Major Health Care Delivery Outage as PCAST Recommends Presidential Strategy for Cyber-Physical Resilience

The President's Council of Advisors on Science and Technology (PCAST) released recommendations for strategic national changes to curb cyber-physical risks to the resilience of the 16 critical infrastructure sectors, including public health. At risk is the resilience of clinical operations, drug and vaccine distribution, and other crown jewels at health care delivery organizations, medical device manufacturers, and pharmaceutical manufacturers.

Welcome to the latest post from Prof. Kevin Fu’s UTOT (UnTrustworthy Operational Technology) Cybersecurity Blog. Today marks some highs and lows in health care and pharmaceutical cybersecurity for cyber-physical systems and Operational Technology (OT). For the 7th day in a row, a ransomware attack at Change Healthcare and UnitedHealth Group's Optum Unit has disrupted the resilience of hospitals, pharmacies, and clinics where many systems remain offline.

PCAST Working Group on Cyber-Physical Resilience

Today, the President’s Council of Advisors on Science and Technology (PCAST) released its report to the President: "Strategy for Cyber-Physical Resilience: Fortifying Our Critical Infrastructure for a Digital World." I am a member of the PCAST Working Group on Cyberphysical Resilience, where I provide advice related to the public health and health care sector. This sector includes health care delivery organizations (e.g., hospitals) and industry such as manufacturers of medical devices, pharmaceuticals, and vaccines. I previously served as the nation's first Acting Director of Medical Device Security at the U.S. Food and Drug Administration. I am a Professor at Northeastern University in Boston where I lead the Archimedes Center for Health Care and Medical Device Cybersecurity and supervise PhD students and undergraduates on interdisciplinary and experiential cybersecurity research at the SPQR Lab.

Resilience is More than Reliability or Security

The PCAST report explains that, "Resilience entails the ability of a system to anticipate, withstand, recover from, and adapt to cyberattacks and natural or accidental disruptions." Key to cyber-physical resilience is that "the core functioning of systems must continue despite failures of one or more computational or physical components." In the medical device manufacturing world, this means maintaining essential clinical functions (e.g., diagnostics and therapeutics) even if components, subsystems, or external interfaces of the medical device fail.

Sadly, the outage at Change Healthcare and Optum due to ransomware is not new or unique. In fact, the medical device community experienced a similar incident three years ago when a cancer radiation therapy company suffered an outage from ransomware that infected its private cloud that stored patient dosimetry. Just like the case of Optum, the company disconnected its cloud services to clean up the ransomware. The ransomware did not cause the outage, but the temporary remedy of disconnecting the cloud service from the Internet caused a global outage.

The cancer therapy product was advertised to have 4 nines of reliability (i.e., 99.99% uptime), which means outages of no more than roughly 52 minutes per year. This metric was likely designed for defending against mother nature, not ransomware causing prolonged, intentional outages. The radiation therapy product was unavailable for weeks, not just 52 minutes.

Summary: Resilience is Fundamental

If a health care cloud service becomes unavailable, whether due to mother nature or malicious intent, the pharmacy and radiation therapy should continue to function. Let's focus on designing in cybersecurity for resiliency and graceful, recoverable failures rather than prolonged systemwide outages that put patients at risk.
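The following is an added example, not code from the PCAST report, from Optum, or from any radiation therapy vendor. It sketches the resilience pattern the post argues for: a clinical client that prefers the cloud copy of a treatment plan, falls back to an integrity-checked local copy when the cloud is unreachable, stops hammering a dead service after repeated failures, and queues its own records for later synchronization. It also turns the "four nines" figure into a downtime budget so the two-week outage can be compared against it. The HMAC cache key, the `fetch_remote` callable, and the plan format are assumptions for the illustration.

```python
"""Graceful degradation for a cloud-dependent clinical lookup (added example).

Assumptions: a per-device cache key is provisioned at install time, and
fetch_remote(patient_id) either returns a plan dict or raises CloudUnavailable.
"""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

MINUTES_PER_YEAR = 365 * 24 * 60


def downtime_budget_minutes(nines: int) -> float:
    """Allowed downtime per year for N nines of availability (4 -> 99.99%)."""
    availability = 1.0 - 10.0 ** (-nines)
    return MINUTES_PER_YEAR * (1.0 - availability)


def exceeds_budget(outage_minutes: float, nines: int) -> bool:
    """True if a single outage alone blows the annual availability budget."""
    return outage_minutes > downtime_budget_minutes(nines)


class CloudUnavailable(Exception):
    """Raised by fetch_remote when the cloud service cannot be reached."""


@dataclass
class DosimetryClient:
    fetch_remote: Callable[[str], dict]
    cache_key: bytes                      # assumed: provisioned per device at install
    cache: Dict[str, Tuple[bytes, str]] = field(default_factory=dict)
    pending_sync: List[dict] = field(default_factory=list)
    failures: int = 0
    open_until: float = 0.0               # circuit breaker: skip the cloud until this time
    max_failures: int = 3
    cooldown_s: float = 60.0

    def _tag(self, blob: bytes) -> str:
        # Keyed MAC so a tampered or bit-rotted cache entry is refused, not used.
        return hmac.new(self.cache_key, blob, hashlib.sha256).hexdigest()

    def _store(self, patient_id: str, plan: dict) -> None:
        blob = json.dumps(plan, sort_keys=True).encode()
        self.cache[patient_id] = (blob, self._tag(blob))

    def get_plan(self, patient_id: str, now: Optional[float] = None) -> Tuple[dict, str]:
        """Return (plan, source) where source is 'cloud' or 'local-cache'."""
        now = time.monotonic() if now is None else now
        if now >= self.open_until:
            try:
                plan = self.fetch_remote(patient_id)
            except CloudUnavailable:
                self.failures += 1
                if self.failures >= self.max_failures:
                    # Open the circuit: keep treating from cache instead of retrying.
                    self.open_until = now + self.cooldown_s
            else:
                self.failures = 0
                self._store(patient_id, plan)
                return plan, "cloud"
        cached = self.cache.get(patient_id)
        if cached is None:
            raise LookupError(f"no plan for {patient_id} and cloud unavailable")
        blob, tag = cached
        if not hmac.compare_digest(tag, self._tag(blob)):
            raise ValueError("cached plan failed integrity check; refusing to use it")
        return json.loads(blob), "local-cache"

    def record_delivery(self, patient_id: str, record: dict) -> int:
        """Log a delivered fraction locally first; sync to the cloud when it returns."""
        self.pending_sync.append({"patient_id": patient_id, **record})
        return len(self.pending_sync)

    def sync(self, push_remote: Callable[[dict], None]) -> int:
        """Flush queued records; stop at the first failure and keep the rest queued."""
        sent = 0
        while self.pending_sync:
            try:
                push_remote(self.pending_sync[0])
            except CloudUnavailable:
                break
            self.pending_sync.pop(0)
            sent += 1
        return sent


if __name__ == "__main__":
    print(f"4 nines allow {downtime_budget_minutes(4):.1f} min/year of downtime")
    print("two-week outage exceeds budget:", exceeds_budget(14 * 24 * 60, 4))
```

The point of the design is that losing the cloud degrades the device to a well-defined mode (serve the last verified plan, keep recording locally) rather than taking it offline entirely; the integrity tag keeps that fallback from becoming a way to feed the device a corrupted plan.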

You can find more information about FDA regulatory expectations and statutes for medical device security here and here. You can read about the Healthcare and Public Health (HPH) Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG), which announced today its revised “Health Industry Cybersecurity Strategic Plan” (HIC-SP).

The UTOT Cybersecurity Blog is the personal opinion of Dr. Kevin Fu, Ph.D. This blog does not represent official U.S. Government policy or guidance. My opinions do not necessarily represent the official views of, nor an endorsement by my past or present employers, FDA/HHS, or the U.S. Government.

Register for Archimedes Health Care Security Week

Want to learn more about medical device cybersecurity and regulations to better prepare for FDA cybersecurity pre-market reviews of your product? Join Dr. Kevin Fu and other experts at the training and Archimedes 101 Workshop at Health Care Security Week in New Orleans April 30-May 2, 2024. Register by March 3, 2024 to receive the early bird discount: https://www.secure-medicine.org/events/2024healthcaresecurityweek
