A Conversation With Christian Dameff and Jeffrey Tully: The Regional Impact of Healthcare Attacks

0:00 0:00
Christian Dameff and Jeffery Tully discuss the regional impact of healthcare cyber attacks.

In this episode, Mike welcomes MDs Christian Dameff and Jeff Tully, founders of the CyberMed Summit, a two-day conference that brings clinicians, security researchers, and medical device manufacturers to discuss advances in healthcare cybersecurity. Join us as they discuss the far-reaching and often devastating domino effect created by cybersecurity attacks on medical facilities.


Welcome to In Scope, the healthcare security podcast. In each episode, we bring you insightful interviews, informative technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem with host, Mike Murray.

In today’s episode of In Scope, host Mike Murray interviews two guests from the CyberMed Summit, Christian Dameff and Jeff Tully. Wearing many hats, Christian is a practicing ER Doctor, an Assistant Professor at UC San Diego, and the Medical Director of Cybersecurity at the university. Jeff is an anesthesiologist and pediatrician by training, and is currently an Assistant Professor at UC Davis.

As the conversation begins, Christian and Jeff share a little bit about this year’s Cybermed Summit, a conference they put together alongside two colleagues in 2017. The event focuses on how issues in healthcare cybersecurity directly affect care given to patients. With three years under their belts, the event has been bigger and better every time. This year’s summit will feature even more simulations centered around cybersecurity and how vulnerable medical devices impact patient care. There will also be more workshops catered to all stakeholders, including biomed. Their goal with the summit is to prepare attendees with the knowledge and skills needed to address these inevitable cyber attacks.

The medical industry is now heavily dependent on technology to deliver patient care, and doctors trust that these devices will work as intended and record data uninterrupted. When that connection is lost, doctors are forced to pull out a sheet of paper and record data manually, constantly. Doctor’s aren’t trained to work like this, which is why Christian and Jeff believe it to be so important to prepare medical staff with the skills in case it were to happen in their hospitals. Otherwise, the results could be fatal for time sensitive conditions. One in four hospitals have been hit with ransomware attacks in the last four years.

Then the conversation pivots to hearing how Christian and Jeff handled caring for patients during the pandemic. This further reinforces the importance of having technology you can depend on in the hospital. They hope to perform their simulations on an even larger scale and provide training to clinicians across the entire healthcare spectrum. Then, Christian touches on the Scripps attack, which lasted over a month and how it directly affected his hospital. Cyber disasters need to be treated as a collaborative effort and be prepared for effectively.

Thank you for joining us for today’s episode and don’t forget to subscribe wherever you listen to podcasts!


– Mike introduces the episode and his guests.

– Christian and Jeff introduce themselves.

– Discussing the upcoming Cybermed Summit.

– How can doctors respond to cyber attacks?

– What’s next on the docket for Christian and Jeff.

– Discussing the effects of the recent Scripps attack.

– Where to find Chrisian and Jeff online.

0:00:02.7 Speaker 1: Welcome to In Scope, The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips, and a unique point of view, on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.

0:00:21.6 Mike Murray: Welcome to this week’s In Scope, The Healthcare Security Podcast. As always, I’m Mike Murray. And this week, I’m incredibly excited to have two illustrious guests. I’m gonna let them introduce themselves. And frankly, anybody who’s been around cyber security in healthcare for a while, already know who these guys are. Christian Dameff, Jeff Tully from the Cyber Med Summit, and a bunch of other things, but maybe you guys want to introduce yourself. Christian, you’re on the top of my screen, so maybe you should go first.

0:00:47.5 Christian Dameff: Thanks, Mike, for having us on, today. My name is Christian Dameff. I wear many hats. I know it’s a cliche thing to say, but I feel like it’s true in this situation. I am first and foremost, a practicing ER doc. So my day-to-day is, I’m in the thick of it in the emergency department, working as an ER doc. But I also work and do some research. So I am an Assistant Professor of emergency medicine, biomedical informatics and computer science, here at UC San Diego. And I also have an operational cyber security role as medical director of cyber security, for UC San Diego Health. So kinda studying that intersection of patient safety and cyber security, if you will, is one of the things I’m really excited about and passionate about.

