Does international law protect medical facilities from cyberattacks?

As the world continues to take on the novel coronavirus, our healthcare and medical systems have acted as the center points of defense. Hospitals and hospital staff have been, and still are, working in overdrive to provide critical care to those who are ill. Researchers are pulling together, at breakneck speed, the latest information about the structure and transmission of the virus itself. Vaccine facilities are operating at an unprecedented pace to unlock a safe and effective vaccine.

Unfortunately, the medical community’s resources are being further strained by a growing number of digital attacks, making it harder for systems and facilities to keep their focus on COVID-19. Over the past three months, we’ve seen cyberattacks unleashed on our medical infrastructure in an unheard of way, as part of likely attempts to subvert, thwart, or steal information related to COVID-19. There are also attacks that seek to exploit the crisis to make money, and others that are just destructive. Ironically, we’re seeing how the very thing that allows us to rapidly respond to COVID-19 – the existence of advanced technologies in a shared online space that depends on and produces massive amounts of data —is being used to attack or impair that response. Below are a few examples of the targets of these attacks since the pandemic began:

• World Health Organization
• University Hospital Brno, Czechia
• Hammersmith Medicines Research, London
• 10x Genomics Inc., Biotechnology company in California
• United States Department of Health and Human Services
• Assistance Publique – Hopitaux de Paris

Health care systems are the last place you think would be the target of a cyberattack – especially when we consider they each have a critical role to play in tackling the pandemic. We know that public health and medical infrastructure is more reliant on technology and the internet than ever before and it’s more vulnerable than ever before.

The question we might ask ourselves is “why?” Why is this happening and why is it being tolerated? To us, that raises an even larger issue. Taken together, these are facilities not simply bound to one city, country, or continent. They are part of an interconnected medical infrastructure that should be protected from attack.

When it comes to other interconnected spaces, States and other stakeholders have in the past emphasized international law as a solution. So, then, what does international law say about protecting healthcare?

INTERNATIONAL LAW

What international laws are in place to protect medical facilities and do any of these apply to State-sponsored hacking targeting the healthcare sector? Well, it’s complicated. A few, regional treaties purport to regulate cybercrime, but these focus on signatories domestic criminal law and do not reach beyond those States’ jurisdiction nor do they encompass specific healthcare protections. There are specific healthcare protections in wartime, but there is no standalone international legal rule that comprehensively protects medical facilities from cyberattacks during “peacetime.” As such, peacetime protections for healthcare from cyberattacks depend on extending coverage of existing, more general rules and principles. Let’s break it down.

1. International Humanitarian Law:

• International Humanitarian Law applies whenever there is an armed conflict. In fact, its rules actually originated in calls to protect medical workers on battlefields. As such, cyberattacks against healthcare facilities during armed conflict are clearly prohibited today.
• Conflict parties must always distinguish medical units, transport and personnel, and cannot make them the target of a cyberattack.
  • In some instances, cyberattacks against medical facilities during armed conflict could even qualify as a “war crime” under the Geneva Conventions. Directing an attack against a medical facility under the International Criminal Court Rome Statute could also qualify as a war crime.
• These protections do not, however, apply in peacetime.

2. Use of Force

• Article 2 of the United Nations Charter states “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any State, or in any other manner inconsistent with the Purposes of the United Nations.”
  • This prohibition on use of force only applies if a cyberattack constitutes a use of force; uses of force usually involve violent effects, such as loss of life or significant property damage or destruction.
  • Thus, to the extent that a cyberattack targeting a medical facility today could shut down life support devices, resulting in people dying, the UN Charter would prohibit such attacks.
• However, where there is no use of force, different international law may apply. The principle of “non-intervention” prohibits States from interfering in other States’ internal affairs in ways designed to coerce the State to act (or not act) in some way.
  • States regard the operation of most medical facilities as part of their internal affairs. So there is an argument to be made that this principle can be applied to prohibit cyberattacks on medical facilities directly involved with coronavirus testing, but only if the cyberattack’s aim was to coerce the State in some way.
• Apart from the prohibitions on the use of force and intervention, another basic idea – sovereignty – may also protect the healthcare sector. States are not only responsible for governing their own sovereign territory, including the provision of governmental functions and essential services, but must respect the sovereignty of other States doing so as well. For some states, this principle would be violated where a State allows its territory to serve as the point of origin for cyberattacks on medical facilities and services in another State.

Although international law may have grey areas, the good news is that there are leaders across government, civil society, and industry who recognize this and are rallying together to clarify that existing international law does protect healthcare facilities in peacetime as it does in wartime.

• The International Committee of the Red Cross (ICRC) has proposed a new international norm for the UN to consider that would protect all medical services and facilities from state sponsored cyberattacks.
• Last month, more than 40 former and current world government, industry and nongovernmental organization leaders called on the states to take immediate actions to protect hospitals, research organizations and medical facilities that are responding to COVID-19 from cyberattacks.
• Following a virtual workshop at the University of Oxford, more than 130 international lawyers from across the globe joined together to produce the Oxford Statement on how existing international law applies to cyberattacks on healthcare systems during the global pandemic.
• In 2018, at the Paris Peace Forum, French President Emmanuel Macron issued the Paris Call, a call for states, private sector partners and world research and civil society to come together to tackle the new threats endangering digital citizens. Paris Call supporters were asked to adopt responsible behavior in the digital world.

The complexity and overlapping quality of the international legal obligations presented above are a clear sign that nation states need to commit to clearly defined international laws that protect medical facilities from cyberthreats, regardless of whether we are in an officially declared time of war.