IGF 2021 – Day 3 – WS #154 Promoting Collective Action to Protect our Healthcare

The following are the outputs of the captioning taken during an IGF virtual intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> We All Live In a Digital World.  We all need it to be open and safe.  We all want to trust.

>> And to be trusted.

We all despise control.

>> And desire freedom.

>> We are all united.

>> ROXANA RADU: Hello, everyone, for a discussion on collective action on how to protect our healthcare system against cyber attack.  I'm Roxana Radu, with the cyber.  We will try to make it as interactive as possible.  We are organizing this with the German Marshall Fund, and I will give them the floor for welcome remarks.

Before we start this conversation, let me offer a few thoughts on what brought us here today.  We have suggested this session because healthcare has become a target of choice for cyber criminals.  Since the start of the pandemic, we have witnessed a sharp increase in the number of cyber attacks against hospitals, research labs, resulting in the serious provision of healthcare and direct harm to our individual and collective well‑being.

At the cyber institute, whether the treatment time for patients had to be adjusted or delayed because of a reversion to pen and paper or whether the rollout of COVID‑19 vaccines was impacted, ultimately, it is human lives that are put at risk because of these cyber attacks.

We have seen a number of responses to address this crisis, and diplomatic financial resources being mobilized to improve the situation, but how do we ensure that the sum is greater.  In the next 57 minutes or so, we will hear from our distinguished speakers, their concise thoughts on what the problem is and what solutions we might need to explore to better protect the healthcare system.

I'm very pleased to give the floor first to Bruno Lete, senior fellow at the German Marshall Fund and co‑organizer of this workshop.  Bruno, please.

>> BRUNO LETE: Hi, Roxana, hi, everyone.  I'm really glad to be here with you today and I might perhaps have the easiest job on this panel to welcome everyone, but I'm really delighted to see such a group of experts to come together and talk about this issue.  Let me say thank you to the Cyberpeace Institute, and Microsoft to enable the conversation today.

Those of you who don't know the German Marshall Fund, we are an American policy institute headquartered in Washington, D.C., and we are operating seven offices in Europe and our mission is very simple.  It's to strengthen the transatlantic cooperation while working with global partners that share the same values.  And cybersecurity is one of the topics of our era, especially these times during the pandemic.  The link with the healthcare is of utmost importance.

At GMF we want to make it more transparent and not just looking at what governments can do in this regard but also what businesses can do, civil society and other actors and how all of these actors can work together.  That's the approach that we believe in, and that's also why GMF thought it was important to be present alongside our workshop partners and our audience here at the IGF.

But we also try to contribute to a more safe cyberspace, GMF had the Paris call for the security in cyberspace that was launched in 2019.  So Roxana, you already explained why we are gathering today, again, I think it's a very important topic, given that the transition of health is becoming the storm.  It is really not only impacting the infrastructure but it's also about people, about human life and well‑being.  So we should keep that in mind as well.  So it's really important to strengthen the cyber resilience of the healthcare sector and as well to human, diplomatic and operational resources to protect this sector.  Again, I'm impressed by the fantastic group that we have here on this workshop and Roxana, over to you for a fantastic and enlightening discussion.

>> ROXANA RADU: Thank you very much.  Without further ado you, representing different parts of the world, and various stakeholders we are pleased to have here with us today, Liga Rozentale with Microsoft and Pavel Mraz and Guilherme Rosso, 100‑year‑old institution that includes largest pediatric hospital in Brazil, a college and research institute, and he's joining us today.  And Klara Jordan, chief public policy officer at the Cyberpeace Institute.  We are headquartered in Geneva but we are a global organization.  So we have a number of perspectives that we can include in our conversation today.  Thank you all for accepting this invitation and let us get started.  What is the reality of cyber attacks against health care today?  We have documented a number of attacks on the cyber incident traces, but have there been any significant shifts in the way hospitals have become targets, or is it more that supply chain and vaccines are more in focus today?  What have you observed in Brazil?

>> GUILHERME ROSSO: Thank you, Roxana, it's a pleasure to be here at the Internet Governance Forum to learn about such an important topic and I would like to thank Bruno, Klara and Pavel and all of us here joining the conversation.

