What do Human Viruses and Computer Viruses Have in Common? The Doctor’s View of Cyber Threats in Healthcare

About Christian Dameff:

Dr. Christian Dameff is an Emergency Physician, Clinical Informaticist, and researcher. Published clinical works include post-cardiac arrest care including therapeutic hypothermia, novel drug targets for acute myocardial infarction patients, ventricular fibrillation waveform analysis, cardiopulmonary resuscitation (CPR) quality and optimization, dispatch-assisted CPR, teletoxicology, clinical applications of wearables, and electronic health records.

About Jeff Tully:

Dr. Jeff Tully is a security researcher with an interest in the intersections between medical technology and patient safety. His work on 911 infrastructure vulnerabilities, exploitation of HL7 protocols, and simulations of hacked medical devices has been featured at RSA-C, DEF CON, Black Hat, and in the national media. He is a co-founder of the CyberMed Summit, a clinically-focused healthcare cybersecurity conference, and during his day job as an anesthesiologist focuses primarily on the delivery of oxygen to various tissues.

Outcomes Rocket_Christian Dameff & Jeff Tully_Cyber Awareness: Audio automatically transcribed by Sonix

Outcomes Rocket_Christian Dameff & Jeff Tully_Cyber Awareness: this mp3 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.

Saul Marquez:
Hey everybody! Saul Marquez with the Outcomes Rocket. I want to welcome you back to this amazing podcast series on cybersecurity in healthcare. Just an amazing lineup of guests, and today I’ve got two extraordinary guests that I’m going to present to you, two physicians that are deep into the research, deep into the practice of cybersecurity, and keeping us all at the top of our cyber safety game. First, I want to introduce Dr. Christian Dameff. He is an emergency physician, clinical informaticist, and researcher. Dr. Dameff is also a hacker and security research specialist interested in the intersection of healthcare, patient safety, and cybersecurity. He has spoken at some of the world’s most prominent hacker forums and is one of the co-founders of the CyberMed Summit. We’ll be learning more about that in this podcast. It’s a novel multidisciplinary conference with an emphasis on medical device and infrastructure cybersecurity. Published cybersecurity topics include Hacking 911 systems, HL7 messaging vulnerabilities, and malware. We also have the outstanding Dr. Jeff Tully with us. He is a security researcher with an interest in the intersections between medical technology and patient safety. He’s also worked on 911 infrastructure vulnerabilities, exploitation of HL7 protocols, and simulations of hacked medical devices. He is also co-founder of the CyberMed Summit, the clinically focused Healthcare Cybersecurity Conference, and during his day job as an anesthesiologist, focuses primarily on the delivery of oxygen to various tissues. So doctors Dameff and Tully, welcome to the podcast.

Jeff Tully:
Saul, thank you so much. It’s great to be with you. We really appreciate the opportunity to speak with you and your audience and Happy October, Cybersecurity Awareness Month.

Christian Dameff:
Yeah, we’re just really thankful for this. I think we’re going to touch on some cool topics today and again, just thankful for the invitation.

Saul Marquez:
Yeah, no, it’s such a pleasure to have you both on. And you know, I do have to start with the question. You know, both of you guys are rocking and rolling, you know, renowned physicians. What inspired your interest in cybersecurity?

Christian Dameff:
That’s a great question. You know, we actually grew up in the hackerspace kind of before we turned our attention towards medicine. And, you know, back in the day, we never really imagined that we would be able to have a job in cybersecurity. It was just something you would do with your friends, right? You were a hacker, you explored systems, you know, maybe some of which you shouldn’t have, but at the end of the day, it was about curiosity and more of an identity or a lifestyle or just kind of a not really a hobby, but just part of who we were. And then when we both went to medical school, that’s when we met and realized that our passions for cybersecurity and medicine were able to come together into some really cool work, right? So that’s what we’re here to talk about today. But at the heart of it, you know, we were kind of hackers long before we were doctors.

Saul Marquez:
Very cool, very cool. Any twist on that, Dr. Tully?

