Lawmakers at a hearing Tuesday explored ways to beef up punishments for ransomware attacks against hospitals, possibly by labeling them as more severe crimes.

One proposal floated at the House Homeland Security Committee hearing, to treat ransomware attacks as terrorism, is an idea Congress has flirted with before. Another would be to press prosecutors to pursue homicide charges in attacks on hospitals where death resulted — something German authorities also once pondered.

A former top FBI cyber official, Cynthia Kaiser, put forward both ideas at the hearing, a joint meeting of the subcommittees on Border Security and Enforcement and Cybersecurity and Infrastructure Protection on cybercrime, drawing questions and interest from members.

“I believe there are no penalties too severe for individuals that would target our health care system,” said Mississippi Rep. Michael Guest, chair of the border subcommittee, whose home state of Mississippi’s health care clinics closed following a February ransomware attack.

The suggestions stem from a growing focus by ransomware attackers on the health care sector, with incidents doubling from 238 in 2024 to 460 in 2025 according to FBI statistics, making it the top targeted sector.

Kaiser, now senior vice of the Halcyon ransomware research center, said terrorism designations from the State, Treasury and Justice departments could lead to further sanctions, restricted travel and other punishments. Justice Department guidance on homicide charges could clarify its authorities, she said.

“It sounds like the language is there, it just has not been applied in these circumstances,” said Rep. Lou Correa of California, the top Democrat on Guest’s subpanel.

The notion of more closely entwining cyberattacks and terrorism is something both Congress and the executive branch have examined recently.

The fiscal 2025 Senate intelligence authorization bill would have directly linked ransomware to terrorism, although the final version of the bill that became law was less explicit than the original Senate language. The Treasury Department last month asked for public feedback on changing a terrorism risk insurance program to address cyber-related losses.

A University of Minnesota study from 2023 estimated that hospital ransomware attacks were responsible for dozens of deaths of Medicare patients. German authorities in 2020 opened a negligent homicide investigation following a death in the aftermath of a ransomware attack, but ultimately decided against charges.

The Trump administration’s national cyber strategy advocates for taking a more offensive approach to hackers. It released an executive order on cybercrime and fraud the same day it published the strategy. Kaiser said the proposals are in line with those approaches.

Hackers know their attacks could end lives, she said. “They have simply decided these deaths are someone else’s problem,” Kaiser said.

The post Lawmakers ponder terrorism designations, homicide charges over hospital ransomware attacks appeared first on CyberScoop.

The Treasury Department is soliciting public feedback on whether it should change a terrorism risk insurance program to address cyber-related losses.

In a Federal Register notice set for publication Wednesday, Treasury seeks comment from the public for a mandatory report it must deliver to Congress this summer on the effectiveness of the terrorism risk insurance program (TRIP) created by the 2002 Terrorism Risk Insurance Act. That law arose from the Sept. 11 terror attacks and provided a federal backstop to make terrorism risk insurance more available and affordable.

Some experts have suggested that the cyber insurance industry should also get a federal backstop as the industry struggles to develop fully. With the law set to expire at the end of 2027, tying it to the reauthorization of the terrorism risk insurance law could be one way to get Congress to create such a cyber backstop.

Among the topics Treasury hopes commenters will address before it sends the report to Congress in June is the interaction between the terrorism risk insurance law and program, and cybersecurity. The agency will accept comments until May 8.

That includes: “Any potential changes to TRIA or TRIP that would encourage the take up of insurance for cyber-related losses arising from acts of terrorism as defined under TRIA, including, but not limited to the potential modification of the lines of insurance covered by TRIP and revisions to any of the current sharing mechanisms for cyber-related losses, such as, for example, the individual insurer deductible or the federal share percentage.”

In 2021, Treasury issued a rule making it clear that TRIP could cover cyber losses when written in a TRIP-eligible line of insurance. However, a Government Accountability Office report last year outlined some of the limitations there.

“Because TRIA was designed specifically as a federal backstop for losses from acts of terrorism, only losses from cyberattacks certified by Treasury as acts of terrorism would have TRIA coverage,” it states. “As a result, even large cyberattacks that result in catastrophic losses would not be covered under TRIA if they were not certified as acts of terrorism.”

Treasury said in its Federal Register notice that it wants feedback on cyber-related terrorism losses within TRIP and losses outside of it.

Cyberattacks would need to meet definitions under the terrorism risk insurance law to be certified. They need to be violent or otherwise dangerous to life, property or infrastructure, and designed to influence the U.S. population or government. Damage to U.S. organizations outside the United States still might not qualify.

Medical device maker Stryker recently suffered a wiper attack, with the pro-Palestinian, Iranian government-linked group Handala taking credit. It said the attack was in retaliation for U.S. and Israel military strikes against Iran, specifically a U.S. missile strike on a school that killed 175 people, according to Iran’s government.

The post Treasury asks whether terrorism risk insurance program should bolster cyber coverage appeared first on CyberScoop.