So I speak from Brazil and since I'm representing here the Latin American academic group, you should mention equality.  And I would like to mention a few data.  So Brazil has a population of 213 million people and 7 out of 10 Brazilians depend on the public health system, known as SUS.  According to the Brazilian Internet Steering Committee, 35 million people over 10 years old do not have Internet access in the country.  So my first point, I think inequality is a basic topic to address over the next months and years.  So bringing the conversation to hospitals, which is my experience, so several hospitals by being cyber attacked, started to create strategies.

In Little Prince Hospital, which is the largest hospital in the country, we are learning that the technical part is important, but as important is also the human operation part.  We are now developing our digital transformation strategy, which we didn't have in the past and it's based on cybersecurity but also training people to properly use technology.  Before the panel, I was talking with our medical director and the first vice president of the national council of medicine, and he said, Guilherme, healthcare is an activity that belongs to society.  So in this sense, it submits to technology and its sequences.  So I think that's the context that the Brazilian hospitals have to change the deal with we deal with technology.  I think the hospitals, as I said, by seeing the pain of other hospitals being attacked or with a lack of the infrastructure to protect their database or patients, they started to design more preventative actions.

But I think in Brazil, we have still a long way to go.

>> ROXANA RADU: Thank you, Guilherme.  It's nice to see that cybersecurity is more at a systemic level and this is important not just for pediatric hospitals but for the entire sector.  And when you think about some of the changes that we are seeing, obviously data is a bit limited.  It's limited already because of the pandemic situation, but it's also limited because we simply don't have enough insights into cyber attacks.  If we are to turn to an operator point of view and to you Liga, what have we learned about the protection of the healthcare sector since the start of the pandemic?  Can you offer some initial thoughts on how the situation has been changing since March 2020?

>> ROZENTALE LIGA: Yeah, thank you, Roxana, and thank you for all the participants.  Just a comment on Gill's remarks I think it's excellent to have this perspective from Brazil as many of us that are on this panel sit to go in Europe but to have the vision of how this affects issues globally is quite important.  And, you know, that's the spirit of the IGF.  That's why it's unfortunate that we are all sitting in our corners of the world, and we can't come together.  It's certainly that interaction that makes IGF such a useful format in which to interact.  It's oftentimes what we say outside of this panel on the sidelines that gives us the most insights on really what progress we can make in this space.

So look ‑‑ addressing the question that you have been asked and trying to focus on the wide variety of responses from all sectors and the multi‑stakeholder environment that works on digital security, cybersecurity and healthcare, it's ‑‑ it's been a bumpy road.  To say that we learned so much and progressed so much.  The question is have we learned anything unique that we haven't learned from different sectors that have to address cybersecurity across different periods of time where necessity have been the most vulnerable.  We have learned that the health care sector is the most vulnerable.  The most vulnerable sector will get attacks despite very many efforts, whether it's despite civil society or government, attacks will continue.

That's nothing new.

This is a national issue.  It's important to address this because each nation is very different on how they handle this aspect.  Some have higher level of digital transformation, and it's important to see how different regions address health scares.  It's a seat in Brussels, I see how the EU has addressed it through legislation and this is certainly the case globally but there's many examples of how critical infrastructures are addressing cybersecurity at this point and how we are all trying to learn from each other on what is the best approach.  Oddly, I don't think you can legislate it away.  So how we deal with it on a global, region and local scale is very important.

We work with specific healthcare institutions.  We look at where we can make an added value difference on protecting email, on using our services to get the highest protection to those the most vulnerable in the healthcare sector so it's not an issue of how much money you can put into it.  The Microsoft approach to providing more protection towards existing customers that haven't taken it into consideration to alleviate that kind of pressure.  So we work with many healthcare sector and life sciences to provide additional protection.

I will leave it to address other cooperation, since we already dealt with the Cyber Peace Institute and the Czech government.  So I will leave it to them to discuss these issues.  We tried to bring attention to the global level for how cyber norms have to be addressed and we can protect the ICT supply chain and working within the UN structures and to incorporate insights from the nongovernment sector.