Jeff Tully:
I think the telling gets grander and grander each time we go through it and the myth grows and grows, but the reality of the situation is that, you know, when Christian and I met in med school, we very quickly learned that a lot of the same technologies and systems that we were familiar with in our hobbies as hackers, we know we use those same types of tools to take care of patients. And that’s when we put two and two together and said, hey, wait a minute, is cybersecurity something that we need to be worried about from the perspective of patient safety? And so we’re really excited to further explore that with you.

Saul Marquez:
That’s fantastic, appreciate that. So the title of this podcast is what do human viruses and computer viruses have in common? Let’s start with that one.

Jeff Tully:
Yeah, sure, so the analogy isn’t quite perfect, but it can be useful in a couple of ways when we think about healthcare cybersecurity. So first, you know, you’ve heard the adage that an ounce of prevention is worth a pound of cure, and that’s true in both cases, right? We constantly want to do everything that we can to reduce the risk of a cyber attack like a ransomware infection, and we often employ basic cyber hygiene practices to do that, and I think of those as like the equivalent of washing our hands, right? Things like secure passwords, using multifactor authentication, or being on guard against phishing emails. But we do know that, however, just like in real life, we will never be totally free from the common cold or flu. We unfortunately can’t prevent 100% of cybersecurity incidents. They’re going to happen and we need to be ready to respond to and recover from them. And so here we can think about kind of parallels between our immune systems and the policies and contingencies that healthcare delivery organizations can employ to make sure that the damage is minimized, our patients are protected, and the disruptions to operations in business are as brief as possible.

Christian Dameff:
You know, I think there’s also an interesting analogy about how our immune systems work. Our bodies have protections against novel pathogens, so if there’s some newly mutated influenza virus that’s circling every year, our body has some innate ability to deal with those pathogens, even though they’ve never seen them before. And that’s what I think is also what Jeff alluded to, that’s the cyber hygiene. That’s kind of the basic protections that an organization or medical device should employ to keep itself more resilient at baseline. But our immune system does something pretty amazing, and when it is introduced to a new pathogen, it learns from it. It’s able to take some of those generic protections that might keep you alive, and then so after you live, it needs to build better, more specific protections against that virus, and so it develops more specific antibodies, for example. We want to draw the analogy that we need more of that learning to be shared among individuals who have unfortunately suffered certain attacks, right? Why should every organization be reinventing the wheel when they respond to attack instead of listening to how another organization had to deal with that and proactively protect themselves against more specific attacks, particular strains of ransomware, for example, or new novel methods of attacking healthcare? What we really should be doing is kind of sharing our more specialized immune system in cyber, if you will.

Saul Marquez:
Yeah, some great analogies there and a good way to frame it all. So, you know, it’s one thing to think about it as physician and healthcare as well as administrative leader, it’s another thing to flip the script and think about cybersecurity as a patient. Is there actually something patients need to do about cyber when they’ve got a stethoscope against their back?

Jeff Tully:
Yeah, that’s a great question too. And I think it comes from a place where we’re really witnessing an exciting period where we have Internet-connected medical devices that are revolutionizing the care for a number of chronic conditions like diabetes or abnormal heart rhythms. You can think of a pacemaker that’s able to send your doctor information about how your heart is functioning. You know, that type of connectivity really allows us to more closely monitor patients, and in many cases, the patients have a greater insight into their own data too. And then even outside of that, we’re all patients in a healthcare system that is becoming increasingly reliant on technological infrastructure like the electronic medical record or imaging systems. So our point here is that it’s really important for both patients and clinicians to be aware of cybersecurity as really a component of holistic medical care these days. And one of the areas that Christian and I are working on exploring is a concept that we’re calling cybersecurity informed consent. And so you may be familiar with informed consent as this very important aspect of the physician-patient relationship, where we discuss therapies in the settings of potential risks, benefits, and alternatives, right? So if we need to take you back for surgery, we want to make sure that you understand the potential risks of the surgery, how the surgery is going to help you, and what other options we may have. And so both clinicians and patients don’t really have experience in discussing the potential cybersecurity vulnerabilities that a patient maybe experienced in the context of getting a new medical device or patients may not know what types of questions to ask about how their data is protected or stored. So how to best educate both of these parties and uncover shared values is something that we’re looking into with our research.

