Rising Ransomware Attacks and Patient Harm
Ransomware attacks on American hospitals have surged dramatically, with 460 incidents reported last year, up from 238 the previous year. Former FBI cyber division official Cynthia Kaiser testified before a House Homeland Security committee that these attacks strike more than once daily, targeting vulnerable patients during childbirth, cancer treatment, or emergency care. Research from the University of Minnesota analyzing Medicare data revealed that ransomware attacks contributed to at least 47 patient deaths between 2016 and 2021. The study, published in February, found that in-hospital mortality increases by 34% to 38% for patients already admitted when an attack begins, due to care delays and disrupted access to medical information.
Debating Legal Classifications
Cybersecurity experts and policymakers are debating whether to classify hospital ransomware attacks as terrorism under federal law. The legal definition includes violent acts dangerous to human life intended to intimidate or coerce civilians, which Kaiser argued fits when attackers encrypt hospital systems knowing patients are being diverted from care. Former CISA deputy director Nitin Natarajan noted that a terrorism designation could unlock sanctions, asset seizures, and diplomatic pressure against countries harboring cybercriminals. Additionally, Kaiser testified that the Department of Justice should consider prosecuting ransomware-related patient deaths as murder under the felony murder rule, which allows charges when a dangerous felony results in death even without direct causation.
Implementation Challenges and Defense Priorities
Experts caution that legal reclassification faces significant hurdles. Ransomware groups often operate from jurisdictions that tolerate their activities, limiting U.S. law enforcement reach. Health-ISAC Chief Security Officer Errol Weiss explained that successful homicide prosecutions would require proving a direct chain from encrypted systems to specific patient deaths, accounting for other factors like underlying conditions and staffing constraints. However, I Am The Cavalry founder Joshua Corman emphasized that existing legal tools already allow prosecutors to pursue such cases if prioritized. Ultimately, all experts agreed that legal measures should complement rather than replace stronger healthcare sector defenses, including segmenting clinical networks, maintaining tested backups, and integrating clinicians into incident response planning.
Broader Implications
While terrorism and murder designations could send powerful deterrent messages, Weiss stressed that the most effective path to reducing harm remains layered defenses protecting critical patient care systems. Corman warned against viewing legal reclassification as a complete solution, noting that addressing ransomware requires multiple investments and potential new authorities alongside existing ones.
Source: Healthcareinfosecurity