I'm happy to provide more examples as we look at this as a wide issue.  We look at how AI for health can empower different organizations to address the tough challenges in mobile health, from simply to very understanding the basics of security, how data flows work, all of these issues somehow calculate into the security and the attacks against the healthcare sector.

I think I will stop this and give an opportunity to other partners to speak, and we'll be happy to address further questions.

>> ROXANA RADU: Thank you, Liga.  We note the regional differences, and we have an intervention from Craig Jones the director of cybercrime at Interpol.  I wonder if he wants to take the mic for what they have in terms of Interpol support, I assume from various regions around the world.  Craig, are you able to take the floor?

>> PARTICIPANT: Yeah, happy to.  Thank you very much.

Some really insightful comments so far.  Looking at it through the global, regional and national lens that we have at Interpol, certainly we have seen some attacks on national critical infrastructure, and hospitals, we have seen an upswing in reporting from healthcare whether it was a hospital, whether it was researchers and they were being targeted specifically by cyber criminals because of the acquisitions they were undertaking at that time, they were very central to the work that was going on.  And sometimes the legacy systems, that vulnerability is greatly increased.

One came to us for support and we used one of our private partners to help to mitigate that attack and that took a huge amount of intervention because of their infrastructure they had.  They had some real, real difficulties and if you take it through just recently to the attack in Ireland on the HSC there, and that's when we saw the real world impacts where the ‑‑ effectively the healthcare system was taken offline and you saw people not being able to have their appointments and not having their therapy treatments.  That's an ongoing piece of work.

Then you take it from the collaboration, from the law enforcement and the private partners, how do we investigate that?  How do we identify those threat actors where the infrastructure is and then we come into the trust element there in countries working together and detecting and disrupting cybercrime, but also draws back to one of the key features we are looking at is prevention and so coming back to normal crime in a physical sense, that's taking it to an online space and whose responsibility is that?  It's a whole of society response.

But actually what we are seeing now is if you have a burglary, you won't necessarily do it beforehand.  Now people are seeing the impact of this.  It's changing, but in some countries, it's not a priority.  And in a the more developed nations we are seen in a priority but working in Africa at the moment, we look at the vulnerabilities there and it works on many different levels and certainly trying to bring the country together and we were talking about the new U.N. Conventions and I'm happy to be here as a part of IGF.  It's my first time in this forum this week, and I think we have been missing from this conversation.  Hopefully I will be able to be involved in the future, as well as my team.  Thank you very much.

>> ROXANA RADU: Thank you for this contribution.  And we heard from everyone so far about the vulnerability of the sector.  We also heard about the many actions underway to better protect healthcare.  So where are we falling short?  You brought into the discussion, Craig, the UN processes and I think we will hear more about that from Pavel.  But I would like to ask what he sees as the limitations to the current efforts and then what we are exploring diplomatically at the moment.  Pavel.

>> PAVEL MRAZ: Thank you so much for the floor.  It's a pleasure to be with you before the WEOG meets again.  Where are we falling short?  I would highlight three major things and the first one is a lack of concrete support for implementation of the commitments we made at UN level.  We are still having this basic conversation and I think it's time to move beyond that to ask how it applies.

And the third one is not really recognizing at this point the linkages between the UN sustainable development goals and the cyber capacity building on the other.

So for the first one, let me just say for the support of implementation, so we have a recognition that healthcare sector is particularly vulnerable and it's part of critical infrastructure and we need to more to do that and we have done it through the WEOG and the Czech Republic along with Australia and the United States, Kazakhstan, Estonia and Pakistan and a couple of others who really tried to push this.

Now that we have it, the question is where do we take it from there?  It cannot just stay a report.  We really need to take this somewhere.  So we need to mobilize political will and mobilize resources to implement.  I think there are a lot of states who want to make more norms and still leaving them on paper.  We need to start implementing.  So that's one thing and there's a lot we can learn from waft attacks.  We have legislations and doing cyber auditing and hospital‑specific CyberDrills, and we would like to share that with other states to see if they are interested in other measures.  The WEOG is not the right format for that.  We need different people in the room.  So going forward on implementation, we will need to think very creatively, how to create an inclusive permanent forum so we can have crossover debate with technical experts, but we are not there.  That's one place we are falling short.

