Healthcare cybersecurity remains a complex challenge without a universal solution. Despite ongoing efforts by the cybersecurity community to develop industry guidance, advocate for regulatory reforms and unveil new products, hospitals worldwide continue to face relentless cyberattacks and breaches.

"We have by no means made any real progress on this issue year after year. Millions of records keep getting breached despite a lot of people paying attention to the cybersecurity of patient data," Christian Dameff, M.D., an emergency physician and co-director of the University of California San Diego (UCSD) Center for Healthcare Cybersecurity, said in an interview.

Dameff and his colleague, anesthesiologist and fellow co-director Jeff Tully, M.D., launched the center in 2023, after witnessing the persistent challenges in healthcare cybersecurity.

"We care about patient safety and care quality in the era of hyperconnected healthcare and what happens when that's no longer available because of cyberattacks," Dameff said. "There wasn't anyone really doing much in this space. We saw the need and started a center so that we can raise awareness, do research and advocate in a nonpartisan way for policy changes so that we can help protect our patients."

As clinicians themselves, Dameff and Tully understand the realities of how technology integrates with patient care, and what can happen when that technology fails. The center's clinically oriented approach to healthcare cybersecurity is what sets it apart from other industry initiatives, they emphasized.

"Our research is both very epidemiologic, in that we're trying to characterize the underlying problem in the space, but also very applied as far as developing tools that people can use," Tully said.

The center's academic, clinician-led efforts to understand the real-world impacts of healthcare cyberattacks and improve incident response have added valuable evidence to a sentiment now widely accepted in the healthcare cybersecurity space: cyber safety is patient safety.

While conducting this research over the past few years, the UCSD Center for Healthcare Cybersecurity has sought to identify data gaps in healthcare cybersecurity, study and challenge accepted industry best practices and advocate for more research into a problem that continues to plague the healthcare sector.

Healthcare cybersecurity has a data gap

To Tully and Dameff, one of the strengths of their center at UCSD lies in its ability to bring a perspective from evidence-based medicine and academic research into a space historically populated by research from an echo chamber of well-meaning vendors.

The physicians suggested that there is a severe lack of a robust body of evidence to guide resource allocation and determine which interventions are most effective in preventing cyberattacks.

"Hospitals oftentimes do not want to share data with us for understandable reasons," Tully noted. "There are reputational impacts that they have to worry about. There are potential regulatory fines and penalties. There are even sometimes class-action lawsuits from patients."

This reality has created barriers to accurately measuring the impact of cyberattacks in healthcare.

What's more, while the link between cybersecurity and patient safety has been studied and accepted by the industry, that is only one part of the awareness issue. Understanding how to translate that reality into actionable insights and proven best practices remains a struggle.

"Although people are saying cybersecurity is patient safety, what we're not doing is trying to better understand with science how we make that better, how we actually protect patients," Dameff said.

Filling in data gaps where vendor-led research falls short is paramount to understanding the extent of the damage a healthcare cyberattack can cause, as well as how to prevent and mitigate it, the researchers suggested.

"Now we have to start to really roll up our sleeves and do a better job, as the industry as a whole, to determine which of the cybersecurity interventions and best practices give us the best bang for our buck, which tools are actually going to make our patients safer?" Dameff added.

Efforts to measure cyberattack fallout, rethink best practices

The UCSD Center for Healthcare Cybersecurity has conducted several studies since its founding that shed light on the industry's enduring cybersecurity problems, gradually adding more data to the conversation.

For example, in 2023, Dameff, Tully and fellow researchers published a study in JAMA Network Open examining two academic urban emergency departments adjacent to a healthcare organization during a month-long ransomware attack.

The study showed that healthcare cyberattacks were associated with disruptions at neighboring hospitals.

"The wait times in the emergency department were much longer. The overall number of patients was higher, the number of patients who left without being seen was higher," Tully said. "And all of these measures were compared statistically to periods of regular operations."

Essentially, the research found that a ransomware attack at one hospital can create a ripple effect across a region.

To the authors' knowledge, the regional impacts of healthcare cyberattacks had not previously been researched. The findings provided a meaningful rationale to view cyberattacks from a disaster perspective, like a hurricane or earthquake, rather than as isolated incidents.

In another study led by UC San Diego researchers, an analysis of phishing training for nearly 20,000 personnel at UCSD Health found limited security improvements, even though phishing training is a well-established best practice.

The researchers split the employees into randomized groups and gave some groups long anti-phishing training, some short training and others context-specific training. The results showed that these training programs did not offer significant reductions in phishing risk.

"Why are we spending millions of dollars? Why are we spending millions of our employees' hours on something that is not effective? And why are we building systems where if one of our employees clicks a phishing email, the whole system can get ransomed?" Dameff asked. "That's the type of approach in research that we hope can change the conversation about resiliency, about what tools and security actually work."

Current projects

As the UCSD Center for Healthcare Cybersecurity enters its third year, it continues not only to add more scientific data to support healthcare cybersecurity but also to craft solutions to some of the industry's most pressing issues.

For example, the center is working on the Healthcare Ransomware Resiliency and Response Program (HR3P), an effort that was bolstered by $9.5 million in funding from the HHS Advanced Research Projects Agency for Health's (ARPA-H) Digital Health Security (DIGIHEALS) project in 2023.

"This project is focused on this idea that you're not going to be able to prevent 100% of the attacks from happening, so what can you do for a hospital that's already been hit by ransomware?" Tully explained.

The center has developed a real-time monitoring system that rapidly identifies ransomware threats using detection algorithms. One ongoing project, known as CIPHER, is an open-source platform for modelling Cyberattack Impacts, Patient Harms and Emergency Response.

The team has also worked on a prototype called CRASHCART, a deployable emergency response system that provides hospitals under cyberattack with a reliable backup platform, enabling them to maintain operations even when primary systems are down.

"We're going to continue to polish those and further develop those over the next year," Tully said. "We're also interested in medical device cybersecurity. We'll be looking at ways that we can build trustworthiness into some of the very fundamental aspects of medical device design, like firmware."

As the industry continues to suffer from crippling cyberattacks and data breaches, additional research into the effects of cyberattacks on patient care, well-tested best practices and response and recovery efforts will remain crucial to informing policy and protecting patients.

"There's no security panacea. There's not going to be a set of tools that, if we put them in place, our patients and our hospitals are going to be 100% cybersecure," Dameff cautioned.

"So, what do we do when things fail? How do we build robustness and resiliency and downtime procedures so that when the inevitable cyberattack takes a hospital offline, we can respond appropriately and fail gracefully so that in that failure, we minimize harm to patients?"