This Report focuses on the impact of cyberattacks on people and society. As a cornerstone of the Cyber4Healthcare program, the Report consolidates scattered information for the first time, demonstrating the complexity, magnitude and scope of the cyber threat to healthcare, from ransomware through disinformation to COVID-19-related cyberespionage. It breaks down the silos of research and investigation to connect victims’ testimonials, cybersecurity reporting, volunteer initiatives and academic findings. It analyses the technical innovation of modus operandi, the diversity of threat actors and their incentives, the difficult implementation of domestic and international norms and laws, the under-resourcing of the healthcare sector despite a vibrant ecosystem of assistance initiatives. It highlights how accountability is critical to any systemic resolution in the current context where incidents are under-reported, attacks are seldomly attributed and threat actors evade punishment. The Report shows the overarching responsibilities of nation states in leading the way for attacks to decrease globally and threat actors to be held accountable. To achieve these goals, the Report maps existing initiatives and provides actionable recommendations to governments and policy makers to engage with civil society, industry and academia and design collective solutions.
Published: 9 March 2021
Author: The CyberPeace Institute
Copyright: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.
Online or offline, attacking healthcare is attacking people and should be off-limits. It needs a de-escalation in the number and magnitude of cyberattacks, the enforcement of responsibility and accountability of all actors, and the recognition that victims need a voice and have a right to redress.
When healthcare providers are attacked, it is the people who suffer. While the targets of attacks are most often portrayed as the healthcare organisations or service providers whose data or infrastructure was compromised, the direct victims are healthcare professionals and patients. Whilst disruption of medical services and IT systems have an immediate impact on the process of patient care, healthcare professionals and patients are also suffering less visible impacts: acute stress from being in an incident response situation, psychological impact of having private information stolen by criminals.
Attacking healthcare in a connected world is having a societal impact, globally. The multiplication of attacks on healthcare, especially during a pandemic, is creating a global threat to health. While the phenomenon is under-researched, the documented impacts of converging threats are of immediate concern: disruption in patient care, loss of confidence in the sector’s cybersecurity, notably with an erosion in trust in the sector’s ability to protect patient data; while disinformation operations instill fear and distrust in the sector, they causing confusion and harm throughout society.
Attacks are increasing while the arsenal of weapons used to target healthcare is evolving. The COVID-19 pandemic gave rise to a concerning convergence of malicious and irresponsible behaviors: vaccine research centers are targets of cyberespionage; hospitals are held to ransom with little choice but to pay to maintain operations; healthcare professionals and international health organisations are targeted with a blend of disinformation and cyberattacks aimed at undermining their credibility. As national statistics have shown, data breaches against healthcare in 2020 have increased significantly.
Ransomware creates both an immediate risk to patient care and a long-lasting impact on healthcare organisations. The escalation of ransomware attacks are particularly dangerous as they put both patient care and the healthcare sector capability in jeopardy. The ransomware business model is in constant evolution, notably via the double extortion tactic. It is characterised by an increased cooperation among cybercriminals, who have sought to maximize reach and increase profits. As a result, healthcare organizations suffer from a costly and time-consuming disruption, which requires funds to recover and improve its systems, re-train staff, and manage reputational damage. Losing access to medical records and lifesaving medical devices impacts the healthcare professionals ability to effectively care for their patients on the long run.
Healthcare has a fragile digital infrastructure. Threat actors are exploiting the complex, vulnerable, and sometimes outdated healthcare digital environments including medical devices and IT infrastructure. Security-by-design does not apply to legacy systems and is difficult to achieve with the multiplication of connected endpoints. The healthcare security perimeter is widening, and necessitates a closer look into the resilience of the supply chain.
Healthcare cybersecurity is under financed. While a minority of big healthcare actors have deployed major cybersecurity programs, the vast majority of the sector suffers from a systemic lack of resources to secure its infrastructure, train its personnel, and hire and retain cybersecurity staff. The threat landscape increases this resource gap, as attacks create loss of revenue, new risks create increased cybersecurity costs to secure medical devices, hardware and software, including the fast expanding telehealthcare supply chain.
