The healthcare sector has become one of the major targets of malicious cyber activity as hospitals and medical facilities have digitized their operations. This trend accelerated during the COVID-19 pandemic, with healthcare providers and vaccine research facilities particularly exposed. In response to these pressing threats, the CyberPeace Institute introduced the Cyber Incident Tracer (CIT) #HEALTH to record and analyse data on cyberattacks against this vital sector and, importantly, on their impact. From June 2020 to November 2022, the Institute aggregated a total of 501 incidents affecting 43 countries around the world, equating to 4.1 attacks each week.[1] While this is only a fraction of the full threat landscape, CIT #HEALTH attempts to bridge the current gap in the understanding of the harm to people that stems from cyberattacks.
Protecting healthcare under the UN normative framework
Normative, legal, and regulatory mechanisms relevant to the use of information and communications technologies (ICTs) matter for the work of healthcare professionals and, by extension, for the care provided to patients. The sector must be protected against malicious cyber activity so that people can access an appropriate standard of healthcare and so that trust in healthcare institutions is safeguarded. The international community has taken important steps towards this goal, first when governments agreed on the importance of protecting critical infrastructure in general under the framework of responsible state behaviour in cyberspace.
In 2015, as part of the United Nations Group of Governmental Experts (GGE) on developments in the field of ICTs in the context of international security, States adopted norms committing all States not to conduct or knowingly support cyber activity contrary to international law that damages or otherwise impairs infrastructure providing essential services to the public (Norm F) and to take appropriate measures to protect their critical infrastructure from ICT threats (Norm G).[2] The GGE framework complements these protections with the norm that "States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs" (Norm C). All States have endorsed these voluntary, non-binding norms of responsible state behaviour through several UN General Assembly resolutions.
Despite this milestone in cyber diplomacy, cyberattacks on the healthcare sector have continued to grow in intensity, sophistication, and scale. Recognizing the unprecedented scope of cyber threats during the coronavirus pandemic, the multistakeholder community issued a Call to Governments to draw attention to the rise of cyberattacks on healthcare and to urge States to take the necessary steps to stop them. Concurrently, a number of States proposed recognizing the healthcare sector as part of critical infrastructure under the applicable cyber norms, and both the Open-ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security (OEWG)[3] and the UN GGE[4] agreed by consensus that healthcare and medical facilities should be explicitly included under critical infrastructure.
Compendium of Multistakeholder Perspectives
Further progress in multilateral fora will depend on the ability of the international community to harness the convening power of the UN to implement existing commitments. To contribute to these efforts, and to stress the importance of multistakeholder partnerships, the Government of the Czech Republic, the CyberPeace Institute, and Microsoft partnered to identify the critical gaps that need to be addressed to protect the healthcare sector from cyber harm. This partnership reflects a shared commitment to advance the implementation of UN cyber norms through concrete action and to increase the sector's resilience through meaningful stakeholder collaboration.
Between 2021 and 2022, we brought the healthcare and cybersecurity communities together in multistakeholder workshops attended by a diverse group of experts, practitioners, and stakeholders, each discussion addressing a selected critical topic. The key recommendations, lessons learned, and good practices collected during these workshops were presented in the Compendium of Multistakeholder Perspectives on Protecting the Healthcare Sector from Cyber Harm, launched on the sidelines of the OEWG in July 2022. The publication offers healthcare institutions, governments, international organizations, and other interested stakeholders a resource to support their efforts to safeguard the healthcare sector from cyber threats.
The Compendium is a practical example of how governments, industry, and civil society can form multistakeholder partnerships to drive the implementation of specific critical infrastructure commitments, in line with their priorities. Such multistakeholder input can serve as a practical guide for cooperation between stakeholders. As a model, it could be scaled up to cover other areas of critical infrastructure and to engage a wider range of partners, both states and non-state actors.
Read more about the findings from the multistakeholder workshops on protecting the healthcare sector from cyber harm in our article: “Implementation of UN cyber norms through multistakeholder action – Part 2”
[1] The cyber threat landscape is multifaceted and includes ransomware, malware, DDoS, phishing emails, data theft and loss of connected medical devices, among others.
[2] There is no unequivocal global agreement on what is included under the definition of critical infrastructure.
[3] United Nations, General Assembly, Open-ended Working Group on developments in the field of information and telecommunications in the context of international security, Final Substantive Report, A/AC.290/2021/CRP.2, March 10, 2021, https://front.un-arm.org/wp-content/uploads/2021/03/Final-report-A-AC.290-2021-CRP.2.pdf. The 2021 OEWG consensus report includes the following guidance on norms implementation: "While agreeing on the need to protect all critical infrastructure (CI) and critical information infrastructure (CII) supporting essential services to the public, along with endeavouring to ensure the general availability and integrity of the Internet, States further concluded that the COVID-19 pandemic has accentuated the importance of protecting healthcare infrastructure including medical services and facilities through the implementation of norms addressing critical infrastructure, such as those affirmed by consensus through UN General Assembly resolution 70/237."
[4] United Nations, General Assembly, Report of the Group of Governmental Experts on Advancing responsible State behaviour in cyberspace in the context of international security (A/76/135), July 14, 2021, https://documents-dds-ny.un.org/doc/UNDOC/GEN/N21/075/86/PDF/N2107586.pdf?OpenElement. The 2021 GGE report was endorsed by consensus and included the following guidance mentioning the healthcare sector under norm F: "The COVID-19 pandemic heightened awareness of the critical importance of protecting health care and medical infrastructure and facilities, including through the implementation of the norms addressing critical infrastructure (such as this norm and norms (g) and (h