It has been said time and again, but it is no less relevant today: attacks on healthcare are attacks on people. These are also attacks on all of us – whether they happen using kinetic or cyber means. Recognizing that, the need to protect the healthcare sector from cyber harm has been growing around the world. Unfortunately, the situation has gotten worse and not better since the start of the COVID-19 pandemic. Medical staff and vaccine centers, already under immense pressure due to the strains of the pandemic, suddenly had to deal with cyberattacks, which were not only growing in numbers, but also in sophistication. In a number of cases this has resulted in a direct impact on patients, whose treatments were delayed or postponed. In short, cyberattacks against hospitals risk potentially devastating humanitarian consequences.
Attention has rightly been focused on the healthcare sector over the past few years as reports continue to appear in the news of cyberattacks against hospitals and network shutdowns. There are many actors who have stepped up in response to the proliferation of cyberattacks against the healthcare sector. Governments such as the Czech Republic, who have had to deal with hospital disruptions, have updated their incident response processes, implemented complex measures to enhance their cyber resilience, and urged the international community to recognize the importance of protecting this sector. A group of international law experts initiated the “Oxford Process” to help clarify how international law can be applied and utilized to protect the healthcare sector, and worked to remind governments around the world of their obligations.
Though important steps have been taken to protect this critical sector, further action is needed. The multistakeholder community has a variety of expertise and lessons learned that can be shared and leveraged in order to better protect healthcare facilities. This community can also offer different perspectives on the cybersecurity of the healthcare sector, its security and resilience challenges, and the actions that the international community can take to protect this critical sector.
With this in mind, in October 2021 the Czech Republic, CyberPeace Institute, and Microsoft launched a project to bring together experts and practitioners from a range of backgrounds. Governments, international organizations, academia (including international law experts), industry and civil society came together to discuss the legal, technical, policy, and operational approaches needed to increase the resilience of the sector and accountability for malicious cyber acts. Through a series of workshops, the group identified good practices and recommendations for diplomats, policy makers, industry, and healthcare practitioners to increase the cyber resilience of the healthcare sector.
The workshops enabled frank and inclusive discussions among all relevant stakeholders and their recommendations will be distilled into a multistakeholder Compendium, to be released in July 2022. The topics included in the Compendium address the role of the diplomatic community in contributing to responsible behavior as it relates to the protection of healthcare; practitioners’ perspectives on good practices and challenges in addressing cybersecurity threats; and strengthening the resilience of healthcare institutions based on lessons learned from the past year.
This project is informed by and builds on existing initiatives led by the multistakeholder community. This includes initiatives, such as the CyberPeace Institute’s Cyber 4 Healthcare program which supports healthcare organizations by matching the cybersecurity expertise from reputable organisations to healthcare providers and the Cyber Incident Tracer (CIT) #HEALTH which tracks cyberattacks against the healthcare sector and their impact on people and society as a whole. Microsoft unveiled AccountGuard for Healthcare, a dedicated security service offered at no cost for healthcare providers on the front line of care provision during the COVID-19 pandemic. The Czech Republic, along with other partners, led international efforts to designate the healthcare sector as part of critical infrastructure eligible for protection under applicable cyber norms in the final report of the United Nations Open-ended working group on developments in the field of information and telecommunications in the context of international security (UN OEWG). These are examples of initiatives that highlight the importance of an evidence-led and solution-oriented approach to protecting the healthcare sector, and focus upon a people-centric approach. Throughout the workshop series, participants highlighted the human impact of such cyberattacks and how, in the aftermath, countries can increase the resilience of their institutions.
Ultimately, this project builds upon existing agreements such as the UN OEWG and UN Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (UN GGE). The project also works to mobilize political will and resources at the international level to take concrete action and address the growing challenge of cyberattacks directed at medical facilities, and the overall importance of protecting critical infrastructure. Community engagement and capacity building across the multistakeholder community is essential to achieving these goals.
It bears repeating that attacks on the healthcare sector are attacks on people, and they have an impact upon all of us. The international community – including governments, industry and civil society – needs to do more to protect this critical sector and to leverage the expertise, experience and resources of all relevant actors. Multistakeholder action is a necessity to address this challenge. This Compendium should be seen as a first step in this direction, and hopefully as an impactful resource to practitioners and decision makers across the globe.
Juliana Crema is a Research Associate at the CyberPeace Institute.