A
Welcome to the To The Point Cybersecurity podcast. Each week, join Jonathan Knepher and Rachael Lyon to explore the latest in global cybersecurity news, trending topics and cyber industry initiatives impacting businesses, governments and our way of life. Now, let's get to the point. Hello, everyone. Welcome to this week's episode of the To The Point podcast. I'm Rachael Lyon, here with my co-host, John Knepher. John, gearing up for a trip to Granada? Ah, wow.
B
Yes, indeed.
A
That's like two weeks.
C
It's gonna be lots of fun, right?
A
What does one do in Granada for fun?
B
I have no idea. Out there visiting and I guess it's a small town, so we'll figure it out when we get there.
A
I love that. I love that. It's good to just experience it as a local and, you know, find local culture and I mean, Spain. Come on.
B
Exactly.
A
Not too shabby. Not too shabby. Well, I'm really, really excited to welcome this week's guest, Dr. Christian Dameff. He's medical director of cybersecurity at UC San Diego Health, the first in the nation to hold this title. He also serves as an emergency physician, clinical informaticist, and researcher. His roots are notably in hacking and security research that looks at the intersection of healthcare, patient safety, and cybersecurity. He's also spoken at a number of renowned security events, including DEF CON, RSA, Black Hat, BSides. Very cool. And so on. Welcome, Christian.
C
Oh, thank you for having me. I appreciate that with that introduction. My mom is so proud.
B
She should be. Okay. So, Christian, as the nation's first medical director of cybersecurity, tell us about the perspective you bring to everybody that a traditional CISO might not have.
C
I think if you talk to a lot of CISOs that work for healthcare, they have several recurring themes in the problems that they face. And one of those is the problems with interfacing with clinical staff. I mean, they talk constantly about how important it is to engage your nurses and your doctors and to talk about that, in that cybersecurity is a patient safety thing. It's not just compliance. It's not just an annoying yearly training that you take online, but that the consequences of a breach or the consequences of something like a ransomware attack could impact your care of patients. And so a lot of CISOs talk about how important that is. That is a hard thing to foster. It's not generally within the wheelhouse of most CISOs. It's not in the training. And unless you practice in healthcare, developing that skill of talking the language of clinicians is hard. You have to learn all the language of cyber, you have to do all of the compliance stuff and all the technical stuff. And you also have to go talk to the clinical side of it. And it's often seen as a power dynamic. Clinicians are very powerful in health systems generally. And so when you go to them saying we need to implement this control and physicians push back, for instance, it's a hard thing to navigate as you're trying to do your best to secure your enterprise. So what we saw was a gap, really. There's not a lot of that in medical training either. I went to medical school, I went to residency fellowship training. The most cybersecurity training we had was the enterprise security training again once a year, or the simulated phishing test. Right. We don't teach doctors and nurses about cybersecurity to any meaningful depth as well. So we have this horrible problem then, that CISOs in healthcare generally have a hard time developing those relationships with the clinical side. The clinical side doesn't really understand any of the cyber side. And it's almost an adversarial perspective.
So what? I grew up basically a hacker. So I've been going to DEF CON for 25 years now. Well before I ever went into medicine. I never thought it'd be a job I didn't think I could do. I didn't think of security. Maybe I would have gone a different path if I thought that growing up as a hacker I could have actually had a job in security. But I didn't. And so I pursued medicine and then I was able to take that background, both languages. That was the kind of foundation of this medical director for cybersecurity role. Medical directors are common in medium sized to larger size health systems. Their goal is to work with administrative sides of the house on their particular clinical domain. Typically there are medical directors of emergency medicine. That's my specialty. I'm an ER doc, but I'm the medical director of cybersecurity. I interface with the CISO. I help the CISO accomplish goals. I communicate to clinical staff. And I take that cyber resiliency and patient safety perspective back to both sides of the house at the same time. It's really allowed me to do a lot of really great research. So before I started doing healthcare cybersecurity research, I did a lot of cardiac arrest research. What happens when your heart stops and you have to do the CPR? And in that training, I recognized how important using science is to help us figure out solutions to problems. And so what my role also allows me to do is to study some of these things too. And we can talk about this later, but what we really need to be doing is applying science, evidence based interventions, and then applying that to the cybersecurity domain. So in my role, I do a lot of, like, operational, I do a lot of research. And at the end of the day, I'm just like, I feel like the luckiest guy in the world. I get to both do the cybersecurity stuff and get to take care of patients, and I'm just so happy to be here at my institution where they support that.
