
A
Welcome to To the Point Cybersecurity Podcast. Each week join Jonathan Knepher and Rachael Lyon to explore the latest in global cybersecurity news, trending topics and cyber industry initiatives impacting businesses, governments and our way of life. Now let's get to the Point. Hello everyone. Welcome to this week's episode of To the Point podcast. I'm Rachael Lyon here with my co-host Jonathan Knepher. We're excited to welcome back for a part two conversation Dr. Christian Dameff. He is medical director of cybersecurity at UC San Diego Health. He's the first in the nation to hold this title. He also serves as an emergency physician, clinical informaticist and researcher. His roots are notably in hacking and security research. Looking at the intersection of healthcare, patient safety and cybersecurity, he now without further ado, let's get to the Point.
B
What do you guys think it was during the month of the ransomware attack? Say it's 45% the month before the attack. What do you guys think it was the month of the attack?
A
I'm scared.
C
You know, if you're saying volumes increased threefold, I would expect it to be a third of that 12%, give or take, right?
B
Yeah. 4.5% of our patients were able to come back from a cardiac arrest with a meaningful neurologic outcome. That's like a tenfold decrease. That's tenfold decrease. Just because there was a ransomware attack around us, we weren't even ransomed. So this type of research, and then Dr. Hannah Neprash, one of the most amazing cybersecurity researchers in healthcare of the age, has also recently published a paper that said that you have a 30% higher chance of dying in a hospital under ransomware attack than otherwise. You know, it's this type of research that takes years to do that comes out that really helps us let policymakers and other people aware of the scope of the problem. But we're just at the tip of the iceberg. I guarantee you there are so many more harms to patients that we can't calculate or measure at this point. That happened because of cyber attacks and not just breaches of data, but really meaningful impacts to patients' lives that we can't even detect and are going to require a lot more research to do. I'm going to highlight one last thing and that's we have a colleague, Dr. Isabelle Straw, who is one of our research fellows at our Center for Healthcare Cybersecurity. I co-direct a center at UCSD for this and she has spent the last year doing a whole literature search, all the scientific literature about cyber harms on patients. But she also worked with a team to go through thousands of Reddit posts and get information about what people were saying was happening to them during a cyber attack. And she's put this all on a website. It's a free open access website, it's got a GitHub, you can get all the data yourself. I'll share it with you folks, you can put it in the show notes if you're interested. And this is called the Cypher platform. And Isabelle has just done, Dr. Straw's just done an amazing job showing you what can happen in people's own words.
And you, I promise you, once you go to this website and you start reading some of these Reddit posts that people have placed, you're going to just be so saddened and honestly shocked at how widely cyber attacks like ransomware can impact patients' lives. A couple examples, you know, patients that had a biopsy, you know, they had a concerning lump or they had something in their, in their lung, they went to a hospital, got a biopsy, the hospital gets ransomed and then their report for what that was, you know, was it cancer, was it not, gets delayed by weeks, you know, the mental torment of that patient. There are cases where patients say I'm in very time sensitive medications, I have psychiatric illness, if I don't get my medicines then I'm going to have very serious issues including suicidality. And the ransomware attack that impacted pharmacy patients are reporting that they couldn't get their meds filled. Now these are some of the stories that we're seeing that are all on this platform that I just really encourage your audience to take a listen to or sorry to take a look at because they'll recognize just how dependent we are on this technology.
C
What should patients or the public do in the case of, of some of these cases? Right, like I'd hate for our, our listeners to come out with the, the wrong thing message from that. Like if there is a regional ransomware going on, what, what do you do? Do you, do you still go, do you still. Right, like what's, what's the right answer?
B
Yeah, I think always, if you are having a medical emergency, always seek care. What I have encouraged people to do is have their medical records in a non digitized form that they can take with what your medications are, your medical history so that you can bring that in case the hospital doesn't have your records so you can bring your own medical history. So empower yourself, know that hospitals, it depends on where you live. If you're in a small town and you've got one hospital and the next hospital is 500 miles away, you don't have a choice. If that hospital is ransomed, you should still seek care. But know that maybe you go to a couple hospitals in your town, one's ransomed, one's not. The other hospital's gonna be really busy, and that can be dangerous too. So I don't want to discourage anybody from seeking care. I think you have to do that. But empower yourself to be able to bring your own information and recognize that a lot of what is normally executed without a problem, you know, sending prescriptions to your pharmacy or communicating lab results to your primary care doctor, that might not happen. So the more that you can rely on manual paper processes to continue your care and communicate those things, that's going to help you. And then again, if you're ever in a medical emergency, you should call 911 and get to help as soon as you can.