On the international law, there are different strands, international human rights law and the right to live, you should not be attacking healthcare, it's a fundamental human rights and there's the IHL, which provides care to medical personnel and we are stilling whether all of these principles apply and we should be talking about specific cases and what do we need to implement international law.  And some countries even say that, you know, IHL does not apply because ICTs do not fit their definition of a weapon and I think this really takes us into a very dark place where cyberspace would be a sort of wild, wild west where no rules apply.

We need to have more specific conversations on that.  And the last one on the linkages.  We mentioned bridging the digital gaps.  We need to ensure that as we assist with digitalization, that we have cyber resilience very much in mind.  So far cyber capacity building is presented as a niche or a boutique issue, but it needs to go more mainstream.  So we believe that at least in the UN system, whenever we have digital development projects we should think about how to add cybersecurity and cyber resilience components to these projects so we are not digitalizing and creating new vulnerabilities including in the healthcare sector but instead we can start from the get‑go and build this in third‑world countries.  I think these are the three main topics I would highlight now.

>> ROXANA RADU: Thank you, Pavel.  I especially appreciated the complementarity between the two sides of cyber protection.  It's necessary to have both, and it's necessary to work on multiple levels at the same time.  From a civil society perspective and I'm turning now to Klara, why do you think some of the current efforts are ineffective?

>> KLARA JORDAN: I apologize for my voice.  I was not singing in a bar until 3:00 in the morning.  I'm sorry that you have to listen to this.  What is still not efficient and what we don't need to understand, cybersecurity is an enabler to providing care.  I think it's the mindset that we have to sort of adopt and access to health care and care is a fundamental human right.  So you know, the motivation for protecting healthcare should be looked at the access to service which is a human right.  I think that's the first thing I would say is missing.  The other thing that's missing is understanding the human impact, you know, the impact on individuals of the attacks on healthcare.

You know, we talk about, okay, well, our hospital went offline.  But do we actually know what a hospital being offline means for that provision, you know?  So we need to know what the impact on individuals is because I think that's an important motivator to the collective action and also to thinking about the accountability for these attacks.  There's an interesting conversation around how we think about this collective ‑‑ the collective sort of impact of them on society and so second point I would say that's missing is that understanding of, you know, that this is about humans.

This point is very important, we got the news that the breaches in the healthcare sector.  But we see them from the privacy perspective.  There's another important point that we have to think about is how once your data is actually stolen and dumped somewhere.  How you are open to somewhere.  When your potential employer goes to look for those because they now do that too.  You know, that one data breach can lead to a lifetime of victimization.  I think it's really important that when you are thinking about the kind of incidents that healthcare is subjected to.  We try to measure and understand it.  I think the other big issue where we are falling short is collectively making protecting healthcare a priority.

Pavel mentioned a handful of states who really pushed this in the multilateral fora.  It's a small fraction on the international community.  So really raising awareness and bringing it the forefront is super important.  I would say that the other point I want to highlight is that, you know, that collective action means collective attribution.  It means political attribution attacks on healthcare and really, working between the government and the law enforcement to bring them to the forefront like we bring to the forefront other activities of the groups whether they are criminal group or nation state.  We talk about the pandemic and all of these other sectors.  I think we have to elevate the attacks on the healthcare sector, the perpetrators behind them to the level where we put other national security issues because that's where, you know, I think the healthcare system is initiated, the cyber tracer.

We looked at who are the actors behind this.  And for example, we realized that they account for 70% of incidents.  We know who the actors are.  There's a concerted effort trying to go after them, but the reasons why we should go after them is that they are also attacking not only a sector.  It's not only a ransomware issue but is really an individual issue, and it significantly can impact the human life.  I think this is elevating this at the national security level when we talk about attribution and law enforcement action that's really brought to the forefront, not only that sector is attacked but how it impacts individual life.  Thank you.