0:01:24.9 MM: And Jeff, how about you?

0:01:26.8 Jeff Tully: My name is Jeff Tully. I largely do most of what Christian does, and it’s widely acknowledged, I’m better looking than he is. I do wanna make sure that we didn’t get a schedule mix up. The term illustrious has never really been used with Christian, so are you sure that we’re on the right day here? No, just joking aside, Christian is my best friend. He’s brilliant. He is a security researcher and physician who I look up to be and wanna be when I grow up. So I’m working on stealing his identity, gradually. I am an anesthesiologist and pediatrician by training. I’m currently at UC Davis Medical Center as an Assistant Professor. I’m actually leaving in just a little bit to go down to UCSD to join Christian and really accelerate our research efforts. So, so happy to be here. We love you, Mike. Thanks for the opportunity.

0:02:08.9 MM: Oh, guys, I love having you here. And for the listeners who can’t see what I see, Jeff’s actually doing this interview in scrubs, in what looks like a locker room inside the hospital. So actually in the hospital as we’re having the conversation. So guys, a place to start. I was saying this to Jeff before we started. I’m so excited about this year’s Cyber Med Summit. We didn’t really get to do it last year. We were all in San Diego in 2019, but I’m so psyched. Tell us what’s going on. Tell us what you’re planning. Let’s just talk about it. I can’t wait to hear all the cool things.

0:02:43.8 JT: Yeah, so Cyber Med Summit is something that Christian and I put together in 2017, with Josh Corman and Beau Woods, who are really close friends of ours. I hate to use the term thought leader, but I think it was invented for those two guys in the cyber security space. Josh and Beau, at the time, were part of The Atlantic Council and doing some really cool stuff on the policy side. So we met a few years prior to that, at DEF CON. We loved to hang out and just kind of brainstorm ways where we could sort of take our growing interest in healthcare cyber security, combine it with some of their more policy and outreach-oriented efforts and really create a conference, that kind of married what we loved about the hacker culture and space or something like a DEF CON, and bring it to our specialization of clinical cyber security. So there’s a lot in healthcare cyber security that I’m sure you’re all familiar with, focused on infrastructure and organization on operations. Christian and I are really interested in how do some of the cyber security issues that we talk about, directly affect the way that we deliver care to patients at the bedside.

0:03:43.0 JT: So in talking with Josh, and Beau, we’re like, “Man, wouldn’t it be great if we had an event that was kind of focused on this very specialized aspect, and bring together all of our friends in the space, all of the amazing role models we have?” like Suzanne Schwartz at the FDA, who has been incredible mentor to us in this. All of us kinda coming to together to see how do we really work to, in a very compressed space, accelerate some of these issues?

0:04:04.6 JT: So the very first event happened in 2017, back when we were still in Arizona, at the University of Arizona, the College of Medicine in Phoenix. That was two weeks after WannaCry. So it could not have been more timely, and more relevant. And that event was where we first kind of pioneered and debuted our simulation. So clinical simulation. So as medical students and later as physicians, we train often times, by using the modality of simulation. And we kinda stole it from aviation, to basically say, “How can you practice really high stakes, the rare events over and over again, to make sure that when they happen in the real world, you are capable of dealing with them?” So Christian actually had the amazing idea, let’s take some of the security research done by our friends and hackers like Jay Radcliffe, and Billy Rios, who have worked on medical devices and said, “Hey, we found some of these vulnerabilities or exploits that could compromise the function of these,” take our clinical knowledge, translate that into scenarios, where patients in our pretend emergency room were undergoing treatment with the device that may have not been working properly, as a result of a compromised vulnerability. And then how would that play out in real time? How would a doctor pulled into that, handle that?”

