UC San Diego’s Center for Healthcare Cybersecurity Protects Patients and Keeps Hospitals Running
Hospitals are increasingly reliant on networked technology to access patient records and run lifesaving medical equipment. Safeguarding these systems against cyberattacks requires constant vigilance.
Cyber resiliency analyst Jonathon Guthrie unspools 150 feet of ethernet cable across a lawn on the campus of the University of California San Diego toward Almog Bar-Yossef, a student in the Department of Computer Science and Engineering. They hook the cable up to a square metal antenna which receives a satellite internet connection.
The cable extends down an outdoor staircase into the building’s basement where it connects to a hub that generates a private wireless 5G cellular network. Here, UC San Diego Health physicians Jeff Tully, M.D. and Christian Dameff, M.D., join computer scientists, engineers and graduate students as they unload multiple laptops and other computer equipment from giant black cases. The team is about to run a test deployment of one of their key projects, Project CRASHCART, in several rooms within the UC San Diego School of Medicine Simulation Training Center.
“Project CRASHCART is a hospital IT system in a box,” said Tully, assistant professor of anesthesiology and co-director of the UC San Diego Center for Healthcare Cybersecurity. The system is designed to keep a hospital’s networked systems running in the wake of a malicious cyberattack.
“What we're seeing more and more are cyberattacks on critical hospital infrastructure, attacks like ransomware — where hackers lock down internet connected systems and demand payment to restore access — or the theft of protected health information,” said Dameff, the center’s co-director and associate professor in the Departments of Emergency Medicine and Computer Science and the Division of Biomedical Informatics at UC San Diego.
A massive ransomware attack in 2024 on a medical technology corporation disrupted health care operations around the U.S., leading to delays in care. The malicious hackers exacted $22 million from the company. Hundreds of other cyberattacks occur every year in the U.S. health care sector, costing billions of dollars.
“We take care of patients — often very sick patients — every day in the hospital, and we rely on dozens or even hundreds of tools and technologies connected to the internet,” said Tully.
Sometimes, the stakes are life-or-death.
“Ransomware and other attacks on national critical health care infrastructure are a serious patient safety problem,” said Tully. “They can disrupt the care of patients with time-sensitive medical conditions like stroke, heart attack, or sepsis and lead to worse outcomes.”
That’s where Project CRASHCART comes in.
“We can bring Project CRASHCART to hospitals that have been affected by ransomware and set up many of the same types of technologies that doctors and nurses are using to safely take care of patients, including electronic health records, radiology, and laboratory systems,” Tully said. “The project has the potential to reduce hospital downtime from weeks or months to days or even hours, helping keep patients safer and saving the hospital from significant financial impacts. It could make our national health care system more resilient.”
During the test deployment of Project CRASHCART, Tully collects vital signs like blood pressure and oxygen saturation levels and performs ultrasounds on the project’s team members, while Dameff checks that the medical equipment is transmitting the biometric data through the temporary network.
The team also tests the system’s limits by simultaneously running real-time video chats on as many laptops as possible. Failure to crash the network is a sign of success.
The development of Project CRASHCART is a testament to UC San Diego’s interdisciplinary research ecosystem, uniting experts from the health system, computer science and engineering toward a common goal.
“The team that we're using to build the system and other innovative solutions for ransomware is an example of what makes UC San Diego so special,” said Tully. “We have doctors like Christian and myself in the health system, we have world expert computer scientists at the Department of Computer Science and Engineering, and an amazing group of graduate students that show up every day.”
“All of these folks come together to accomplish what had previously been thought to be an impossible task: to build a system that could be rapidly deployed anywhere within several hours,” said Dameff.
Safeguarding health care in the digital age
With initiatives like Project CRASHCART, the Center for Healthcare Cybersecurity is taking a leading role in tackling a growing challenge in modern medicine: how to ensure patient safety and safeguard patient data in an increasingly digital world.
“The critical health care services that we depend on as human beings in society are predicated on connected technology,” said Dameff. “A core mission of the center is to understand the risk so that we can focus our efforts on securing the most vital systems.”