Christian Dameff:
And I also think just prompting these types of questions before things happen, maybe not even in the forum of an official informed consent conversation, but more, hey, how is this going to impact the storage of my data, or how may the connectivity of this device impact my attack surface? These types of things are just important conversations to have, because what we’ll need is a significant culture change in medicine, right? We’re going to need to be able to convince people that they, doctors and patients, should both care about this. And, you know, fortunately, or unfortunately, depending on how you look at it, there really is no other forum where a patient may easily get this information. You go to your doctor because you have health questions. If you have cyber health questions, there’s no cyber health clinic where you can bring in some pen tester and some doctor and they can talk about this. There really is no kind of precedent for this. So when we look at what the future looks like, we’re going to be left with this really interesting question, which is, should you teach doctors to be cybersecurity aware and have those conversations with patients, or should we be pursuing something else? Because at the end of the day, you know, doctors don’t, right now, speak any cyber.

Saul Marquez:
Yeah, you know, these are some really great points. That’s actually where my head was going, Christian, is, in the universities and the medical schools. Does this become part of that, the track?

Christian Dameff:
Yes.

Jeff Tully:
That’s a great question, Saul, you know, medical education is something that is so dynamic and changes on almost a year-to-year basis. And with everything that a physician has to know, it can be very hard sometimes to get into the conversation with educators and say, hey, can you make a little bit of time for us to talk about some of these cybersecurity issues? And I think that really gets into some of the other topics that we’re going to discuss today. You know, how do we take the average physician and/or nurse, or physician assistant? You know, the care team encompasses a whole host of different professionals, all who have incredibly important roles in patient care. How do we bring them all to the table and say, look, cyber is something that you should care about?

Christian Dameff:
And I think you were just alluding to this. You know, should we take some time out of a very busy medical school curriculum to teach them about things like vulnerabilities in medical devices or cyber informed consent or what happens to patients’ data and why you should be a good steward of this? You know, I think Jeff and I, obviously being really exposed to cyber and researchers in this space, you know, we fall on the side that we do believe this is an important topic and will become increasingly important as we become more dependent on connected technology. And if you’re a doctor, or a clinician, or all the other people that we mentioned in the care team, you can’t afford to just be users of the technology, you’re also a steward of the technology. And so we advocate adding this type of content, you know, in appropriate doses and at the appropriate level, in medical school curriculums or in graduate medical education, like residents and fellows, and we think that we should teach doctors that are out there in practice about these topics. The balance truly ends up being how deep do you go to be effective in teaching them this and at what expense? You know, at the end of the day, do you want to teach them cyber at the expense of teaching them about some brand new drugs that are coming out that will really help revolutionize the care of diabetes? There’s only so many hours in the day. And so what ends up happening in the future, we’re really excited to see; we have seen some traction in this and some people reaching out to us. So in this regard, it may end up being a standard thing in the curriculum, but we’ll just have to wait and see. It’s really, though, an exciting time right now because we’re just trying to formulate this, and so there’s a lot of opportunity and a lot of really important voices that need to come together to figure this out.

Saul Marquez:
Some great, great thoughts there, guys. And so, you know, you’ve got this dynamic, and I think if it goes anywhere, you guys are at the helm of it. You guys are doing some really great work specific to, and I think this is a good opportunity to talk about the CyberMed Summit, right? Doctors should care about cybersecurity, you’ve highlighted a couple of those. The IT team, of course, they need to be focused on it. Within the context of CyberMed Summit, I want to give you guys a chance to talk about that, and why should doctors care about cybersecurity?

