“You just have 10 days to send us the Bitcoin. After 10 days we will remove your private key and it's impossible to recover your files.” Message to Medstar employees. Within a span of just a few months in the spring of 2016, fourteen hospitals (four hospital systems) experienced ransomware attacks resulting in an inability for the hospitals to access any of their electronic medical records, including necessary patient data. Knowing that hospitals must have access to this data in order to appropriately treat and monitor patients, those responsible for the attacks requested a bitcoin payment as ransom for the ability to regain access to the data. At least one hospital, Hollywood Presbyterian Medical Center in Los Angeles, California, publicly acknowledging to paying the asking price of 40 bitcoin, which is equivalent to about $17,000. While these hospitals are not the only ones experiencing these ransomware attacks, the potential consequences of such attacks in the health care context are severe. With the enactment of the Health Insurance and Portability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, hospitals and other health care providers are required to adopt and meaningful use electronic health records. Thus, in order to comply with federal law, all patient health records and all patient health information that might be necessary to treat, monitor, or even admit and triage patients is tied to an electronic record keeping system. While the ultimate goals of better efficiency and better coordination (and, thus, better patient care) demonstrate the need for this push towards electronic health records, the manner in which these laws have been implemented has left hospitals and other health care providers with some challenges that were never faced in a system of paper records. This article examines recent attacks and addresses why hospitals and health care providers might be especially vulnerable to these sorts of attacks. It further surveys the various hospital responses and analyzes whether such responses may be helpful or hurtful for avoiding future attacks. This article concludes that the fractured approach to data exchange in the healthcare industry leaves hospitals and other providers open to attack, and thus, hospitals and providers need to move quickly towards a more coordinated and uniform approach to electronic health records. This can be accomplished either through federal regulations that will obligate a movement towards more coordinated systems or a grass roots movement of providers themselves in an effort to stave off these attacks, which can be devastating to providers, both operationally and financially.
40 Seattle U. L. Rev. 937 (2017)