Ransomware Attacks on Healthcare Sector ‘Pose a Direct and Systemic Risk to Global Public Health and Security’, Executive Tells Security Council
Ransomware attacks on hospitals and healthcare systems can be “issues of life and death” and pose a serious threat to international security, the head of the UN health agency told the Security Council today, as several delegates echoed his calls for international cooperation to address one of today’s most damaging cyberthreats, while others questioned whether the 15‑nation organ was the appropriate forum for the meeting.
Tedros Adhanom Ghebreyesus, Director-General of the World Health Organization (WHO), said that ransomware attacks by cybercrime groups target the digital infrastructure of health facilities, disrupt or shut them down, and for access to be returned, the perpetrators demand a fee — or ransom — to be paid. These groups operate on the logic that the greater the threat to patient safety, confidentiality and service disruptions they can create, the greater the ransom they can demand.
“Let’s be clear… ransomware and other cyberattacks on hospitals and other health facilities are not just issues of security and confidentiality; they can be issues of life and death,” he stressed, pointing out that health facilities, so as to not put patients at further risk, are often willing to pay a substantial ransom, even if there is no guarantee data will be decrypted, and attackers will not try again.
Health facilities make attractive targets for ransomware attacks, he said, due to health systems’ digital transformation, the high value of health data and increasing demands on health systems and resource constraints. He recalled the March 2020 ransomware attack against Brno University Hospital in the Czech Republic, which forced the hospital to shut down its network, and the May 2021 attack by the Conti Ransomware Gang against the Irish Health Service Executive, which paused radiotherapy services in five major centres.
Citing a global survey in 2021, he said that over a third of respondents reported at least one ransomware attack in the preceding year, and one‑third of those reported paying a ransom. However, even when ransoms were paid, 31 per cent of respondents did not regain access to their encrypted data, he said, noting as well attacks against clinical trial software vendors, laboratories and pharmaceutical companies.
“The report of the UN Open-Ended Working Group makes many recommendations on measures that Member States can take to strengthen cybersecurity” and WHO and its partners are working on many of those recommendations as they apply to health.
He noted that, in December 2023, experts convened by WHO identified several key challenges: a failure to communicate the threat of ransomware and the value of investing in cybersecurity clearly to decision-makers; lack of a clear governance framework for cybersecurity; complex infrastructure that is challenging to make more secure; a significant gap between the global demand and supply of cybersecurity skills and experts; and more. WHO and other UN agencies are actively supporting Member States with technical assistance, norms, standards and guidance to close those gaps, he added, detailing its other work to strengthen cybersecurity.
Stressing that “cybersecurity is a whole-of-government responsibility”, he said that Member States can invest in technology, including for early identification of attacks, and include costs of basic cybersecurity controls in the budgets for digital health projects. Underscoring the need to also invest in people, he stressed: “Training staff to identify and respond to cyberattacks, and rehearsing incident response plans, is critical.”
International cooperation is essential, he underscored, “as viruses don’t respect borders, nor do cyberattacks”. The Global Initiative on Digital Health and the Global Initiative on Artificial Intelligence (AI) for Health are two new global platforms for international dialogue hosted by WHO, he added. Cybercrime, including ransomware, pose a serious threat to international security, he emphasized, appealing to the Council to consider adopting resolutions and decisions on the matter to strengthen global cybersecurity and accountability.
Eduardo Conrado, President of Ascension, said that his organization — the third largest health system in the United States — is a non-profit and Catholic health system that provides care to over 6 million people each year. Recalling the 8 May ransomware attack on Ascension, he recounted that overnight, nurses were forced to comb through paper backups to see a patient’s medical history or their prescribed medications, while runners had to deliver printed copies of scans to surgery teams. Detailing further impacts, he said it took until 14 June — 37 days after the ransomware attack was launched — for Ascension to restore connections and access to all its electronic health record systems and bring its last hospitals back online.
Ascension, which is working closely with United States authorities and is in the lengthy process of digitizing the data from all the paper patient records created during that period, has spent approximately $130 million on its response to this attack and lost approximately $900 million in operating revenue as of the end of the fiscal year, he said. “Ransomware attacks on the healthcare sector […] pose a direct and systemic risk to global public health and security,” he stressed, urging international coordination and cooperation to fight against ransomware attacks and safeguard healthcare systems worldwide.
In the ensuing debate, delegates echoed concerns about the growing and worsening threat of ransomware and its impact on international peace and security. The delegate of the United States, who requested the meeting, said that ransomware-related incidents generated over $1.1 billion in payments in 2023, marking a 10‑fold increase since 2018 and a 100‑fold increase since 2014. To disrupt such attacks, her country launched in 2021 the 68‑member International Counter Ransomware Initiative, which focuses on disrupting ransomware attacks, enhancing the security of critical infrastructure and increasing the capacity and incident response capabilities of its partners together.
