WHO - World Health Organization

11/08/2024 | Press release | Archived content

WHO Director General's remarks at Meeting of the UN Security Council on threats posed by ransomware attacks against hospitals and other health care facilities and services

Madame President,

Excellencies,

I thank France, Japan, Malta, the Republic of Korea, Slovenia, the United Kingdom and the United States for convening this discussion, and for the opportunity to brief you on this increasingly important and disturbing topic.

In March 2020, Brno University Hospital in Czechia suffered a ransomware attack that forced it to shut down its network, transfer patients to neighbouring institutions, postpone planned procedures, and revert to paper-based processes. This attack occurred just as the nation entered a state of emergency due to the pandemic.

In May 2021, the Conti Ransomware Gang compromised the Irish Health Service Executive, or HSE.

This attack began with a phishing email containing a spreadsheet attachment that, when opened, downloaded malware. The malware spread throughout the HSE network over two months, encrypting about 80% of the data, making the national diagnostic imaging platform inaccessible, and pausing radiotherapy services in five major centres.

As a result, more than half of acute hospitals postponed outpatient appointments and elective clinical investigations and interventions, with clinical staff resorting to paper-based processes to maintain baseline services.

Let's be clear at the outset that ransomware and other cyberattacks on hospitals and other health facilities are not just issues of security and confidentiality; they can be issues of life and death.

At best, these attacks cause disruption and financial loss. At worst, they undermine trust in the health systems on which people depend, and even cause patient harm and death.

The digital transformation of health systems, the high value of health data, increasing demands on health systems and resource constraints all contribute to making health facilities attractive targets for ransomware attacks.

These attacks target the digital infrastructure of health facilities, disrupt or shut them down, and in order for access to be returned, the perpetrators demand a fee - or ransom - be paid.

Cyber-crime groups operate on the logic that the greater the threat to patient safety, confidentiality and service disruptions they can create, the greater the ransom they can demand.

If health facilities don't pay, the consequences are not simply financial and operational - they are potentially putting patients at risk. So to restore the system and retrieve the data quickly, health facilities are often willing to pay a substantial ransom, even if there's no guarantee data will be decrypted and attackers won't try again.

Surveys have shown that attacks on the health-care sector have increased in both scale and frequency, and this is because of the success the hackers have had in attacking hospitals and health facilities.

In a global survey in 2021, over a third of respondents reported at least one ransomware attack in the preceding year, and one-third of those reported paying a ransom.

However, even when ransoms were paid, 31% of respondents did not regain access to their encrypted data.

Although the main focus of ransomware attacks has been on hospitals and other health service providers, the broader biomedical supply chain was also targeted during the pandemic.

Security researchers identified vulnerabilities in at least 17 biomedical companies involved in manufacturing COVID-19 vaccines and developing therapeutics.

Further attacks were reported against clinical trial software vendors, laboratories, and pharmaceutical companies.

The report of the UN Open Ended Working Group makes many recommendations on measures Member States can take to strengthen cybersecurity - through rules, norms and principles of responsible state behaviour; international law; confidence-building measures; capacity-building; and institutional dialogue.

WHO and our partners are working on many of these recommendations as they apply to health.

In December last year, WHO convened experts in Geneva to develop strategies and approaches to addressing cybersecurity threats, especially in resource-constrained settings.

They identified several key challenges.

These include a failure to communicate the threat of ransomware and the value of investing in cybersecurity clearly to decision-makers;

The lack of a clear governance framework for cybersecurity;

Complex infrastructure that is challenging to make more secure;

A significant gap between the global demand and supply of cybersecurity skills and experts; and more.

To close these gaps, WHO and other UN agencies are actively supporting Member States with technical assistance, norms, standards and guidance to enhance the resilience of health infrastructure against cybercrime, including ransomware.

In January this year, WHO published two reports in collaboration with INTERPOL, UNODC and other partners on ways to strengthen cybersecurity, and counter disinformation.

WHO is also developing guidance on implementing and investing in cybersecurity and privacy protection of digital health interventions, to be published next year.

Cybersecurity is a whole-of-government responsibility, but health sector authorities, funders and product owners remain accountable for the security of information systems used for health.

There are many measures Member States can take to enhance their cyber maturity, or their level of readiness for cyber-attacks.

That means investing in technology, and ensuring that budgets for digital health projects include the costs of basic cybersecurity controls.

Organizations should avoid unsupported software, which is more vulnerable to attack.

In particular, investing in systems to identify attacks early is essential, as most attacks are only discovered months after they occur, and the damage is done.

But while technologies to identify, protect, detect, respond and recover are crucial, they are not sufficient, especially with the increasing use of artificial intelligence.

Our mindset must change radically to acknowledge that we cannot rely on IT systems alone to protect us from cyberattacks.

So enhancing cyber-maturity also means investing in people.

It is humans who perpetrate ransomware attacks, and it is humans who can stop them.

Training staff to identify and respond to cyber attacks, and rehearsing incident response plans, are critical.

Humans are both the weakest and strongest links in cybersecurity.

This is not something that any nation can do alone.

Just as viruses don't respect borders, nor do cyberattacks.

International cooperation is therefore essential. Many of the measures you take to address other threats are just as relevant here: collaborating on joint investigations and law enforcement; sharing intelligence; or creating regional networks.

WHO hosts two new global platforms for international dialogue: the Global Initiative on Digital Health, and the Global Initiative on AI for Health, a tripartite platform with ITU and WIPO.

My thanks again to the Security Council for drawing attention to this very important issue.

As you know, your mandate under the UN Charter is to maintain international peace and security.

Cybercrime, including ransomware, poses a serious threat to international security.

Just as you have used your mandate to adopt resolutions and decisions on matters of physical security, so we ask you to consider using that same mandate to strengthen global cybersecurity, and accountability.

WHO is committed to supporting all Member States to maximize the power of digital technologies for health, and to minimize their risks.

I thank you.