A
It's wonderful. So are other healthcare networks, I guess, embracing this kind of role? Because it sounds quite critical. Christian, you're the translator, right? Which in healthcare is absolutely critical to patient safety between the two, because if security, everything gets shut down due to ransomware, there are serious implications of that which we can talk about a little bit more. But are you seeing other hospital networks embrace this kind of role that you have?
C
I think so. This is a strange time in healthcare. I'm just gonna be frank. Yeah, we're in a very interesting, I would say not interesting. We're in a very sad time in healthcare when it comes to a lot of forces that are making healthcare more expensive, making healthcare more inaccessible, that there's a lot of hospitals closing. These forces that are acting on health care are making it very difficult for health care to strategically plan for cyber resiliency and make investments like a medical director for cybersecurity. So I have seen a couple other people reach out to me and say, I'm interested in this role. How do I get my CIO or CEO to resource this? And there's been some success with that. But I want to say one of the most gratifying parts of this is just to learn about other clinicians that also have a security background. So there isn't a conference I go to nowadays where I don't have some doctor or nurse come up to me and say, hey, I grew up on IRC. I know about buffer overflows. I'm also a nephrologist or I'm an OB-GYN. And, you know, I also share your concerns about how these types of attacks can hurt my patients. And so the network of doctors and nurses and clinicians that are cyber aware and can act as that translator is growing. I think we will eventually get to a place where there's always a medical director of cybersecurity for a medium or large size hospital system. It's just taking a little bit of time. We've been taking the last 10, 15 years to really convince the C suite that this was a thing, and we've seen some commensurate investments in this space. It's just going to take a little bit longer before they recognize how valuable that position is. Right.
B
What do you see as kind of like the difference in mentality, though? Like with clinicians, like in medicine, you hear about all the rigorous testing, clinical trials and so on. But yet on the cybersecurity side, while you need rigor around policy and controls, you also have to be very dynamic. The threats are changing constantly. How does that fit? And are the right things happening?
C
Yeah, great question. So if the kind of meta question is, is healthcare doing a good job responding to these dynamic threats? The answer is absolutely not. And I think I'm a little biased just given my proximity to health care. But it's one of the sectors I feel that is least dynamic in its approaches and that has to do with the culture of healthcare. These are huge systems, lots of people, lots of sensitive data, lots of connected medical devices, huge networks that have to work 24/7. Right. We cannot tolerate downtime because inpatients suffer. We also generally do not pay very well when it comes to cybersecurity talent. We just don't have those resources. So you have on one hand a huge mission, a huge network, lots of legacy antiquated systems, but you don't have, on the other hand, the workforce and the resources to secure it. So with these ever dynamic cybersecurity challenges that change, I think healthcare is in one of those really unfortunate positions where they are just probably one of the least dynamic, least agile sectors to try to defend against these new attacks. I don't know how much that's going to change. I hate to be a downer. We started off talking about Granada, and that's going to be one of them. At the end of the day. I hate to say this, but the future of healthcare cybersecurity looks slightly better than it did 10 years ago, but not like many other sectors. We're not the finance sector, where people feel comfortable doing banking on their phone from a Starbucks. Now, we're not gonna get there anytime soon with healthcare unless we see some serious policy changes. We see some serious kind of much larger changes in this nation's how we deal with healthcare.
A
And I think about kind of layering on that as well. Right. Kind of the nature of the work. Emergency medicine, which you work in, and cyber awareness. Right. When you're in a hurry, when something's urgent, you know, and we saw this during COVID, people were freaked out, looking for information, clicking on anything that they could. Right. To find something out, you know, for all these unknowns. I imagine in healthcare it's similar.
C
Right.
A
I mean, it's. You're not having time. Like, is this the right link or did it come from. I need to get this thing done now for my patient, which I think maybe exacerbates.
C
Right.
A
Some of the challenges or cyber challenges for people in health care.
C
I agree. Just like we don't have a lot of workforce to handle these problems. The culture of medicine is there needs to be an urgency to doing a particular action. Trust is pretty high. Right. So clinicians, nurses, doctors, they trust these systems. They don't think they're not going to be there.
A
Exactly.