A
So it's, I mean, so what are some of the, I guess I say solves, but for lack of a better word. But you know, is there a way to put like a ransomware playbook in place for these organizations or should they be thinking about these kind of things? You know, so in the event something does happen, right, everyone kind of knows roles, responsibilities, you know, incident response plan, you know, maybe there's a call line, right, for the other hospitals, like, hey, this just happened, or how, you know, information sharing, I mean, you know, how can this be at least maybe better managed when it happens?
B
Great point. Folks listening. I did not pay Rachael to say that I did not as completely. So we recognize that exact same need, right? So most medium large size hospitals, their IT teams are going to have some type of technical response plan to a ransomware attack, right? They're going to. It's pretty typical. It's going to be like, cut your network to stop exfil, do your forensics to look for IOCs. They're going to have a standard and somewhat respectable ransomware response plan. That's on the technical side. I go to hospitals and I ask you, what's your clinical ransomware plan? And they don't have it. So about two years ago, we put in a proposal for federal funding and were successful in getting it to develop exactly that. And I'm a big Dungeons and Dragons nerd. So I was thinking of like, what would I call this book? Like, we're going to make this giant book of ransomware, clinical playbooks that clinicians, like nurses and doctors are going to read. They're not going to have a lot of technobabble. It's going to have a lot of like, you have a patient that's laboring, you may not have monitors. This is what you should do. Hey, you're a trauma surgeon. You're probably going to run out of blood because the blood bank isn't going to be very efficient. Like, hey, you're a nephrologist. You're not going to be able to rely on your medica or sorry, your laboratory values quickly. So be careful. For hyperkalemia, this giant encyclopedia, like clinical ransomware playbook guide, we call it the tome. It's a dungeon ninja, whatever. You guys get it. Your audience is going to totally get it. But a lot of like cool people don't appreciate that we're calling it the tome. But in any case, we spent like the last year and a half interviewing doctors and nurses and developing these playbooks and we're refining them now. And the goal is to release this as an open source document that any hospital across the world. We hope to have it translated into languages.
We hope to have iterations of it so other doctors that if we didn't cover your medical specialty or if we said something wrong and you want to like help us make the resource better, we were going to release this and iterate on it. So we hope it becomes kind of an international standard for how clinicians respond to a lot of different types of failures. But the way we're talking about right now is things like large technology failures like ransomware. But that's what we've been working on. We are probably going to release it early next year and I'll be traveling to talk to a few other folks, like big stakeholders to see how interested they are in adopting this big health systems. But Rachael, that was like spot on for a big gap that we're hoping to fill. We want to say thank you for ARPA-H. So if you know DARPA, there's a new one called ARPA-H, the Advanced Research Projects Agency for Health. They funded that work and so we're forever thankful for them. We wouldn't be able to do it without them.
C
So I have in my notes here that this goes on to prescribe some things like cyber response vans, to support in some of these cases. How do you see that in the resiliency module?
B
Yeah, so this is a. People have very strong feelings about this one way or the other. I want to say most people think about ransomware like a. Let's quickly try to restore the technology that exists. And that's our plan. Some folks have amazing like in other industries and other verticals that have like cutover systems, like they have replacement redundant systems. In healthcare, we don't have that. So when a hospital system gets hit with ransomware, that's why it's lasting weeks to months, is because they have to rebuild a lot of things. They have to do all of that work. And in the meantime, all the doctors and nurses are taking care of patients using paper, using slow inefficient processes. So our work was to try to see if it was possible to build a hospital IT system that you could put in the back of a truck and deploy to a ransomed hospital within five hours of it being hit so that the doctors and nurses could work on the electronic health records they were used to instead of the paper down times, which are very unsafe. So that's the kind of concept behind this. Your IT teams will still work to get the systems up. In the meantime, let's bring something to them. What does that mean, bring something to them? Well, it's laptop computers that are hardened, that connect, by cellular instead of Wi-Fi because we can't use their infrastructure. It's all compromised. We can't touch their switches, we can't use their wall jacks, we can't use their fiber backhaul, we can't use any of that stuff. So we have to bring it all to a hospital. So we leverage a lot of satellite Internet backhaul things like Starlink. We leverage a lot of 5G bonding so we get a really big Internet backhaul. We deploy private cellular, we don't do Wi-Fi, so it's kind of cool. We bring our own mini cell towers and we can deploy them in portions of the hospital to get coverage. We bring our own pre-provisioned laptops that connect by cellular. We bring our own laboratory devices to run labs.