0:05:10.0 JT: The first time we ever did those was, in 2017, at the University of Arizona, College of Medicine. And we came back the next year. In 2018, we went to UCSD, when Christian moved in 2019. I wanna make sure all these dates are correct. It seems like it’s been forever since the first one, so forgive me, if in retrospect, I have misspoken. But long story short, we’ve done it three times. Each year has been bigger and better than the last. So Christian, do you wanna give a little preview about what we’re doing this year.

0:05:35.0 CD: You know, we’re gonna have pyrotechnics, we’re gonna have… No, just kidding. We are really excited. Of course, asterisk, asterisk, asterisk. COVID pending and who knows what’s gonna happen. But we’re lucky to, I think, report right now, that we’re gonna have an event in November 6 and 7 at the University of California San Diego Medical School. They’ve been a great host for us in our last event. And do much more of what we are kinda famous for in the space, which are those clinical simulations. Which is, “How do cyber security vulnerabilities of medical devices and infrastructure, how do those impact patient care?” We’re gonna be doing lots of that. I think we’re gonna be doing some innovative new things too. I’m just gonna preview it. We’re gonna have some, kind of, we’re gonna have a cool badge, hopefully. We’re gonna have some more workshops. Not necessarily more workshops, but more of the workshops that were exciting, “How do you hack medical devices?”

0:06:25.0 CD: And then we’re gonna also be expanding out our umbrella. One of the things that’s really cool about our conference, I think, is it’s not just technical folks, it’s not just clinical folks, it’s kinda like everybody. The regulators come, and what we can do in that is, continue to expand out our tent and say, “Who is another stakeholder that needs to come to this, because their voice is important?” And we’ve identified things like Biomed. Biomedical engineering is a huge part of this, that have been absent from so much of the both technical and non-technical conferences. So they need to be there. And in the shadow of COVID, it’s still there. I’m not saying it’s gone, but what we’ve seen post the worst parts of COVID, is this need to incorporate emergency managers. This is huge. This is a section of healthcare delivery, whose sole job is to make sure that you can take care of patients during a disaster.

0:07:15.2 CD: Well, cyber attacks, as evident by these ransomware attacks that have been hitting, Conti, RYUK, all this stuff that’s been going on, clearly has disastrous consequences for a hospital. What does that mean? It means these are like natural disasters. They can have the same types of impact. Who in your hospital is tasked with keeping the clinical care going and make sure things are working? It’s emergency managers. It’s emergency management. They have that expertise. Well, they’ve been missing from the cybersecurity conversation for years. And so now, I think, at our conference, we’re gonna be expanding out to emergency managers, “Hey, come into the fold. How can we help elevate each other’s preparation for the inevitable cyber disaster that’s gonna hit more and more hospitals?” I think this is clear, maybe this will be a point of conversation we can come back to later on.

0:08:24.8 CD: Ransomware is not going away, hospitals are paying ransoms. The ransoms are causing greater impact to hospitals, our down time is longer. So, we can’t solve this from a purely technical side, we can’t solve this from a purely policy side. What we need is a huge amount of stakeholders to come together and work together, to really make a meaningful impact. We hope our conference is the place for that, and we’re also proud to say that our conference has never cost any money, so people can come to our conference for free, we don’t tell anyone they can’t come. Everyone’s voice is appreciated there, even if you know nothing about healthcare or nothing about cyber. It’s truly one of these open forums, and I’m excited to say, I think we’re gonna continue that tradition this year. And just excited to be able to say thank you, Mike, for letting us talk a little bit about it, before we get to some brass tacks of other stuff.