>> ROXANA RADU: Thank you, Klara.  Thank you for bringing in the understanding of what happens to our lives in the aftermath of an attack.  It doesn't stop with the attack.  It goes beyond that.  And it can have repercussions for everything else we do and also thank you for pointing to the need to stop impunity for such actions.  The accountability framework still requires work, but we are now at a better level of understanding as to what might be needed and how some of these concerted actions could get us closer to accountability for such activities in cyberspace.  We have seen the extent of the product and there's a motivation to protect the healthcare sector but how do we ensure these efforts are effective and increase the overall resilience in the sector and ultimately our access to health care is not blocked?

Liga, can we start with you on this question, please?

>> ROZENTALE LIGA: Yes, sure.  Yeah, on this one, I mentioned there is global, regional and local ways.  We need to find in the same way how we can address different scenarios globally.  And I think we overlook the small steps that need to be taken in one situation and it's some of the whole of very small targeted projects.  It's also important to find the right partners to deliver the most results.  Just a few examples that I can think of is that looking for ways to address the supply chain that's involved in vaccine production and distribution.  We have partnered together with UNICEF to be able to provide a monitoring and tracking system to see how that's done, so that we can help those who are helping others in that particular way.

Pavel already addressed issues on international law and, of course, we are not a government, but we do bring together policymakers and the nongovernmental sector to discuss factually how the healthcare sector is back ‑‑ is being addressed through international law and how these issues need to be addressed and in the last two years we brought together many legal experts to specifically produce statements on the health of the medical sector, which has brought these independent lawyers together to really focus on what steps need to be taken globally.  And also Bruno mentioned the Paris call for security and trust.  This is high level statements on actions that need to be taken on cybersecurity and this particular initiative began over three years ago when we didn't even have particular concerns about the health care sector, and it wasn't included as such in the Paris call.

Of the other 1,200 endorsers have focused a lot on the health care sector and raised awareness through that format in the last years so that we brought on board many more participants from the healthcare sector to simply educate and have them have more visibility on what the issues are in cybersecurity.  While they are under focus, they are protected and trying to bring in one hospital at a time has been quite important.

>> ROXANA RADU: Thank you.  I will turn to Guilherme, what are the options put on the table at the moment.

>> GUILHERME ROSSO: In association of private hospitals is discussing some issues on cyber health that I am aware of, but perspective is that the healthcare sector is not organized.  So the perspective, the situation is we are discussing the issue at the individual level and the hospitals and private companies.  It's a great deficiency that we are not having the discussion.  Liga mentioned the global, regional and local perspective.  I would add intranational and institutional perspectives especially for a country as big as Brazil or the United States, or Russia or Australia or China or India.

And if you are going to manage networks of discussions and groups of discussions to protect collective ‑‑ to organize collective action, I would say regulation is not enough.  There's a need for a culture of data preservation and communication technology operators need to be aware of data protection.  I think this issue, in my perspective an important one and since we have a Q&A time following our comments, I will leave with two questions.  So work for reflection in the group.  I work in the largest pediatric country, and we have 10 billion people age 0 to 14 years of age and children are a vulnerable population by definition.  My first question is cyber security protocols should be the same for adults and children or do we need extra layers of protections for children?  How do we discuss cybersecurity in the context of new technology and the metaverse being developed including the use of extended reality and Internet of medical things, so the metaverse is coming.  How is going to be the cybersecurity discussion on the metaverse?  Thank you, Roxana.

>> ROXANA RADU: That will make for stimulating discussion and then I will ask these questions to the whole panel.

This links back to Klara's point about a change in the mentality and how we approach cybersecurity more generally.  So Klara, if you would like to come in on this question, what are some of the solutions that we need to look at in terms of collective action?

>> KLARA JORDAN: I think from the perspective of the institute, you know, I will start there, it's really to think about how we can bring the perspective of the victims of these cyber attacks into the conversations, you know, whether it is through the diplomatic community and also how do we better share at the national level with decision and policymakers and they make informed decisions and where to focus the measures being taken and how to prioritize action.  I think that's very important.  I also think that it's important to realize that no matter how much we invest in resilience which is totally important and key, we will never defend our way out of this problem.  It is unreasonable to think that every small ‑‑ where we are with technology today and I think that we are moving ‑‑ there's really positive steps where technology is moving, and we can do a lot of things at scale that we can right now do at the level of institutions whether it's cloud or other things.  Why want to charter into those territories.