We bring our own radiology devices. This all fits in the back of like a nine foot van. And our current prototype supports a 20 bed emergency department so we could drive it. And I'm really happy to say our team's gotten really good at deploying it. Our record is 34 minutes. So from the time we opened the back of the truck to when our full system was deployed, it was 34 minutes. So they're getting really good at it.
C
That's impressive. Have you had to deploy it in real life or were those test deployments?
B
They're all test deployments. So I think we're gonna have to talk to, unfortunately talk to a lot of lawyers before we actually deploy that. I'm sorry, you folks aren't lawyers, are you?
A
No.
B
No. Okay, I'm sorry. I've been having to talk to a lot more lawyers recently and I've been realizing that a lot of them are really cool people. That was an unfair lawyer joke. But I will say we've deployed it eight times now in practice deployments, including at a hospital about two hours away. We've been increasingly successful. I think what you're talking about now is the next step. How do we scale this to more than a 20 bed emergency department to like a 200 bed hospital? And how do we operate under like legal restrictions about is this a disaster? Is this not a disaster? Because that changes a lot of this also. What does this look like? Is this a national thing? Is this like a FEMA thing where it's. The federal government will deploy it if there's an issue? Hospitals aren't really going to be able to afford an entire backup system in a closet. So these are the types of things that we're wrestling with right now. But we have been. The first problem was showing technical feasibility. Is this possible? Is this a good idea? Do nurses like it? Can doctors actually use it? Is it safer for patients? Now that we've kind of proven technical feasibility, the next step is, all right, let's operationalize this, right?
A
That's really cool. I can't imagine though, I mean, to your point, you know, it all, obviously there's legal ramifications for anything, you know, related to such things. And navigating those waters can take a lot of time and effort to get there. But yeah, I love it. I love these kind of fixes. It's. And I'd be interested in your kind of thoughts here. There are some things that are just so hard, right? And you think about all these resource constraint hospitals, particularly smaller ones. And I think about critical infrastructure too. I mean, really, really old systems and the lift to get them to where they need to be in terms of security resilience is quite significant. And I think a lot about the CrowdStrike outage. And I think Southwest, I think was the only one not affected because they're like on Windows 95 or something and hadn't made updates in 20 years and they were fine. But that got me thinking. I mean, is there, and you mentioned this earlier, right? I mean, is there like, do some people just need to unplug until the resources are there to help them leapfrog and get where they need to be. I know that's quite disruptive, but in the absence of the security you need, just being offline really helps a lot. I'd be interested in your thoughts there.
B
Yeah, I would say the cat's out of the bag. I think that hospitals are unfortunately so dependent on this that there's no way they're going to be able to go back. And in a lot of ways they financially can't. So there was the HITECH Act of 2009, wherein hospitals are reimbursed based on using electronic health records, and that's how they actually get money from insurance companies, is that the records of care contained within the electronic health record are what are transmitted and that's how hospitals get paid. So I don't think we're going to be able to go backwards. But to your earlier point about kind of critical infrastructure and linchpin vulnerabilities, critical dependencies. Oh, healthcare is in trouble, very much in trouble. And I think we cannot, I cannot think of a better contemporary example of that than Change Healthcare that happened. So if you guys aren't familiar with this, this is easily the largest healthcare breach and cyber attack of all time. When all's done, it's probably gonna cost $4 billion. And it's the saddest thing because I didn't even know what Change Healthcare was until the attack. I've been in this space, I never heard of the company, but it turns out that they are so critical for hospital operations for some 30 plus 40 plus percent of clinics and hospitals in this country. And when they fail, when they got hit with ransomware, the cascading failures and the rippling was immense. We had practices close, we had patients who couldn't get care, we had patients who couldn't get prescriptions. We had just a whole smattering of really awful things just because a single vendor got hit. And when I ask myself, you know, how do we find the linchpin in healthcare? It's almost like there are probably so many linchpins that we have yet to even identify that it really speaks upon us. It really impresses upon me the need for us to try to seriously map this sector. We need to do deep dependency mapping.
