State responsibility for Healthcare: human rights obligations in relation to cyberattacks

As World Health Day (April 7th) approaches, it is important to remember that the enjoyment of the highest attainable standard of health conducive to living a life in dignity is a fundamental human right, indispensable to the enjoyment of all other human rights.[1] Recent articles (1, 2, 3) by the CyberPeace Institute have evidenced how cyberattacks threaten the enjoyment of this fundamental right for communities across the globe, and in this environment it is important to recall the responsibilities States have to protect access to healthcare and the right to health.

This article analyzes the obligations placed upon States to protect access to healthcare under international human rights law. It also explores obligations States have domestically, their international duties, and responsibilities to promote a global environment to fulfill the right to health. While inclusive of many components, including access to clean water, sufficient food, a healthy environment, etc. access to timely and appropriate healthcare represents a key component of the right to health.[2] In the past year however, the CyberPeace Institute (Institute) has recorded a dramatic increase in cyberattacks that target healthcare facilities and interfere with peoples’ enjoyment of their right to health.

In 2021,  over 230 cyberattacks were recorded that impacted health facilities and providers. This number is only a snapshot of the actual scope of attacks that the healthcare sector faces, and the total number of attacks and attempted attacks is much larger and widespread than the data currently shows. Analyzing the available data, the Institute has moved beyond the fact that the attacks occurred, and looked into their disruptive impacts. Many of these attacks have forced systems offline, resulting in the rescheduling of surgeries, rerouting of patients, interruptions to the provision of care, and in some cases, leaking sensitive patient data that was then used in extortion attempts against these patients. In these cases, cyberattacks have a lasting impact on both the physical health of communities and individuals. For example, by disrupting the provision of much needed medical care, psychological harm ranging from loss of trust in the healthcare system to fear and anxiety that  one’s medical conditions or professional records are accessed by malicious actors, fear of  re-victimization as information can be used for phishing attacks, extortion, and more.

It is clear that cyberattacks that impact healthcare can have dramatic impact upon the standard of health of communities across the globe, and thus one must ask, what are the duties of States to protect access to healthcare and thereby peoples’ right to health? Although the right to health is present in many international documents, including the World Health Organization’s Constitution and in Article 25 of the Universal Declaration of Human Rights, its inclusion in the International Covenant on Economic, Social, and Cultural Rights (ICESCR) places international legal obligations on all 171 State Parties. As a party to the ICESCR, a State has the duty and obligation “to take steps, individually and through international assistance and co-operation, especially economic and technical, to the maximum of its available resources, with a view to achieving progressively the full realization of the rights recognized in the present Covenant by all appropriate means, including particularly the adoption of legislative measures”.[3] Enumerated in the covenant under Article 12, the right to health’s inclusion in the ICESCR ensures that State parties take all measures to protect, respect, and fulfill the right to the “highest attainable standard of physical and mental health”.[4]

For the purpose of this article, we explore the distinct obligations that States have to ensure that cyberattacks do not impact access to timely and appropriate healthcare both domestically and abroad under the ICESCR through the three duties mandated by the covenant: to protect, respect, and fulfill.

Domestic

Key among the Article 12 duties for States facing cyberattacks against healthcare within their effective control is the duty to protect. As noted in General Comment 14, the Committee on Economic, Social and Cultural Rights communicated that, “Violations of the obligation to protect follow from the failure of a State to take all necessary measures to safeguard persons within their jurisdiction from infringements of the right to health by third parties”.[5] In the cyber domain, this obligation requires that States, to the maximum of their available resources[6], ensure that healthcare providers within their jurisdiction maintain a minimum standard of cybersecurity in order to ensure that cyberattacks launched by third parties do not impact the provision of care.

This obligation has been contextualized by the Oxford Process, in the context of ransomware, to require action to “prohibit ransomware by law, take feasible steps to stop ransomware operations, mitigate their effects, investigate and punish those responsible, as well as prevent and suppress ransom payments to the extent possible”.[7] Cyberattacks are a daily reality for healthcare providers, and so proactive measures need to be taken by States to ensure that this critical sector has the necessary knowledge, know-how, and technology to stave off attacks in order to properly protect the right to health.