C
And the consequences of failure are pretty high as well. So to your point, when I'm on in the emergency department, one o'clock in the morning on a Saturday and a patient comes in really sick and I need a piece of information or I need to leverage a piece of technology, that has to happen quickly and without MFA wrapped around it. Right? That's an interesting kind of constraint. If I had to wait for my security token before I could defibrillate someone, that's a bad approach. But that's very typical for the way that many people approach securing healthcare, because they bolt on security products that are meant for other industries, and that nuance in health care and developing niche products generally doesn't pay well for companies. It's much easier to use something that's already in another organization or another vertical and bolt it on than it is to develop a unique health care product. And then it gets so expensive that healthcare systems can't afford it anyway. So in some ways, this problem that we have of legacy systems bolting on security after the fact is in tension with what we need to do as clinicians, which is sometimes act really, really fast with very little information. Right.
B
So what's the right balance? Right. Because like, I feel like there's this compromise, right. You need the information quickly, you need it well distributed, but yet you need to be secure. You don't want to be reliant on some distant cloud service to do something. You don't want security stuff in your way. How do you figure out what goes where and what's a reasonable control for any given thing?
C
That's a great question. And I think that leads back to the prior thing that you guys were mentioning about this role. You have to bring the stakeholders in on the conversation that are actually using the technology and have that conversation with them, not through a game of telephone, not presuming that they want something or that they need something. Have a conversation with them, but bring to the table someone who will back you up against the clinician pushing back on something so you can get that really nuanced, meaningful discussion. I'll give an example. There are a lot of device manufacturers now that are making medical devices connecting to the cloud, allowing for remote monitoring, allowing for remote control of certain medical devices. And I just find it, I find it so much of a little bit of an echo chamber, because when I go ask docs that use these devices, like, do you want to see this from your phone in your living room? And they go, no. Why are you spending all this money developing this platform so that people can check it on an app on their phone where they're never going to do that, only going to check that in the ICU next to the patient. So that to me ends up being this echo chamber where sometimes security does this. Clinicians do this. It's like, oh, you know, the technologists, they say they want apps, they want cloud connectivity, they want this, and they just talk to each other and then everyone's convinced. And then the clinicians are like, we want no controls, we don't want any meaningful security. I want a password that's 1, 2, 3, 4, 5. And then they all talk about it, but no one's talking together and no one can help push back on one side or the other. I think it goes both ways, where sometimes CISOs come in pretty hard and they say, this is exactly what we're gonna do. This is the control I need to ensure this data privacy. And it does impact clinical workflow. And these kind of hard lines in the sand can cause issues with patient care.
At the same time, I mentioned the cardiologists say they want it easy and they don't want any security and no one pushes back on them. And that's how we get all this information security debt that lingers on for 15 years. So I guess to say the secret sauce is that translation and understanding each other's position and being able to call BS, but also compromise. That is a human skill that is not always a technical skill and is very hard to teach by PowerPoint when we're learning about our disciplines, when we're training. So the other thing I'd advocate for is we do need more interdisciplinary education in this space where it's clinicians and technologists, security folks at the elbow, learning together.
B
I mean, this part fascinates me. So like, you know, in my personal life, I don't even want my light bulbs connected to the cloud. They're on their own air gapped network. Right. Like I couldn't imagine being reliant on a medical device that needed Internet connectivity. To me that just feels so wrong. But like what needs to happen to make the right decisions, right? Like these light bulbs, every light bulb you buy has to be cloud connected. You have to go through a lot of work to replace firmware to make them local. Like it sounds like from what you're saying, like a lot of the manufacturers want to go down that cloud route. How, how do you find the compromise in what's even available?
C
Yeah, I have bad news for you. The new devices, they're all going to be connected, right? Like that's the, you're not going to be able to get the version that's disconnected, unfortunately. And I would say some of that's because clinicians, some small amount of clinicians have said they wanted that. But you know, patients are interested in that. I will say, being in this space for 10 or 15 years, I've been called a Luddite. Oh, let's remove everything off the Internet and let's not have power. Let's go back. I've been called a medical device apologist when I say that it's hard to make a medical device that's secure. I've been called all this stuff and I don't have a horse in the race. But I will say the following. There are definitely some medical devices that can have life saving benefits from connectivity. You know, there are some. But do we need them on, like, a wearable that tells you what your heart rate is? Probably not. Right. Do we need it on an LVAD? You know, a device that is literally pumping blood through your body and deviations in flow of 5 or 10% in one way or the other can be meaningful and can really harm you. Do I want to know as a cardiologist like three minutes after that happens? Absolutely. I can save that patient's life. And the only way that's going to happen is if it's connected to some network and I'm getting an alert with that. But that balance of what and how much and what's contained. But more importantly, this is the thing I really want to stress. What happens when the cloud connectivity fails.