I think overall if we think about it, it's hard to think that resilience will be achieved only through oppression measures.  I think that's where we really have to work on the diplomacy and connecting diplomacy to the realities on the ground and bringing really the law enforcement, the industry, and the not‑for‑profit community and the civil society into these conversations.

And I think the other key action in organizing ourselves and Pavel did mention this but reiterate the points.  They have to be actionable.  I will feel that states have to lead the conversations knowing where they should lead their action and what it actually means.  Of course, every country has different get up that sort of understanding, what is the concrete goal that we are trying to achieve and what are the objection or the recommendation is very important and I think that the multi‑stakeholder effort, it's not something that we can overstate.  We know that the inclusion of the perspectives many processes are still a challenge and so I think that really working with those governments who understand the value and are willing to promote the value will be key in helping others see and understand that, you know, that the industry of civil society is there to provide valuable input into the discussions.

When we have the discussions on the normative frameworks, again, they are very concrete and actionable and practical and they can only be, you know, like that if they are informed by the realities, you know whether from the industry or the civil society.

>> ROXANA RADU: Thank you.  A very dark perspective, we will never defend our way out and we will not do it standing alone we need this collective power and multiple actors who come together.  You mentioned concerted diplomacy.  I will turn to Pavel now to see what solutions are explored by governments at the moment and where is the Czech Republic contributing in particular?

>> PAVEL MRAZ: Thank you, Roxana, and I have to say it's always a challenge to go after Klara, because, you know, I can subscribe to everything that she was saying and on the diplomatic front, I think we as diplomats we are limited in our toolbox of what we can do.  So for this question, essentially, we can do ‑‑ because the solutions are not with us, but we can do three things.  We can build bridges.  We can empower the right voices.  And we can bring the right people into the room.  On empowering the right voices I think what Klara said on really emphasizing the victim perspective, when it comes down to cyber attacks on the healthcare system, tremendously important.

When the UN was negotiating the land mine convention, 20 years ago, nobody believed there could be an agreement they showed what the impact was of land mines on individuals.  It pressured governments to do more.  I think if we can empower the right voices as the Cyber Peace Institute, it's important.

One concrete idea is recently in our workshops on healthcare sector we had this one IT specialist in a hospital saying he tries to raise awareness about how a hospital IT system is inadequate, but unfortunately the doctors who are in charge of the hospital are not necessarily listening.  So one good idea may be to take leading specialists around the world, to basically change the dynamics and change the thinking of other doctors in the field.

So I think this is something where diplomats can contribute.  And bringing the right people into the room, Klara already mentioned this and I mentioned it as well, but we need technical specialists.  We need people from national CERTs and industry and debate these things and come to solutions together and we do have this mechanism.  I think the intergovernmental panel on climate change is a good example where policy, political and diplomatic come together to really agree on something specific.  Another example is the ITU that has sectoral members.  It has governments but it also has industry, and they do debate technical solution.  I think on cybersecurity and cyber resilience, it will be a mix of political, financial, diplomatic measures on the one hand but also technical solutions on the other.

So I would say, as a government, we support the French‑Egyptian proposal, which would actually allow us to bring all of these stakeholders together to have thematic solution‑oriented discussions and to also facilitate capacity building on cyber resilience, including in the healthcare sector and if this happens the Czech Republic would be willing to contribute a lot but right now it's very difficult to contribute there.  So that's for us.

>> ROXANA RADU: Indeed, we need this coordinated approach and I think we do need global responses.  We had a lot of fragmentation in terms of regulatory action and even private sector initiatives, but unless we approach this as a global problem, we are probably not going to get closer to the solutions we are looking for.

And I would like to open the conversation now to everyone in the room, including physically in the room at the IGF, if there is somebody joining us from Katowice and ask you to ask your questions in the chat or ask for the microphone.

I see a hand up from Liga.  Yes, please Liga.  Go ahead.