As shown above, there are many instances where lapses in cybersecurity can provide avenues for malicious cyber actors to infiltrate and target healthcare, resulting in disruption or delay of care and distrust in the sector that can interfere with the full realization of the right to health.   Noted in general comment 24, the Committee on Economic, Social and Cultural Rights opined that “States would violate their duty to protect Covenant rights, for instance, by failing to prevent or to counter conduct by businesses that leads to such rights being abused, or that has the foreseeable effect of leading to such rights being abused, for instance through lowering the criteria for approving new medicines”.[8]

Drawing from this example, we can make an a priori argument that, with the new reality of cyberattacks against healthcare, not having cybersecurity practices commensurate with the threat mandated for healthcare providers, whether public or private, would count as a possible act of omission by the State in not taking all available measures to ensure the availability of and access to healthcare.[9] Additionally, not taking steps through regulation or testing to ensure that new medical devices or software to process patient data are equipped with sufficient security when used within their jurisdiction would also be a potential violation. 

In the case of cyberattacks, their impacts can lead to many losing access to essential medical care, thereby limiting the provision of care entirely and negatively impacting the right to health. To hold to their Article 12 obligations to protect the availability of care, States should take positive action, whether by working directly with healthcare providers or through legislative action, to ensure cybersecurity measures commensurate with the threats to the healthcare sector.

Where healthcare provision falls under States’ direct control (public administration), they should directly implement, in coordination with healthcare practitioners, sector specific policies and training to ensure cybersecurity measures commensurate with the threat. For States that have private systems of healthcare, they are under the same obligation to ensure that the right to health is not unduly impacted by cyberattacks. According to the Committee on Social, Economic, and Cultural Rights, “States thus retain at all times the obligation to regulate private actors to ensure that the services they provide are accessible to all, are adequate, are regularly assessed in order to meet the changing needs of the public and are adapted to those needs”.[10]

Therefore, States should implement sector specific regulations to ensure standards of cybersecurity commensurate with the threat that private healthcare providers in their jurisdiction must implement in order to ensure their obligations under Article 12. Additionally, in areas where healthcare providers do not have the ability, know-how, or financial resources to ensure sufficient standards, States should provide the necessary resources to ensure that healthcare within their jurisdiction, both public and private, can meet the necessary standards of safety and security. Thus, States, in the interest of fulfilling the highest attainable standard of physical and mental health, should ensure they take all available actions to ensure that medical care is accessible and that health practitioners are adequately defended against disruptive cyber threats. 

International

In addition to their domestic obligations, experts have also found that States carry additional duties under Article 12 to ensure the respect and protection of the right to health beyond their own borders. In the case that either the actions or omissions taken by States negatively impact the right to health of people residing outside their jurisdiction, States have positive and negative obligations to ensure that potential negative actions taken by their State organs or those they have jurisdiction over, i.e. citizens or private sector actors headquartered in their territory, do not occur.

Unlike other human rights treaties, which limit the scope of responsibilities to the territory and effective control of State parties[11], the ICESCR “lacks a clause limiting its extraterritorial application, [and therefore] its provisions are not subject to any such kind of threshold restriction, jurisdictional or otherwise”.[12] This means that a State’s obligations and duties do not end where their jurisdiction ends. As viewed by the Committee on Economic, Social, and Cultural rights, “the extraterritorial obligation to respect requires States parties to refrain from interfering directly or indirectly with the enjoyment of the Covenant rights by persons outside their territories”.[13]

In the cyber domain, a State that knowingly conducted disruptive cyber operations against healthcare providers in another State’s territory, would possibly be in violation of their Article 12 obligations to respect the right to health. Therefore, among the other international legal obligations on a State[14], parallel obligations are upon States to not conduct disruptive cyber operations against healthcare facilities and providers in other States’ territory. Alongside their obligations to respect, States also have the duty to protect the right to health from activities that would interfere with the right in the territory in other States conducted by those within their jurisdiction.

