The Rising Toll of Ransomware on Patient Care
Ransomware attacks on American hospitals have surged, with 460 incidents reported in the past year, up from 238 the year before. Former FBI cyber official Cynthia Kaiser testified before a House Homeland Security committee that these attacks now occur more than once a day and hit facilities where patients are receiving critical care such as childbirth, cancer treatment, or emergency services. Research from the University of Minnesota, analyzing Medicare claims data from 2016 to 2021, found that ransomware attacks contributed to at least 47 patient deaths. The study, published in February, found that in-hospital mortality among patients already admitted when an attack strikes rises by 34% to 38%, driven by delayed care and loss of access to electronic medical records.
Debating Legal Reclassification as Terrorism or Homicide
Kaiser testified that the federal definition of terrorism in U.S. law covers violent acts dangerous to human life that are intended to intimidate or coerce a civilian population. She argued that ransomware attacks on hospitals, which knowingly cause ambulance diversions, delayed dialysis, and canceled surgeries, could fall within that definition. According to former CISA deputy director Nitin Natarajan, such a designation would unlock additional government tools, including sanctions, asset seizures, and diplomatic pressure on countries that harbor cybercriminals. Some experts also call for the Department of Justice to apply the felony murder rule, which would let prosecutors charge ransomware operators with first-degree murder when their attacks result in patient deaths, even without intent to kill. The article cites two vulnerabilities in this context: CVE-2023-34362 (the MOVEit Transfer flaw behind a breach that affected healthcare organizations) and CVE-2024-1709 (the ConnectWise ScreenConnect flaw exploited in hospital ransomware campaigns).
Challenges and the Need for Layered Defenses
Prosecuting ransomware operators for terrorism or murder presents significant hurdles. Errol Weiss of the Health Information Sharing and Analysis Center noted that clinical outcomes depend on many factors, which makes it difficult to trace a specific patient death directly to a specific ransomware attack. A successful prosecution would need detailed technical forensics, correlation with the medical record timeline, and expert testimony from both clinicians and cybersecurity specialists. Meanwhile, advocacy group founder Joshua Corman emphasized that legal reclassification should not overshadow the need for stronger defenses. Effective protection requires identifying the clinical systems whose loss would directly endanger patients, segmenting networks so an intrusion cannot spread to them, strengthening identity controls, maintaining backups that are regularly restore-tested, and running incident response exercises with clinicians so that patient care continues safely when IT systems are unavailable.
Source: Healthcareinfosecurity