Mind the gap: adopting new international norms on cyberattacks against health-care services

Updated: Mar 4, 2021

Bianca Rocca

In the midst of every crisis, opportunities lie. The Covid-19 pandemic, while opening up new cyber threats linked to expanded network access, could also act as a catalyst for regulatory change, marking a turning point for cybersecurity.

The March 2020 Europol Report “Pandemic profiteering: How criminals exploit the Covid-19 crisis” promptly underlined that the world, with the outbreak of Covid-19, has been witnessing a surge of cyberattacks. Cyber-criminals, feeding on the global panic triggered by the spread of the pandemic, have seized the opportunity to strike and to profiteer out of this crisis.

The targeting of critical infrastructure such as hospitals and health-care services is certainly nothing new: suffice it to think of two sophisticated cyberattacks that hit the mark in 2017. First, the WannaCry ransomware that, besides infecting tens of thousands of computers worldwide, plunged the United Kingdom’s National Health Service into chaos. Second, the NotPetya ransomware that debilitated most of Ukraine’s systems, including those of health-care providers, and also struck health-care systems in the United States. The health-care industry remains a top target for cyber-criminals because hospitals and medical facilities are a goldmine of sensitive data. Moreover, despite becoming increasingly reliant on technology, health-care establishments are often ill-equipped to monitor and properly address potential cybersecurity threats.

This holds particularly true now: with hospitals in dire straits because of the Covid-19 outbreak, the ramifications of cyberattacks can be disastrous. On March 14, a cyberattack hit Brno University Hospital, one of the Czech Republic’s largest hospitals and biggest Covid-19 testing labs. This incident is an important reminder of how cyberattacks can significantly aggravate the current global health crisis, not only putting patients’ health at risk but also hampering the broader fight against Covid-19. Because of the incident, the hospital’s entire IT system was shut down, urgent surgeries were postponed and new acute patients were re-routed to a nearby hospital. On May 4, Fresenius, the largest private hospital operator in Europe, was hit by ransomware that forced the shutdown of several systems, causing considerable disruption. On September 27, Universal Health Services, which operates about 400 facilities across the United States, was targeted by a cyberattack that triggered a multi-day IT outage. On October 27, three hospitals at New York’s St. Lawrence Health System were also hit by a ransomware attack. Since the start of the pandemic, the World Health Organization has also witnessed a dramatic increase in the number of cyberattacks directed at its staff and of email scams targeting the public at large.

These examples should serve as a warning that hospitals and health-related services must be protected against cyberattacks by global international rules. Now that the current pandemic has underscored, more than ever, the utmost importance of well-functioning health sectors, the time has come for the world to act and take steps to protect hospitals and health services from cyber operations. In most cases, due to the inadequacy of the existing international legal framework, the injured State is not granted effective solutions. This should come as no surprise if one considers that the large majority of norms of international law were established long before the invention of computers. For instance, international humanitarian law is applicable only to those cyber operations against hospitals and health-care services that take place in the context of an armed conflict. But this scenario seems to be the exception rather than the rule, since most cyber operations occur in peacetime and do not cross the threshold of an armed attack that would change the applicable legal framework.

Indeed, cyber is blurring the lines between war and peace, the two contrasting poles around which international law has been developed. In a non-conflict situation, there is no standalone international legal norm ensuring a comprehensive protection of health-care centers. The general prohibition on the use of force, enshrined in Article 2 (4) of the UN Charter, the principle of non-intervention in other States’ domestic affairs and the principle of sovereignty provide only piecemeal solutions in regard to attacks launched against the health infrastructure of a State. Undoubtedly, Article 2 (4) covers just those State-sponsored cyber operations against hospitals and health services directly resulting in the killing of people abroad. This provision would therefore theoretically encompass a State-sponsored cyberattack that remotely shuts down ventilators and other life support systems in hospitals, causing the death of patients. However, the UN regime of the prohibition of the use of force is conceived from an inter-State perspective. The thorny issue of attribution of cyberattacks is thus further complicated by the fact that State-sponsored operations are often conducted by non-state actors. If this is the case, the threshold for attribution is very high: it must be proved that the non-state actor acted under the instructions, direction or control of the State.

The principle of non-intervention in other States’ domestic affairs is no less problematic when it comes to cyberspace. In accordance with the “Tallinn Manual 2.0”, this principle is violated only when cyber operations have a coercive element: mere intrusion into another State’s systems is not enough. Consequently, it goes without saying that all cyber operations that entail the use of force are coercive per se. On this view, by contrast, cyber operations that disrupt medical facilities without using methods of coercion would fall outside the scope of this principle.

Cyber operations interfering with a State’s health-care sector could also in principle qualify as violations of that State’s sovereignty. However, no consensus has been reached on this front, since there is an ongoing debate as to whether there actually is a standalone international legal obligation to respect the sovereignty of other States in cyberspace, or whether sovereignty is simply a principle that should be used as a benchmark to guide State interactions, but which cannot itself be violated.

When it comes to protecting hospitals and health services from cyberattacks, the inadequacy of the existing legal framework is self-evident. At a time when medical systems are struggling to respond to Covid-19, the international community must act and adopt new norms of international law. An unequivocal prohibition on any kind of cyber operation against hospitals and health services should apply at all times, not only in wartime. In this respect, the Covid-19 crisis may thus open up a window of opportunity for international law to mind the gap in cyberspace, with the ultimate goal of boosting international stability.

Bianca Rocca is Editor of APRA's Think Tank Team.