0:08:51.4 MM: Oh, no. Guys, I actually, it’s something I really, I’ve been waiting to actually have a forum, to talk about one thing specifically, that I think’s so powerful, from the simulations that you all did. The simulation that you all did in 2019, I happened to be in the room for, and the most interesting part was that, you were using real medical students and docs, and putting them in the situation where it was almost a chaos monkey sort of situation, if that reference makes any sense. Right? They go to treat this fake patient, or actually, real person pretending to be a patient on the table. And suddenly, equipment stops working and you’re yanking things out from them, and you just watch these people try and work in such an impoverished environment. And it’s a real impoverished environment. As we talk about this, there is a hospital system that I know about, ’cause it was in Beckers the other day, that their EHR is ransomwared and they’re doing all of their admissions and everything on paper. And you guys are really doctors. Tell this audience, most of whom are more IT cyber security people, what is that like as a doc, to just have all these processes start to disappear in front of your eyes? How do you survive that, if you haven’t practiced it?

0:10:01.3 JT: It’s a fantastic question, and I think it really gets to the heart of how dependent we are on technology, to do our daily job, with respect to patient care, and how implicitly we trust that that technology will always be there. Right now, my primary clinical operations are in the operating room, so taking care of patients under anesthesia. I’m monitoring their vital signs, I’m monitoring a lot of medications, I’m monitoring ventilator settings and things like that. All of this data gets pulled out and dumped into the anesthetic record, so I don’t have to worry about charting everything and I can focus on taking care of the patient. When we do have our intermittent down times and our ability to have all that data pulled, is lost, I literally have to go into a drawer on the anesthesia machine, pull out a paper record and then dedicate 50% of my attention to making sure I’m manually charting all the vital signs.

0:10:54.8 JT: That’s not how you would want somebody caring for your family member, if they were in a highly complex and technical surgery. So just by the very nature of needing to shift from one way of working to another, I think, has actual implications to patient care. And you’re absolutely right, we don’t practice that. So we don’t train for it in the same way that we train for a massive hemorrhage in the operating room or a cardiac arrest in the operating room. And that’s kind of the point behind the clinical simulations, is that we wanna give people a recipe for doing that type of training, because it is something that I feel, is almost as important as knowing how to treat an allergic reaction or give a blood transfusion.

0:11:28.5 CD: Mike, I don’t know what it’s like to do that because I’m 34 years old, and I trained in medical school and residency and fellowship, after the era of paper records. And that’s only gonna accelerate. It’s funny, we talk about how great technology is, and it is, it saves lives every day. It’s amazing, the technology we can employ, to treat cancer patients and to do those things. Jeff, hit the nail on the head. We are so dependent on that, we’ve heard cliche after cliche, that digital generation or millennials, we can’t get off our phones. Well, it’s even worse in medicine ’cause every tool we use is digital. To answer your question, what is it like when we don’t have those things? I can’t tell you, Mike. I’ve never done it. But I can tell you, it’s not gonna be good. If I had to be in the emergency department, and all of a sudden, we didn’t have an electronic health record or a PAC system to look at images, and that persisted for a prolonged amount of time, I can tell you exactly what’s gonna happen. My job in the emergency department is to make sure people don’t die. I don’t always come to a diagnosis, but I’m supposed to make sure that I do everything I can to treat emergent, life-threatening conditions right then and there.

0:12:41.6 CD: To do that job, I need technology to give me quick answers. If I don’t have that, I don’t get quick answers. I might not get an answer at all. So if I don’t know what your medical record is, I can’t tell, “Oh, they have a history of a brain tumor that’s probably bleeding. Oh, that’s why they’re confused, and can’t tell me what’s going on.” If I don’t have that record, I don’t know why you’re confused. If I don’t have an electronic health record to help me order medications the right way, I might give you an overdose or an under-dose of medication. That’s a scary thought. Our electronic health records have tools in them, to reduce mistakes by doctors. We become dependent on those. When we don’t have those tools, we’re more prone to make mistakes. Guess what? I look at, not just records, results. So you come in with chest pain, I need to figure out if you’re having a heart attack or not. Part of me figuring that out, is getting laboratory studies in a timely way. Well, if the systems are down, I can tell you, what normally might take an hour to get labs back, might take six or nine hours. And if I don’t have that answer, about whether or not you’re having a heart attack, it’s not entirely dependent on lab, for example, but there’s a big component of it, I’m gonna not know you’re having a heart attack, for 10 hours. Guess what? Portions of your heart are dying, every minute I don’t figure that out.

