UCSD gets $9.5M for healthcare cybersecurity center

The University of California San Diego (UCSD) School of Medicine has secured a $9.5 million grant from the Advanced Research Projects Agency for Health (ARPA-H) as part of the DIGIHEALS initiative. This is the first ARPA-H contract granted to any University of California campus and will be used to research and develop methods to fight against ransomware attacks in healthcare. 

Ransomware attacks, in which hackers demand payment to restore access to critical computer systems, have almost doubled in healthcare since 2021 and they pose a significant threat to patient care and healthcare facilities’ ability to operate effectively. 

“Health care systems are highly vulnerable to ransomware attacks, which can cause catastrophic impacts to patient care and pose an existential threat to smaller health systems,” said Christian Dameff, MD, emergency medicine physician at UC San Diego Health and assistant professor at UCSD School of Medicine and UCSD Jacobs School of Engineering, in a statement. “Developing protocols to protect health systems, especially rural and critical access hospitals, will help save lives and make healthcare better for all of us.” 

Dr. Dameff is set to lead the university’s newly established Center for Healthcare Cybersecurity, alongside Jeff Tully, MD, an assistant clinical professor at UCSD School of Medicine. This initiative comes on the heels of Dameff’s appointment as the first-ever medical director of cybersecurity for UCSD Health in 2019. 

“UC San Diego is a world leader in healthcare cybersecurity, and this new center will keep us on the cutting edge of this critically understudied field for years to come,” said Christopher Longhurst, MD, chief medical officer and chief digital officer at UCSD Health, in a statement.  

Cyberattacks becoming more common, sophisticated, and costly

The frequency and sophistication of ransomware attacks targeting healthcare delivery have risen significantly in recent years – 54% of healthcare organizations reported they were the target of a ransomware attack in 2023 compared to 41% in 2022, according to data from Proofpoint and the Ponemon Institute.  

Given the extensive computerization of healthcare processes, these attacks pose a direct threat to patient lives, extending beyond the scope of data privacy. 

“When I talk about cybersecurity, most people only think about protecting patient data. That’s all well and good, but we need to be just as concerned about care quality and patient outcomes,” said Dameff.  “The impacts of malware and ransomware don’t stop at the digital border of a hospital.” 

An attack on one healthcare system can negatively impact neighboring hospitals and healthcare organizations, according to a study led by Dameff and published in JAMA earlier this year. The study investigated the 2021 cyberattack on Scripps healthcare and found that neighboring hospitals experienced a significant increase in patients, waiting room time and overall patient length-of-stay.  

Aside from the peril they pose to patients, ransomware attacks inflict substantial financial burdens on healthcare systems. The average cost of a cyberattack was $5 million, according to data from Proofpoint and the Ponemon Institute. The cost has increased by 13% since last year.  

“Some smaller systems can’t absorb the costs of a major ransomware attack, so when there is one, we ultimately lose those critical hospitals permanently,” said Tully, a co-principal investigator on the study. “This is a worst-case scenario for patients who live in remote areas where there may not be another hospital for miles.” 

The research team’s primary focus will revolve around pinpointing early warning signs of cyber threats by conducting simulated ransomware attacks. They will also work on the development and validation of an emergency healthcare technology platform, to ensure the continuity of healthcare services in the event of an attack, mitigating disruptions to patient care. 

“During a ransomware attack, hospitals often have to switch back to inefficient pen-and-paper methods of administration, and this slows down healthcare delivery and introduces additional risks to patient safety,” explained Dameff. 

A hospital shutting down its electronic health system can put even the most routine patients at risk. During a cyberattack that disrupted operations at Springhill Medical Center in Alabama in 2019, healthcare providers lacked the necessary technology to monitor signs of a nuchal cord birth, resulting in a failure to perform a crucial cesarean section.  

In addition to the expertise of Dameff and Tully, the project will benefit from the contributions of cybersecurity expert and MacArthur fellow Stefan Savage, PhD, who holds the Irwin and Joan Jacobs Chair in Information and Computer Science at UCSD Jacobs School of Engineering and is a professor in the university’s Department of Computer Science and Engineering. 

“Cybersecurity in healthcare is a massive problem that can affect each and every one of us, but few healthcare systems are prepared for the consequences of cyberattacks,” Longhurst shared. “The new center is designed to address this unmet need, and this new research is just the beginning of that effort.”