Promoting collective action to protect our healthcare

Event report

The healthcare sector has become a target of choice for cyber criminals. Since March 2020, we have witnessed a significant increase in the number of cyber attacks against hospitals and research labs, resulting in serious problems in the adequate provision of healthcare. Those attacks have caused direct harm to individuals and collective well-being.

As Ms Roxana Radu (Research Associate, CyberPeace Institute) explained, cyberattacks shut down the operational systems of hospitals resulting in the need for the adjustments in the treatment of patients, or delay due to the reversion to pen and paper. So, how can we better address the lack of cybersecurity to better protect the healthcare system around the world?

Ms Rozentāle Līga (Senior Director and Team Lead for EU Cybersecurity and Emerging threats, Microsoft) elaborated on the operational perspective of the protection of healthcare sector since the start of the COVID-19 pandemic. The healthcare sector is the most vulnerable sector and, as such, it will be subject to attacks despite numerous efforts made whether by the government, the private sector, or the civil society – attacks will continue. She stressed that it is a national issue very difficult to address at a global scale because each nation differs in its way of handling cyber attacks. Similarly, we should look at how different regions address the protection of critical infrastructure. Microsoft worked with specific healthcare institutions and researched where it could make an added value and a difference, or use its services in order to get the highest protection for those who are the most vulnerable. 

Ms Klara Jordan (Chief Public Policy Officer, CyberPeace Institute) stressed that ‘cybersecurity is an enabler to providing healthcare’ and that it is such mindset that we explicitly have to adopt. Given the fact that access to healthcare is a human right, the motivation for protecting healthcare should also be looked at from the perspective of access to healthcare service – which is also a human right. Second, the understanding of human impact of cyber attacks on individuals is lacking: do we understand what it means for a hospital to go offline? Once we understand the impact, it becomes a motivator for collective action and we start thinking of the accountability. Another aspect in which cyber attacks have serious implications are the data breaches which we mostly observe from the privacy perspective only. Jordan made a point that ‘a data breach can lead to a lifetime of victimization if personal data about, for example, abuse or mental illness are accessed or stolen. It is really important that, when thinking about the kind of incidents that healthcare is subjected to, we think how it really impacts individuals, too.’

Mr Pavel Mraz (Cyber Policy Coordinator, Ministry of Foreign Affairs of the Czech Republic) addressed limitations to the current efforts. First, the lack of concrete support for implementation of the commitments made at the UN level; second, international community has still not been able to recognize that international law (IL) applies to cyberspace and we are still having this basic conversation and it is time to move beyond and ask how the IL applies; third, we are not recognizing the linkages between the UN Sustainable Development Goals (SDGs), more importantly, bridging digital gaps, and the cyber capacity building. Mraz stressed that, despite the fact that we recognize the healthcare sector as being particularly vulnerable and as a part of critical infrastructure (agreed in GGE/OEWG reports), it cannot be just written in the reports, but that rather the political will and resources need to be mobilised. According to Mraz ‘at the UN, there are many states who want to make more norms and still leaving them on paper.  We need to start implementing.’ With regards to implementation, we should develop an inclusive permanent platform at the UN level in order to have a more technical cross-over discussions with technical experts, industry, and the civil society.

Mr Guilherme Rosso (Head of Innovation, Pequeno Príncipe Complex) spoke about the situation in Brazil. Several hospitals in the country were targeted by cyberattacks. According to Rosso, ‘the technical part is important, but the human part is important, as well’. On one hand, it is about the lack of technology and the infrastructure to protect the databases of patients’ data but, on the other hand, it is about training people to properly use such technology.

By Kristina Hojstricova

Session in numbers and graphs

Automated summary

Diplo’s AI Lab experiments with automated summaries generated from the IGF sessions. They will complement our traditional reporting. Please let us know if you would like to learn more about this experiment at ai@diplomacy.edu. The automated summary of this session can be found at this link.