The White House is considering a rule that would ban companies from paying hackers' ransoms, but for hospitals and health systems, this rule could result in delays in care, Politico reported May 11.
For hospitals and health systems, paying ransoms may not always be a choice. Because healthcare organizations hold troves of sensitive patient data, sometimes paying is the only option to get it back.
In 2021, Attleboro, Mass.-based Sturdy Memorial Hospital fell victim to a data breach and decided to pay the ransom. Hackers demanded an undisclosed amount in exchange for destroying all protected health information they acquired during the breach.
Additionally, when hospitals and health systems are hacked, crucial IT systems can be taken offline, with a ransom payment being the only promise of getting them back online.
In 2019, Edison, N.J.-based Hackensack Meridian Health said it paid an undisclosed amount in ransom to stop a cyberattack that had caused a two-day shutdown of its computer network.
And in October 2019, Tuscaloosa, Ala.-based DCH Health System said it had paid hackers an undisclosed ransom to restore access to locked systems at its three hospitals.
But, according to Anne Neuberger, President Joe Biden's deputy national security adviser for cyber and emerging technology, the rule could provide some flexibility for organizations that provide emergency care or are necessary to daily life.
For instance, Ms. Neuberger said hospitals could ask for government approval to pay the ransom to decrypt their systems.