Hospitals are among the most profitable targets for ransomware attacks. The ability of their systems to work as they should can literally mean the difference between life and death.
There’s crucial monitoring equipment, of course. Further, the electronic health record (EHR) systems are necessary to keep patient data current and to allow staff to access this data as needed to treat patients. Hospital systems also house confidential patient information subject to Health Insurance Portability and Accountability Act (HIPAA) regulations.
Unfortunately, that means hospitals sometimes pay ransoms of up to six figures to keep everything running, even though that’s not recommended. Sometimes they don’t even report the attack to authorities.
The problem of ransomware attacks on hospitals has gotten so bad that the Centers for Medicare & Medicaid Services (CMS) has announced a plan to include a facility’s “cyber hygiene” as a factor in determining whether it gets funding. That plan is scheduled to go into effect later this year. The criteria will likely include having digital security tools such as multi-factor authentication. One Biden administration official said it’s “homing in on those key cybersecurity practices that we really do believe bring a meaningful impact.”
When can a hospital be held liable for patient harm during a ransomware attack?
There’s no way to know how many patients have been harmed or have died because of ransomware attacks – in part because the attacks aren’t always reported. Whether a hospital can be held liable for this harm can depend on a number of factors. For example:
- Did it neglect to put protections in place that would have prevented the attack?
- Did it have back-up systems in place to protect patients during the attack?
- Did staff notify patients and families of the issue and what was being done?
- Did it notify the appropriate authorities and agencies so that ambulances could be rerouted?
Sometimes, a ransomware attack occurs despite a hospital’s best efforts to prevent it, and the hospital has a plan in place to help minimize the effect on patient safety. However, if that’s not the case and a patient suffers harm or worse, it’s worthwhile to find out whether a malpractice claim is possible.