Researchers at University of California San Diego School of Medicine have been awarded $9.5 million from the Advanced Research Projects Agency for Health (ARPA-H) as part of the DIGIHEALS initiative, which supports innovative research that aims to protect the United States health care system against hostile cyber threats. The new award, the first ARPA-H contract award for any University of California campus, will help the researchers develop better ways to prevent and mitigate ransomware attacks, a type of cyberattack in which hackers attempt to extort money from organizations by blocking access to essential computer systems.
“Health care systems are highly vulnerable to ransomware attacks, which can cause catastrophic impacts to patient care and pose an existential threat to smaller health systems,” said co-principal investigator Christian Dameff, MD, emergency medicine physician at UC San Diego Health and assistant professor at UC San Diego School of Medicine and UC San Diego Jacobs School of Engineering. “Developing protocols to protect health systems, especially rural and critical access hospitals, will help save lives and make health care better for all of us.”
In 2019, Dameff became medical director of cybersecurity for UC San Diego Health, a first-of-its-kind appointment in the United States. Now, he joins co-principal investigator Jeff Tully MD, assistant clinical professor at UC San Diego School of Medicine, as heads of a newly-established Center for Healthcare Cybersecurity at the university.
“UC San Diego is a world leader in health care cybersecurity, and this new center will keep us on the cutting edge of this critically understudied field for years to come,” said Christopher Longhurst, MD, chief medical officer and chief digital officer at UC San Diego Health. The new center is enabled and supported by the Joan & Irwin Jacobs Center for Health Innovation, for which Longhurst also serves as executive director.
Ransomware attacks affecting health care delivery have been increasing in frequency and sophistication in recent years. Because so many parts of modern health care delivery are computerized, these attacks pose a significant and direct threat to patients’ lives, not just their privacy.
“When I talk about cybersecurity most people only think about protecting patient data,” said Dameff. “That’s all well and good, but we need to be just as concerned about care quality and patient outcomes. The impacts of malware and ransomware don’t stop at the digital border of a hospital.”
In addition to the risk they pose to patients, ransomware attacks are also extremely costly. The average cost incurred by health care systems recovering from a cyberattack was $11 million dollars according to IBM’s 2023 Cost of a Data Breach report.
“Some smaller systems can’t absorb the costs of a major ransomware attack, so when there is one, we ultimately lose those critical hospitals permanently,” said co-principal investigator Jeffrey Tully, MD, an assistant clinical professor at UC San Diego School of Medicine. “This is a worst-case scenario for patients who live in remote areas where there may not be another hospital for miles.”
The researchers will focus on identifying early indicators of cyber threats through simulated ransomware attacks, and will also create and test an emergency healthcare technology platform to be used in the event of an attack to ensure continuity of health care services.
“During a ransomware attack, hospitals often have to switch back to inefficient pen-and-paper methods of administration, and this slows down health care delivery and introduces additional risks to patient safety,” said Dameff.
In addition to Dameff and Tully, the project will also leverage the expertise of cybersecurity expert and MacArthur fellow Stefan Savage, PhD, who holds the Irwin and Joan Jacobs Chair in Information and Computer Science at UC San Diego Jacobs School of Engineering.
Though studying and preventing ransomware attacks are the researchers’ most pressing priorities, the project is expected to be the first of many groundbreaking initiatives that will emerge from the new Center for Healthcare Cybersecurity.
“Cybersecurity in health care is a huge problem that can affect each and every one of us, but few health care systems are prepared for the consequences of cyberattacks,” said Longhurst. “The new center is designed to address this unmet need, and this new research is just the beginning of that effort.”
###