This is a topic of much debate within general international law regarding the positive due diligence obligations States face in regards to stopping cyber attacks emanating from their territory. As Markovic and Schmitt noted, “not all States have publicly commented in the cyber context on whether the due diligence obligation is a binding rule of international law, although there does appear to be international consensus that it is at least a voluntary non-binding norm applicable to cyber operations”.[15]

However, in regards to healthcare, the ICESCR provides potential obligations arising under Article 12 to protect healthcare in other jurisdictions from attacks emanating from one State’s territory. As per the opinion of the Committee on Economic, Social, and Cultural Rights, “to comply with their international obligations in relation to article 12, States parties have to respect the enjoyment of the right to health in other countries, and to prevent third parties from violating the right in other countries, if they are able to influence these third parties by way of legal or political means, in accordance with the Charter of the United Nations and applicable international law”.[16]

In the cyber domain, States need to ensure that actors within their jurisdiction do not launch disruptive cyber operations against healthcare facilities and providers in other States.In the event that actors in their jurisdiction do launch attacks, they must take all available and appropriate measures or to exercise due diligence to prevent, punish, investigate or redress the harm caused by such acts by private persons or entities. While these obligations exist under general international law[17] Article 12 also puts duties on States to ensure that they are able to prevent or redress negative impacts upon the realization of the right to health from activities originating in their territory.

Cooperation

Despite the obligations stemming from the duties listed above, the fulfillment of them can be challenging for many States that do not have the resources or know-how, or are limited by local realities in ways that prevent them from being able to provide effective measures to defend healthcare providers from cyberthreats. Much work has already been done surrounding the discussion of cyber capacity building, across States, the United Nations, and civil society. to the point that many recognize the important place it has in protecting many key sectors and rights for many communities.

However, it is important to note that if cybersecurity is a key component in protecting the right to health under the ICESCR and a part of a State’s core responsibilities to respect, protect, and fulfill, there are additional obligations to provide international and technical assistance in order to fulfill the right to health in those State parties where they are able and have the necessary resources to do so.  In the view of the Committee of Economic, Social and Cultural Rights, “it is particularly incumbent on States parties and other actors in a position to assist, to provide “international assistance and cooperation, especially economic and technical” which enable developing countries to fulfill their core and other obligations” in relation to their Article 12 obligations.[18] Additionally, the Committee also found that, “Consistent with article 28 of the Universal Declaration of Human Rights, this obligation to fulfill requires States parties to contribute to creating an international environment that enables the fulfillment of the Covenant rights”. To that end, States parties must take the necessary steps in their legislation and policies, including diplomatic and foreign relations measures, to promote and help create such an environment”.[19]

In the case of cyber capacity building, promoting cybersecurity policies commensurate with the threat to healthcare facilities and with practitioners would be a key component to an environment that enables the fulfillment of the right to health and represents a core responsibility for States to uphold. While this obligation does not place distinct duties for action in the same manner as the above examples regarding the protection and respect of the right, this duty to fulfill encourages States that have the resources and knowledge to share with those that currently do not.

Adherence and Redress

The above discussion has outlined the duties and obligations required by Article 12, but with any obligation it is important to understand how they may be enforced and what avenues are available to potential victims for redress.

The main mechanism in place under the ICESCR to ensure that States are upholding their obligations under the covenant is the mandatory reporting procedure. This requires States to submit reports containing “specific information relating to the implementation, in law and in fact, of articles 1 to 15 of the Covenant, taking into account the general comments of the Committee, as well as information on recent developments in law and practice affecting the full realization of the rights recognized in the Covenant” as well as “concrete action taken towards the goal”.[20] These reports are analyzed by the Committee of Economic, Social, and Cultural rights who then issue concluding observations that will contain suggestions and recommendations for further action States should take to meet/further progress their obligations for all articles under the Covenant. Within this process, it is imperative that the Committee should consider steps States have taken to implement cybersecurity measures in the areas connected to the delivery and maintenance of rights enumerated in the Covenant, including those considerations outlined in relation to Article 12 above. This can ensure direction is given to and pressure is put on States to fully implement cybersecurity to the maximum of their available resources.  However, as the reporting procedure only requires States to submit reports every 5 years after their initial report, it is a slow moving process that may not keep up with the changing nature of cyberthreats.

