27 January, 2021
By Ataa Dabour – Research Assistant
At a time when people across the world are particularly reliant on an effective and resilient health care system amidst the COVID-19 pandemic, the healthcare sector has become a direct target for repeated cyberattacks. Such actions only add to the challenges of managing modern medical services in an era of aging populations and ever more stretched resources.
A recent report from Check Point Software indicates that cyberattacks against the healthcare sector have increased by 45% between 1 November 2020 and the beginning of 2021, compared to a 22% increase in cyberattacks against the industrial sector. The average number of weekly cyberattacks against the healthcare sector was 626 per organization in November 2020, compared to 430 in October.
For the same period, statistics indicate that Central Europe is the region most affected by rises in cyberattacks against the health sector, with a 145% increase. Southeast Asia faced an increase of 137% and Latin America an increase of 112%. Europe and North America come at the end of the line with increases of 67% and 37%.
The increase in cyberattacks against the health sector and pharmaceutical and biotechnology institutions can best be explained by broadened opportunities via the increased use of technology such as artificial intelligence and digital devices by health organizations and professionals, and the potential to use such attacks to acquire money and trigger disruption. While the use of new technologies is certainly making it possible to rapidly develop a vaccine against COVID-19 and increase health professionals’ availability and efficiency in patient management, it offers many avenues for cybercriminals to threaten human health security in different ways, including the theft and sale of sensitive and confidential personal data, the blocking of vaccine development, or dysfunctions in patient care.
These cyberattacks do not just endanger systems but are a direct threat to human life, explains Stéphane Duguin, the CEO of the CyberPeace Institute. Since a resilient health system increases the capacity to cope with shocks to health-related human security, how well prepared is our health system to ensure human security and protect human life?
In October 2020, Germany’s health infrastructure faced a rising cyber threat. Germany’s Robert Koch Institute for Infectious Disease Control and its hospital workers were targeted by deceptive phishing emails that sought to trick them into giving away system passwords. Germany’s cybersecurity watchdog detected a distributed denial-of-service attack on the health agency’s website. These cyberthreats caused the death of one patient after a hospital in Dusseldorf was unable to admit her because its system had been knocked out by a cyberattack. This was the first death in Germany caused directly by a cyberattack.
On June 24, 2020, an Iowa hospital detected a breach when a hospital worker’s hacked account began sending phishing and spam emails. After examination, security experts confirmed in October that the attacker was able to access sensitive patient data. On November 13, Mercy Iowa City began notifying patients that data exposed included names, social security numbers, driver’s license numbers, and health insurance information. More than 60,000 patients have been impacted by this security incident.
The latest recorded cyberattack in 2020 occurred on December 29 and hit the General Medical Laboratory (AML) in Antwerp, Brussels, which works on the management of the COVID-19 epidemic. With around 3,000 tests a day, about 5% of the national total, this laboratory is the largest private facility in the country dealing with the COVID-19 crisis. Hackers paralyzed the laboratory’s website by installing ransomware. No patient data was stolen, but the hackers were able to obtain confidential documents about Pfizer’s corona vaccine and deploy the ransom demand.
Whether the result is the violation of patients’ privacy and data, access to confidential documents, a laboratory’s economic and competitive loss, or even the death of patients, these security incidents show that our health system is not sufficiently prepared to ensure continuity of healthcare provision, particularly in times of a global health crisis.
How to better prepare our Healthcare System?
Although we have fallen behind in thinking about how to prepare our health system to safeguard human security, vulnerabilities and gaps in the health sector are not inevitable. The health crisis we are experiencing is both a brake and a lever that would enable us to better understand this issue and provide viable solutions.
Far from purely costly technological and technical security solutions, whose implementation in such a crisis on the scale necessary is difficult to imagine, there are at least two possible alternatives that would make our healthcare system more secure and better preserve human security: bridge-building between different actors and cyber education.
In 2020, the CyberPeace Institute launched an initiative called Cyber 4 Healthcare to respond to the challenges posed by the lack of budget, resources, operational capacity, and implementation of cybersecurity for the entire health sector in times of crisis. Cyber 4 Healthcare is a platform that connects healthcare organizations in need of cybersecurity advice with its network of qualified companies and cyber-volunteers.
Through this platform, hospitals, care facilities, clinics, labs, and clinicians, as well as pharmaceutical, life sciences, and medical device companies that are providing, researching, developing, and manufacturing COVID-related treatments, and non-governmental organizations (NGOs) and international non-governmental organizations (INGOs) working to combat COVID-19, can access a personalized service to find free and trusted cybersecurity assistance.
As health professionals had to increase their reliance on the Internet to carry out their work during the COVID-19 crisis, whether it is in the connectivity with patients or in the interconnectivity of different medical devices designed to transmit patient data, cyber educating these professionals has become crucial. According to James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, the health sector is in desperate need of a cyber hygiene injection.
Cyber hygiene allows professionals to:
- Master how to protect and preserve oneself in the digital world,
- Acquire the knowledge and skills necessary for safe and secure Internet use,
- Know the risks and threats related to the Internet, and the good practices to adopt in such a case.
Cyber hygiene refers to the fundamental practices that users of computers and other digital devices can adopt to improve their cybersecurity while engaging in common online activities, such as web browsing, emailing, and texting, to better protect themselves and their security online, and to better protect the security of their patients. In other words, these practices are generally part of a routine to ensure the safety of identity and other details that could be stolen or corrupted.
While there are obvious reasons that cause cybersecurity problems in the healthcare industry to be particularly burdensome during a pandemic, these organizations should realize the importance of cybersecurity and lead the charge from within. Even though it is currently difficult to implement purely technological and technical security solutions in the healthcare sector, developing and implementing alternatives based on the human factor to ensure health-centric human security is still possible. Especially in times of pandemic, less is more!
Image via National Cancer Institute