0:13:49.8 CD: And so, at the heart of it, imagine trying to do your job without any of the tools that you normally use, and being quickly shunted into a workflow you’ve never done before and expected to take care of people in time-sensitive, life-threatening medical conditions. That is the proposition. On top of that, that might be two weeks, it might be four weeks. We’re seeing ransomware attacks now, that are taking hospitals down, not for days, but for weeks. It almost feels like they’re getting longer because of the focused targeted attacks of healthcare and how impactful their particular ransomware is, to the entire enterprise. That is something that’s terrifying and honestly, one that I don’t hope I’m never in. I hope I can’t ever go back to you, Mike, and say, “Wow, I know exactly what it’s like now, because this happened to me.” I can talk to people where it’s happened to and we all know, it’s not good.

0:14:44.3 MM: Yeah. The unfortunate part is, I heard a statistic the other day, that blew my mind, that 25% of the nation’s hospitals have been hit with ransomware in the last three years. And the idea that that’s one in four. In any city you’re in, there’s at least four hospitals, pretty much. You can pretty much guarantee that someone has been shut down in the last four years and those professionals have had to live through that. One of the things that I remember from that particular, and Christian, you reminded me of this as you were talking about the lab’s piece, the thing that I thought was so powerful about that demonstration is, often, those demonstrations, we’ve seen over the years Barnaby Jack hack an ATM onstage and they end up theatrical, but more for the cyber security folks in the audience.

0:15:27.3 MM: And I thought it was so interesting, that you guys actually stopped the simulation at one point, to explain to everyone the decision that the doctor was trying to make. And you guys will remember this better than I do, but it was something about a blood clot and it was, “If they give this one drug and the blood clot is this way, it will save their lives, but if they give the same drug and the blood clot is a different type, this drug will kill them instantly. And the only thing that will make this decision is the CT scan that just went down.” And I was just seeing the audience being like, “How do you make that call if you’re the doctor in that situation, without the… ” And as Christian, as you were talking about it, I was thinking about, “How do you put yourself in that situation, where the information you have to determine to save the person’s life is now gone, what that must feel like?”

0:16:11.0 MM: We talk a lot about physician burnout. I can’t imagine the level of physician burnout that must come from all of this uncertainty, when you get into cyber events. I know that wasn’t really a question, I was just throwing out how I was thinking about it ’cause it’s such an interesting topic to me. I’m not a doctor, I’m a cyber guy, and so it’s fascinating, to hear how you guys think. So what other things are you guys up to, especially around… We know the CyberMed Summit is coming up. But every time I talk to you both, there’s five other things going on at the same time. You’re involved in all kinds of other things. What’s the news in Jeff and Christian’s life lately?

0:16:49.3 JT: Well, we really haven’t talked about the elephant in the room, which is that we’re coming off of a period in our clinical careers that I don’t think we ever anticipated we’d experience, as we were becoming doctors, with respect to taking care of patients during the pandemic. Christian and I were both privileged, to be able to help out more in the frontlines in the ICU and in the Emergency Department. And so I think that obviously, provides an opportunity to reflect and it just kinda serves to further reinforce how important it is, when we are in such a position and the system in general, is stressed, you really, really have to have technology that you can depend upon and rely on. So unpacking that a little bit, from a research standpoint, I’ll let Christian in just a moment, talk about some of the interesting stuff that we have on the docket, with respect to understanding that we are all connected in various ways in an ecosystem and that some of these things don’t happen in a vacuum and that there are spillover effects. He can dig into that a little bit more.

