Since the start of the COVID-19 pandemic, there has been a marked global increase in cross-border malicious cyber operations against the healthcare sector. The targets of these operations include hospitals and other healthcare providers, research institutes and pharmaceutical companies, including those responsible for the development of COVID-19 vaccines, medical suppliers and distributors, health ministries and regulators, the World Health Organization, and even the public. These operations have variously disrupted the provision of healthcare, compromised sensitive digital information, such as patient records, clinical trial data, or the intellectual property associated with vaccine research, and have brought about the spread of false health-related information––all hindering states’ management of the pandemic and, ultimately, public health. States widely agreed that malicious cyber operations against the healthcare sector constitute a critical threat to the provision of healthcare, with widespread and devastating effects on the provision by public and private institutions of healthcare, the development of medicines and medical technologies, public trust in healthcare providers and other relevant institutions, and individuals’ ability to access accurate health-related information online.
Against this backdrop, the project report seeks to clarify the applicability of existing rules of international law to cyber operation against the healthcare sector. To the extent that rules of international law are applicable in this context, the report scrutinises the ways in which they apply to the various kinds of cyber operations targeting the healthcare sector. The focus of the report is the international legal rules applicable to the conduct of states in peacetime, namely the prohibition of the threat or use of force under Article 2(4) of the Charter of the United Nations and under customary international law, the customary prohibition of intervention in the internal or external affairs of a state, the prohibition of other relevant conduct as a consequence of the sovereignty of a state over its territory, and relevant obligations under international human rights law, that is obligations relating to the right to life, the right to health, the right to privacy, and the rights to freedom of expression and information. While cyber operations against the healthcare sector may not always be easily found to be in breach of some rules or regimes of international law, they may nevertheless involve the breach of other relevant rules or regimes.
The report is authored by Priya Urs, Talita Dias, Antonio Coco and Dapo Akande, and the project was supported by the Government of Japan.