With more than half a million deaths recorded globally, the COVID-19 pandemic is arguably the worst health crisis the world has faced in modern times. It has come as a reminder not only of the interconnected and interdependent nations we are part of today, but also the necessity for the international community to collectively work on addressing key issues that have a bearing on societies. In this respect, the need to secure health care infrastructure and systems cannot be overemphasised — as much in the online realm as in the physical world, owing to the increasing digitalization of the sector. To deliberate on this subject and discuss cyber attacks and data breaches in health care, the ICRC collaborated with the Observer Research Foundation (ORF) to hold a webinar on 16 July 2020 titled 'COVID-19: Securing Healthcare Online'.
In order to effectively deal with the unfolding crisis and continue providing critical life-saving treatment, health facilities and health care personnel must be able to carry out their duty without any threat to their life, their work systems and work spaces. However, since the pandemic outbreak, the ICRC has recorded several instances of cyber attacks aimed at crippling the health infrastructure. This online panel discussion aimed to discuss the existing legal and statutory frameworks — both domestic and international — and the increased protections that are required as new techniques and methods of attacks emerge.
Moderated by Arjun Jayakumar, associate fellow, Cyber Initiative, ORF, the panel comprised Helen Durham, director of International Law and Policy, ICRC, Gulshan Rai, former national cyber security coordinator, Prime Minister's Office (PMO) India, chief information security officer at the PMO India, Amandeep Singh Gill, director Global Health Centre project on International Digital Health & AI Research, Graduate Institute, Geneva, Kaja Ciglic, senior director, Digital Diplomacy, Microsoft, and Dhruv Pahwa, senior director, Global Health Strategies. Samir Saran, president, ORF, delivered the opening remarks.
Setting the tone of the discussion, Saran emphasised that the event is both relevant and important. Important because of the present pandemic scenario and the various attacks on health care, and relevant because how we respond to it will determine the framework and architecture for the future. "It is imperative that medical facilities are protected. The ICRC's global call against cyber attacks in May was based on protections guaranteed under the Geneva Conventions. The rules of international humanitarian law (IHL) and international law apply in the physical world and in cyber space," he said.
Underscoring the devastating consequences of cyber attacks on the health sector, Durham said, "This will not be the last health crisis and the real threat of cyber attacks and their potential humanitarian consequences, as seen during the COVID-19 pandemic, must be a wake-up call. Such attacks pose great risk to those seeking medical care – and this can mean all of us, our families, our societies."
Dr Rai spoke extensively on the development of cyber space and cyber norms. He said that till a couple of years ago, most medical equipment had a proprietary software with strict quality control but with the passage of time these proprietary norms and standards are being diluted leading to greater attacks. "The issues and the threats have now become real because of technology merging with the commercial and the medical sectors. No software is fool-proof and gives chances to breaches and vulnerabilities. We need to address these issues."
Helen Durham, director of International Law and Policy at the ICRC, stresses the need for governments, private sector and civil society to work together to ensure medical facilities are respected and protected. ©ICRC
Ciglic dwelled upon the measures Microsoft is putting in place to ensure online security and privacy of its users. She clarified that whilst the number of cyber attacks during the pandemic have not increased significantly, what has changed is the way the attacks are conducted. Hackers have impersonated trusted entities and have been able to target not just individuals, but also institutions, she added. Echoing Durham's views, she stressed, "This is a challenge that we can only solve together and not uniquely. We need many more discussions on how we can make that framework environment work better." Pahwa spoke of human nature and human vulnerabilities. He said, "Technology is an important factor, but we need to address human behaviour issues in parallel."
Gill, having been part of the UN GGE and the UN working group on digitalization, pointed out that there were significant gaps in the present legal architecture and the applicability of existing norms. "The difficulty today is there is no consistency on existing norms and how they must be applied. Traditional distinction between civilian and military objectives in IHL does exist, but do these apply in peacetime? This is a legal vacuum and this needs to be clarified." He also drove home the point of attribution — that deterrence can be instituted, and measures can be taken against those who exploit vulnerabilities if we can identify them.
Durham acknowledged that cyberspace is still relatively new and emphasised that IHL requires medical facilities and personnel must be respected and protected at all times. She also clarified that international laws offer protection even in peacetime and that international human rights law requires states to respect and ensure the right to life and the right to health of all persons within their jurisdiction.