[SamBam]

Yes. Of course they were supposed to do so, then. But they didn't, and now they've been hit. Now, in the real world, what are they supposed to do: pay, or hold out and let the patients die as punishment for the hospital's mistakes?

[squiggleblaz]

> Of course they were supposed to do so, then. But they didn't, and now they've been hit.

In order for this to be a useful tactic, there needs to be no defection. The only way there can be no defection is if the legislature prohibits defection.

At that point, the hospital is on notice that they have to apply adequate security measures against this kind of attack. For instance, hospitals normally have power supplies that are capable of getting them through foreseeable blackouts. If they're going to rely on computer systems in the treatment of patients, they had better make sure they're secure. Right now, today, it isn't a surprise.

And the hackers are on notice that they are effectively killing the patients. The hackers are after the money. If the threat of death will get them the money, they're all for it. If it won't, they'll move on to a country where it does work.

[kortilla]

Let the patients die. That’s on the hackers hands, not the hospital. Additionally, you’re making a huge assumption that the hackers are willing to escalate themselves to mass murders, which is a big leap most criminals aren’t willing to take.