Jeff Tully:
Yeah, thank you, Saul. So we really view cybersecurity in the healthcare setting very similar to how we think of patient care teams. And there is an important role for the physician, absolutely, but nothing would get done if it weren’t for the bedside nurses and nothing would get done if it weren’t for the folks who helped transport patients from one area to the next, and nothing will get done if there weren’t folks working hard in the cafeteria to get people food, right? So it’s really about a team dynamic. And so in healthcare, cybersecurity, we take a stakeholder perspective where we want to bring everybody into the conversation. So yeah, absolutely, we want to bring in the clinician because we are physicians. We also want to bring in the hacker, we also want to bring in the medical device manufacturer, the healthcare delivery organization, and the federal regulator. You know, there are many different stakeholder groups that are not really served all the time in some of the conversations that are happening at the more technical conferences or some of the more industry-focused conferences, and that’s great. Those are important spaces as well, but when we started CyberMed Summit, we really wanted to bring as many people to the table as possible and say, how can we talk about cybersecurity in a patient safety-oriented fashion, which is kind of a little bit new back in 2017 when we first founded the conference. So this is something that we feel very strongly about. We put a lot of volunteer work into putting on a conference that is free to attend, we don’t charge anything, and we really try and do our best to provide an interesting and novel perspective on some of the topics that are consuming the space. So this year we’re going to be meeting at UC San Diego in beautiful La Jolla on Friday, November 18th, and Saturday, November 19th. 
We’re going to be focusing on the last couple of years we’ve had and the spate of ransomware attacks that have affected healthcare delivery organizations and how do we prepare for and respond to and recover from those types of events from a resiliency perspective. We’ve also got some content on medical devices and some other related issues, but really going to be focusing on sort of this concept of cyber disaster preparedness that Christian can speak more on. It’s a really cool conference. We have a lot of really non-traditional events and I encourage anybody who’s interested, definitely come and check it out with us. We have a registration link on our website, CyberMedSummit.org, and we hope to see as many people there as possible.

Saul Marquez:
That’s really amazing. And it sounds like a fantastic opportunity to dig deep into it. I also understand that part of it involves like a real live scenario where you take med students or, help me understand that, I don’t want to get it wrong here. Tell us more about that, because that seemed really interesting.

Christian Dameff:
Yeah, one of the things that we’re most known for at CyberMed Summit are these things called high-fidelity clinical simulations, and it’s nothing new; we stole it, not Jeff and I, but medicine and medical education stole it from aviation. So you don’t want your pilot to learn how to take off and land a plane in a real plane, you want to use something like a simulated flight environment to teach those kinds of crucial, high stakes, low tolerance of risk or downturn or impact in a simulation. We want the same thing in medicine. You don’t want your intern to take care of their first heart attack patient on a real person. So we build these simulation centers that look like real hospital rooms or real operating rooms or real emergency departments, and we run simulated patient cases where they’re able to see an example of a patient, examine them, look at the labs, and all these in more of a simulated environment, respond to it as they would, and when they make mistakes, we give feedback and so they can harness their skills. We took that same concept for CyberMed and then we inject it into the scenarios. These are doctors that don’t know what they’re about to witness; this is an experiment. They come into this scenario completely unaware of how it’s going to unfold. We write the scenario to reflect real security research. So is this a hacked pacemaker or an infusion pump or an insulin pump? Is it a ransomware scenario? We take those, we build out these cases and we see how these kinds of unexpecting doctors deal with taking care of a patient when they don’t have technology, for example, to do it. These are very lightbulb-turning-on moments for many of our clinicians, right? So they get at the end that this is not just an issue of patient data, it’s not just a breach. 
Cybersecurity is not just about HIPAA, but truly, because we are so dependent on this technology, when it is no longer available, we can’t take good care of patients. And so that’s, it’s a patient safety issue, and we drive that message home with these high-fidelity clinical simulations. They’re also very just experiential. People like to watch them. They’re sometimes dramatic and require people to witness firsthand a very clinically accurate scenario. And for a lot of people, they’ve never seen something like that before, they’ve just seen what it is like on TV. And we’ve been very successful in, again, changing people’s minds and getting them to really buy into the importance of this just by getting them to watch one of these simulations.

