In the medical profession, practitioners commit to ‘do not harm’ as part of their Hippocratic Oath. Is the international community ready to take a similar oath to protect healthcare against the growing threat of disruptive cyberattacks? The Cyber Peace Institute, Microsoft, and the Czech government know we need to act now and are kick-starting a project to identify good practices needed to protect this vital infrastructure.
The world is in the midst of a global pandemic. Despite it, and potentially because of it, disruptive cyberattacks against the healthcare sector have increased during this period, closing down hospitals, disrupting supply chains, and impacting vaccine research.
Between January and August 2021, the CyberPeace Institute has recorded 77 disruptive attacks on healthcare organizations of which 66 of them resulted in systems being unavailable causing operational disruption.
While this number seems high, even this is likely to provide only a subsection of how bad the situation actually is, as many attacks go under-reported, hampering streamlined action at both national and the international levels.
Whatever way you count the threats and the attacks, the situation is serious and untenable. To begin to address it, the Czech Republic, the CyberPeace Institute, and Microsoft are today announcing a groundbreaking project “Protecting the healthcare sector from cyber harm”. It will bring together healthcare, cybersecurity, and regulatory experts united in the desire to ensure access to healthcare is not disrupted, but rather enhanced by reliance on modern technology. We believe that the challenges we face, can only be overcome through a multistakeholder partnership that spans borders, but also sectors – government, industry and civil society.
We recognize that we are not starting from scratch. Attention has rightly been focused on the healthcare sector over the past year. Governments, such as the Czech Republic that have had to deal with hospital disruption, have updated their incident response processes and identified areas that need further action. The community of international law experts have come together under the “Oxford Process” to help clarify how international law can be applied and utilized in this space to remind governments of their obligations to individuals around the world. In 2020, the CyberPeace Institute and the International Committee of the Red Cross united over 50 government, industry, and civil society leaders in a call to protect healthcare from cyberattacks and “to assert in unequivocal terms: cyber operations against healthcare facilities are unlawful and unacceptable”. The following year, the Institute published a report analyzing disruptive attacks on healthcare, and Microsoft has, amongst other things, unveiled AccountGuard for Healthcare is a dedicated security service offered at no cost for healthcare providers on the front line of care combatting COVID-19).
But it has not been enough.
Through a series of workshops, the three organizations aim to investigate the different aspects of protecting healthcare online: resilience, incident response, impact on healthcare practitioners, international law and diplomacy, and national regulation. Through these workshops we plan to distill a set of recommendations for policy makers, technology vendors, diplomats, and healthcare practitioners to ensure this sector is as secure from online threats as possible.
Access to healthcare is a human right and it is the responsibility of us all to lead the way to protect this common good. The enjoyment of this right and safe, secure, and stable cyberspace are intertwined in the digital age. Based on our ongoing work we know that acting now means minimizing harm to patients and to society as a whole and sets the foundations for protection of the healthcare sector in perpetuity. We are inviting all those committed to protecting this critical sector to join us in determining an effective path forward.
Klara Jordan – Chief Public Policy Officer, CyberPeace Institute
Kaja Ciglic – Senior Director, Digital Diplomacy, Microsoft
© Copyright: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.