As clinicians working in the operating room and the emergency department, respectively, Tully and Dameff have witnessed firsthand how ransomware and other cyber threats can disrupt patient care and compromise safety. A need for evidence-based research into the real world consequences of the problem inspired them to establish the center in 2023.
“We need to advance our understanding and where the evidence lies so we can make the best recommendations,” said Tully.
For example, the center found that during a months-long ransomware attack on one hospital, the emergency departments of two surrounding hospitals experienced spikes in patient load, ambulance arrivals, waiting room times, demand for stroke care and other care metrics. What’s more, the chance that patients at these nearby hospitals would survive cardiac arrest with favorable neurologic outcomes decreased by a factor of 10.
“Our research has shown that even a single attack can have regional impacts, overwhelming nearby hospitals with an influx of patients. It’s not just a local issue—it’s a national security concern,” said Dameff.
“This research is some of the first in the world to truly address how cyberattacks impact patient safety,” said Dameff. “We envision a future where cyber attacks on hospitals are of little consequence, where we can rapidly respond to them and take care of patients in a safe manner.”
Tully says rural, resource-constrained and critical access hospitals are some of the most vulnerable to cyberattacks.
“They often lack the resources or technologies that can help keep them safe and secure,” he said. “When we think about resiliency, you're only as safe as the weakest link in the chain, and a lot of our work is to develop really beneficial resources that can be given to these types of hospitals as they work to grapple with some of these challenges in order to get them back to doing what they need to do for their communities, which is care for the sickest patients around.”
Phishing — where cybercriminals pretending to represent legitimate companies send messages to health system staff in order to access protected patient data and IT systems — is a major cause of cyberattacks on health care organizations. In response, these organizations require their personnel to go through regular cybersecurity awareness and phishing training. The center’s researchers studied the efficacy of the training to inform evidence-based cybersecurity practices.
“We did the world's first randomized controlled trial on whether or not that training actually works,” said Dameff. Nearly 20,000 employees at UC San Diego Health received 10 different simulated phishing attempts via email over an eight-month period. To their surprise, the researchers found that this type of training probably doesn't make IT systems safer: participants who had recently completed cybersecurity awareness training were no more likely to identify phishing attempts than their colleagues; in fact, for some types of content, they were less likely to catch subsequent phishing attempts.
While the researchers are still trying to understand why the training is ineffective, they urge health care organizations to bolster their cybersecurity at the institutional level by requiring two-factor authentication to access IT systems and domain-specific password managers.
“We're trying to bring more academic rigor to health care cybersecurity, constructing trials that are designed to prove evidence of benefit, in the same way that you would evaluate a new drug or a new surgery,” said Dameff.
Internet surveillance
Another research initiative at the Center for Healthcare Cybersecurity involves continuously monitoring the internet via publicly available digital signals for signs of cyberattacks. The goal is to detect these attacks early to minimize their impact on the health care sector.
This effort also detects internet outages at hospitals due to non-malicious software failures and other network abnormalities.
“Our system picks up a lot of unexpected things,” said Dameff. “Now that it is in place, we can measure all sorts of things. You build a telescope to look at the moon. All of a sudden you get the benefit of looking at Mars, asteroids, and stars — something you never thought possible until you built it.”
Dameff and Tully advocate for expanded research and investment in monitoring tools and AI-powered diagnostic systems that can detect early signs of health care system outages on a national scale. They argue that such systems would better prepare hospitals for digital disruptions as part of their disaster planning.
Tully likens the idea to infectious disease surveillance systems that detect emerging pathogens, identify outbreaks and monitor infection rates at the local, state and national level, and to weather monitoring systems that provide actionable information about hurricanes.
“For a long time, we didn't have that for this incredibly important digital infrastructure that we use to take care of patients both at a local and national level,” he said. “And so, one of our key research questions was, is it possible for us to start to develop those types of systems?”
Building resilience
Other initiatives at the Center for Healthcare Cybersecurity include looking for vulnerabilities in existing medical devices that rely on internet connectivity. Because of its interdisciplinary nature, the center is uniquely positioned to train teams of ethical hackers to find security weaknesses in these technologies.
