Podcast Summary
To The Point – Cybersecurity
Episode: How Cybersecurity Impacts Patient Care in Hospitals with Christian Dameff
Date: November 18, 2025
Host(s): Rachael Lyon and Jonathan Knepher
Guest: Dr. Christian Dameff, Medical Director of Cybersecurity, UC San Diego Health
Episode Overview
This episode explores the unique intersection of cybersecurity and patient safety in hospitals. Host Rachael Lyon and co-host Jonathan Knepher are joined by Dr. Christian Dameff—the nation’s first Medical Director of Cybersecurity at UC San Diego Health, ER physician, clinical informaticist, and long-time hacker—to discuss how cyber risks directly impact patient outcomes. They break down the cultural and technical challenges of securing healthcare, the pressing need for clinical-cyber translation, major incidents, and research illustrating real-world consequences of hospital cyberattacks.
Key Discussion Points & Insights
1. Bridging the Gap: Clinicians & Cybersecurity
- Christian Dameff’s Unique Role: As both a medical doctor and cybersecurity expert, Dr. Dameff acts as a “translator” between IT/security teams and frontline healthcare providers, a gap traditional CISOs often struggle to bridge.
- “What we really need to be doing is applying science, evidence-based interventions, and then applying that to the cybersecurity domain.” (04:47, Dr. Dameff)
- Communication Challenges:
- Security is typically viewed as a compliance checkbox—not an integral part of patient safety.
- Many clinicians lack meaningful cyber training: “We don't teach doctors and nurses about cybersecurity to any meaningful depth as well.” (03:49, Dr. Dameff)
- High-level decisions often lack input from the clinical side, leading to adversarial relationships.
2. Adoption of the Medical Director of Cybersecurity Role
- Slow but Growing Recognition:
- While Dr. Dameff’s position is still rare, he notes a growing network of clinicians with security backgrounds.
- “I think we will eventually get to a place where there's always a medical director of cybersecurity for a medium or large size hospital system... It’s just going to take a little bit longer before they recognize how valuable that position is.” (07:29, Dr. Dameff)
- Resource Constraints:
- Financial and operational pressures, including hospital closures and underfunded IT departments, hamper proactive security investments.
3. Cultural & Operational Challenges in Healthcare Security
- Sector Cultural Inertia:
- Healthcare is “one of the least dynamic, least agile sectors to try to defend against these new attacks.” (09:29, Dr. Dameff)
- Unlike finance or other industries, healthcare rewards caution and is often reactive rather than proactive.
- Clinical Culture & Urgency:
- Emergency care requires rapid, sometimes instant, access to systems and data; heavy-handed controls (like mandatory MFA delays) can impede care.
- “If I had to wait for my security token before I could defibrillate someone, that’s a bad approach. But that's very typical for the way that many people approach securing healthcare.” (12:08, Dr. Dameff)
- Security Product Misalignment:
- Security solutions are often designed for other industries, bolted onto legacy medical infrastructure, or too expensive for health systems.
4. Finding the Right Balance: Security vs. Clinical Workflow
- Need for Nuanced Collaboration:
- True risk management requires “bringing stakeholders who actually use the technology into the conversation—not through a game of telephone.” (13:46, Dr. Dameff)
- Vendors and technologists sometimes design features clinicians don’t need; clinicians often want minimal barriers to access.
- Examples:
- Cloud-connected devices may offer remote monitoring, but most clinicians would prefer on-premises control.
- “…the secret sauce is that translation and understanding each other's position and being able to call bs, but also compromise... that is a human skill that is not always a technical skill.” (15:44, Dr. Dameff)
- Interdisciplinary Education: Advocated for more joint training between clinical staff, technologists, and security professionals.
5. The Connectivity Dilemma: Cloud & Medical Devices
- Trend Toward Connectivity:
- Most new medical devices are now internet-connected; offline options are becoming rare. (17:10, Dr. Dameff)
- Select connectivity can save lives (e.g., instant notification for heart device malfunctions), but introduces new failure points.
- Design for Failure:
- Cyber incidents are inevitable; focus must be on fail-safes ensuring compromised devices cannot harm patients.
