Part I of this Article describes how the healthcare industry has arrived in this place of vulnerability, including (1) the history of the movement toward EHRs through HIPAA, (2) HIPAA’s meaningful use regulations and the background of current ransomware attacks, and (3) the distinctions between these attacks and other security breaches that have plagued large insurers and health systems within the last five years. Next, Part II will examine current industry culture when it comes to cybersecurity and review current legal and business approaches to address this growing threat. Then, Part III will argue that, while the current laws—including HIPAA and HITECH—are a good start, they do not go far enough to curb the current ransomware attacks and thus, should be amended. It will further argue that such amendments cannot be the only solution. Rather, the healthcare industry has to spur its own movement toward better and tighter security over its healthcare technology. Lastly, this Article will conclude with some suggestions and recommendations for how industry and government regulators can work together to assure that hospitals and health systems are not faced with the dilemma of having to choose between patient safety and the payment of a bitcoin ransom.
Deborah R. Farringer, Send Us the Bitcoin or Patients Will Die: Addressing the Risks of Ransomware Attacks on Hospitals, 40 SEATTLE U. L. REV. 937 (2017).