“Vulnerabilities in medical devices can be very, very concerning,” said Dameff. For example, research has shown that pacemakers to regulate a patient’s heart rhythm can be hacked to make the heart beat too fast or to shock it when it isn’t needed, and insulin pumps that control blood sugar levels can be manipulated into releasing too much of the hormone. Infusion pumps, patient EKGs and many other critical health care devices are also at risk. “A lot of them have computers in them, and they run vulnerable software. Connectivity is only increasing and becoming more wireless. Attacking them could translate to patient harm.”
This spring, Dameff testified in front of the U.S. House Oversight and Investigations Committee on the cybersecurity of legacy medical devices — older technology that is not currently supported by the original manufacturer, or that is prone to vulnerabilities from outdated software.
Building better security into the hardware that powers new and emerging digital health tools is also a key priority of the center, especially as patients increasingly adopt wearable biomedical devices such as continuous glucose monitoring systems or smartphones that continuously collect vital signs.
The center also develops training programs for hospital personnel around building more resilient networks in the case of cyberattacks and other network failures.
Simulation training is an effective tool in medical education, giving students hands-on practice responding to realistic clinical scenarios like end-stage renal disease or respiratory failure. The center recently piloted a simulation exercise requiring a clinician to problem-solve while attending to acutely ill patients in the intensive care unit with no access to networked medical resources such as electronic medical records, imaging or communication systems.
“These exercises can raise awareness among doctors and nurses that technology failure and cybersecurity incidents should remain on their ‘differential diagnosis’ for unexpected or unusual clinical situations involving networked systems,” said Tully.
Dameff and Tully also contributed to a study that used simulation training with hospital leadership, testing a 3.5-hour tabletop simulation exercise to raise awareness of cybersecurity issues and threats. Participants worked in teams to discuss their reactions to a hypothetical ransomware attack on an academic health center. The simulation demonstrated that cybersecurity preparedness was lacking in these institutions compared with threats like natural disasters or epidemics. A 2023 study similarly found that hospital managers are underprepared for cybersecurity failures.
A national priority
The Center for Healthcare Cybersecurity is shaping the future of health care in the digital age by protecting patients as well as national health care infrastructure. Much of the center’s research is part of the Healthcare Ransomware Resiliency and Response Program (HR3P), a nationwide initiative to limit the impact of cyberattacks on health care systems. HR3P is funded by the Advanced Research Projects Agency for Health (ARPA-H), a federal agency.
“ARPA-H is dedicated to solving intractable problems with really creative moonshot style approaches,” said Tully. “The center was very fortunate to receive the first ARPA-H contract within the UC system for (HR3P).”
Project CRASHCART is a prime example of this expansive vision. At the Simulation Training Center, the team debriefs and records the time it took to run the test deployment: 42 minutes. Next time, they’ll aim to best this record to improve the efficiency of the system.
“This project went from idea to functioning prototype in less than two years and was only made possible through federal funding,” said Dameff. “Research sponsored by ARPA-H can fundamentally change the equation when it comes to some of the most vulnerable hospitals because at the end of the day, if we can respond quickly with something like Project CRASHCART, we can restore safe patient care at these hospitals and get them back to doing what they need to do for their communities, which is care for the sickest patients around.”
Co-investigators on the UC San Diego Center for Healthcare Cybersecurity ARPA-H HR3P contract include Stefan Savage, Ph.D., Geoffrey Voelker, Ph.D. and Aaron Schulman, Ph.D., Department of Computer Science and Engineering, UC San Diego; Mike Hogarth, M.D., Division of Biomedical Informatics, UC San Diego School of Medicine; Rodney Gabriel, M.D., Preetham Suresh, M.D. and Claire Soria, M.D., Department of Anesthesiology, UC San Diego School of Medicine; Christopher Longhurst, M.D., UC San Diego School of Medicine; Christopher Kahn, M.D., and Christian Tomaszewski, M.D., Department of Emergency Medicine, UC San Diego School of Medicine; Jay Doucet, M.D., Department of Surgery, UC San Diego School of Medicine; Ramesh Rao, Ph.D., Qualcomm Institute.