Saul Marquez:
That’s fantastic, and folks, there’s a cool link in the show notes where Jeff and Christian, in the work that they do, were featured on ABC News. And there’s a video there where you can check this out, because this event that they’re sharing with us today, CyberMed Summit, you could go to CyberMedSummit.org, that link will also be in the show notes, it’s some really great ways to get exposure to this, get practice, understand what’s coming, because if we’re not staying on top of it, hackers are, and we don’t want to be on the other side of a cybercrime when it comes to patient safety. Thank you both for this. And you know, it’s worth asking the question, guys, like have patients actually been hurt by cyber-attacks? I think that’s a question that we need to validate.

Jeff Tully:
Absolutely, Saul, and that’s one of, if not the most common question that we get when we speak about this to a lot of different folks who aren’t quite up to speed. You know, there have been proven instances of very unfortunate outcomes, right? So WannaCry, back in 2017, we know that affected 84 hospitals in the UK’s National Health Service. We know that there were situations where surgeries were cancelled or, you know, new cancer patients weren’t able to make their scheduled outpatient appointments, and that’s a big deal, right? And you can always, after one of these incidents, scan through the news and hear about these isolated, really terrible, and unfortunate stories. I just want to say, you know, rather than focusing on any one particular incident, the current way that we’re finding out about some of these events through news reports is probably not adequate, right? And Christian and I are both very focused on developing the systems of the future that are going to help us study these as we would any other type of medical outbreak, to really be able to get some useful data so we can kind of more definitively answer this question, because we feel this is very important, we feel that it’s absolutely a patient safety issue, but we also don’t want to spread unnecessary fear or uncertainty without having that sort of data that we rely on to make our medical decisions.

Christian Dameff:
And there are some unique challenges in collecting this type of data, right? So hospitals generally don’t want to talk about these unfortunate ransomware instances, for example. As soon as this happens, no, they say don’t talk to the news, don’t. It’s just very disincentivized to share this type of information. So almost always, healthcare organizations don’t want to talk publicly about this. So that already is a barrier to us uncovering some of these potential harm impacts. And then secondly, the way that hospitals detect, record, and report patient safety issues is itself based in technology, right? So the electronic health record is a great example of a way that we get exposure or signals of patient harm. Well, when you’re hit with ransomware, the technical systems that detect patient safety issues or that report them, those aren’t available anymore. And so we almost get like a 1-2 punch: the systems that would detect this and be able to report this, they themselves are not available, and hospitals don’t want to talk about this. And so I’ll speak for myself, but I bet Jeff will agree with me, that what we really need is a more robust, data-rich reporting requirement for hospitals that get hit with ransomware, to have to report on patient safety implications and to be able to build systems to detect those that are resilient to ransomware, for example. That’s going to be really key for us to get our head around this. And I’d also like to say it’s not just at the particular organizations that are hit with attacks where we need to look for harm. You know, there are examples of geographic regions of hospitals where ransomware can spread from one hospital to another, especially if they’re part of the same healthcare delivery organization, and that can lead to spillover effects. We call this a cyber blast radius, or cyber ecosystem effects, if you will. 
Just run with me for a minute: if five hospitals out of ten in a region get hit with ransomware, those hospitals tend to go on diversion, they can’t take care of the same numbers of patients that they would previously, and that doesn’t stop people from having heart attacks and strokes and having bad infections and needing surgery. Where do those patients go? They go to the adjacent hospitals that are impacted with ransomware and can often overwhelm those other hospitals. And so we don’t just have to be measuring the impact of patient safety at the places that are under attack, we also need to measure it in regions around to really capture the full effect. This is a new type of finding that we’ve just discovered in the last year or so, these ecosystem effects. I really would hope that as a nation we can come together to be able to measure this at a much bigger scale. That, coupled with these mandatory reporting requirements, I think we’ll get a much better handle on exactly how big this problem is and what the patient safety implications really are.

