The Growing Toll of Ransomware on Patient Safety
Ransomware attacks on U.S. hospitals have surged dramatically, with 460 incidents reported last year alone, up from 238 the previous year. These attacks force hospitals to divert ambulances, cancel surgeries, and revert to paper records, directly disrupting patient care. Research from the University of Minnesota, analyzing Medicare claims data from 2016 to 2021, found that ransomware attacks were linked to at least 47 patient deaths. The study revealed that in-hospital mortality increases by 34% to 38% for patients already admitted when an attack begins, due to care delays and inability to access critical information.
The Case for Terrorism and Murder Designations
Former FBI cyber division official Cynthia Kaiser testified before a House Homeland Security committee that federal law defines terrorism as “violent acts or acts dangerous to human life” intended to intimidate a civilian population. She argued that ransomware groups encrypting hospital systems and demanding payment, knowing patients are being diverted and surgeries canceled, fit this definition. Kaiser also suggested the Department of Justice consider prosecuting patient deaths from ransomware under the felony murder rule, which allows first-degree murder charges for deaths resulting from dangerous felonies, even if not directly caused by the defendant. This approach could unlock additional government tools, including sanctions and asset seizures against ransomware groups.
Challenges and the Need for Stronger Defenses
Prosecuting such cases presents significant hurdles. Legal experts note that clinical outcomes are influenced by many factors, including underlying patient conditions and real-time medical decisions. Successful prosecution would require detailed technical forensics, correlation with medical records, and expert testimony from both clinicians and cybersecurity specialists. While terrorism or murder designations could deter some attackers, experts stress these are not substitutes for stronger cybersecurity. Recommended measures include identifying and protecting systems critical to patient care, segmenting clinical networks, strengthening access controls, maintaining tested backups, and practicing incident response with clinician involvement. A multi-layered approach combining legal deterrence with robust technical defenses is essential.
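Two of the recommended measures above, identifying the systems critical to patient care and segmenting clinical networks, are easy to state and easy to let drift. The following added example (not from the article or any source it cites) shows one way a hospital security team could audit its own segmentation policy: it takes a constructed asset inventory tagged by zone and patient-care criticality, a constructed zone-to-zone firewall allow-list, and a set of reviewed exceptions, and reports every rule that lets a non-approved source zone reach a critical clinical asset. All asset names, zone names, ports and rules are invented for illustration.

```python
# Added example: audit a simplified zone-to-zone firewall policy for paths
# from non-clinical zones into assets critical to patient care.
# Inventory, zones, ports and rules below are constructed, not real.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str
    critical: bool  # True if an outage directly disrupts patient care


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: Union[int, str]  # an int, or "any" for an unrestricted rule


# Constructed inventory: which systems live in which zone, and which
# ones the clinicians said they cannot treat patients without.
ASSETS: List[Asset] = [
    Asset("ehr-db-01", "clinical", True),
    Asset("pacs-01", "clinical", True),
    Asset("infusion-gw-01", "medical-devices", True),
    Asset("intranet-web", "corporate", False),
]

# Constructed allow-list policy between zones.
POLICY: List[Rule] = [
    Rule("corporate", "clinical", 443),
    Rule("corporate", "clinical", "any"),      # overly broad, should be flagged
    Rule("guest-wifi", "medical-devices", 22),  # guest network to pumps, flagged
    Rule("clinical", "medical-devices", 443),
]

# Exceptions that have been reviewed and accepted, keyed exactly as the rule.
APPROVED: Set[Tuple[str, str, Union[int, str]]] = {
    ("corporate", "clinical", 443),
    ("clinical", "medical-devices", 443),
}

# Zones whose assets carry patient-care workloads.
CLINICAL_ZONES: Set[str] = {"clinical", "medical-devices"}


def audit(policy: List[Rule], assets: List[Asset],
          approved: Set[Tuple[str, str, Union[int, str]]]) -> List[Tuple[Rule, List[str]]]:
    """Return (rule, exposed critical asset names) for each rule that reaches
    a clinical zone containing critical assets and has not been approved."""
    critical_by_zone: Dict[str, List[str]] = {}
    for asset in assets:
        if asset.critical:
            critical_by_zone.setdefault(asset.zone, []).append(asset.name)

    findings: List[Tuple[Rule, List[str]]] = []
    for rule in policy:
        if rule.dst_zone not in CLINICAL_ZONES:
            continue  # only paths into clinical zones are in scope here
        exposed = critical_by_zone.get(rule.dst_zone, [])
        if not exposed:
            continue  # zone holds nothing patient-care critical
        if (rule.src_zone, rule.dst_zone, rule.port) in approved:
            continue  # reviewed exception
        findings.append((rule, list(exposed)))
    return findings


def report(findings: List[Tuple[Rule, List[str]]]) -> str:
    """Render findings as one line per offending rule."""
    lines = []
    for rule, exposed in findings:
        lines.append(f"{rule.src_zone} -> {rule.dst_zone} port {rule.port}: "
                     f"exposes {', '.join(exposed)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(POLICY, ASSETS, APPROVED)))
```

Run against the constructed data, the audit flags the unrestricted corporate-to-clinical rule (it exposes the EHR database and PACS) and the guest-wifi-to-medical-devices rule, while leaving the two approved rules alone. The useful part in practice is the `APPROVED` set: every path into a clinical zone has to be either explicitly reviewed or reported, so segmentation gaps show up as a finding rather than quietly accumulating.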
Source: Healthcareinfosecurity