Technical and human resource limitations are preventing a healthy information-sharing environment within healthcare. Beyond the shortages in cybersecurity, healthcare lacks technical and human resource capacities to send, receive and use threat related information (i.e indicators of compromises, e-evidence, threat intelligence). Sharing these information is critical to improve resilience and enforce fast recovery. Best practices from more mature sectors are not implemented at scale in healthcare (i.e financial sector).
Attacking healthcare is a lucrative and global business. Attacks on healthcare are a global phenomenon, regardless of whether the intent is to hold healthcare providers to ransom, steal medical records and intellectual property, or erode public trust. As healthcare organizations are gatekeepers of sensitive information, the data they hold makes the sector a highly profitable target for both cybercriminals and state actors.
Attacking healthcare serves geopolitical interests. Not only does attacking healthcare provide State or State-sponsored threat actors an attractive target for data theft regarding vaccine research and private medical records, but attacks also weaken geo-political rivals.
Attacks on healthcare are widely underreported. When targeted, many organizations don’t know what to report and how to do it, notably because they don’t have the necessary cybersecurity capability. In addition, the fear of facing liabilities or reputational loss is hampering reporting as is a lack of faith in reporting leading to prosecution. This underreporting prevents a comprehensive evaluation of the true scale of the threat.
Threat actors enjoy near impunity, as attribution and prosecution lag behind. The enforcement and prosecution rate for threat actors involved in attacks on healthcare is extremely low. This stems notably from the underreporting of attacks, from the lack of resources in law enforcement and the judiciary, and from shortfalls in attribution. In addition, opportunities offered by legal instruments – such as investigative cooperation – and enforcement mechanisms – such as sanctions – are rarely used systematically in the case of attacks against healthcare and are complexified by geo-political agendas in the case of state or state-sponsored attacks.
There is a lack of transparent and independent mechanisms to track accountability. Various actors bear various responsibilities to protect healthcare. When analysing an attack, there is no standard process to track who is responsible for what or to hold them to account, let alone systematic documentation or transparency on how malicious behaviors are violating laws, norms and principles.
States are not using the full extent of norms and laws to protect healthcare. State actors have a variety of opportunities to protect the healthcare sector at their disposal. It is the State’s duty to ensure that the rule of law is followed and enforced within their jurisdiction and States equally have the duty to respect international law, including in cases of attacks performed by cyber means. Cooperation mechanisms also remain quite limited, despite the transnational nature of cyberspace. States have notably tread with caution when legally condemning cyber attacks on healthcare or voicing their interpretation of how international law applies, too often relying on political and technical attributions as a means of taking a stand against attacks.
Assistance initiatives lack visibility, scale and sustainability. As criminals and threat actors join forces to attack healthcare, numerous coalitions have been established which provide fast and free support to healthcare professionals. Be it civil society, industry or individuals, from professionals to volunteers from all corners of the world, they operate with an agile and targeted assistance model. Regrettably, these initiatives lack proper visibility, scale and sustainability. In addition, the Cyber4Healthcare initiative identified that healthcare professionals were found to have limited visibility of the assistance resources available to help them and may lack the technical know-how to request the most relevant support and/or apply the recommendations.
Academia and civil society: Identify and connect existing initiatives aiming at assessing the impact of attacks (i.e. existing research, documented victims stories, healthcare community led initiatives, cybersecurity analytics).
Civil society: Document attacks in a continuous and transparent way, with a focus on societal impact and victim testimonials.
Academia and Civil Society: Perform empirical research on the short and long-term impacts of attacks on people, healthcare organizations and society, notably on healthcare professionals, patient care and trust in healthcare.
- Improve the cybersecurity of healthcare infrastructure
- Healthcare organizations and governments: Develop certification and labeling schemes across the sector to enhance trust and security in products and services thereby protecting the complex healthcare supply chain which relies heavily on third-party vendors for its day-to-day operations.
Healthcare organizations: Implement cybersecurity best practices and hygiene, such as patching vulnerabilities and updating systems. Assistance within civil society is available to support this resource-intensive activity (see below).
Governments: Adopt stringent healthcare regulations, including procurement guidelines, to tighten healthcare cybersecurity requirements. Such regulations should apply regardless of whether healthcare is provided via a public or private entity, and across its supply chain. This should notably provide for standards to ensure state-of-the-art security and accountability criteria when healthcare providers write tenders.