Saul Marquez:
Yes, I’m really, learnings there, and we just keep learning. So I think, you know, around the topic of should we be digging deep into this and learning more, I think yes, overall. How much do physicians need to do it? I think that’s another question. You both are a prime example of being ahead of the game on this, so huge kudos to both of you for what you’re doing, not only for the healthcare community but also for the patient community that is, recipients of the care. I want to remind everybody the CyberMed Summit, CyberMedSummit.org, it happens Friday, November 18th, and Saturday, November 19th. We’ll leave a link to that. So invitation for all of you guys to attend here in San Diego. Listen, Dr. Dameff, Dr. Tully, like what closing thought would you guys leave us with, and what’s the best place listeners could get in touch with you and learn more?

Jeff Tully:
Saul, it’s been a pleasure. We just really, if there’s a one-liner, it’s cybersecurity is a patient safety issue. We need to better study it, we need to better understand it, but I think that has already been unfortunately proven true and it is only going to become more relevant and impactful as we become more and more connected as a health system. So we definitely encourage folks to reframe how they think about this. It’s not necessarily a business or compliance issue, it’s a patient safety issue, in addition to both of those.

Christian Dameff:
Ooh, I totally agree with that. My one-liner is going to be, even if you don’t think you have an important voice in this conversation, you do. Whether you’re a patient, a clinician, someone in security, if you feel like you are so far away from taking care of patients that you don’t feel like you’re really helping, you couldn’t be further, that couldn’t be further from the truth. Really, we need everyone to come together to help us start to make really significant strides in this complex issue. So we welcome all voices from all stakeholders to come to the table to help us figure this out, because it’s not just going to be solved by clinicians, it’s not just going to be solved by cybersecurity experts. The only way we’re really going to get some meaningful change is if everyone comes together and voices their area of expertise. Yeah, that’s my little one line of that.

Saul Marquez:
Love that. Hey, I appreciate that, Christian and Jeff. And folks, just a reminder, we’re going to be sharing these episodes across all listening platforms, but also we’re going to be encouraging conversation. So kind of like the call out if you think you can make an impact, speak up. If you don’t think so, you’re wrong. There is a way you can make an impact and we’re encouraging you to make an impact. Join the conversation. We’re going to post these episodes on LinkedIn, make a comment if something today resonated. If you have a question about where the conference is or what you could do to join, comment. We encourage you to act, not just listen. And with that, I want to thank you both, Dr. Tully, Dr. Dameff, for joining us today. And listeners, appreciate you all tuning in to this series. We’ll talk to you soon.

Jeff Tully:
Thank you, Saul. Thank you to everyone for tuning in and stay safe out there.

Christian Dameff:
Take care.

Things You’ll Learn:

  • The CyberMed Summit is a free, novel, multidisciplinary conference emphasizing medical device and infrastructure cybersecurity for cyber disaster preparedness. 
  • This year the CyberMed Summit will be held at UC San Diego in La Jolla on Friday, November 18th, and Saturday, November 19th.
  • Unfortunately, we can’t prevent 100% of cybersecurity incidents; they’re going to happen and we need to be ready to respond to and recover from them.
  • High-fidelity clinical simulations are held at the CyberMed Summit, recreating security-related scenarios written to incite reflection and awareness.
  • Both patients and clinicians need to be aware of cybersecurity as a component of holistic medical care.
  • Hospitals generally don’t want to talk about ransomware instances and the way they detect, record, and report patient safety issues is based on technology, creating a barrier to collecting data on the matter.
  • Ransomware can spread from one hospital to another, especially if they’re part of the same healthcare delivery organization.

Resources:

  • Connect with and follow Christian Dameff on LinkedIn.
  • Connect with and follow Jeff Tully on LinkedIn.
  • Visit the CyberMed Summit website!
  • Begin minute 2:40 for coverage of Tully and Dameff in their simulated hospital hack here!
  • Find the OCCI document for your use here!
  • Visit the Health Sector Coordinating Council’s Website!