UC San Diego Awarded $9.5 Million to Enhance Cybersecurity in Health Care

In 2019, Dameff became medical director of cybersecurity for UC San Diego Health, a first-of-its-kind appointment in the United States. Now, he joins co-principal investigator Jeff Tully MD, assistant clinical professor at UC San Diego School of Medicine, as heads of a newly-established Center for Healthcare Cybersecurity at the university. 

“UC San Diego is a world leader in health care cybersecurity, and this new center will keep us on the cutting edge of this critically understudied field for years to come,” said Christopher Longhurst, MD, chief medical officer and chief digital officer at UC San Diego Health. The new center is enabled and supported by the Joan & Irwin Jacobs Center for Health Innovation, for which Longhurst also serves as executive director. 

Ransomware attacks affecting health care delivery have been increasing in frequency and sophistication in recent years. Because so many parts of modern health care delivery are computerized, these attacks pose a significant and direct threat to patients’ lives, not just their privacy.

“When I talk about cybersecurity most people only think about protecting patient data,” said Dameff. “That’s all well and good, but we need to be just as concerned about care quality and patient outcomes. The impacts of malware and ransomware don’t stop at the digital border of a hospital.”

In addition to the risk they pose to patients, ransomware attacks are also extremely costly. The average cost incurred by health care systems recovering from a cyberattack was $11 million dollars according to IBM’s 2023 Cost of a Data Breach report.

“Some smaller systems can’t absorb the costs of a major ransomware attack, so when there is one, we ultimately lose those critical hospitals permanently,” said co-principal investigator Jeffrey Tully, MD, an assistant clinical professor at UC San Diego School of Medicine. “This is a worst-case scenario for patients who live in remote areas where there may not be another hospital for miles.”

The researchers will focus on identifying early indicators of cyber threats through simulated ransomware attacks, and will also create and test an emergency healthcare technology platform to be used in the event of an attack to ensure continuity of health care services.

“During a ransomware attack, hospitals often have to switch back to inefficient pen-and-paper methods of administration, and this slows down health care delivery and introduces additional risks to patient safety,” said Dameff.

In addition to Dameff and Tully, the project will also leverage the expertise of cybersecurity expert and MacArthur fellow Stefan Savage, PhD, who holds the Irwin and Joan Jacobs Chair in Information and Computer Science at UC San Diego Jacobs School of Engineering and is a professor in the UC San Diego Department of Computer Science and Engineering. Ramesh Rao, PhD, director of the UC San Diego Qualcomm Institute and professor in the Electrical and Computer Engineering Department of the Jacobs School of Engineering, will also contribute to the team.

Though studying and preventing ransomware attacks are the researchers’ most pressing priorities, the project is expected to be the first of many groundbreaking initiatives that will emerge from the new Center for Healthcare Cybersecurity.

“Cybersecurity in health care is a huge problem that can affect each and every one of us, but few health care systems are prepared for the consequences of cyberattacks,” said Longhurst. “The new center is designed to address this unmet need, and this new research is just the beginning of that effort.”