Below, Josephine Wolff, an assistant professor of cybersecurity policy at the Tufts University Fletcher School of Law and Diplomacy, examines the recent medical cybersecurity-related lawsuit and shares her thoughts on the subject.

If Springhill should be held accountable for anything, it's allowing its systems to get compromised in the first place and not having a robust restoration plan in place to get its network back online faster (it took three weeks for the hospital to restore its computer systems). But the complaint barely mentions these issues.

It alleges that Springhill withheld information about its “lack of adequate preparation and training for a cyberattack” and that the hospital “wantonly fail[ed] to have adequate rules, policies, procedures, and/or standards related to cyberattacks,” but it never actually describes in any detail the ways that the hospital had failed to adequately prepare and defend against ransomware. Without knowing more details about how the ransomware infected the hospital and what technical remediation steps the hospital management took in the aftermath of the attack, though, it’s difficult to know exactly how at fault it was.

Read the full article on Slate.