We need to make this dynamic, we need to update it in real time. And we need to do it more than what we do right now, which is just a whiteboard. Like, let's get a bunch of people who are familiar with the technology and write on a whiteboard. This uses this, and this uses this. This is how we're doing sector mapping for a critical sector like healthcare. No. There's gotta be better ways for us to actually map the dependencies so that we can find the most important linchpins in a pile of linchpins, secure them first, because the consequences are national healthcare failures. Right. Can you imagine not just five hospitals getting hit with ransomware and having impacts hundreds. What about all the trauma centers on the West Coast? What about the critical blood resource centers for which there are only a handful? How about the fact that there are only, you know, it's not well known, but there are only a handful of data centers that support 90 plus percent of the electronic health records in this country. You know, these are the things that keep me up at night in the era of hybrid conflict and national security concerns is that healthcare is such a soft target and our dependencies are so deep and we don't recognize them, that we are incredibly vulnerable for a catastrophic healthcare system failure. Wow.
A
Processing what you just said. Wow.
B
Sorry.
A
No, but that's why we do this podcast, because these are important conversations too, that maybe aren't getting as much airtime as they should. Right. So we love to have these conversations and start conversations as well. I do want to be mindful of time. I know we're coming up on it, but I do like to end on a personal question sometimes and kind of harking back to where we began. If somebody wanted to pursue the kind of path that you have or become, take on a role that you have, how would they even go about that? I mean, should they start in medicine and learn cyber? Should they just be a hacker then get medicine skills? I mean, how do you. It's such a unique kind of hybrid level of skills. How could someone aspire and achieve kind of where you're at today?
B
That's very kind of you to say. I would say if anyone wants to be careful. It's not. It's hard. Medicine is really hard nowadays. I've really struggled with this on a personal level. Like, it's. I wonder if I. If I would really. I wonder what would happen if my children came and asked me, like, hey, I want to be a doc, and how I would struggle with that because in a lot of ways, we're incredibly privileged people. Like, being a doctor is like. It's an amazing. I'm not trying to say an unfortunate thing, but it's changed quite a bit. And like I mentioned, a lot of the unfortunate macroeconomic conditions, the changes in healthcare policy, the thing that we're trying to do to help patients and how hard that is sometimes given things like insurance and other things that just really get in the way of good patient care, it makes it a pretty difficult career path. And I know this is probably not the answer that you wanted for this, but what I would say is that I think the same thing could be said with burned out CISOs. Right? Like it's not all rosy and there's a lot of mental health issues in medicine and in security. It's a lot of stress and pressure. You're responsible for these networks. These things weigh on us. So they are two pretty stressful jobs. So my only thing is, if someone really wants to combine two stressful jobs, tell you're a glutton for punishment. But I would say if you really still want to do that, then my encouragement would be to definitely work on the cyber component first. Training for medicine requires four years of undergrad, four years of medical school, and anywhere between three and 15 years of residency training afterwards. So you can learn the cyber and the networking and all of that stuff well before you go into medicine. But once you commit to the healthcare side of it, it's 100% of your life studying for 10 plus years type of thing and you can't do it really the other way around.
If you become a doctor, you want to go into cyber after, it's just too hard. So that would be my encouragement. Cyber first.
A
Wonderful. It's all about going in eyes wide open, right? If you know in advance what's your what the mountain you're about to climb, I think then it kind of gives you the gumption that I'm going to conquer this mountain and make it happen. So thank you for those insights. And you know, to all of our listeners, again, thanks for joining us for yet another amazing, amazing guest. I just absolutely love this conversation. I could talk to you, Christian, probably all week and that would be a long chat, but it would be fascinating, I think, for everyone. And then, as always, Jonathan, I'm going to let you do the drum roll.
B
Please smash that subscribe button.
A
And you get a new episode every single Tuesday. So again, thank you, Christian for joining us and thank you to all of our listeners. And until next time, stay secure. Thanks for joining us on the To the Point Cyber Security podcast, brought to you by Forcepoint. For more information and show notes from today's episode, please visit forcepoint.com podcast and don't forget to subscribe and leave a review on Apple Podcasts or your favorite listening platform.
Date: November 25, 2025
Host: Rachael Lyon
Co-host: Jonathan Knepher
Guest: Dr. Christian Dameff (Medical Director of Cybersecurity, UC San Diego Health)
This episode continues the urgent discussion on how cybersecurity directly affects patient outcomes in hospitals, focusing particularly on the real-world impacts of ransomware attacks on healthcare delivery. Dr. Christian Dameff shares research data, stories from patients, and details ongoing efforts to bolster clinical resilience, while also probing the sector’s vulnerabilities and ways professionals can prepare for hybrid roles blending medicine and cybersecurity.
