Calif. legislation addresses ransomware in healthcare

California is leading the charge for healthcare cybersecurity by passing legislation that outlaws ransomware and specifies how the crime should be prosecuted.

The California Senate Public Safety Committee passed the ransomware legislation written by Sen. Robert Hertzberg and co-sponsored by Los Angeles County District Attorney Jackie Lacey and TechNet.

SB-1137 amends existing law that “establishes various crimes relating to computer services and systems” and defines extortion as “obtaining the property of another, with his or her consent, induced by a wrongful use of force or fear.”

The ransomware legislation defines the introduction of such malware on a computer system, computer or data in a computer system, or computer as extortion. As such, it will be punishable by imprisonment in a county jail for either two, three or four years and a fine not exceeding $10,000.

“Sadly, ransomware attacks are increasingly common,” Hertzberg said in a statement. “Basically, this is an electronic stickup. We need to make clear that intentionally using ransomware is a very serious crime that will not be tolerated and will be prosecuted, just like any stickup. That’s what this legislation does.”

More than $209 million was paid in ransomware payments in the U.S. in the first three months of 2016 alone, according to an FBI report cited on Hertzberg's website. In comparison, $25 million in ransomware payments were made for all of 2015.

The bill includes the following definition of ransomware:

‘Ransomware’ means a computer or data contaminant or lock placed in or introduced into a computer system, computer or data in a computer system, or computer that restricts access to the system, computer, or data in some way, and under circumstances in which the person responsible for the ransomware demands payment of money or other consideration to remove the contaminant, unlock the computer system or computer, or repair the injury done to the computer system, computer, or data by the contaminant or lock.

An individual who either places a lock onto a computer system or directs another individual to do so, with the intent of demanding payment to unlock the computer or system, will be held responsible.

The legislation is designed to deter potential offenders. “SB 1137 provides a clear code section to prosecute this specific type of computer crime,” the Los Angeles County District Attorney’s Office said in a statement. “SB 1137 also provides prosecutors a much needed tool to prosecute attackers who use ransomware because California’s existing extortion statute may not properly cover the type of harm caused by ransomware.”

 

Beth Walsh, Editor

Beth earned a bachelor’s degree in journalism and master’s in health communication. She has worked in hospital, academic and publishing settings over the past 20 years. Beth joined TriMed in 2005, as editor of CMIO and Clinical Innovation + Technology. When not covering all things related to health IT, she spends time with her husband and three children.