A
Right.
C
I am, the last five years of my work have all been working under this paradigm where we can't secure it, it's going to fail. And when it does, when it's compromised, when it's exploited, what are the physiological consequences to my patient and how do I prevent that failure, that cybersecurity exploit, from hurting my patient? That's what we need to focus on. Because if we can guarantee that or get very close to that, that even if it's compromised, it will never give more medicine than the patient can tolerate. It will never. If we can get to those assurances, like we do in a lot of. There are some security controls where we can do formal proofs of certain security. Like if we can get to that level, then we can work on securing the top side of it. But I know it's going to fail. I know you put a medical device, any modern medical device, in front of a well equipped team, a smart group of hackers, they're going to pop it.
A
Of course they pop it.
C
I don't want to kill my patient. That is what we should be focusing on right now. And that is really under recognized. There was a horrible case of a company that is involved in cancer care and their latest platform required cloud connectivity to deliver cancer care to patients. They had a ransomware attack. They actually volitionally cut their own cloud connectivity. And when they did that, hundreds of devices instantaneously became bricks and couldn't take care of patients. And if someone had thought about that, so much of cloud gives you more resiliency. The downtime's going to be much less, it's much more secure. Those things can be true. But if you engineer your entire platform to require that all we are is one grid failure or one data center away from patients dying, that is poor design.
A
I mean, do you feel like the patient safety aspect is being discussed enough? I remember for years it was more like death by cyber attack to a hospital is theoretical. And then you start hearing. No, actually that the pregnant woman example we were talking about earlier, where, you know, the hospital she was going to en route to had a. I think it was a ransomware attack and all the systems were shut down and so they didn't do a scan, you know, before labor, and had they, they would have found that the umbilical cord was around the neck and if they just rerouted her to a nearby hospital.
C
Right.
A
It would have been a different outcome. And I don't know. I mean, this is real, right? These things are happening and I don't, I mean, are people talking about them enough? I mean, it seems like these kinds of outcomes, right? It's the antithesis of why healthcare exists. I don't know the answer, Christian. I guess. And that's where we're getting at. Why isn't there more funding? Because everything with cyber, right, they don't invest until there's a problem. But in healthcare, you can't wait for that to happen.
C
So to your first question, we talk about this a lot more than we used to. So I do think that the awareness has grown. People are now just wrestling with the complexities and the practicalities of actually trying to move forward, of which there are many. So to your point, there is maybe one really great success story that I want to talk about and then I'll talk about some other bad cases. But the FDA, in my opinion, has done more for healthcare cybersecurity than any other organization, group of folks on the planet, you know, more than any group of hackers. More than. And why? Because they did what you said and what they should have done, which is they didn't wait for a case of someone dying before they said, cybersecurity is something we can regulate you on and you better start giving us more cyber safe devices or we're not going to approve them. And that took bravery. That took Jessica Wilkerson and Suzanne Schwartz and Nastasia at the FDA and many others standing up to people who are saying, I want to see someone that's died before you regulate me on this. And they said, no, we're going to do the right thing and prevent these attacks from hurting people now and not wait. So that's one of the success stories. There are many other failures. You mentioned a horrible case. You know, this case alleges that a fetus had distress that was not recognized because the hospital was under ransomware attack. Their monitors were functioning, the actual medical devices were working, but the networks that communicated between them and could deliver those alerts to the people who needed them, that wasn't there. And as a consequence, this baby ends up dying. There's a case alleged in Europe of another patient who had an aortic aneurysm that had to be transported to another hospital because the hospital closest to them was under ransomware attack.
A
Right.
C
And that person died. You know, these stories are heartbreaking, but what we need. I'll harken back to something earlier. I said is we need high quality research studies.
A
Yes.
