Universal Health Services is working to get back online after facing what could be the largest medical system cyberattack in U.S. history. UHS officials have not confirmed it was ransomware but did issue a statement that its system is currently down due to an IT security issue.
Two 鶹ƵUniversity professors and cybersecurity experts offer comments on the latest developments.
Shiu-Kai Chin is a professor of electrical engineering at 鶹ƵUniversity’s College of Engineering and Computer Science. His research interests include computer security, cybersecurity and systems assurance. He says now is not the time to play the blame game. Instead, officials should do a system-wide assessment to match safety and security expectations.
Chin says:
“Hospital operations epitomize mission-critical functions. There is a real danger of unacceptable losses happening in terms of patient injury and death.
“The key to preventing future losses is to adopt a mission-assurance mindset combined with systems thinking. What a mission-assurance mindset means is: Avoid the blame game, which focuses on finding the one person whose head will go on a platter, or the single component responsible for the entire denial of access to patient records. Safety and security emerge out of the combined efforts of all involved. Safety and security cannot be created by one component or subsystem. At a minimum, it requires a controlled process and a controller operating together within system-wide constraints that match the safety and security expectations of the system’s stakeholders.
“We need to stop admiring the problem, i.e., stop focusing entirely on ransomware. Fixing ransomware alone will not assure the hospital’s mission. We need to identify mission-essential functions, e.g., timely, accurate, and precise knowledge of patient and hospital status, identify scenarios where these functions could be compromised, i.e., wargame the scenarios, and devise mitigations and/or adjust operations and decision-making processes prior to the next attack or accident.
“Moving forward, necessary questions are: What circumstances combined with hospital operating conditions can bring about the loss of mission-critical functions leading to unacceptable losses?; What are early indications and warnings that we are operating in a hazardous state that could lead to unacceptable losses; And based on wargaming, what mitigations or plans do we have to manage ourselves out of a hazardous state to prevent or minimize unacceptable losses?”
is an associate professor at the 鶹ƵUniversity School of Information Studies (iSchool) whose research specialty includes cybersecurity. Prof. McKnight, who will present at the Oct. 14-16, says architectures and new community awareness efforts are needed to build cyber-physical security resilience.
McKnight says:
“I felt sick to my stomach when I learned of the Universal Health Services ransomware attack.
Turning hospitals back to 1950s paper-based operations, during a pandemic, will cause people to die in spite of best efforts ad back-up plans. UHS is a huge operation with 90,000 employees now working on their penmanship.
“The need for a new secure cloud architecture approach for security, privacy, rights and ethics cloud to edge as we have been developing in public-private partnership with City of Syracuse, NIST, and many firms and community organizations nationwide and worldwide, becomes more obvious every time poorly architected (for 2020) legacy systems without access control and least privileges by design bring down a company.
“The consequences of non-compliance with ransomware attackers’ demands are growing more extreme. Even as Universal Health Services struggles to restore systems, the Clark County (Las Vegas) School District is also suffering a ransomware attack. Students’ grades and personal information has been released to the Dark Web as punishment for the District not complying with their financial demands.
“Fortunately, data backups of medical information limit the damage in the UHS case. And patient records are kept in a separate system that was not accessed, so their systems do have some cyber-physical resiliency by design. But that’s not enough in the UHS case to regain control of key healthcare systems from hackers.
“Since for both schools and healthcare systems like Universal Health Services, as well as city governments, and small and large businesses, cyber-business as usual is just too easy for the hackers to take over. New architectures and new community awareness efforts are needed to build cyber physical security resilience.”
To request interviews or get more information:
Daryl Lovell
Media Relations Manager
Division of Marketing and Communications
M315.380.0206
dalovell@syr.edu |
The Nancy Cantor Warehouse, 350 W. Fayette St., 4th Fl., Syracuse, NY 13202
news.syr.edu |
鶹ƵUniversity
A new study looks at the physical forces that help shape developing organs. Scientists in the past believed that the fast-acting biochemistry of genes and proteins is responsible for directing this choreography. But new research from the College of Arts…
Baobao Zhang, associate professor of political science and Maxwell Dean Associate Professor of the Politics of AI, has received a National Science Foundation Faculty Early Career Development (CAREER) Award for $567,491 to support her project, “Future of Generative Artificial Intelligence…
When materials are forced into new shapes, a tipping point can shift them from flexibility and resilience to failing or breaking. Understanding that tipping point is at the core of Jani Onninen’s research. He has received a three-year grant from…
When we are young and healthy, our cells successfully monitor and manage our worn-out or damaged proteins, keeping things working properly. But as we age, this cleanup system can falter, leading to protein clumps linked to neurodegenerative diseases such as…
A new nationwide study reveals that ozone pollution—an invisible threat in the air—may be quietly reducing the survival chances of many tree species across the United States. The research, published in the Journal of Geophysical Research: Atmospheres is the first…
If you need help with your subscription, contact sunews@syr.edu.
