A few years ago, we would hardly have put cyberattacks and the health sector in one sentence. However, cyberattacks against the health sector skyrocketed during the COVID-19 pandemic, and these attacks continue to be a growing challenge and a worrying threat to healthcare facilities. As a result, the health sector’s resilience has been tested and its effectiveness has been widely questioned.
The pandemic has resulted in a number of cyberattacks against national critical infrastructures (CI). According to the US definition, national CI are systems or assets so vital to the nation that their destruction would have a debilitating impact on national security and economic security. In the case of the health sector, these cyberattacks can have devastating consequences for public health and safety. Hence, these consequences go beyond mere economic impact or threats to national security: cyberattacks have great implications for human well-being and, at times, put people’s lives at serious risk. In short, the global pandemic highlighted the vulnerability of CI and brought the matter of resilience back into political discourse.
Ransomware and denial of service (DoS) cyberattacks overwhelmed healthcare facilities around the world. Since the outbreak of the WannaCry and NotPetya attacks in 2017, which hit a number of medical facilities, effective policymaking has remained deficient. Additionally, the healthcare sector fell victim to more cyberattacks than the financial industry in the past two years. Nevertheless, the necessary cybersecurity measures still lag far behind those of other CI sectors.
What does the current international policymaking ecosystem look like?
Mitigating cybersecurity risks is a difficult task to handle at both the national and the global level. This is mainly because cybersecurity risks evolve much more quickly than states’ ability to react. We have witnessed financially motivated cybercriminals go even further than the traditionally known tactics of stealing data and violating privacy. These new forms of ransomware attacks have the capacity to impair and disrupt the operation of a computer system: the attackers encrypt the victim’s data and withhold access to it until the ransom is paid.
On the international level, the two UN-mandated working groups, the UN Open-Ended Working Group on developments in the field of information and telecommunications in the context of international security (UN OEWG) and the UN Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (UN GGE), provide a democratic and inclusive platform to tackle the growing use of information and communications technologies (ICTs) for malicious purposes. Moreover, they establish an initial framework for responsible state behaviour in the use of ICTs. The two landmark reports of the UN OEWG and UN GGE in cyber diplomacy, both released this year, clearly recognise the impact of ICT activities on CI. Furthermore, as a consequence of the COVID-19 pandemic, both reports put special emphasis on the importance of protecting healthcare infrastructure, including medical services and facilities.
What are the consequences of cyberattacks on healthcare?
Ransomware attacks are particularly dangerous, and their impact on the delivery of healthcare is grave. The number of ransomware attacks against the health sector is alarming. To illustrate, according to the main findings of a recent report by Sophos: 34% of healthcare organisations worldwide were hit by ransomware last year, 65% of those that were hit said that their data was encrypted by cybercriminals, and 34% paid the ransom to get their data back. When it comes to financial losses, for instance, the cost of cyberattacks on the healthcare industry in the USA is estimated at nearly $21 billion.
If a hospital suffers a ransomware attack, the whole medical process can be delayed or completely shut down due to the disruption of its clinical systems. This is especially worrying when it comes to the timely delivery of care for patients in need.
In September 2020, a cyberattack on a university hospital in Germany resulted in the first death of a patient due to complications created by the attack. Another instance of a cyberattack against a medical facility occurred in the Czech Republic, when the Brno University Hospital was hit by ransomware: the hospital was forced to cancel all surgeries and its entire IT network was shut down. Similarly, the USA witnessed one of the largest medical cyberattacks in its history when computer systems in 400 locations were shut down. France also reported 27 ransomware attacks on healthcare facilities in 2020. Unfortunately, these cases represent only a small fraction of similar cyberattacks against hospitals and other medical facilities.
As we can see, the consequences of malicious cyberattacks are manifold. For hospitals, they mean dozens of cancelled surgeries, delayed treatments, and disrupted computer networks in the midst of the worst pandemic in our history. Secondly, the ransom paid to cybercriminals is money that could have been spent elsewhere. Last but not least, there are long-term implications for healthcare facilities, such as regulatory fines and numerous complaints from patients whose data were stolen.
In light of all this, it becomes clear that increased cybersecurity is an urgent need in the health sector. It is equally certain that we need far greater engagement of all relevant stakeholders in the process of better securing our health sector.
Digital transformation in healthcare
Rapid digitalisation has brought significant improvements to the healthcare industry. Under the umbrella of e-health, the internet of medical things (IoMT), electronic health records (EHR), telemedicine, and the application of artificial intelligence (AI), the whole sector has become increasingly integrated at all levels. Consequently, advancements in automation and interoperability have brought about a higher level of exposure to cyber incidents.
In addition, the integration of the internet of things (IoT) with operational technologies (OT) brings new standardisation challenges. Previously, standardisation processes addressed IoT and OT separately, so the integration of these different types of products gave rise to additional cybersecurity risks. These new challenges associated with a fast-changing digital environment therefore require new forms of governance to meet and tackle them.
Why does the private sector matter?
The private sector plays an increasingly important role in the provision and delivery of healthcare and has various roles in the sector:
- A direct provider of services such as hospitals and clinics
- Provider of medical products
- IT companies that supply medical equipment
- Software or network developers
- Application developers
- Cybersecurity experts hired by the government
Two intertwined processes explain the relevance of the private sector in healthcare delivery: firstly, privatisation, and secondly, the transfer of ownership from public to private hands. Moreover, business entities have a competitive advantage when it comes to technology development. Governments simply do not match the innovation and speed that businesses can deliver. Hence, it is the private sector that provides the technology necessary to meet the public sector’s needs. Naturally, this implies that the private sector performs a critical and indispensable function in healthcare, especially in cybersecurity.
Indeed, cybersecurity public-private partnerships (PPPs) in the healthcare sector are a prerequisite for the protection of healthcare technology. Not only would they better protect patient data, but patient safety as well. Finally, these partnerships might help in anticipating the cybersecurity threats that come with rapid technological advancement.
Healthcare cybersecurity and public-private partnerships: The way forward?
Historically, the nation state was responsible for national security. The realist doctrine of international relations sees the state as the guarantor of peace and the provider of national security. Yet the nature of threats has changed significantly, and this new, challenging threat environment likewise requires a new mode of governance and new actors.
There are several reasons that justify collaborative projects between public and private entities in cybersecurity, particularly in the context of national CI protection.
The interconnection between the public and private sectors with respect to the provision of national security is quite simple. Owing to privatisation and deregulation in the 1980s, coupled with globalisation in the 1990s, most CI is now owned and operated by the private sector. These processes also created major challenges for the protection of CI. On the one hand, the private sector alone cannot provide national security in critical infrastructure sectors. On the other hand, governments, in turn, are not capable of providing the public good of national security without their business counterparts. So, both are in one way or another jointly involved in critical infrastructure protection.
Now, the question isn’t whether such cybersecurity public-private partnerships are necessary, because they most definitely are. Rather, the question should be how to organise these partnerships efficiently and what this cooperation should entail.
We’ll delve deeper into cybersecurity public-private partnerships in the health sector with a case study and main principles. Stay tuned!
What’s your take on healthcare cybersecurity and the way forward in an increasingly digitalised world? Share your thoughts in the comments section below!