Cyberattacks On Healthcare

In the research study “Playing with Lives: Cyberattacks on Healthcare are Attacks on People,” the CyberPeace Institute analyzes the impacts of disruptive cyberattacks, data breaches and disinformation operations on healthcare, people and society. In my view, this is one of the most comprehensive reports on the subject.

Healthcare is targeted by repeated campaigns of cyberattacks, cyberespionage and disinformation. These attacks have a cost on all fronts: resources dedicated to fighting COVID-19 are crippled, patients’ safety is impacted, sensitive data is stolen, and overall, society loses trust in its healthcare system. Preventing attacks, building resilience and prosecuting offenders requires policy steps from governments and companies alike.

“The unacceptable reality is that too many states and criminals get away with using cyberattacks for their cynical agendas. That hospitals and vaccine labs are attacked amidst a pandemic hurts people directly. It is essential that prevention and accountability are rolled out more effectively,” says Marietje Schaake, President, CyberPeace Institute.

Online or offline, attacking healthcare is attacking people. The report shows that while healthcare professionals and patients are facing a significant threat, collective action is possible. This report shows the overarching responsibilities of states to take the lead in decreasing attacks globally and holding threat actors to account.

“Nurses, doctors, researchers and other healthcare professionals are under attack. As they take care of our lives, their security is our collective responsibility. Applauding them is fine, but we all need to do more. It is in the public interest that a coalition of political leaders, corporate executives, technologists and civil society actors come together around a shared ambition to protect healthcare”- highlights Stéphane Duguin, CEO of the CyberPeace Institute.

Victims and targets of attacks on healthcare (Source: The CyberPeace Institute 2021)

Key findings and recommendations from the Report

Attacks on healthcare are causing direct harm to people and are a threat to public health, globally.
Attacks are increasing and evolving as they continue to exploit vulnerabilities in the healthcare sector’s fragile digital infrastructure and weaknesses in its cybersecurity regime.
Attacks on healthcare are low-risk, high-reward crimes. Acting with near impunity, criminals and state actors are joining forces against healthcare with varying motives and agendas.
Healthcare professionals and patients do not benefit fully from legal instruments and existing assistance initiatives designed to protect them.
Governments should lead the way to protect healthcare, apply and enforce national and international norms and laws, commit to doing no harm, and declare cyberespionage and intelligence-gathering against healthcare unlawful.
Healthcare needs investment to protect and defend itself; for example routine stress tests to assess weaknesses in IT ecosystems which can inform future procurement processes for upgrading or securing existing technologies.
The private sector has a responsibility given its role in building the technologies used across the healthcare sector. Security by default and security by design should be embraced by companies and be constituent elements in product creation.