Researchers at University of California San Diego School of Medicine’s newly established Center for Healthcare Cybersecurity have been awarded $9.5 million in federal funding to develop better ways to prevent and mitigate ransomware attacks.
Ransomware attacks affecting healthcare delivery have been increasing in frequency and sophistication in recent years. Because so many parts of modern healthcare delivery are computerized, these attacks pose a significant and direct threat to patients’ lives, not just their privacy.
“Healthcare systems are highly vulnerable to ransomware attacks, which can cause catastrophic impacts to patient care and pose an existential threat to smaller health systems,” said co-principal investigator Christian Dameff, M.D., emergency medicine physician at UC San Diego Health and assistant professor at UC San Diego School of Medicine and UC San Diego Jacobs School of Engineering, in a statement. “Developing protocols to protect health systems, especially rural and critical access hospitals, will help save lives and make health care better for all of us.”
In 2019, Dameff became medical director of cybersecurity for UC San Diego Health, a first-of-its-kind appointment in the United States. Now, he joins co-principal investigator Jeff Tully M.D., assistant clinical professor at UC San Diego School of Medicine, as heads of a newly established Center for Healthcare Cybersecurity at the university.
“UC San Diego is a world leader in health care cybersecurity, and this new center will keep us on the cutting edge of this critically understudied field for years to come,” said Christopher Longhurst, M.D., chief medical officer and chief digital officer at UC San Diego Health, in a statement. The new center is enabled and supported by the Joan & Irwin Jacobs. Center for Health Innovation, for which Longhurst also serves as executive director.
“When I talk about cybersecurity, most people only think about protecting patient data,” added Dameff. “That’s all well and good, but we need to be just as concerned about care quality and patient outcomes. The impacts of malware and ransomware don’t stop at the digital border of a hospital.”
In addition to the risk they pose to patients, ransomware attacks are also extremely costly. The average cost incurred by health care systems recovering from a cyberattack was $11 million dollars according to IBM’s 2023 Cost of a Data Breach report.
“Some smaller systems can’t absorb the costs of a major ransomware attack, so when there is one, we ultimately lose those critical hospitals permanently,” said Tully, in a statement. “This is a worst-case scenario for patients who live in remote areas where there may not be another hospital for miles.”
The researchers will focus on identifying early indicators of cyber threats through simulated ransomware attacks, and will also create and test an emergency healthcare technology platform to be used in the event of an attack to ensure continuity of healthcare services.
“During a ransomware attack, hospitals often have to switch back to inefficient pen-and-paper methods of administration, and this slows down health care delivery and introduces additional risks to patient safety,” said Dameff.
In addition to Dameff and Tully, the project will also leverage the expertise of cybersecurity expert and MacArthur fellow Stefan Savage, Ph.D., who holds the Irwin and Joan Jacobs Chair in Information and Computer Science at UC San Diego Jacobs School of Engineering.
Funding for the research comes from the Advanced Research Projects Agency for Health (ARPA-H) as part of the Digital Health Security (Digiheals) project to protect health systems' data infrastructure. The project is soliciting proposals for proven technologies developed for national security and apply them to civilian health systems, clinical care facilities, and personal health devices.
“The Digiheals project comes when the U.S. healthcare system urgently requires rigorous cybersecurity capabilities to protect patient privacy, safety, and lives,” said Renee Wegrzyn, Ph.D., ARPA-H director, in a statement in August 2023. “Currently, off-the-shelf software tools fall short in detecting emerging cyberthreats and protecting our medical facilities, resulting in a technical gap we seek to bridge with this initiative.”