0:17:52.3 JT: From a advocacy and outreach standpoint, we really want to do what we do with the simulations, on a much larger scale. So we want to be able to give training and education to clinicians across the entire allied health spectrum, so that means not just doctors, but nurses and pharmacists and physical therapists and everybody who touches patients. We feel it’s important that they have a little bit of education, regarding some of these aspects. We’re not hoping to turn everybody into a cybersecurity professional, but we wanna develop curriculums and modules that can illustrate a little bit of what we do, more viscerally with the simulations. I’m sure there’s stuff I’m forgetting because we are chronically overbooked. But Christian, do you wanna mention a little bit about sort of our research directions?

0:18:33.0 CD: Yeah. So another elephant in the room besides COVID is that, we in the San Diego area, just had a pretty big event. Scripps got hit and I don’t work at Scripps, but I work at an adjacent hospital system, and what an awful thing. A pretty intense attack and the recovery of which was over a month, before they were able to restore systems. That’s a big thing. It’s one thing when that happens across the country. When UHS got hacked, there was one hospital around our system, around me physically, that I heard some things about, which were disconcerting. So I think when it happens on a Saturday night and I’m working a Monday shift in the emergency department. Why? Why does that matter? We didn’t get hit. Our institution didn’t get hit. Why would it matter? Because that was one of the busiest days I’ve ever worked in my entire life and it was so impactful to me, to say, “They’re getting hacked and we’re getting the patients that they would normally take care of, in our Emergency Department.” And what does that mean? It meant that our wait times shot up. You might wait in the emergency department for a couple hours, maybe less if you’re really sick. Wait times went through the roof, because we were inundated with patients.

0:19:45.2 CD: One of the biggest things we saw is nearly… And we’re gonna publish this data, it will be out in the public domain later on this year, but one of the things that was very impactful is, we got so many ambulances. I wanted to almost take a picture of it, but it would’ve been a… I don’t wanna take pictures of patients, but there were literally, a dozen ambulances waiting to put patients into beds, because all the ambulances that would normally go to those hospitals had to come to us. And we saw more heart attacks and we saw more strokes, and we saw that this ecosystem effect that Jeff is mentioning, it mattered to me ’cause I was working that Monday shift. And what it really told me is that, even if you yourself are maybe a little bit ahead of the curve as a healthcare delivery over-organization, cyber-wise, you have the multi-factor authentication, you’ve done some hardening of your systems, if you’ve invested a lot in cybersecurity and you feel like your posture is better than most hospitals.

0:20:35.6 CD: It still might not matter because you’re gonna get the spill-over effect, you’re gonna have this ecosystem. And that’s truly one of the things that we need to talk about, how that changes the conversation. It’s almost like we can’t just have really secure hospitals and hospitals that are really poorly secured, and that’s acceptable. We need to raise the resiliency across the board because we all interact in an ecosystem. And what we know, and there’s plenty of literature to support this is that, when patients get diverted to other hospitals because they can’t go to hospital A, or when wait times go through the roof, or when there’s too many… There’s not enough beds in the hospital, and people end up being in the emergency department for days, we know that leads to inferior care for patients, and that matters for patients and their care. What am I trying to get at here? We need to start treating cyber disasters not like, “I do this and you do that,” it doesn’t matter what you do. We need to all raise our cyber resiliency, it matters.

0:21:29.8 CD: And then two, “What do we do, to prepare for these things?” We need to talk about them like disasters. We have plans regionally, if an earthquake hits. We’re gonna talk about what to do if an earthquake hits us, this hospital is gonna do this, if we have to put tents out in this… We have plans for that. We don’t have good cross-talk or regional plans for cyber disasters. This we hope, in publishing this data, is going to push more people to recognize that we’re all in the same kind of cyber boat here. We need to prepare for this. It’s gonna require an investment across the board, and I hope that gets bore out with things that are recently developed, like Biden’s Executive Order on cybersecurity and securing infrastructure, including healthcare. There’s this bipartisan infrastructure deal that just got… Reportedly, there’s some movement with and includes 47 billion dollars for securing critical infrastructure cybersecurity. These are the types of things that I’m hoping, are gonna move the needle to making us more cyber resilient across healthcare, but not just at the hospitals that have money. We really need to do it with everybody.