So how then can States be held accountable for their obligations and potential violations outside of the reporting procedure? The Committee points to the important role that national judicial systems can play in providing redress for victims  and a “monitoring and corrective role”, through “declaratory orders stating that a particular policy or legislation is incompatible with the State’s obligations in relation to economic, social and cultural rights; orders requiring the State to take certain steps to ensure a violation does not reoccur; and, supervisory orders that monitor future actions of the State”.[21] In this regard, courts can provide direction for states to ensure that there are security standards commensurate with the present cyber threats in cases of cyberattacks that interrupt the delivery of healthcare within their jurisdiction and deliver redress to victims.

The issues with relying on national courts in regard to cybersecurity obligations for States are that judges may not have the technical expertise to be able to provide appropriate recommendations for their government, and, as judicial independence is not a constant in States worldwide, may not be a viable avenue to ensure oversight of government action.

The ICESCR provides a mechanism for victims to still fight for redress and hold states accountable for lapses in their obligations, under the Optional Protocol to the International Covenant on Economic, Social, and Cultural Rights. The Protocol allows for individuals or groups of individuals to submit complaints to the Committee on Economic, Social, and Cultural Rights claiming to be victims of violations under the articles of the Covenant. This is an opportunity to ensure that States are held accountable even in the absence of sufficient judicial action. However, the Protocol is not widely ratified and only has 26 state parties as of 2022. Therefore it is not a widely available recourse for violations, and in cases where judiciaries are unwilling to take actions against governments in States that are not party to the Protocol, victims have little to no avenue for redress.

Conclusion

Amidst the growing threat of cyber disruptions facing healthcare facilities and providers, it is important for States to recognize the obligations they have to protect their key services in order to ensure the fulfillment of the right to health under the ICESCR. In the above discussion we have explored three obligations and duties that State parties to the ICESCR should hold to in order to ensure the right to health;

  1. Protect the availability of healthcare within their territory by providing and mandating sector specific cybersecurity measures;
  2. Respect and Protect the availability of healthcare in other States by ensuring that State organs and third parties within their jurisdiction do not conduct disruptive cyber operations against healthcare in other States, and;
  3. Work through international assistance and co-operation to ensure that States who might not have the capacity to ensure the security of their health services independently have the necessary resources and knowledge to be able to do so through cyber capacity building.  

Together, these obligations can ensure that States create the best possible environment in which the right to health, and the enjoyment of the highest attainable standard of health is not unduly interrupted by disruptive cyberattacks.

This article concludes by highlighting some critical questions that should be explored by States and the global community in order to ensure access to healthcare in the face of disruptive cyberattacks.

First, how can the global community and human rights bodies measure and ensure that States are exercising their duties sufficiently? Cybersecurity is a fast evolving field making it difficult to know the exact level necessary to ensure protection. Additionally, human rights bodies may not be technically or conceptually equipped to be able to judge the proper level required to ensure standards are commensurate with the threat present to healthcare.

Furthermore, malicious actors are rapidly evolving to improve the efficiency of cyberattacks and in no scenario will even the best security strategies be able to prevent every disruptive attack. Therefore, it also raises the question of how human rights bodies can measure whether the appropriate standards were in place and actions were taken to prevent and defend against the attack in line with a State’s obligations?

Finally, in the discussion of adherence and recourse, while there are mechanisms in place to ensure adherence to obligations arising from the ICESCR, they may not be able to fully meet the requirements due to technical capacity, independence, and coverage necessitated by the growing threat. The question is then, what additional mechanisms can be put in place to ensure that victims are able to seek appropriate redress for cyberattacks flowing from violations of a State’s obligations?

In all scenarios there will be a need for the multistakeholder community to work together with States and human rights bodies to ensure there is a technical capacity and knowledge base, to measure, implement, and monitor these obligations as well as sufficient accountability mechanisms in place to ensure that States adhere to their duties and ensure the right to health is well protected from cyberattacks.


