Hospitals are attacked for ransom, not because of their security vulnerabilities but because of the overworked and stressed staff who are more likely to click on a file they shouldn’t be clicking on. John Todd mentioned that alsoworking from home has exposed people in the new way as are emerging from behind the protective barriers of the office environment. 

“We observe growing numbers of targeted APT attacks against medical research institutes and pharmaceutical companies conducting innovative research. State actors have also launched attacks against health institutions for intelligence gathering,” Anastasiya Kazakova, Public Affairs Manager at Kaspersky

Criminals go after data and research and hold it to ransom: Hospitals are operating with an abundance of data, including patients’ personal data, and a complex network of internet-connected devices, including medical equipment and staff’s and patients’ personal devices. Anastasiya Kazakova explained that the current modus operandi is to facilitate the attack to ransom as the hospitals are more willing to pay to decrypt their data. A recent trend shows an increase in targeting pharmaceutical companies, medical research universities and labs with the aim of gathering significant information, such as about a vaccine, and holding it or selling it on the black market. 

Hospitals hide attack details making it difficult to analyze and find those who are responsible: Thefirst COVID-19 attacks against a Czech hospital showed that healthcare providers are not ready to share details about attacks. The fact that the hospital was forced to shut down its entire IT network proves that the data breach was significant, according to Kaspersky analyses. Information about the nature of the incident would have helped to identify the threat and the attacker and help others avoid similar attacks. 

Voluntary cooperation is stressing the need for a clear goal and trust among partners: Collaboration like in the CTI-League is a welcomed development as threat intelligence providers, who are often competitors of the industry, are sharing threat mitigation data and models for free.  Serge Droz emphasized that the cooperation to succeed after the end of the current pandemic requires a clear common goal and trust. 

“My hope is that we can see this kind of collaboration continue even after the crisis. I am very optimistic based on what I see at the moment – threat intelligence communities are sharing methodologies, data and certain types of IOC more widely than ever before,” said JohnTodd, Executive Director of Quad9 of the Global Cyber Alliance

Global incident information sharing is the key for closing the accountability gap: The COVID-19 pandemic and self-isolation pose additional challenges as the incident response is no longer possible to conduct physically, onsite. Experts concluded that in order to improve the incidence reports, greater data sharing is needed among cyber intelligence providers, also there is a need for international trusted platforms or communications channels to report on the incident, share intelligence data and come up with mitigation solutions for vulnerable populations like the front-line healthcare providers are at the moment. 

The CyberPeace Institute is an independent, non-profit organization with the mission to enhance the stability of cyberspace. It does so by supporting vulnerable communities, analysing attacks collaboratively, and advancing responsible behaviour in cyberspace.

Copyright: The CyberPeace Institute

© Copyright 2023: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.


Support the CyberPeace Institute

Individual lives can be changed dramatically by the acts of cyber criminals. We need your support to assist victims of cyberattacks in the NGO, humanitarian and healthcare sectors.


Subscribe to our newsletter

Receive monthly news on what’s happening at the Institute: our impact, publications, events and important milestones.