NEWS: A sobering look at how cyberattacks on healthcare systems affect patients 

Women in hospital bed Stephen Andrews Unsplash

If you attended the virtual August 14th Information Technology Policy and Security (ITPS) meeting, you heard a startling and informative presentation from a UC San Diego physician about cyberattacks and healthcare.  

In his presentation Leeches, Mercury, and Bloodletting, OH MY: Improving Healthcare Cybersecurity Evidence by Following the Data, Christian Dameff, MD, MS, FACEP, an emergency physician, assistant professor of emergency medical services, medical director of cybersecurity and co-director: UCSD Center for Healthcare Cybersecurity, discussed how modern medicine is critically dependent on connected technology, and the devastating effects cyberattacks can have on patient care.  

It’s important to note that Dr. Dameff is a hacker and security researcher who focuses on the convergence of healthcare, patient safety, and cybersecurity. He has presented at leading hacker conferences such as DEFCON, RSA, Black Hat, DerbyCon, and BSides: Las Vegas. Additionally, he co-founded the CyberMed Summit, a unique multidisciplinary conference dedicated to cybersecurity in medical devices and infrastructure. His published work covers a range of topics including hacking 911 systems, HL7 messaging vulnerabilities, and malware. 

Key Takeaways

Takeaway #1: Data privacy is still the predominate paradigm in healthcare cybersecurity.  
Cybersecurity training/awareness is just one way healthcare systems attempt to educate healthcare administrators and providers around cyber risks and security. Phishing campaigns and password breaches that result in data leaks are especially damaging due to HIPPA. HIPPA compliance is a U.S. federal law establishes standards for the protection and confidential handling of Protected Health Information (PHI), ensuring that healthcare organizations and their partners protect patient information from unauthorized access and breaches. According to the HIPAA Journal, there were 741 healthcare breaches of 500+ records in 2023.  

Takeaway #2: Modern medicine is critically dependent on connected technology.  
If you’ve spent any time in a hospital setting in the past few years, you may have noticed that to there is near total technological dependence in these environments. Physicians and nurses rely on digital devices and technology to communicate with one another around test results, imaging, pharmaceutical records, and so much more. In fact, with these modernized systems, according to PubMed.gov, emergency department physicians spend more time entering data than on any other activity – 44% of their time.  

Takeaway #3: Cyberattacks impact these technologies and cause patient safety concerns. 
Using an example of a real-life scenario, Dr. Dameff illustrated what the ramifications of a system downtime due to a cyberattack could look like for a person having a stroke. Doctors have about 90 minutes to administer clot busters to stroke victims having an Ischemic stroke. Response time is of the essence. Any delay in testing and treatment can be catastrophic.

UC San Diego Health image showing sequence of events for medical emergency
Image from Dr. Dameff’s ITPS Presentation/UC San Diego Health

Dr. Damoff then discussed the risk of electronic devices being hacked. There have been cases where insulin pumps have been hacked, and this security flaw meant that the hackers could raise dose limits without the patient’s knowledge or consent. He also touched on a few cyberattacks that have caused chaos for health services, including the 2014 cyberattack on Boston’s Children’s Hospital by the hacktivist group, Anonymous, the Scripps ransomware attack in San Diego, and the attack on Ascension in 2024.  

Takeaway #4: Data is hard to come by
The number of ransomware trends from 2016-2021 more than doubled, with the number of patients whose PHI was exposed, increased at an even higher rate.  

What are the patient safety and care quality effects of healthcare ransomware attacks? A study done by a group of physicians, including Dr. Dameff, found that, when a hospital was flooded with patients because neighboring health systems were experiencing a cyberattack, meant that more patients left the ER without being seen, left against medical advice, and cardiac arrest patients had a low 4.5% favorable neurologic outcome (vs. 41.2%). That’s a 4.5% vs. 41.2% chance that the victim was able to walk, talk, and feed themselves after a cardiac arrest. That is because, with more patients and less time, their care was compromised. It’s clear: Ransomware degrades, delays, disrupts, and decays the digital systems that power timely life saving medical care.  

Takeaway #5: Most healthcare delivery organization are not ready or resourced to prepare for ransomware attacks.  
This last takeaway delved into cybersecurity efforts now in play that are being developed to help protect the digital health care infrastructure, such as the Biden-Harris Administration’s ARPA-H initiative to address cybersecurity threats to U.S. health care. Last year, UC San Diego was awarded a $9.5 million federal contract to help protect health care information technology from cyberattacks. Read the story here:  https://health.ucsd.edu/news/press-releases/2023-10-03-uc-san-diego-awarded-$9.5-million-to-enhance-cybersecurity-in-health-care 

In conclusion, Dr. Dameff discussed the goals of future protection, including better ways to predict incidents, detect attacks, and respond quickly. And, though digital risks are a reality, we need to remember that technology has revolutionized healthcare. It has enhanced patient care, advanced research, and improved outcomes for millions.  

Learn more about Dr. Christian Dameff on his UCSD Profile page: https://profiles.ucsd.edu/christian.dameff 

Dr. Christian Dameff

Are you a UC information security professional? Join the UC Information Technology Policy and Security (ITPS) group and join them on their monthly meetings – it’s a great way to hear case studies from peers throughout UC! https://security.ucop.edu/get-involved/itps-community.html 

Contact

Wendy Rager
Wendy Rager
Manager
Cyber Risk Coordination Center
UC Office of the President
Judi Baker
Judi Baker
Digital Risk Communications and Events Manager   
UC Office of the President

Header photo by Stephen Andrews on Unsplash