0:22:32.1 MM: Yeah, and you really identified, the cyber programs in the healthcare industry have really been a big haves and have-nots kind of thing. You get the big privately funded systems that have a really effective program, and then you go to a safety net hospital in some regional area, that’s barely hanging on and has almost no profit margin to speak of. And every one of their patients is Medicare, and you ask them what their cybersecurity budget is, and they’ll laugh at you. But it’s those hospitals getting hit, that’s going to divert their patients off to that big rich system, and then you’ve got a problem in both places. For all the time I spent thinking about and talking about this, I actually hadn’t thought about the regional disaster impact. That’s a really important point. I can’t wait for you guys to publish the data on that, because I think it’s something that you can’t solve at an individual system or individual hospital level. That’s really fascinating, guys.

0:23:26.3 MM: I don’t wanna take up a million hours of time and we’re sort of up on it. Where can the world find more of you guys? Obviously, everyone listening should come to the CyberMed Summit when they have it in November. I’m gonna be there, probably half the Scope team’s gonna be there just ’cause we’re all excited about it and everybody’s kind of psyched to… Well, and let’s be honest, San Diego in November is not a terrible choice. So looking forward to hanging out with you guys and seeing everybody. But where else can they find you, if they want more Christian and Jeff?

0:23:56.7 JT: Christian has an OnlyFans page, it’s very tasteful.

0:24:00.7 CD: I don’t yet, but if…

0:24:02.1 JT: I’m going to pay for this. The return on investment of my trolling is going to not work out favorably for me. No.

0:24:08.7 MM: It’s gonna make a good podcast episode though.

0:24:10.7 JT: Yeah, sorry. I’m sorry, Christian.

0:24:12.8 MM: I love it.

0:24:14.7 JT: It was very low hanging fruit. So we probably tweet more than we should, or I’m at least on Twitter more than I should be, @JeffTullyMD. I would not encourage people to reach out to me via my UC Davis email, because that will be wiped from memory, eternal sunshine style in a couple of days when I leave. But once I get established down south at UCSD, we’re always happy to have conversations and see about possible avenues for collaboration. And then again, cybermedsummit.org. We are working right now, on a brand new website refresh, so excuse the geo-cities design right now, but that will be all updated with new information about registration and how to come and hang out with us. So Christian, I’ll give you one free shot at me. Go ahead. Take your best.

0:24:55.6 CD: Oh, I wouldn’t do such a low blow, Jeff, I’m not gonna sink to… Just kidding. Another thing I wanna do, hey, listen, DEF CON this year, whether you’re going in person or you’re going to be online, we will support you. Of course, either way, is another venue for… To communicate. We’ve been going to DEF CON for years. I think my first one was ’13. I drug Jeff at, I think, at ’19 or ’20, it’s like, it fills our cup every year to go and hang out with our hacker families. This year is gonna be no exception, and we’ve been lucky enough, knock on wood, we’ll see what happens this year, to have a pretty regular healthcare cybersecurity presence at DEF CON, and some of that’s with the Biohacking Village, but it’s also with another event that we run, at least we have done the last four years, which is this Do No Harm event. So it’s usually in evening, Friday or Saturday, it’s usually adjacent, so the EFF panel is usually one night and Do No Harm is on the other night. And what is it? It’s exactly what we say, it’s a forum for hackers to come together and talk about healthcare cybersecurity.

0:25:55.0 CD: That’s at DEF CON, we’re always there. We lead a panel of amazing people, and if this year, we get accepted, we’ll be happy to announce, our panel this year is of no exception. Of course, really cool people that are in the space, taking care of patients, but also regulating medical devices from FDA leadership. And then also, a lot of other people, voices that haven’t been elevated in the space before. So we’re always excited every year, to bring new people on the panel and elevate their voices and their perspectives on healthcare, cybersecurity, another place to hang out with us, of course, at DEF CON. And then if the numbers continue to get better and COVID permits, you can always meet us at our conferences, as we always have, besides DEF CON, we have other conferences we go to and other forums. We’re always looking for people to collaborate, especially if you advocate for patients and their safety.

