A letter signed by more than 40 world leaders, international business leaders and organisations including the Red Cross was published on Tuesday 26 May 2020, calling on the world’s governments to take immediate and decisive action to prevent and stop cyberattacks on healthcare and medical research facilities.
“We are hoping that the world’s governments will step up to affirm their commitments to the international rules that prohibit such actions,” said Peter Maurer, president of the International Committee of the Red Cross, in the letter.
How are cyberattacks targeting the healthcare sector?
The call follows cyberattacks in recent weeks that have targeted hospitals, healthcare and research organisations, including in the Czech Republic, France, Spain, Thailand and the United States, as well as health authorities such as the World Health Organisation and others providing critical care and guidance in the midst of the ongoing global pandemic.
In March, the Brno University Hospital in the Czech Republic – a key Covid-19 testing site – was the target of a sophisticated cyberattack which forced it to shut down all computers. This, in turn, meant that the hospital had to turn away patients suffering from serious conditions and postpone surgeries.
“The computer networks used in many hospitals are not secured as well as they could be,” Mikko Hypponen, the chief research officer of security firm F-Secure, told Wired. “This is often because of budgeting restrictions.”
The attack on the Czech hospital prompted a fiery response from US Secretary of State Mike Pompeo.
In a statement, Pompeo called the attack “deeply irresponsible and dangerous,” adding that the culprits should “expect consequences.”
These attacks range from ransomware operations, aimed at crippling primary and urgent care networks in exchange for payouts, to disinformation campaigns aimed at undermining and disrupting wider elements of the response to the pandemic, including testing and vaccine research facilities. Where successful, these attacks have interrupted the provision of healthcare and imposed additional costs on healthcare providers. They underline the vulnerability of this sector to cyberattacks at a time when medical care is needed more than ever.
“These actions have endangered human lives by impairing the ability of these critical institutions to function, slowing down the distribution of essential supplies and information, and disrupting the delivery of care to patients. With hundreds of thousands of people already perished and millions infected around the world, medical care is more important than ever,” the letter stated.
What is the letter calling for?
The signatories demand that governments work together, including at the United Nations, to reaffirm and recommit to international rules that prohibit such actions, and to join forces with civil society and the private sector, to ensure that medical facilities are respected and protected, and to hold attackers accountable. They have backed up the letter with full-page adverts in the UK’s Guardian and the US’s New York Times newspapers.
“We don’t tolerate attacks on health infrastructure in the physical world, and we must not tolerate such attacks in cyberspace — whether in time of peace or in time of conflict. […] For now and for the future, governments should assert in unequivocal terms: cyber operations against healthcare facilities are unlawful and unacceptable,” the letter stated.
Who are the signatories?
Mikhail Gorbachev, Microsoft Corp President Brad Smith and former US Secretary of State Madeleine Albright are among the 42 co-signers of the letter, which was initiated by the non-governmental CyberPeace Institute, whose mission is to prevent the internet from becoming “weaponized.”
“As healthcare professionals are protecting us in the real world, it is up to civil society, industry and governments to collectively act for their protection in cyberspace,” said Stéphane Duguin, Chief Executive Officer at the CyberPeace Institute. “In this effort, humanity needs governments to work together by setting the tone and the example, to ensure healthcare is protected, and perpetrators are held accountable.”
The CyberPeace Institute was founded with the backing of Microsoft in 2019. Other sponsors at launch were Mastercard and the Hewlett Foundation. The launch came after a vocal campaign by Microsoft for “Digital Peace”, born in part out of frustration at the leak of nation-state cyber tools that ended up being co-opted by cybercriminals.
Additional notable signatories include former Secretary General of the United Nations Ban Ki-moon, former UN High Commissioner for Human Rights Zeid Raad Al Hussein, former Director General of the World Health Organization Margaret Chan and former Mexican President Ernesto Zedillo. The signatories also include seven Nobel Prize laureates.
“Above all, governments should take action and stop cyberattacks on hospitals and medical facilities. The time to act is now,” the letter declared.
How to address this?
Earlier this month, the European Union Agency for Cybersecurity released practical advice on how to address these attacks:
- Share the information with healthcare staff in the organisation, build awareness of the ongoing situation and, in the case of infection, ask staff to disconnect from the network to contain the spread. Raise awareness internally in healthcare organisations and hospitals by launching campaigns even during the time of crisis (i.e. to inform hospital staff not to open suspicious emails).
- In case of systems compromise, freeze any activity in the system. Disconnect the infected machines from others and from any external drive or medical device. Go offline from the network. Immediately contact the national CSIRT.
- Ensure business continuity through effective backup and restore procedures. Business continuity plans should be established whenever the failure of a system may disrupt the hospital’s core services, and the role of the supplier in such cases must be well defined.
- In case of impact to medical devices, incident response should be coordinated with the device manufacturer. Collaborate with vendors for incident response in case of medical devices or clinical information systems.
- One preparedness measure is network segmentation. With network segmentation, network traffic can be isolated and/or filtered to limit and/or prevent access between network zones.