Dr. Dameff shares compelling findings: during a ransomware attack’s peak, the rate of patients recovering from cardiac arrest with meaningful neurological outcomes dropped from 45% to just 4.5% – a tenfold decrease.
“4.5% of our patients were able to come back from a cardiac arrest with a meaningful neurologic outcome. That’s a tenfold decrease. Just because there was a ransomware attack around us—we weren’t even ransomed.”
Further research (by Dr. Hannah Neprash) shows a 30% higher chance of dying in a hospital under ransomware attack.
Dameff stresses that measurable and visible impacts are just “the tip of the iceberg”; many harms remain undetected due to lack of research and measurement tools.
“You’re going to just be so saddened and honestly shocked at how widely cyber attacks like ransomware can impact patients’ lives.”
If you have a medical emergency, always seek care, even during a cyberattack.
Dameff recommends maintaining non-digitized records (medications, history) to help doctors if systems are down.
Patients should expect manual or paper processes and plan for communication challenges with pharmacies and primary care.
“Empower yourself... The more you can rely on manual, paper processes to continue your care and communicate those things, that’s going to help you.”
“We’re making this giant book of ransomware clinical playbooks that clinicians... are going to read... It’s going to be like: ‘You have a patient that’s laboring, you may not have monitors. This is what you should do.’... This is a big gap we’re hoping to fill.”
Dameff’s team tested mobile IT systems (in a van) able to equip ransomed hospitals within an hour:
Contains hardened laptops, cellular/satellite connectivity (Starlink, private cell towers), necessary lab and radiology equipment.
Has successfully simulated deployments for a 20-bed ER in as little as 34 minutes.
Quote [12:49]:
“From the time we opened the back of the truck to when our full system was deployed, it was 34 minutes.”
The concept aims to bridge the unsafe gap when hospitals shift to paper during prolonged outages.
Next steps: scaling for larger hospitals, addressing legal regulation, and exploring nationwide/federal “disaster response” roles.
“We need to do deep dependency mapping... Whiteboards aren’t enough. We need better ways to find the most important linchpins, secure them first, because the consequences are national healthcare failures.”
Dameff counsels that both medicine and cybersecurity are high-stress careers and combining the two should be done thoughtfully.
He suggests starting with cybersecurity knowledge, then pursuing medicine, given the intensive requirements of medical training.
“Cyber first... Once you commit to the healthcare side of it, it’s 100% of your life—studying for 10-plus years—and you can’t really do it the other way around.”
On Patient Outcomes in Crises [01:23]:
“That’s like a tenfold decrease. That’s tenfold decrease. Just because there was a ransomware attack around us, we weren’t even ransomed.” – Dr. Christian Dameff
On the Hidden Cost to Patients [03:57]:
“Once you go to this website and you start reading some of these Reddit posts... you’re going to just be so saddened and honestly shocked at how widely cyber attacks like ransomware can impact patients’ lives.” – Dr. Christian Dameff
On Empowering Patients [05:04]:
“Have your medical records in a non-digitized form... Empower yourself...” – Dr. Christian Dameff
Describing the “Tome” Playbook [07:02]:
“We’re making this giant book of ransomware clinical playbooks... It’s going to be a lot of ‘You have a patient that’s laboring, you may not have monitors, this is what you should do.’” – Dr. Christian Dameff
On “Cyber Response Vans” [12:49]:
“Our record is 34 minutes. So from the time we opened the back of the truck to when our full system was deployed, it was 34 minutes.” – Dr. Christian Dameff
On Healthcare’s Systemic Vulnerability [18:25]:
“We need deep dependency mapping. We need to do it more than what we do right now, which is just a whiteboard... the consequences are national healthcare failures.” – Dr. Christian Dameff
Choosing a Hybrid Career [22:15]:
“If you really still want to do it, my encouragement would be: definitely work on the cyber component first... you can’t really do it the other way around.” – Dr. Christian Dameff
This episode offers a sobering yet actionable look at the real-world consequences of healthcare cyberattacks, showing how they ripple far beyond IT into life-or-death situations. Dr. Dameff provides hope through emerging resources—like clinical playbooks and mobile IT deployments—while candidly discussing the systemic dependencies that make healthcare a perennial soft target. As the episode closes, listeners get practical advice for both personal preparedness and career aspirations in this critical, high-stakes field.
For further resources, check out the Cypher platform and stay tuned for the release of the “clinical ransomware playbook.”