>> ROZENTALE LIGA: Yeah, I don't want to jump ahead if there's other questions.  I was just collecting some ideas and comments from what was already addressed from Gil's first question to the panelists up until some of the last comments and maybe I just start with Pavel's remarks.  I was saddened when you said the solutions are not with us.  I think, you know, we all have solutions.  We just have to find where our niche is to deliver on those and some may have more or less resources, but I think that's what the whole multi‑stakeholder model, that's the benefit of it is find resources because they are very scattered.  So that's one thing.

>> ROXANA RADU: We can't hear any more, Liga.

>> ROZENTALE LIGA: Do children need more protection.  However, I think all patients deserve the highest level of protection when they put their information in the digital space and ensuring that should not be in the hands of only their doctor.  So how can you match the rapid advancements of what can be done in the healthcare sector with the healthcare providers' ability to absorb that type of technology and that goes to the training skills and awareness that's definitely throughout the psych the best thing is that if we could address early education on cybersecurity that would go already a long way, and I think that we are definitely in the position of kids often knowing more than we do in the digital space and this should be certainly something that's considered.

At the EU side, we have difficulty because education is a national competency.  On a regional scale, we can't necessarily do that, but we do look for ways with many countries to see how we can improve the healthcare sector and a bit about cybersecurity and the metaverse.  One other thing is from the operator perspective and provider of services perspective, you know, when the digital world started ‑‑ you know, the initial surges of the Internet did not have security built in.  There was a responsible approach for developing new technologies and we have seen this in the sector of AI where we have responsible AI principles packaged in from the beginning when we start working on new technology rather than having to be in the difficult situation where if you are working in cyber space, that it was not security by design at the origin of the whole system.

>> ROXANA RADU: Thank you, Liga.  The questions we got from Gil were the following: would cybersecurity protocols be the same for adults and children and how do we discuss it in the context of new emerging technologies.  I see that Klara also has a hand up.

>> KLARA JORDAN: I think that I agree with Liga.  The privacy implications of any health care data or I mean any data period, I think can be so ‑‑ so tragic and so impactful, that the argument can be that the period of victimization is long because they will live longer, and now we look into the psychological impact.  I think about scale, and I spend a lot of time, actually working in the industry.  And I thought it's wonderful that this one organization has this technology and can buy this but how do we do these things at scale?  This goes into the development of technology.  It's giving us solution where we can pull resources or have expertise or work on security issues at scale.

It doesn't have to be managed at the level of every single hospital.  That's the issues in many countries the digitalization was not doing as protecting the sector.  It was really to protect one organization.  And I think the development of technology is now giving us really an opportunity to think, should we have a cloud for the healthcare sector and what would be the benefit and how would it work?  And what is the role of the government?  And, you know, so as we are thinking about the report of the operation, how do we do it at scale and not at the level of one organization.  It's so important, sort of for the individuals but also for the national resilience.  For me, the responsible development of any technology goes into the way we bring the multi‑stakeholder community in it, that you have the civil society.  Look, if you do this, five years from now, you will not be able to advance it or adapt it because I will get locked into something.

I think the dialogue between these communities is improving but I think we still don't do enough, and I think it can't be overstated that community needs to be there no matter what we are doing.

>> ROXANA RADU: Thank you very much for these comments and it's also important to think about what comes this from the beginning what standards we design from the beginning and what comes as an afterthought and privacy and data protection need to be implemented from the beginning.  I will go back to Guilherme to see if this answers his questions and if he would like to add anything.  Keeping in mind that we are approaching the end of the session.  So I will ask everybody to have very short interventions, please, Gil.

>> GUILHERME ROSSO: Thank you, Liga and Klara for your reflections.  I don't have anything to add, Roxana.  I think it's more a question of reflection and I would like to hear more questions from the group.

Thank you.

>> ROXANA RADU: And I'm monitoring the chat.  We have the option to raise your hand and take the floor.  Meanwhile, if we have a little bit of time, I could ask Pavel about some of the monitoring that they are doing of the standardization processes because when we look at the emerging technologies and of the challenges it might pose for cybersecurity, we obviously have to talk about standards as well.  Could you tell us a few words about how the diplomatic community is closely monitoring these organizations?

