In recent months, cyberattacks have been launched against medical facilities, including in the Czech Republic, France, Spain, Thailand, and the United States as well as against other health authorities. Cyberattacks threaten the medical sector at a time when medical facilities and staff are under immense pressure due to the medical needs arising from the pandemic and from physical violence. The ICRC has recorded more than 200 incidents of physical violence against health workers and facilities linked to COVID-19 across more than 13 countries since the beginning of the pandemic. These are just the attacks we know about; the actual numbers are likely much higher. These physical attacks are causing suffering today and greatly concern the ICRC. While this is not yet the case for cyberattacks that we know about, it is important to also protect the medical sector from this rising threat.
The vulnerability of the healthcare sector to cyberattacks
Recent cyberattacks against medical facilities underscore a concern the ICRC has raised for some time: medical facilities are particularly vulnerable to hostile or malicious cyber operations. Based on consultations with experts from States, the tech industry and security companies, the ICRC has identified hospitals as particularly vulnerable to cyberattacks. The vulnerability of this sector is a consequence of increased digitization and interconnectivity in healthcare. For example, medical devices in hospitals are connected to the hospital network, and biomedical devices such as pacemakers and insulin pumps are sometimes remotely connected through the internet. This growth of connectivity increases the sector’s digital dependence and ‘attack surface’, leaving it exposed, especially when these developments are not matched by a corresponding improvement in cyber security.
The ICRC has voiced this concern repeatedly with States in the United Nations. In the ‘UN Open-ended working group on developments in the field of information and telecommunications in the context of international security’ in February 2020, the ICRC called on States to reiterate that States should not conduct or knowingly support ICT activity that would harm medical services or medical facilities, and should take measures to protect medical services from harm. In light of the COVID-19 pandemic, in March 2020 ICRC legal advisers recalled this statement and expanded it in a broader blog post on the international legal protection of hospitals against cyber attacks. Most recently, during a UN Security Council Arria-Formula meeting held last week, the ICRC emphasized that ‘when medical services are disrupted, people’s lives are put in danger’.
Concerns about cyber operations against healthcare facilities have also been raised by several States.
Today, the focus is on the protection of medical facilities during a global pandemic. While cyberattacks have not yet caused major humanitarian consequences, strengthening the protection of medical facilities against cyberattacks will become even more important in the future, including during armed conflict. Societies are digitalizing and cyber operations have become a reality in today’s armed conflicts. With an increasing number of States developing military cyber capabilities, cyber operations can be expected to increase. The threat to the healthcare sector during the current pandemic should be a wake-up call to address the threats that cyberattacks against healthcare facilities may pose in the future.
International humanitarian law prohibits cyberattacks against medical facilities during armed conflict
The protection of medical facilities during armed conflict is at the heart of international humanitarian law (IHL). The Geneva Conventions leave no doubt: medical facilities and their staff must be respected and protected. As Helen Durham, the ICRC’s Director of International Law and Policy, stressed recently, basic rules of IHL such as these also ‘apply in cyberspace and must be respected’. This means that belligerents must not harm medical infrastructure through cyber operations and must take great caution to avoid incidental harm caused by such operations.
This prohibition is clearly established in times of armed conflict. As a group of international law experts have recently recalled in ‘The Oxford Statement on the International Law Protections Against Cyber Operations Targeting the Health Care Sector’, there is also a set of international law rules and principles that protect medical facilities against harmful cyber operations at all times.
The ICRC is part of the group of international leaders and institutions that have signed this call. The box below reproduces the call and the list of signatories.
A Call to All Governments: Work Together Now to Stop Cyberattacks on the Healthcare Sector
We call on the world’s governments to take immediate and decisive action to stop all cyberattacks on hospitals, healthcare and medical research facilities, as well as on medical personnel and international public health organizations. To this end, governments should work together, including at the United Nations, to reaffirm and recommit to international rules that prohibit such actions.
Over the past weeks, we have witnessed attacks that have targeted medical facilities and organizations on the frontlines of the response to the COVID-19 pandemic. These actions have endangered human lives by impairing the ability of these critical institutions to function, slowing down the distribution of essential supplies and information, and disrupting the delivery of care to patients. With hundreds of thousands of people already perished and millions infected around the world, medical care is more important than ever. This will not be the last health crisis. For now and for the future, governments should assert in unequivocal terms: cyber operations against health care facilities are unlawful and unacceptable.
