Medical Ransomware Attack Could Spell Disaster, Deaths During Pandemic

Universal Health Services is working to get back online after facing what could be the largest medical system cyberattack in U.S. history. UHS officials have not confirmed it was ransomware but did issue a statement that its system is currently down due to an IT security issue.

Two Syracuse University professors and cybersecurity experts offer comments on the latest developments.

********************

Shiu-Kai Chin is a professor of electrical engineering at Syracuse University’s College of Engineering and Computer Science. His research interests include computer security, cybersecurity and systems assurance. He says now is not the time to play the blame game. Instead, officials should do a system-wide assessment to match safety and security expectations.

Chin says:

“Hospital operations epitomize mission-critical functions. There is a real danger of unacceptable losses happening in terms of patient injury and death.

“The key to preventing future losses is to adopt a mission-assurance mindset combined with systems thinking.  What a mission-assurance mindset means is: Avoid the blame game, which focuses on finding the one person whose head will go on a platter, or the single component responsible for the entire denial of access to patient records. Safety and security emerge out of the combined efforts of all involved. Safety and security cannot be created by one component or subsystem. At a minimum, it requires a controlled process and a controller operating together within system-wide constraints that match the safety and security expectations of the system’s stakeholders.

“We need to stop admiring the problem, i.e., stop focusing entirely on ransomware. Fixing ransomware alone will not assure the hospital’s mission. We need to identify mission-essential functions, e.g., timely, accurate, and precise knowledge of patient and hospital status, identify scenarios where these functions could be compromised, i.e., wargame the scenarios, and devise mitigations and/or adjust operations and decision-making processes prior to the next attack or accident.

“Moving forward, necessary questions are: What circumstances combined with hospital operating conditions can bring about the loss of mission-critical functions leading to unacceptable losses?; What are early indications and warnings that we are operating in a hazardous state that could lead to unacceptable losses; And based on wargaming, what mitigations or plans do we have to manage ourselves out of a hazardous state to prevent or minimize unacceptable losses?”

********************

Lee McKnight is an associate professor at the Syracuse University School of Information Studies (iSchool) whose research specialty includes cybersecurity. Prof. McKnight, who will present at the 2020 Cybersecurity Symposium for Smart Cities Oct. 14-16, says architectures and new community awareness efforts are needed to build cyber-physical security resilience.

McKnight says:

“I felt sick to my stomach when I learned of the Universal Health Services ransomware attack.

Turning hospitals back to 1950s paper-based operations, during a pandemic, will cause people to die in spite of best efforts ad back-up plans. UHS is a huge operation with 90,000 employees now working on their penmanship.

“The need for a new secure cloud architecture approach for security, privacy, rights and ethics cloud to edge as we have been developing in public-private partnership with City of Syracuse, NIST, and many firms and community organizations nationwide and worldwide, becomes more obvious every time poorly architected (for 2020) legacy systems without access control and least privileges by design bring down a company.

“The consequences of non-compliance with ransomware attackers’ demands are growing more extreme. Even as Universal Health Services struggles to restore systems, the Clark County (Las Vegas) School District is also suffering a ransomware attack. Students’ grades and personal information has been released to the Dark Web as punishment for the District not complying with their financial demands.

“Fortunately, data backups of medical information limit the damage in the UHS case. And patient records are kept in a separate system that was not accessed, so their systems do have some cyber-physical resiliency by design. But that’s not enough in the UHS case to regain control of key healthcare systems from hackers.

“Since for both schools and healthcare systems like Universal Health Services, as well as city governments, and small and large businesses, cyber-business as usual is just too easy for the hackers to take over. New architectures and new community awareness efforts are needed to build cyber physical security resilience.”

To request interviews or get more information:

Daryl Lovell
Media Relations Manager
Division of Marketing and Communications

M 315.380.0206
dalovell@syr.edu | @DarylLovell

The Nancy Cantor Warehouse, 350 W. Fayette St., 4^th Fl., Syracuse, NY 13202
news.syr.edu | syracuse.edu

Syracuse University