
Ransomware Attacks on Hospitals Target Patient Care, Spark Calls for Tougher Stance


American hospitals and healthcare systems were hit with 460 ransomware attacks last year — up from 238 the year before — a surge that, experts told a congressional committee, is producing diverted ambulances, canceled surgeries and measurable harm to patients.

The human toll: 47 deaths and higher in‑hospital mortality

Research from the University of Minnesota, published in February, concluded that ransomware attacks on hospitals caused at least 47 patient deaths between 2016 and 2021. The study found that among patients already admitted when an attack begins, in‑hospital mortality rises by 34% to 38% because of delays in care, inability to access patient information and related breakdowns in clinical workflows.

Joshua Corman, former chief strategist for the Cybersecurity and Infrastructure Security Agency's COVID Task Force, summarized the stakes plainly: "This is not just about data or money, this is about delayed, degraded care affecting patient care and even loss of life." He added that the literature has grown: "We've now got 20 peer‑reviewed papers, or more, that show different aspects of how these attacks degrade and delay care and worsen outcomes."

Cynthia Kaiser’s case for a terrorism designation

Cynthia Kaiser, former deputy assistant director of the FBI cyber division and now senior vice president at Halcyon's ransomware research center, testified before the House Homeland Security Committee that the federal terrorism definition — which includes "violent acts or acts dangerous to human life" that "appear to be intended to intimidate or coerce a civilian population" — could encompass some ransomware campaigns.

Kaiser argued that when a gang encrypts a hospital's systems and demands payment "knowing that patients are being diverted, that dialysis is being delayed, that surgery schedules are being canceled," there is "a serious legal argument" that the conduct fits those terrorism elements. She said a terrorism designation could unlock tools such as sanctions, asset seizures and diplomatic pressure to pursue groups operating from permissive jurisdictions.

She cautioned, however, that such a designation would not be a cure‑all: "They would not capture every ransomware actor. Nor should they."

Prosecuting patient deaths as homicide: legal options and limits

Kaiser also urged the Department of Justice to consider prosecuting some ransomware‑linked patient deaths under federal felony murder theory — where a defendant can be charged with first‑degree murder if a dangerous felony they commit results in death, even absent an intent to kill. She said: "Homicide charges in appropriate cases … would send a signal to ransomware actors that is long overdue."

Joshua Corman pushed back on the need for new authorities, noting that prosecutors already have tools to pursue manslaughter, murder and related charges: "There’s not new authorities required," he said. The practical hurdle is whether such cases are prioritized and whether prosecutors can marshal proof.

Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, spelled out why prosecutions would be complex: clinical outcomes are influenced by underlying conditions, staffing and real‑time medical decisions. He said successful prosecutions would require tracing an attack to disabled systems, linking that to specific delays or errors, and proving those problems affected survival odds — tasks that demand detailed forensics and expert testimony.

Nitin Natarajan on additional tools and deterrence

Nitin Natarajan, founder of NN Global and a former deputy director at CISA, argued that a terrorism label could expand the government's toolkit and make healthcare less attractive as a ransomware target. He listed extra levers a designation could unlock, including "sanctions, asset seizures and diplomatic pressure on countries harboring cybercriminals."

But Natarajan and Corman both noted limits tied to geopolitics and prosecution: attackers often operate from jurisdictions that tolerate or indirectly support them, and even high‑profile arrests may be seen by other actors as isolated "mistakes" rather than a meaningful deterrent. Natarajan allowed that deterrence would not be universal, but said a "multi‑pronged approach" that raises consequences and raises the difficulty of attack could make healthcare "a less desirable target."

Operational defenses hospitals must still prioritize

Experts emphasized that legal and diplomatic moves cannot substitute for hardened hospital defenses. Errol Weiss urged a layered technical and operational program: "Identifying and protecting the systems whose downtime directly impacts patient care, segmenting critical clinical networks, strengthening identity and access controls, maintaining tested and isolated backups, and exercising incident response with clinicians at the table so care can continue safely when IT is degraded."

Joshua Corman warned against focusing solely on criminal labels at the expense of remediation: "I think sometimes people look at this as, 'yeah, yeah, let's go after them, they're terrorists,' and then we take our eye off other things we can do to fix the bigger problem." He said addressing the issue will require "many investments and mind shifts within existing authorities, and possibly some new authorities."

Experts from across federal, private and clinical spheres agree on two basic propositions reflected in recent testimony: ransomware against hospitals is producing real, measurable harm, and any effective response will mix law enforcement tools, diplomatic pressure and substantial improvements in hospital resilience. How far the Justice Department and administrations will go in treating certain attacks as terrorism or pursuing homicide charges remains an unsettled — and consequential — policy choice.