C
And I am. It has been the labor of the last 10 years of my research career to try to do that. I'm proud, but also, you know, saddened to say the last 10 years of my life has been to try to develop that research base to try to get us that evidence that we need. And I think the tide is shifting. You know, research takes a long time, it's difficult to do. But we've published two papers I want to talk about real quick. The first is what happened in an emergency department. Actually two emergency departments next to hospitals under ransomware attack. And we published this in JAMA. Happy to share the link. It's an open access article. You can read it without having to pay anything. Please don't ever pay anything for academic papers. That's my opinion. Get them other means. Not a fan of closed science, but that paper looked at what happened to the emergency department patients just in hospitals next to ransomed hospitals. Because I've tried desperately for years to get data on what happens at ransomed hospitals, but they won't share. They don't have good high quality data because the systems to record don't work very well. But I recorded what happened at my hospitals and we saw 40% longer waiting room times for emergency department patients. We saw more sick patients coming into the emergency department. We saw on several days three times the number of ambulances that we normally saw because all those hospitals were on diversion. We saw more stroke patients. We saw all these, like, really bad impacts to our emergency department care because of a regional attack. About a year later we published another paper that gets to the heart of what happens. And I mentioned earlier, I started my career off doing cardiac arrest research. You know, CPR research and how to bring someone back when they're in cardiac arrest. This paper was done by an amazing group of folks here at UC San Diego.
They looked at patients, we all looked at patients that had cardiac arrest either outside the hospital or in our hospitals. And we measured it the month before the attack. And if you had a cardiac arrest, you had about a 40 something percent chance of coming back with an intact brain. That was our success, was about 40 something percent of the time we were able to resuscitate you and do so in a way where you still had meaningful neurologic outcome.
A
And I hate to do this, everyone, but we're going to pause today's discussion right here and pick back up next week. Thanks for joining us this week and as always, don't forget to smash that subscription button and we'll see you next week. Until next time, stay safe. Thanks for joining us on the To The Point Cybersecurity podcast brought to you by Forcepoint. For more information and show notes from today's episode, please visit forcepoint.com podcast. And don't forget to subscribe and leave a review on Apple Podcasts or your favorite listening platform.
Episode: How Cybersecurity Impacts Patient Care in Hospitals with Christian Dameff
Date: November 18, 2025
Host(s): Rachael Lyon and Jonathan Knepher
Guest: Dr. Christian Dameff, Medical Director of Cybersecurity, UC San Diego Health
This episode explores the unique intersection of cybersecurity and patient safety in hospitals. Host Rachael Lyon and co-host Jonathan Knepher are joined by Dr. Christian Dameff—the nation’s first Medical Director of Cybersecurity at UC San Diego Health, ER physician, clinical informaticist, and long-time hacker—to discuss how cyber risks directly impact patient outcomes. They break down the cultural and technical challenges of securing healthcare, the pressing need for clinical-cyber translation, major incidents, and research illustrating real-world consequences of hospital cyberattacks.
| Timestamp | Topic / Quote |
|-----------|---------------|
| 01:46 | The value of a Medical Director of Cybersecurity, bridging clinical and IT |
| 05:55 | Slow adoption of cyber-clinical translation roles; funding and resource challenges |
| 08:22 | Why healthcare lags in dynamic cyber response; workforce and cultural constraints |
| 11:47 | Emergency care urgency vs. security controls; bolted-on security complications |
| 13:39 | How to balance security and operational needs; need for interdisciplinary conversations |
| 17:10 | Ubiquity (and risk) of internet-connected medical devices |
| 18:50 | Designing for device failure: "What happens when the cloud connectivity fails?" |
| 20:36 | Real-world consequences: case of bricked cancer care devices |
| 22:23 | FDA as an example of proactive regulation |
| 24:11 | Stressing the need for evidence-based policy and investments in healthcare cybersecurity |
| 24:24 | Published research findings: longer wait times and increased ambulance loads during attacks |
The conversation is candid and insightful, blending technical clarity with real-world urgency. Dr. Dameff brings a passionate, pragmatic perspective rooted in frontline clinical work—emphasizing both scientific rigor and humanity in cybersecurity. The hosts engage with empathy and curiosity, pushing the discussion toward actionable awareness.
This episode delivers a clear-eyed analysis of the urgent, complex intersection of cybersecurity and patient care. Driven by Dr. Dameff’s unique background, it highlights why bridging the gap between IT and clinical worlds is critical—not just for privacy or compliance, but for saving lives. The hosts and guest call for more funding, education, and evidence-based policies, sharing stories and studies that make the stakes, challenges, and opportunities in healthcare cybersecurity real and tangible for all listeners.