First in U.S. Healthcare: UC San Diego Health Appoints a Medical Director of Cybersecurity

Sept. 17, 2019
In July, emergency physician and medical informaticist Christian Dameff, M.D., became the first medical director of cybersecurity at any U.S. patient care organization

In July, senior clinician and IT leaders at the University of California San Diego Health system (UC San Diego Health) broke new conceptual ground when they appointed an emergency physician with accreditation in clinical informatics to be that health system’s medical director of cybersecurity—in their understanding, the first such appointment in U.S. healthcare.

Christopher Longhurst, M.D., UC San Diego Health’s chief information officer and associate chief medical officer, and Ted Chan, M.D., chair of emergency medicine, announced that Christian Dameff, M.D., had been named medical director of cybersecurity for the health system. Dr. Dameff is the first graduate of the ACGME-accredited fellowship in clinical informatics at UC San Diego, and completed his fellowship training while working clinically in the emergency department (ED). Prior to his fellowship, Dr. Dameff had graduated from medical school at the University of Arizona and completed his residency training in emergency medicine at Maricopa Medical Center in Phoenix.

In the announcement, Drs. Longhurst and Chan wrote to their colleagues at UCSD Health that, “In his role as medical director of cybersecurity, Christian will work closely with the security team in the Information Services (IS) department, to continue defending the enterprise from cyber threats. He will also contribute to future enterprise cybersecurity strategy and liaise with the clinical department leadership to strengthen the organization’s cybersecurity posture. Christian is also a researcher focused on the intersection of healthcare, patient safety, and cybersecurity,” they added. “He has spoken at some of the world’s most prominent hacker forums and has published about cybersecurity topics, such as hacking 911 systems, HL7 messaging vulnerabilities, and malware.”

Shortly after the appointment was announced, Drs. Longhurst and Dameff spoke with Healthcare Innovation Editor-in-Chief Mark Hagland regarding the new role and its context. Below are excerpts from that interview.

Tell me about the most recent developments in your professional preparation for this new position?

Dameff: I was board-certified as an emergency physician two years ago, and just finished my clinical informatics training here at UC San Diego.

What led you to this moment?

It’s probably a bit of a cliché, but when I was 12, a neighbor got his first computer. And of course, I was entranced by that. So during my influential years as a teenager, I developed a passion for security. I did have a company in my late teens building compliance solutions for mortgage companies. Then I discovered my love for medicine. I worked in the ED of a community hospital, and that translated into my desire to go into medicine. And all along, I continued to be involved in the hacker community, as my friends were doing that.

Then I found that I was able to combine the two, and apply my knowledge to clinical care. I was able to apply my expertise as a hacker and security researcher, and now as a doctor—and we really need to change our paradigm of thinking. When I talk about security in informatics, nine times out of 10, people think about HIPAA. And that’s all well and good. But we need to be concerned not just about data security, but also about patient safety and care quality. There’s a uniqueness in healthcare that allows the vulnerabilities outside the hospital to come into the hospital. Malware and ransomware don’t stop at the border of the hospital. And the malicious threats are growing. I’m concerned about the impact to patient care. What are we going to be doing with emergency patient care, such as stroke care, if we’ve been hacked by ransomware?

Have you been talking about medical devices and hacking?

Dameff: Yes. Everyone thinks about IoT [Internet of Things] security. And everyone talks about how they’re lower-cost devices that are quickly designed and are vulnerable. And that’s true, but it’s a shallow understanding. For a company like Siemens, BD, or Abbott, when they bring a device to market, and are looking to bring a value-add to healthcare, they start designing a product that won’t come to market for seven or eight years. So they’ll go with the latest and greatest, which years ago was Windows 7. Windows 7 is about to sunset its support. So you might have a new or newer device that is completely unacceptable in terms of its data security. No other industry would tolerate that, but we do in healthcare out of necessity.

And we assume that we have very quick access to devices we need. When a heart attack comes in, we need to have immediate access to its use. Banks don’t need that level of immediacy. And this area is a concern that’s shared in a lot of organizations—that medical devices are vulnerable, that we aren’t getting timely patches for them, or that they have been developed by smaller companies that don’t have the capability of releasing timely patches. And it’s not true that you have to go through FDA approval to develop a patch. The next generation of medical devices will be connected pretty much no matter what. We need to develop new concepts, in order to be successful in that area.

