Universal Health Services is working to get back online after facing what could be the largest medical system cyberattack in U.S. history. UHS officials have not confirmed it was ransomware but did issue a statement that its system is currently down due to an IT security issue.
Two ϲ professors and cybersecurity experts offer comments on the latest developments.
Shiu-Kai Chin is a professor of electrical engineering at ϲ’s College of Engineering and Computer Science. His research interests include computer security, cybersecurity and systems assurance. He says now is not the time to play the blame game. Instead, officials should do a system-wide assessment to match safety and security expectations.
Chin says:
“Hospital operations epitomize mission-critical functions. There is a real danger of unacceptable losses happening in terms of patient injury and death.
“The key to preventing future losses is to adopt a mission-assurance mindset combined with systems thinking. What a mission-assurance mindset means is: Avoid the blame game, which focuses on finding the one person whose head will go on a platter, or the single component responsible for the entire denial of access to patient records. Safety and security emerge out of the combined efforts of all involved. Safety and security cannot be created by one component or subsystem. At a minimum, it requires a controlled process and a controller operating together within system-wide constraints that match the safety and security expectations of the system’s stakeholders.
“We need to stop admiring the problem, i.e., stop focusing entirely on ransomware. Fixing ransomware alone will not assure the hospital’s mission. We need to identify mission-essential functions, e.g., timely, accurate, and precise knowledge of patient and hospital status, identify scenarios where these functions could be compromised, i.e., wargame the scenarios, and devise mitigations and/or adjust operations and decision-making processes prior to the next attack or accident.
“Moving forward, necessary questions are: What circumstances combined with hospital operating conditions can bring about the loss of mission-critical functions leading to unacceptable losses?; What are early indications and warnings that we are operating in a hazardous state that could lead to unacceptable losses; And based on wargaming, what mitigations or plans do we have to manage ourselves out of a hazardous state to prevent or minimize unacceptable losses?”
is an associate professor at the ϲ School of Information Studies (iSchool) whose research specialty includes cybersecurity. Prof. McKnight, who will present at the Oct. 14-16, says architectures and new community awareness efforts are needed to build cyber-physical security resilience.
McKnight says:
“I felt sick to my stomach when I learned of the Universal Health Services ransomware attack.
Turning hospitals back to 1950s paper-based operations, during a pandemic, will cause people to die in spite of best efforts ad back-up plans. UHS is a huge operation with 90,000 employees now working on their penmanship.
“The need for a new secure cloud architecture approach for security, privacy, rights and ethics cloud to edge as we have been developing in public-private partnership with City of ϲ, NIST, and many firms and community organizations nationwide and worldwide, becomes more obvious every time poorly architected (for 2020) legacy systems without access control and least privileges by design bring down a company.
“The consequences of non-compliance with ransomware attackers’ demands are growing more extreme. Even as Universal Health Services struggles to restore systems, the Clark County (Las Vegas) School District is also suffering a ransomware attack. Students’ grades and personal information has been released to the Dark Web as punishment for the District not complying with their financial demands.
“Fortunately, data backups of medical information limit the damage in the UHS case. And patient records are kept in a separate system that was not accessed, so their systems do have some cyber-physical resiliency by design. But that’s not enough in the UHS case to regain control of key healthcare systems from hackers.
“Since for both schools and healthcare systems like Universal Health Services, as well as city governments, and small and large businesses, cyber-business as usual is just too easy for the hackers to take over. New architectures and new community awareness efforts are needed to build cyber physical security resilience.”
To request interviews or get more information:
Daryl Lovell
Media Relations Manager
Division of Marketing and Communications
M315.380.0206
dalovell@syr.edu |
The Nancy Cantor Warehouse, 350 W. Fayette St., 4th Fl., ϲ, NY 13202
news.syr.edu |
ϲ
A new nationwide study reveals that ozone pollution—an invisible threat in the air—may be quietly reducing the survival chances of many tree species across the United States. The research, published in the Journal of Geophysical Research: Atmospheres is the first…
A friendly competition is brewing in the corner of a basement classroom in Link Hall during the annual STEM Trekkers summer program, where students are participating in a time-honored ritual: seeing who can build a paper airplane that travels the…
Not too long ago, generative artificial intelligence (AI) might’ve sounded like something out of a sci-fi movie. Now it’s here, and it’s ready to help you write emails, schedule meetings and even create presentations. In a recent Information Technology Services…
University researchers with groundbreaking ideas in semiconductors, microelectronics or advanced materials are invited to apply for an entrepreneurship-focused hybrid course offered through the National Science Foundation (NSF) Innovation Corps (I-Corps) program. The free virtual course runs from Sept. 15 through…
The College of Engineering and Computer Science (ECS) is excited to announce that Professor Jianshun “Jensen” Zhang has been appointed interim department chair of mechanical and aerospace engineering (MAE), as of July 1, 2025. Zhang serves as executive director of…
If you need help with your subscription, contact sunews@syr.edu.