[1]UN Committee on Economic, Social, and Cultural Rights CESCR, General Comment No. 14 (2000): The Right to the Highest Attainable Standard of Health (Art. 12), 11 August 2000, E/C.12/2000/4, available at: https://www.refworld.org/pdfid/4538838d0.pdf [accessed 29 March 2022]

[2] “OHCHR | Ohchr and the Right to Health,” OHCHR and the Right to Health (Office of the High Commissioner for Human Rights), accessed March 29, 2022, https://www.ohchr.org/en/health.

[3] UN General Assembly, International Covenant on Economic, Social and Cultural Rights, 16 December 1966, United Nations, Treaty Series, vol. 993, p. 3, available at: https://www.refworld.org/docid/3ae6b36c0.html [accessed 29 March 2022], Article 2

[4] Ibid. Article 12

[5] CESCR, General Comment 14, Paragraph 51

[6] A key component of the ICESCR is the condition, listed in Article 2, that States ensure the respect, protection, and fulfillment of enumerated rights contained within the treaty to the “maximum of its available resources”. This is to ensure that the covenant does not place undue obligations on developing nations that they would be unable to realize due to the lack of funding, personnel, or knowledge to ensure.

[7] Akende, Dapo, et. al. Oxford Statement on International Law Protections in Cyberspace: The Regulation of Ransomware Operations. Available at: https://www.elac.ox.ac.uk/the-oxford-process/the-statements-overview/the-oxford-statement-on-ransomware-operations/.  Paragraph 5

[8] UN Committee on Economic, Social and Cultural Rights (CESCR), General comment No. 24 (2017) on State obligations under the International Covenant on Economic, Social and Cultural Rights in the context of business activities, 10 August 2017, E/C.12/GC/24, available at: https://www.refworld.org/docid/5beaecba4.html [accessed 29 March 2022] Paragraph 18

[9] See CESCR, General Comment 14, paragraph 12 for further discussion on availability and access.

[10] CESCR General Comment 24. Paragraph 22

[11] See discussion in the European Court of Human Rights,  Bankovic v. Belgium, 2001-XII Eur. Ct. H.R. Paragraphs 74-82.

[12] Marko Milanovic and Michael N. Schmitt, Cyber Attacks and Cyber (Mis)Information Operations During a Pandemic Journal of National Security Law & Policy, no. Vol. 11 (May 28, 2020): pp. 247-284, https://doi.org/10.2139/ssrn.3612019. 265

[13] CESCR, General Comment 24. Paragraph 29

[14] For further discussion see Kubo Mačák, Tilman Rodenhäuser, and Laurent Gisel, “Cyber Attacks against Hospitals and the COVID-19 Pandemic: How Strong Are International Law Protections?,” Humanitarian Law & Policy Blog (International Committee for the Red Cross, August 30, 2021), https://blogs.icrc.org/law-and-policy/2020/04/02/cyber-attacks-hospitals-covid-19/.

[15] Markovic and Schmitt. Cyber Attacks and Cyber (Mis)Information. 280

[16] CESCR, General Comment 14, Paragraph 39

[17] See Markovic and Schmitt, Cyber Attacks and Cyber (Mis)Information, 279-281 for further discussion

[18] CESCR, General Comment 14. Paragraph 45

[19] CESCR, General Comment 24. Paragraph 37

[20] UN Secretary General, COMPILATION OF GUIDELINES ON THE FORM AND CONTENT OF REPORTS TO BE SUBMITTED BY STATES PARTIES TO THE INTERNATIONAL HUMAN RIGHTS TREATIES, 21 May 2007, HRI/GEN/2/Rev.6,  available at: https://digitallibrary.un.org/record/600446?ln=en. Chapter 2, Annex, Paragraph 2

[21] Economic Social Council, Report of the United Nations Commissioner for Human Rights,21 June 2006, E/2006/100, available at: https://www.ohchr.org/Documents/Issues/ESCR/2006_86_en.pdf. Paragraph 24


Keefer Denney-Turner is a Research Associate at the CyberPeace Institute.

Articles for Cyberpeace

Articles for Cyberpeace is a regular series of articles produced by or for the CyberPeace Institute. These articles seek to inform and engage audiences including policy makers, governments, civil society organizations, non-governmental organizations, industry, academics and the media.