Calif. legislation addresses ransomware in healthcare

California is leading the charge for healthcare cybersecurity by passing legislation that outlaws ransomware and specifies how the crime should be prosecuted.

The California Senate Public Safety Committee passed the ransomware legislation written by Sen. Robert Hertzberg and co-sponsored by Los Angeles County District Attorney Jackie Lacey and TechNet.

SB-1137 amends existing law that “establishes various crimes relating to computer services and systems” and defines extortion as “obtaining the property of another, with his or her consent, induced by a wrongful use of force or fear.”

The ransomware legislation defines the introduction of such malware on a computer system, computer or data in a computer system, or computer as extortion. As such, it will be punishable by imprisonment in a county jail for two, three or four years and a fine not exceeding $10,000.

“Sadly, ransomware attacks are increasingly common,” Hertzberg said in a statement. “Basically, this is an electronic stickup. We need to make clear that intentionally using ransomware is a very serious crime that will not be tolerated and will be prosecuted, just like any stickup. That’s what this legislation does.”

More than $209 million in ransomware payments was made in the U.S. in the first three months of 2016 alone, according to an FBI report cited on Hertzberg's website. In comparison, $25 million in ransomware payments was made for all of 2015.

The bill includes the following definition of ransomware:

‘Ransomware’ means a computer or data contaminant or lock placed in or introduced into a computer system, computer or data in a computer system, or computer that restricts access to the system, computer, or data in some way, and under circumstances in which the person responsible for the ransomware demands payment of money or other consideration to remove the contaminant, unlock the computer system or computer, or repair the injury done to the computer system, computer, or data by the contaminant or lock.

An individual who either places a lock onto a computer system or directs another individual to do so, with the intent of demanding payment to unlock the computer or system, will be held responsible.

The legislation is designed to deter potential offenders. “SB 1137 provides a clear code section to prosecute this specific type of computer crime,” the Los Angeles County District Attorney’s Office said in a statement. “SB 1137 also provides prosecutors a much needed tool to prosecute attackers who use ransomware because California’s existing extortion statute may not properly cover the type of harm caused by ransomware.”