UCSD Center for Healthcare Cybersecurity fights attacks on multiple fronts

With projects like the creation of “a hospital IT system in a box” and studies on the impact of ransomware attacks on hospitals and the effectiveness of employee cybersecurity training, researchers at UC San Diego in La Jolla are trying to make hospitals more resilient in the face of cyberattacks.

The Center for Healthcare Cybersecurity was launched in 2023 by Dr. Jeff Tully, an assistant professor of anesthesiology at UCSD, and Dr. Christian Dameff, an associate professor in the departments of Emergency Medicine and Computer Science & Engineering and the Division of Biomedical Informatics.

Though they lack a building with the center’s name on it, their interdisciplinary work involves people from “a bunch of different domains,” including in the clinical field, technologists and cybersecurity experts.

“Basically everybody who has a stake in safe and secure patient-care technology all come to the center as sort of a way to convene research, education, innovation and advocacy that has a very clinically oriented but very technically rigorous focus,” Tully said.

“We really wanted an entire gambit of folks there, because our research is very practical and applied,” Dameff said. “We don’t just stop when we publish a paper. If the cybersecurity doesn’t make the patient at the bedside safer, then there’s a gap. And that’s the gap we want to fill with this center.”

Dameff and Tully came up studying medicine in Arizona. Today, one of their main focuses at the UCSD center is collecting better data to aid in cybersecurity decisions.

“We grew up as doctors, and we, in medicine, require a pretty rigorous amount of data before we can recommend a treatment or a surgery,” Dameff said.

“We subscribe to the belief that many cybersecurity problems and their solutions that are proposed are actually based on pretty poor data. When you make decisions based on bad data, you get bad outcomes.”

The center’s drive for better data was shown in a pair of studies — one on the burden hospitals bear during cyberattacks and another showing that cybersecurity training may not be as effective as people think.

The former paper, released via JAMA Network Open, evaluated two hospitals adjacent to but separate from a health-care organization victimized by a months-long cyberattack. The results, according to the study, were increased patient load, wait times and length of stay.

In the latter study, simulations of 10 different “phishing” attacks were sent to nearly 20,000 UCSD Health employees over eight months as a training exercise. The study determined those efforts did not make employees likelier to identify phishing attempts (using deceptive messages such as emails, texts or phone calls to trick people into revealing sensitive information or downloading malware). In some cases, their ability to sniff them out decreased with training, according to the study.

Tully noted the center’s growth and breadth of study since its inception.

“I would say we have built a community over the last two years,” he said. “Our faculty bench has gotten deeper, we have more projects and initiatives that have gotten underway, the papers have come out at an increasing pace. So we’ve been very pleased with how we’ve been able to scale and grow this.”

As the center grows, the researchers have made an effort to take a proactive approach to ransomware attacks, which use malicious software to encrypt or lock up a victim’s files, making them inaccessible until a ransom is paid.

“Most people think that when you get hit with ransomware, you can’t do much,” Dameff said. “You have to just put your head down and … take care of patients without technology, which is really, really disruptive.”

One of the center’s recent projects, Crashcart, challenges that assumption and raises the question: Could you place critical technology in a portable package, drive it to medical centers and immediately deploy it to help doctors, nurses and patients amid a cyberattack?

Early returns are largely positive, Dameff said.

The project, which Tully calls “a hospital IT system in a box,” can greatly reduce hospital downtime by pulling up electronic health records, radiology and laboratory systems off the grid, according to UC San Diego.

Crashcart was built over 1½ years, followed by six months of practice. Each practice run has brought improved outcomes, Dameff said.

The center’s health-care cybersecurity work comes as attacks are increasing, Tully and Dameff said. A paper they published in September 2024 said ransomware attacks on health-care organizations nearly doubled between 2016 and 2021. A 2024 attack on technology conglomerate Change Healthcare took $22 million from the company, the study said, citing a report published by Wired magazine.

That attack, Dameff said, demonstrated the extent to which health care is dependent on technology across the nation, posing national security risks.

The Center for Healthcare Cybersecurity seeks to identify those risks and intervene where possible.

“I’m very interested in trying to find out where those are and try to protect them,” Dameff said. “We’re becoming more and more dependent, and the failures are just getting higher and higher in stakes.”

To learn more, visit cyberhealth.ucsd.edu.