We don’t tolerate attacks on health infrastructure in the physical world, and we must not tolerate such attacks in cyberspace – whether in time of peace or in time of conflict. We stand with the International Committee of the Red Cross in support of its call to protect medical services or medical facilities against cyberattacks of any kind. We call on governments to work together, and to join forces with civil society and the private sector, to ensure that medical facilities are respected and protected, and to hold perpetrators accountable. Above all, governments should take action and stop cyberattacks on hospitals and medical facilities. The time to act is now.
Dapo Akande, Professor of Public International Law, University of Oxford
Madeleine Albright, Former Secretary of State, United States
José María Álvarez-Pallete López, Chairman & CEO, Telefónica
Ban Ki-moon, Former Secretary General of the United Nations
Lakhdar Brahimi, Former Foreign Minister, Algeria
John Bruton, Former Taoiseach, Ireland
Fernando Henrique Cardoso, Former President, Brazil
Margaret Chan, Former Director-General, World Health Organization
Eva Chen, Chief Executive Officer, Trend Micro
Stephane Duguin, Chief Executive Officer, CyberPeace Institute
Mohamed ElBaradei, Former Director General of the International Atomic Energy Agency (Nobel Peace Prize Laureate)
Beatrice Fihn, Executive Director of the International Campaign to Abolish Nuclear Weapons (Nobel Peace Prize Laureate)
Mikhail Gorbachev, Former President, Soviet Union (Nobel Peace Prize Laureate)
Gro Harlem Brundtland, Former Director General, World Health Organization
Zhixiong Huang, Professor of International Law, Wuhan University
Igor Ivanov, Former Foreign Minister, Russia
Ellen Johnson Sirleaf, Former President, Liberia (Nobel Peace Prize Laureate)
Eugene Kaspersky, Chief Executive Officer, Kaspersky
Khoo Boon Hui, Former President, INTERPOL
Larry Kramer, President, William and Flora Hewlett Foundation
Ricardo Lagos, Former President, Chile
Doris Leuthard, Former President of the Swiss Confederation
Adrian Lovett, President and Chief Executive Officer, World Wide Web Foundation
Susana Malcorra, Former Foreign Minister, Argentina
Peter Maurer, President, International Committee of the Red Cross
Daniel Mitov, Former Foreign Minister, Bulgaria
Eduardo Montealegre, Former Foreign Minister, Nicaragua
Marty Natalegawa, Former Foreign Minister, Indonesia
Nandan Nilekani, Non-Executive Chairman of the Board, Infosys
Ngozi Okonjo-Iweala, Former Finance Minister, Nigeria
Maia Panjikidze, Former Foreign Minister, Georgia
Zeid Ra’ad Al Hussein, Former UN High Commissioner for Human Rights
Sir Richard J. Roberts, Chief Scientific Officer, New England Biolabs (Nobel Laureate in Physiology or Medicine)
Francesco Rocca, President, International Federation of Red Cross and Red Crescent Societies
Julio María Sanguinetti, Former President, Uruguay
Juan Manuel Santos, Former President, Colombia (Nobel Peace Prize Laureate)
Samir Saran, President, Observer Research Foundation
Marietje Schaake, Former Member of the European Parliament
Michael Schmitt, Professor of International Law, University of Reading
Wendy Sherman, Former Under Secretary of State for Political Affairs, United States
Brad Smith, President, Microsoft
Helle Thorning-Schmidt, Former Prime Minister, Denmark
Desmond Tutu, Archbishop Emeritus of Cape Town (Nobel Peace Prize Laureate)
Danilo Türk, Former President, Slovenia
Lech Wałęsa, Former Polish President (Nobel Peace Prize Laureate)
Sir Graham Watson, Former Member of the European Parliament, UK
Harold F. Wolf III, Chief Executive Officer, Healthcare Information and Management Systems Society
Ernesto Zedillo, Former President, Mexico
- Kubo Mačák, Tilman Rodenhäuser & Laurent Gisel, Cyber attacks against hospitals and the COVID-19 pandemic: How strong are international law protections? April 2, 2020
- Helen Durham, Cyber operations during armed conflict: 7 essential law and policy questions, March 26, 2020
- Laurent Gisel and Tilman Rodenhäuser, Cyber operations and international humanitarian law: five key points, November 28, 2019
- Cordula Droege, COVID-19 response in conflict zones hinges on respect for international humanitarian law, April 16, 2020
- Humanitarian Law & Policy Blog, Human Costs of Cyber – Blog Series, May-June 2019
- ICRC, International Humanitarian Law and Cyber Operations during Armed Conflict, 28 November 2019