Highlighting her Government’s pledge, along with 40 other States to not pay, or allow its agencies to pay ransomware bounties, she pointed out that some States — most notably the Russian Federation — continue to allow ransomware actors to operate from their territory with impunity, even after they have been asked to rein it in. Additionally, the developer of the cybercriminal gang LockBit, responsible for a large share of the world’s healthcare ransomware attacks, is Russian national Dmitry Khoroshev, charged by the United States Department of Justice for committing hacking crimes. Cybercriminals associated with the most impactful ransomware variants, like the one that committed the attack against Ascension healthcare, are also tied to that country, she added.
Similarly, the representatives of the Republic of Korea and Switzerland drew attention to the Democratic People’s Republic of Korea, which, according to the former speaker, generates approximately 50 per cent of its foreign currency revenue through “malicious cyberactivities”. He called for regular briefings from the Secretary-General and enhanced international cooperation, highlighting that, the Council, “in order to remain relevant, should pay more attention to the new types of threats emanating from emerging technologies”.
Other speakers took the floor to detail their countries’ experiences grappling with such threats and offered ways to better mitigate and respond to them. The United Kingdom’s delegate, Council President for November, speaking in his national capacity, recalled that his country’s National Health Service was affected by a ransomware strain in 2017, which cost $118 million to recover from. His country has issued 36 sanctions against actors involved in these types of activities. Slovenia’s representative noted earlier in the meeting that the Council can also include cybercriminals under its sanction regime.
France’s representative, noting that 10 per cent of such attacks targeted healthcare establishments in his country, called on States to agree on norms of responsible behaviour to prevent and manage cyberincidents. He also voiced support for the United States’ initiative, which promotes the exchange of good practices to strengthen a collective response posed by such risks to societies and democracies.
Japan’s delegate, noting that ransomware attacks have posed impediments to his country’s emergency patients care and scheduled surgeries, underlined the need for information-sharing and cooperation between States, including law enforcement agencies; and raising awareness for potential targets of ransomware attacks. The Programme of Action of the Open-Ended Working Group should serve as a future permanent platform to ensure a seamless transition from the Working Group after 2025, he added.
Malta’s representative underscored that these attacks violate the fundamental right of privacy of the individual and threaten the overall well-being and security of citizens. He called on Member States to ensure that information and communications technology (ICT) personnel, particularly in healthcare, possess contemporary cybersecurity skills.
Other delegations questioned the need for today’s meeting, with the Russian Federation’s delegate noting that it is not clear what concrete threat is being posed to international peace and security, and when many other inclusive mechanisms exist to discuss such issues. He pointed to the UN’s Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes, which his country initiated, as well as the UN Open-Ended Working Group on security of and in the use of ICT. His country is in favour of an international legal instrument that would cover all aspects of ensuring security in the use of ICT, negotiated through a mechanism under the auspices of the United Nations, he emphasized.
Taking issue with the United States delegation for its use of the Council to put forward “an unrealistic narrative” involving the now-anecdotal trope of “Russian hackers”, he called for more depoliticized cooperation, citing his country’s launch in May of a global, intergovernmental points of contact directory on ICT, among other efforts. Finally, he stated that, if his colleagues wanted to discuss the security of healthcare facilities, they should discuss specific steps to stop Israel’s horrific attacks on hospitals in the Gaza Strip.
China’s delegate concurred, noting that while ransomware is a significant global menace, he is not in favour of the hasty push by Council members to convene today’s meeting, and hopes to participate in more in-depth and practical discussions through more appropriate platforms. The international community should analyse and address the issue in multiple dimensions, including focusing on the source of ransomware, pathways for its spread and channels for its monetization.
Several delegations, including Algeria and Ecuador, drew attention to developing countries’ lack of resources and expertise to combat cyberthreats. Sierra Leone’s delegate urged support for the implementation of the African Union’s cybersecurity initiatives, fostering a regional approach to ensure that the continent’s health infrastructure is protected from digital threats. Mozambique’s representative called for a comprehensive and tailored strategy to address cyberattacks in developing countries, with a focus on preparedness, response, modernizing outdated systems and establishing robust regulatory policies and partnerships. Guyana’s delegate called for perpetrators of ransomware attacks to be held accountable, including through collaboration and partnerships to investigate and prosecute cybercrimes.
The head of the delegation of the European Union called upon all States, in line with the UN framework for responsible State behaviour, not to allow their territory to be used for such malign activities, and to respond to appropriate requests to mitigate such activities. “The establishment of a permanent UN mechanism — the UN Cyber Programme of Action — will allow us to advance our collective ability to counter threats against our societies and economies like ransomware,” he underscored, urging a united and coordinated global approach to effectively combat the escalating threat of ransomware.