What percentage of your time are you spending on various duties and activities?

I’m about 50 percent clinical right now; I think it’s very important to stay grounded, and to have the insight, and credibility with clinicians. I’m going to do research about 25 percent of the time, and the remaining 25 percent will be my operational role. And building legitimacy and credibility with the clinical staff will be so important. Leadership that can liaise between the IT and the clinical sides has been an important area; and historically, there’s been conflict. And one key part of my role will not only be smoothing things over, but focusing on collaboration. How can I take a technical role and liaise with the physicians, so they don’t just see it as another barrier to clinical care, but a real value-add? How can we focus on workflow, so that we minimally impact clinician workflow while initiating improved security?

Longhurst: The operational role is focused on cybersecurity, but he’s one of our physician informaticist team members, reporting to our CMIO, Dr. Brian Clay. This really represents the tip of the spear of development. Having someone like Christian, focused on the cybersecurity space, makes a lot of sense. And we’re still working to keep up with the bad guys, so Christian can help us do that, while respecting and acknowledging the workflow challenges.

In the next few months, what will be your biggest areas of focus and biggest challenges?

Dameff: I think with any new role, understanding how the current team functions, and how the various parts operate, so getting a baseline. Once you understand those dynamics, you’re then able to better strategize the future. So a big goal of mine is to go and meet everyone and look at their pain points. Some people find two-factor authentication to be challenging in practice. So, understanding attitudes around cybersecurity and then identifying where we can really move the security needle.

Another thing I want to focus on is cyber preparedness. Hospitals have plans in place for earthquakes and hurricanes and other natural disasters. There’s a dearth of guidance around what to do when you are hit with ransomware, or by Anonymous, as happened at Boston Children’s. A big element will be table-topping and simulating, so that every person involved in an emergency response has seen it before and can be prepared. And it’s important not only for us as an institution, but also to do this on a national stage. I think we’ll have a lot of other institutions partnering with us, but I’d imagine we’ll have some federal agencies getting involved with us.

Longhurst: If you think about leaders in the space, you think about Dan Nigrin, who was attacked by Anonymous, or Adam Landman at Partners Healthcare, or people at UCLA who have been hacked. I think that Christian is the leader in the country, along with his peer, Dr. Jeffrey Tulley, a pediatrician and anesthesiologist at UC-Davis in Sacramento.

How did the announcement go among UC San Diego Health physicians?

A communication was sent out to the clinical and IS teams, and the response has been very positive. And most of the anecdotal communications have been around [them saying] that this is what we need. So, it’s been very positive.

How will your role evolve in the next couple of years?

I think it will evolve via a constant stream of projects. So building and maintaining those relationships will be important; and engaging in those projects. And we’ll be doing further groundbreaking cybersecurity research going into the future. It’s a really new field without a lot of academic research. So we’ll be pioneering some academic work around this, and we’ll expand a bit to grow. I can see a natural evolution of this role into further growth.

Is there anything that either of you would like to add?

Longhurst: Academic medical centers are where specialists are trained; I think the same thing will be true in terms of identifying cybersecurity as a subspecialty of medical informatics.

What advice would you offer to CIOs and CMIOs who might consider doing this?

Dameff: That’s a great question. I think that this is a very important part of an overall strategy; but just getting a physician involved part-time without strategizing. If a physician comes to you and says, I’m concerned about all the ventilators in the ICU running on Windows XP—but if you don’t have biomedical engineering support, or other vulnerabilities—then you’re limited in what you can do. So this should be part of a maturing cybersecurity strategy, so that you’re not left with a ton of situations to fix. And we definitely need physician engagement. You don’t need a clinical informaticist with cybersecurity expertise at a small rural hospital. But that doesn’t mean you can’t pull in a physician with some expertise, into your discussions. And even simply breaking down that wall between cybersecurity and clinical informatics, is very important, and I think that anyone can do it.
