A year ago, 51 world leaders called on nation states to protect healthcare from cyberattacks. Nobel Peace Prize laureates, former Heads of State, business executives and civil society leaders were all unanimous – health is a fundamental right and it is states’ responsibility to lead the way to protect this common good. As Chief Executive Officer of the CyberPeace Institute, I had the honour of signing this Call, and since then, the Institute has worked to analyze the threat to healthcare, support healthcare professionals and campaign for collective solutions. After twelve months, what’s the record?
Attacks on healthcare are attacks on people
It is clear that attacks continue, as do the testimonies of victims of such attacks. Attacks seem to be spreading at the speed of light, while the response of states is lagging. Legal measures are not in place.
As we reported in our strategic analysis report last March, cyberattacks on healthcare are attacks on human life. Over the past twelve months, examples have multiplied. In September 2020, the American hospital group UHS was the victim of a major attack requiring them to redirect patients awaiting surgery. The same scenario occurred in Villefranche-sur-Saône and Dax in February 2021, French hospitals having been hit more than 25 times in a few months. On 14 May 2021, a large part of the Irish hospital system was attacked. The Irish Health Service Executive (HSE) found itself subject to a criminal ransom demand, with patients citing surgeries being cancelled.
The impact on patients is real and severe. In September 2020, more than 25,000 people in Finland had their data hacked during the attack on a Vastaamo psychotherapy centre. Their confidential interviews and their innermost thoughts are now sold to the highest bidder on the Internet.
The number of victims increases
The psychological damage and family tragedies that have followed are terrible. In fact, the last 12 months have confirmed an explosion in the number of victims.
The Executive Director of the Irish Health Service Executive has stated that all of the data in his network has potentially been compromised. This is not exceptional.
In May 2020, Blackbaud, a cloud computing vendor for nonprofits, was hit by a ransomware attack, with the theft of more than one million donor data files. There are so many victims who, in most cases, have no one to turn to for support and reparation. It is clear that in any response the interests of the victims must be at the heart of proposed solutions. The severity of attacks is too often assessed in terms of the amount of money demanded by criminals. This ignores the human impact of such attacks. A price cannot be put on the harm caused to the health and psychological wellbeing of health workers and patients. This cannot be factored in a ransom payment.
What can governments do?
This escalation calls into question the responsibility of states. The right to health is a fundamental right, and the state is its guarantor. Some signals are promising. States have recently recognized hospital care as a critical infrastructure within the Open Ended Working Group at the United Nations. That being said, in reality, there has been little progress: judicial sanctions against criminal groups are rare, and efforts to attribute attacks to states remain the exception.
Yet a year ago, the signatories of the Call echoed the strong expectations of civil society towards States. States are expected to make every effort to arrest criminal groups, and to establish a transparent and efficient judicial process, respectful of international conventions. States are expected to regulate the industry, in particular, by imposing cybersecurity standards, especially related to purchasing of health equipment.
Above all, States are expected to be an unfailing example, notably by applying the standards of responsible behaviour and international law. It is thus intolerable in the midst of a pandemic that States carry out attacks on health.
Examples have multiplied in recent months: an attack on the Ministry of Health in Georgia, an attack on the European Medicines Agency, an attack on the Moderna laboratory, and an attack on the World Health Organization.
Stop attacks on healthcare
The threat seems like a pandemic: in all countries throughout the world, thousands of health workers must respond to this crisis in the pandemic crisis. Millions of patients have had their personal data stolen or their right to treatment attacked.
One year to the day after the Call, and in the face of this state of affairs, how can solutions be put in place for the victims of these attacks? The CyberPeace Institute makes practical recommendations in its latest report that, if implemented, can help to reverse the situation. We stand ready to support the efforts of states, industry and civil society to ensure that health care benefits from a free, open cyberspace where justice is practised.
The Call on Governments marked an awakening of consciences. There is an urgent need to stay awake. And act.
© Copyright: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.