Calif. legislation addresses ransomware in healthcare

California is leading the charge for healthcare cybersecurity by passing legislation that outlaws ransomware and specifies how the crime should be prosecuted.

The California Senate Public Safety Committee passed the ransomware legislation written by Sen. Robert Hertzberg and co-sponsored by Los Angeles County District Attorney Jackie Lacey and TechNet.

SB-1137 amends existing law that “establishes various crimes relating to computer services and systems” and defines extortion as “obtaining the property of another, with his or her consent, induced by a wrongful use of force or fear.”

The ransomware legislation defines the introduction of such malware into a computer system, computer or data in a computer system, or computer as extortion. As such, it will be punishable by imprisonment in a county jail for two, three or four years and a fine not exceeding $10,000.

“Sadly, ransomware attacks are increasingly common,” Hertzberg said in a statement. “Basically, this is an electronic stickup. We need to make clear that intentionally using ransomware is a very serious crime that will not be tolerated and will be prosecuted, just like any stickup. That’s what this legislation does.”

More than $209 million was paid in ransomware payments in the U.S. in the first three months of 2016 alone, according to an FBI report cited on Hertzberg's website. In comparison, $25 million in ransomware payments was made for all of 2015.

The bill includes the following definition of ransomware:

‘Ransomware’ means a computer or data contaminant or lock placed in or introduced into a computer system, computer or data in a computer system, or computer that restricts access to the system, computer, or data in some way, and under circumstances in which the person responsible for the ransomware demands payment of money or other consideration to remove the contaminant, unlock the computer system or computer, or repair the injury done to the computer system, computer, or data by the contaminant or lock.

An individual who either places a lock onto a computer system or directs another individual to do so, with the intent of demanding payment to unlock the computer or system, will be held responsible.

The legislation is designed to deter potential offenders. “SB 1137 provides a clear code section to prosecute this specific type of computer crime,” the Los Angeles County District Attorney’s Office said in a statement. “SB 1137 also provides prosecutors a much needed tool to prosecute attackers who use ransomware because California’s existing extortion statute may not properly cover the type of harm caused by ransomware.”

 

Beth Walsh, Editor
