Brussels Report: Governments’ Concerns Rise About Pandemic Cyberattacks on Health Care

A surge in cyberattacks on medical facilities during the pandemic has alarmed national governments. The…

Brussels Report: Governments’ Concerns Rise About Pandemic Cyberattacks on Health Care

A surge in cyberattacks on medical facilities during the pandemic has alarmed national governments. The potential consequences were highlighted last week with the death of a woman after she was turned away from a German hospital that had been struck by ransomware.

“There is growing recognition that we need stronger protections… If coronavirus testing has to stop because computers freeze or are under ransomware or [denial-of-service cyberattacks] and can’t function properly for days or weeks, that can have serious repercussions for patients,” said Kubo Macak, a legal adviser at the International Committee of the Red Cross.

Medical institutions faced an onslaught of hacking attempts as the coronavirus spread this year, ranging from ransomware attacks on hospitals to espionage campaigns targeting pharmaceutical companies developing vaccines. Ransomware crippled servers at University Hospital Düsseldorf this month, prompting the hospital to send emergency patients to other facilities. One woman died during the delay in her treatment.

Several governments, including the U.S., U.K. and Canada, blamed Russian and Chinese hackers for some serious attacks. In United Nations meetings over the past few months, more governments described health care as a type of critical infrastructure that should be specially protected from attacks, Mr. Macak said. “We’ve never seen so much interest at the state level,” he said.

Governments have recently pointed out the vulnerabilities of critical infrastructure during the pandemic because sectors such as energy, telecommunications and transportation depend on each others’ services. A deliberate cyberattack can have wide-ranging effects on other organizations, Australia’s Department of Home Affairs said in a paper published last month. The government is planning changes to a national law outlining security measures for critical infrastructure. These will include an obligation for operators of critical services to provide information to the government upon request “about networks and systems,” the paper said.

“There has definitely been a greater focus on making health care off limits to government-led and -sponsored cyberattacks,” said Kaja Ciglic, senior director for digital peace at Microsoft Corp.

Hackers are targeting the sector with a variety of attacks that could have damaging effects. For example, espionage campaigns could derail vaccine trials if hackers access confidential information, even if the data isn’t manipulated, said Dapo Akande, professor of public international law at the University of Oxford.

Many countries already designate health care as a critical infrastructure sector. In some places, that means companies are required to implement cybersecurity measures, report attacks to authorities and can receive government assistance or information about threats.

Denmark’s Health Data Authority can communicate with the national cybersecurity center around the clock because health care is a critical infrastructure there, said Søren Bank Greenfield, the authority’s head of department for Danish Healthcare Cyber and Information Security.

The health data authority saw a 300% increase in cybercriminal activity during the pandemic and quickly shared information with cybersecurity officials, who blocked websites that hackers used for coronavirus-themed phishing emails, he said. “That wouldn’t have been as easy as a noncritical sector,” he said.

Hackers attacked several Czech hospitals and compromised one in the city of Brno this spring. Martin Konir, the chief information officer of Bulovka Hospital in Prague, said his team made backup files of all hospital data in case hackers encrypted everything with ransomware. Hackers tried to intercept the hospital’s network but there has been no sign that the attack succeeded, he said. Government authorities shared some information about the attacks with hospital security experts, he said.

Czech hospitals increased their cybersecurity measures after a cyberattack disabled a hospital IT system in the small town of Benešov last December, Mr. Konir said. Still, many health-care organizations struggle because they lack adequate funding for cybersecurity efforts, he added. “I’m running around the market and begging consulting firm companies to help me pro bono because I don’t have resources,” he said.

Write to Catherine Stupp at [email protected]

Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8