Hospitals throughout the country have been the targets of cyberattacks. These are commonly known as ransomware attacks because the perpetrators demand a ransom before giving victims back the use of their systems.
While ransomware attacks are bad for any organization, they’re particularly harmful for hospitals – and the patients who rely on them. Multiple systems can be affected by a ransomware attack. Critical monitoring equipment can become useless.
Patient data can become inaccessible if electronic health record (EHR) systems are down. Of course, that can cause Health Insurance Portability and Accountability Act (HIPAA) violations. Even though law enforcement agencies warn against paying ransom, hospitals have been known to pay hundreds of thousands of dollars to get their systems back.
Could tying CMS funding to “cyber hygiene” help?
While there’s no way a hospital can guarantee it won’t be the victim of a ransomware attack, there are steps it can and should take to minimize the likelihood. Now hospitals have an additional incentive to practice good “cyber hygiene.”
The Biden Administration is pushing to include cyber hygiene as a factor in determining how much funding a hospital gets from the Centers for Medicare and Medicaid Services (CMS). That means looking at what digital security tools a hospital has in place. One administration official said they are “homing in on those key cybersecurity practices that we really do believe bring a meaningful impact.”
Can a hospital be held liable for patient harm?
The practice of holding hospitals liable when a patient is harmed due to a ransomware attack is still relatively new. Even data on fatalities isn’t reliable since attacks too often go unreported.
A number of factors need to be considered in determining liability. For example:
- Did the attack occur because the hospital lacked proper digital security?
- Were there backup systems or processes in place for things like patient monitoring equipment?
- Were patients and families notified of the attack?
- Were the appropriate authorities notified?
Even if a hospital did everything possible but was still attacked, how it handled the attack can be a big factor in the amount of patient harm done. All of these things need to be considered. If you or a loved one was harmed due to a ransomware attack on a hospital or other medical facility, it’s wise to get legal guidance as soon as possible to determine your best course of action.