- “But more importantly...what happens when the cloud connectivity fails? ...when it's compromised, what are the physiological consequences to my patient and how do I prevent that failure...?” (18:50, Dr. Dameff)
6. Real-World Impact: When Cyber Attacks Harm Patients
- Direct Patient Harm is No Longer Theoretical:
- High-profile cases:
- A cancer care company’s devices became unusable during a ransomware attack (20:00, Dr. Dameff).
- A laboring pregnant woman diverted from a ransomed hospital, leading to a fatal outcome (21:08, Rachael Lyon).
- A European patient dying en route to a hospital due to diversion from ransomware (23:50, Dr. Dameff).
- “...if you engineer your entire platform to require that all we are is one grid failure or one data center away from patients dying, that is poor design.” (20:36, Dr. Dameff)
- Research & Evidence Building:
- Dr. Dameff’s team published studies showing regional ED impacts during ransomware attacks:
- “We saw 40% longer wait room times for emergency department patients. We saw on several days three times the number of ambulances that we normally saw because all those hospitals were on diversion.” (24:24, Dr. Dameff)
- Advocates for more evidence-based (not just anecdotal) approaches to influencing policy and investment.
7. Policy & Progress
- FDA’s Proactive Stance:
- The FDA now requires evidence of cybersecurity in device approvals—not waiting for fatalities before action.
- “They didn't wait for a case of someone dying before they said, cybersecurity is something we can regulate you on, and you better start giving us more cyber safe devices or we're not going to approve them. And that took bravery.” (22:23, Dr. Dameff)
Notable Quotes & Memorable Moments
- “It's not just a compliance… but that the consequences of a breach or the consequences of something like a ransomware attack could impact your care of patients.”
— Dr. Christian Dameff (02:27)
- “We cannot tolerate downtime, because inpatients suffer.”
— Dr. Christian Dameff (09:07)
- “The future of healthcare cybersecurity looks slightly better than it did 10 years ago, but not like many other sectors.”
— Dr. Christian Dameff (10:29)
- “That is a human skill that is not always a technical skill and is very hard to teach by PowerPoint when we're learning about our disciplines, when we're training.”
— Dr. Christian Dameff (15:54)
- “We need high quality research studies... It has been the labor of the last 10 years of my research career to try to do that.”
— Dr. Christian Dameff (24:11)
Key Segment Timestamps
| Timestamp | Topic / Quote |
|-----------|---------------|
| 01:46 | The value of a Medical Director of Cybersecurity—bridging clinical & IT |
| 05:55 | Slow adoption of cyber-clinical translation roles; funding and resource challenges |
| 08:22 | Why healthcare lags in dynamic cyber response; workforce and cultural constraints |
| 11:47 | Emergency care urgency vs. security controls; bolted-on security complications |
| 13:39 | How to balance security and operational needs—need for interdisciplinary conversations |
| 17:10 | Ubiquity (and risk) of internet-connected medical devices |
| 18:50 | Designing for device failure: “What happens when the cloud connectivity fails?” |
| 20:36 | Real-world consequences—case of bricked cancer care devices |
| 22:23 | FDA as an example of proactive regulation |
| 24:11 | Stressing the need for evidence-based policy and investments in healthcare cybersecurity |
| 24:24 | Published research findings: longer wait times and increased ambulance loads during attacks |
Episode Tone
The conversation is candid and insightful, blending technical clarity with real-world urgency. Dr. Dameff brings a passionate, pragmatic perspective rooted in frontline clinical work—emphasizing both scientific rigor and humanity in cybersecurity. The hosts engage with empathy and curiosity, pushing the discussion toward actionable awareness.
Summary
This episode delivers a clear-eyed analysis of the urgent, complex intersection of cybersecurity and patient care. Driven by Dr. Dameff’s unique background, it highlights why bridging the gap between IT and clinical worlds is critical—not just for privacy or compliance, but for saving lives. The hosts and guest call for more funding, education, and evidence-based policies, sharing stories and studies that make the stakes, challenges, and opportunities in healthcare cybersecurity real and tangible for all listeners.
