Healthcare is targeted by repeated campaigns of cyberattacks, cyberespionage and disinformation. These attacks have a cost on all fronts: resources dedicated to fighting COVID-19 are crippled, patients’ safety is impacted, sensitive data is stolen, and overall, society loses trust in its healthcare system. Preventing attacks, building resilience and prosecuting offenders requires policy steps from governments and companies alike.
“The unacceptable reality is that too many states and criminals get away with using cyberattacks for their cynical agendas. That hospitals and vaccine labs are attacked amidst a pandemic hurts people directly. It is essential that prevention and accountability are rolled out more effectively.” - Marietje Schaake, President, CyberPeace Institute.
Online or offline, attacking healthcare is attacking people. The report shows that while healthcare professionals and patients are facing a significant threat, collective action is possible. This report shows the overarching responsibilities of states to take the lead in decreasing attacks globally and holding threat actors to account.
“Nurses, doctors, researchers and other healthcare professionals are under attack. As they take care of our lives, their security is our collective responsibility. Applauding them is fine, but we all need to do more. It is in the public interest that a coalition of political leaders, corporate executives, technologists and civil society actors come together around a shared ambition to protect healthcare.”- Stéphane Duguin, CEO of the CyberPeace Institute.
Key findings and recommendations from the Report
● Attacks on healthcare are causing direct harm to people and are a threat to public health, globally.
● Attacks are increasing and evolving as they continue to exploit vulnerabilities in the healthcare sector's fragile digital infrastructure and weaknesses in its cybersecurity regime.
● Attacks on healthcare are low-risk, high-reward crimes. Acting with near impunity, criminals and state actors are joining forces against healthcare with varying motives and agendas.
● Healthcare professionals and patients do not benefit fully from legal instruments and existing assistance initiatives designed to protect them.
● Governments should lead the way to protect healthcare, apply and enforce national and international norms and laws, commit to doing no harm, and declare cyberespionage and intelligence-gathering against healthcare unlawful.
● Healthcare needs investment to protect and defend itself; for example routine stress tests to assess weaknesses in IT ecosystems which can inform future procurement processes for upgrading or securing existing technologies.
● The private sector has a responsibility given its role in building the technologies used across the healthcare sector. Security by default and security by design should be embraced by companies and be constituent elements in product creation.
About the CyberPeace Institute
The CyberPeace Institute is a non-profit, international organization headquartered in Geneva, Switzerland. It strives to protect vulnerable populations from the harms of cyberattacks and cyberconflict, to bring information and data about methods into the public realm, with the aim of ensuring responsible behavior and the advancement of international law at corporate and state level. Through field analysis and global campaigning, the institute aims to protect the most vulnerable and to achieve peace and justice in cyberspace.
In 2021, the Cyberpeace Institute will launch:
● A campaign, supported by a coalition of actors, which aims to decrease the number of attacks on the healthcare sector;
● A digital platform referencing attacks on healthcare, and providing information on how these attacks have violated international norms and laws, and the impact they have had on people.
Full report “Playing with Lives: Cyberattacks on Healthcare are Attacks on People: https://cpi.link/sar001
For more information, visit the CyberPeace Institute’s website https://cyberpeaceinstitute.org