Governments: Adopt procurement regulations to facilitate efficient and cost-effective access to cybersecurity resources. Industry: Implement security-by-design and security-by-default models for healthcare product development across the supply chain. These designs and models should align with the previous recommendation about standards for operations and procurement in healthcare.
Industry: Adapt pricing models according to the diversity of resources in healthcare, taking inspiration from pricing models facilitating the work in the not-for-profit sector (also recognizing that some not-for-profit entities are providing healthcare). This should prevent discrepancy from arising between those that can afford cybersecurity and those that can’t.
- Improve healthcare capacity and capabilities
Civil society, CERTs (Computer Emergency Response Teams) and a network of volunteers: Increase the visibility of available assistance initiatives, notably those offering pro bono support. Beyond availability, care should be given to making such initiatives understandable and adaptable to the reality of healthcare practitioners, recognizing that most lack baseline support resources to request and process the help received (tools, training, data).
Governments, philanthropy and industry: Investigate how existing healthcare funding models should prioritize cybersecurity, design new cybersecurity-centric funding schemes, and inform healthcare decision makers about fundraising strategies and equipment acquisition.
Governments and industry: Sponsor research in technical solutions such as zero-trust networks, behavioral authentication and monitoring to improve the protection of hospitals from vulnerabilities in their supply chain.
- Improve healthcare preparedness against attacks
Governments, in close collaboration with CERTs, industry and healthcare: Coordinate stress tests and awareness campaigns, and establish mandatory security audits and minimum compliance requirements to reinforce prevention against attacks and help healthcare organizations respond effectively in case of an incident.
In parallel, healthcare organizations should build and maintain the level of cybersecurity capacity required, including by means of security exercises, IT stress-test training for staff, tabletop exercises and penetration testing to reduce human and technical vulnerabilities to prevent attacks and protect their patients. These cost-intensive activities should be supported by the community, and especially pro bono assistance initiatives.
Healthcare organizations: Commit to due-diligence and standard rules of incident handling, notably via safely disclosing incidents and admitting compromises across the healthcare supply chain. This decreases the risk of potential lateral threats or further impact to victims.
- Reinforce the legal and normative ecosystem
- Governments: State unanimously within the UN-mandated processes (UN GGE and UN OEWG) and multistakeholder initiatives (i.e. Paris Call) that medical and healthcare facilities must never be targeted and consistently protected against cyberattack. Possible approaches include pledging to protect and ‘do no harm’, including public declarations of positions banning any type of state-sponsored cyberattacks on healthcare and cyberespionage against research centers and the vaccine industry.
- Governments: Publicly commit and, most importantly, take proactive steps to implement norms to secure effective protection of the healthcare sector. Said implementation of norms should complement the application of international law and create a baseline for responsible behavior. To this end, the healthcare supply chain shall be designated as critical infrastructure.
- Governments: Raise the capacity of their national law enforcement agencies and judiciary to act in the event of extraterritorial cases. This can be supported by reinforced and improved extradition processes and mutual legal assistance, notably through the systematic commitment to international cooperation mechanisms (e.g. the Budapest Convention, Mutual Legal Assistance Treaties, the Cloud Act).
- Governments and international organizations: Review the effectiveness of international cooperation mechanisms: First, by evaluating and supporting the development of cybersecurity capabilities and capacity across law enforcement and judicial entities globally, to allow for compelling investigations and the prosecution of threat actors. Second, by providing victims with a platform for their voices to be heard, enabling their access to information and securing compensation for the harm and damages they have suffered.
- Improve information sharing and reporting standards
- Healthcare organizations: Work with industry-specific organizations and associations to develop technological solutions that promote privacy-enhancing information-sharing. Engaging with established or emerging initiatives in other sectors can shed light on innovative methodologies and technologies for secure collaboration (financial sector)
- Governments: Develop cyber incident reporting schemes for the healthcare sector at the national level, or improve schemes in operation to support faster information sharing and richer research. The systematic reporting of incidents contributes to understanding the impact of full-scale cyberattacks against the sector, the associated risks, emerging trends and best practices
- Governments: Sponsor specialized national, regional or sectoral communities in the form of a Computer Emergency Response Team (CERT) to enable an efficient incident-response platform for healthcare organizations.
