UC San Diego Medical School
UC San Diego School of Medicine. Courtesy of the university

UC San Diego School of Medicine researchers have been awarded $9.5 million from the Advanced Research Projects Agency for Health to develop better cybersecurity for health care systems, it was announced Tuesday.

The funding, from ARPA-H’s DIGIHEALS initiative, is the first for any UC campus and is focused on how to prevent and mitigate ransomware attacks, a type of cyberattack in which hackers attempt to extort money from organizations by blocking access to essential computer systems, a statement from the agency read.

“Health care systems are highly vulnerable to ransomware attacks, which can cause catastrophic impacts to patient care and pose an existential threat to smaller health systems,” said Dr. Christian Dameff, emergency medicine physician at UCSD Health and assistant professor at UCSD’s School of Medicine and Jacobs School of Engineering. “Developing protocols to protect health systems, especially rural and critical access hospitals, will help save lives and make health care better for all of us.”

In 2019, Dameff became medical director of cybersecurity for UCSD Health. He joins Dr. Jeff Tully, assistant clinical professor at UCSD School of Medicine, as heads of the new Center for Healthcare Cybersecurity at the university.

“UC San Diego is a world leader in health care cybersecurity, and this new center will keep us on the cutting edge of this critically understudied field for years to come,” said Dr. Christopher Longhurst, chief medical officer and chief digital officer at UCSD Health.

According to the university, ransomware attacks affecting health care delivery have been increasing in frequency and sophistication in recent years — posing threats not only to privacy, but to safety if medical records are altered or withheld.

“When I talk about cybersecurity most people only think about protecting patient data,” Dameff said. “That’s all well and good, but we need to be just as concerned about care quality and patient outcomes. The impacts of malware and ransomware don’t stop at the digital border of a hospital.”

In July 2021, UCSD reported that a data breach involving unauthorized access to employee email accounts might have led to personal information being compromised for the health care system’s patients and employees.

The breach followed a ransomware attack earlier that year involving Scripps Health, which the health care system later announced might have compromised the personal information of more than 147,000 people.

The average cost incurred by health care systems recovering from a cyberattack was $11 million, according to IBM’s 2023 Cost of a Data Breach report.

“Some smaller systems can’t absorb the costs of a major ransomware attack, so when there is one, we ultimately lose those critical hospitals permanently,” Tully said. “This is a worst-case scenario for patients who live in remote areas where there may not be another hospital for miles.”

According to the university, the researchers will focus on identifying early indicators of cyber threats through simulated ransomware attacks, and will also create and test an emergency health care technology platform to be used in the event of an attack to ensure continuity of services.

–City News Service