0:26:41.7 CD: And we’re excited for just the future, which is hopefully, much more secure than the past, and our healthcare much more resilient, because that’s what matters at the end of the day. We could talk about this and admire the problem until we’re blue in the face, but if we don’t fix it, not fix it entirely, but if we don’t fix some of it or make it better, then it doesn’t matter. Because our mothers and our brothers and our sisters and our children, they’re gonna go to hospitals and get the same potentially compromised care that they would, if we don’t. And that’s an important point, is that this is for patients. And whether or not you’re on the front-line, taking care of patients by touching them, or whether or not you’re securing the critical systems that support that, know that at the end of the day, it’s for patients. It’s a big honor, but also a big responsibility and one that we’re thankful to be a part of and hope anyone who wants to be a part of that mission, joins us.

0:27:34.4 MM: Guys, you know that the team at Scope is behind your mission. We appreciate that very much and love it. And actually, Christian, you just reminded me of something that I told Jeff, but haven’t told you yet, and I’ll use this as an opportunity to say this for the first time publicly, that Scope is actually participating in the BioHacking Village Device Lab this year. That Scope’s platform will be ingesting all of the logs from all of those medical devices and then telling the medical device manufacturers how they can improve their own logging, so when a hospital uses that device, it will be easier to detect exploitation and compromise on the future generation of medical devices. So big fans of the BioHacking Village, big fans of you guys. I think you both know that, and thank you again, for coming on, I can’t wait to see all at DEF CON. Can’t wait to see you guys in November, and look forward to chatting again soon.

0:28:22.7 JT: Thank you so much, Mike.

0:28:23.9 CD: Thanks, Mike.

0:28:27.2 Speaker 1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, hop on over to www.scopesecurity.com to sign up. Or you can listen on Apple Podcasts, Spotify or Stitcher. And if you have ideas for topics, guests or technical tips, please contact us at [email protected]

About Christian Dameff


Christian Dameff, MD, MS is an Emergency Physician, Clinical Informatics Fellow, and researcher. His published clinical works include post cardiac arrest care (including therapeutic hypothermia), novel drug targets for acute myocardial infarction patients, ventricular fibrillation waveform analysis, cardiopulmonary resuscitation (CPR) quality and optimization, dispatch-assisted CPR, teletoxicology, clinical applications of wearables, and electronic health records. He has published in journals such as JAMA, Resuscitation, Circulation, JAMA Cardiology, Academic Medicine, and others. Dr. Dameff is also an internationally known hacker and security researcher interested in the intersection of healthcare, patient safety, and cybersecurity. He has spoken at some of the world’s most prominent hacker forums including DEFCON, RSA, Blackhat, Derbycon, and BSides, and he is one of the cofounders of the CyberMed Summit, a novel multidisciplinary conference with emphasis on medical device and infrastructure cybersecurity.

About Jeffry Tully

Jeff Tully is an Anesthesiologist, Pediatrician, and Security Researcher with an interest in understanding the ever-growing intersections between healthcare and technology. Prior to medical school he worked on “hacking” the genetic code of Salmonella bacteria to create anti-cancer tools, and throughout medical training has remained involved in the conversations and projects that will secure healthcare and protect patients as we face a new era of remote care, implantable medical devices, and biohacking. His work on 911 infrastructure vulnerabilities, simulations of hacked medical devices, and exploitation of HL7 protocols have been featured at RSA_C, DEF CON, and Black Hat. He co-founded the CyberMed Summit, the only multi-stakeholder healthcare cybersecurity conference with a clinical focus.


Leave a Reply

Your email address will not be published. Required fields are marked *