Governments: Ensure that the rule of law is strictly respected and applied, notably through enforcement, prosecution, sanctioning and extradition of accused or convicted threat actors. In the case of ransomware, law enforcement and the judiciary should investigate the money flow stemming from any extortion scheme (with a focus on cryptocurrencies), and opportunities for asset tracking and freezing to hinder the activities of threat actors.
Governments: Work towards the systematic attribution of all types of cyberattacks on healthcare. Beyond geopolitical dimensions, said attribution shall provide a strong evidence base supported by technical and legal attribution.
Governments: Specify which rule of international law or norm of responsible state behavior has been violated following an attack. Civil society and academia to support government efforts by systematically establishing any links between cyberattacks, human rights violations, and breach of international laws or norms of responsible state behavior.
Governments, CERTs and civil society: Remind the healthcare sector that paying ransom is tantamount to direct financing of organized crime and invites threat actors to perpetrate more cyberattacks. Paying ransom may be seen as a fast-track solution, but it is no silver bullet. Civil society and governments should support the healthcare sector in setting up a playbook to cyberattacks, so that it is in a strong enough position to refuse payment by extortion and limit any ransom payment to critical cases only.
CyberPeace Institute’s Response
The CyberPeace Institute will continue to collect testimonials and by developing a publicly available database on attacks, notably to enhance transparency of human and societal impacts.
The CyberPeace Institute will continue to promote the activities of volunteers, not-for-profit and industry stakeholders already providing assistance to the healthcare sector, supporting linkage between those in need and those with the capacity to help. Furthermore, the CyberPeace Institute is ready to cooperate with governments, industry and the healthcare sector to conduct vulnerability analysis and risk assessments so as to precisely define and evaluate shortfall in the human, financial, government, technical and insurance resources needed to secure the complex and critical healthcare infrastructure.
The CyberPeace Institute will monitor the application of international law and norms, and by advancing the protection of victims. These efforts will focus specifically on violations of human security, dignity, and equity so as to understand the potential gaps in legal and regulatory frameworks, and will be available for public use.
The CyberPeace Institute will work with its partners to document and promote the many active information-sharing initiatives. The Institute will inform governments and industry of any findings likely to reinforce capacity building in the healthcare sector.
The CyberPeace Institute will increase efforts to document, track and analyse attacks and subsequent accountability, notably by applying its accountability framework. This will contribute to publicly establishing any links between malicious behavior, human rights violations, and violation of domestic or international rule. The Institute will document whether or not perpetrators are brought to justice, to ensure the right of victims to justice and redress. The CyberPeace Institute will ensure that this information is actionable by both policy makers and victims.
Marietje Schaake is the President of the Cyber Peace Institute and serves as international policy director at Stanford University Cyber Policy Center and international policy fellow at Stanford’s Institute for Human-Centered Artificial Intelligence. Between 2009 and 2019, Marietje served as a Member of European Parliament for the Dutch liberal democratic party where she focused on trade, foreign affairs and technology policies. Marietje is affiliated with a number of non-profits including the European Council on Foreign Relations and the Observer Research Foundation in India and writes a monthly column for the Financial Times and a bi-weekly column for the Dutch NRC newspaper.
Stéphane Duguin is a Chief Executive Officer of the CyberPeace Institute. He has spent two decades analysing how technology is weaponized against vulnerable communities. In particular, he has investigated multiple instances of the use of disruptive technologies, such as AI, in the context of counter terrorism, cybercrime, cyber operations, hybrid threats, and the online use of disinformation techniques. Prior to this position, Stéphane Duguin was a senior manager and innovation coordinator at Europol. He is a thought leader in digital transformation and convergence of disruptive technologies, with his work published in major media and his expertise regularly sought in high-level panels.
Bruno Halopeau is a Chief Technology Officer of the CyberPeace Institute, leading the development of innovative analytical framework and forensics capabilities for the accountability function. Bruno is a cybersecurity professional with over 20 years of experience. Previously, he worked as a consultant for Accenture, held several roles (CISO, cybercrime strategic advisor, team lead R&D Innovation) at Europol, and was head of cyber resilience at World Economic Forum. At the CyberPeace Institute, Bruno holds a MSc in Information Technology, MBA in Strategic Management and MBA in Corporate Leadership.