Government enforcement action against attackers who target medical organizations is necessary, but better defenses are part of the solution too
Summary
Microsoft calls cyberattacks on health care organizations ‘unconscionable’ and urges governments to act against them. The company highlights three nation-state actors—one Russian and two from North Korea—that have targeted pharmaceutical companies and vaccine researchers in the US, Canada, France, India and South Korea in recent months, but also notes the long list of other cyberattacks this year targeting hospitals in a handful of countries globally.
Microsoft’s President Brad Smith is calling on multinational organizations and governments to pressure other governments and law enforcement to take action in these cases, and notes that international law specifically protects medical treatment and research facilities.
Report
Analysis
Microsoft is correct that cyberattacks targeting medical facilities should warrant more intense government action against the perpetrators. And countries that otherwise have frosty relations with each other should cooperate in this area and take action against private sector actors in their jurisdictions who attack medical facilities in other countries. Just as warring countries that abide by the Geneva Convention agree to a set of protection standards for innocent civilians and wounded and sick soldiers—for example, by not deliberately targeting field hospitals—special consideration should be given to protecting medical facilities from cyberattack.
While the norms around this need to change to protect innocent people, improved cyber defenses need to be part of the solution as well. Governments can play a leading role here by encouraging or even mandating standardized metrics on cybersecurity performance to incentivize companies to lower the likelihood of a breach. These steps would help improve general readiness, threat detection and remediation if a breach occurs.
And as we discussed earlier this year, cyberattacks against the healthcare sector were already surging even before the pandemic, in large part because the healthcare sector in general has poor cyber governance, ranking near the bottom in Cyberhedge’s cyber governance rankings by sector.
Soft targets like healthcare companies and hospitals will unfortunately continue to be targeted, but if governments can also incentivize companies to strengthen defenses, fewer breaches will occur and fewer lives will be put at risk.