>> PAVEL MRAZ: This is a brilliant question, and it goes to the fundamental issue of data collection and human rights collection.  At least from the standpoint of our government, we really want to have technology standards that are human‑centric and oriented towards ensuring that they are user friendly while protecting his or her privacy.  And I have to say in the recent years especially at the International Telecommunication Union, there's been a number of proposals that raise specific concerns as it regards to data privacy and human rights and cybersecurity issues.  So I think that we are increasingly realizing that they have trusted and human centric and we need to focus on security by design in the whole life cycle of these ICT products and services which includes the standards so I think that after a period of sort of withdrawal of certain governments from the standardization sector, we are slowly coming back to also look into this issue to understand that we need to set these standards from the get‑go.

I cannot go into more details at this point because efforts are still ongoing and some of these negotiations are quite sensitive.  I hope this answers the question.

>> ROXANA RADU: It does.  Thank you.  So if we turn around a bit the question, and we say what is civil society bringing to this conversation, maybe we can ask Klara how we should raise the standard, and some of these fora and relatedly when we should add standards with regard to healthcare and also beyond that.

>> KLARA JORDAN: You know, how we organize the civil society.  I think the key is at least the way I see it and we have done it in some of our work, is to reach out from the civil society from around the world and have them be a part of those conversations.  I think the one ‑‑ one of the challenges, the way I perceive it now is we have well‑established civil society actors would provide a certain perspective, but sort of geographically, they work in one region or two regions.

I think there's lots of important actors who may be smaller and may be outside the North America and Europe sort of ecosystem where we mostly operate, because it's our natural environment.

For me, what civil society can do, we reach out to those partners globally in a civil society and help to bring those voices together and create platform and those who understand the processes who understand how to engage, how to write a letter, how to write a statement, what processes are happening, what expertise is needed, you know, we could ‑‑ we could provide that platform to them.  How we can organize the civil society is by more outreach and more bringing those other ‑‑ you know, other perspective into the conversations.

I will leave it at that, Roxana.

>> ROXANA RADU: Thank you, and I will go back to Liga now to see if she would like to say a few words about some of the ongoing efforts that the private sector is leading at the moment, including a series of workshops on protecting health care from cyber harm, and upcoming report we could expect and what that might bring to practitioners in the field.

>> ROZENTALE LIGA: Yeah, thank you.  As I mentioned that we have been working together very closely with the CyberPeace Institute to work on different workshops to address cybersecurity and health care and so, on our project of protecting the healthcare sector from cyber harm and maybe I can shamelessly advertise a little bit of these multistakeholder engagement that's going on next week virtually, not quite in New York, on addressing these issues on a meeting margins that will be aimed at the diplomatic community and giving the insights that unfortunately we won't be able to bring to the actual table during those discussions.

So I will try to find some links and post them in the chat, if after makes some comments I think not only during this mar project but we worked in the past on ‑‑ through the Paris Call for Trust and Security in Cyberspace and finding the best practices and case studies in addressing cybersecurity in the healthcare sector, and this has been ‑‑ resulted in various reports.  Let me see if I can find them and put them in the chat so they can be available to others at this point.

>> ROXANA RADU: Thank you.  Pavel.

>> PAVEL MRAZ: Yes, thank you so much and thanks to Liga for the promo of the event we are doing, it's a.  I just wanted to clarify that this will actually ‑‑ despite the circumstances or at least we are hoping that it will be an in‑person event.  What we are doing is apart from the usual UN procedural stuff where you have a reception and invite the heads of delegations.  We are inviting the whole stakeholder groups, including those who distributed to the contributions.  So it will be an in‑person event and if stakeholders are in New York, they are cordially invited by my boss, the special envoy for cybersecurity to attend the event.

>> ROXANA RADU: Thank you very much.  We have to end here.  We have no more time for our panel, but I would like to thank everybody for their contributions today, including in the chat, thank you once more for making this a lively discussion and for guiding us through some of the convoluted problems we're facing at the moment, I do hope we stay in touch and you can follow up on the links that you wanted to share in the chat so that everybody can have access to that information and that whoever is interested in following our work in this space can ‑‑ can easily access the information and join us in the future.  Thank you very much.  Have a good evening and rest of the day wherever you are in the world.  Good night.