Healthcare’s Most Overlooked Vital Sign

Healthcare has never been more advanced, and more fragile. Jeff Tully wants to fix that. A practicing anesthesiologist turned security researcher, he has mapped vulnerabilities in 911 infrastructure, exposed exploitable health record protocols, and simulated compromised medical devices. Now he is on a mission to ensure that when a cyberattack strikes, patients stay safe.

You spend your days in an operating room making sure patients get the needed care. You spend the rest of your time demonstrating how easily that work can be undermined through digital means. How do those two roles sit together?

At its core, the specialty of anesthesiology is built upon vigilance and patient safety. The first intensive care units were started by anesthesiologists, and research coming from our field has resulted in new technologies for patient monitoring and safety that are now ubiquitous across all of medicine. So, when I am helping an individual get safely through an operation or working to ensure that critical healthcare technology infrastructure is safe and resilient, I view both efforts as participating in a professional legacy of keeping people safe and secure. The only difference is the scale and the methods. 

When a patient checks into a hospital, they place trust in the system—the equipment, the network, the data. How does the growing reliance on digital networks alter that safety assessment?

Modern medicine has allowed incredible advances in the way we treat serious, time-sensitive conditions like heart attacks, strokes, or sepsis. It has also benefited from the capture and analysis of biomedical data at an incredible scale. Both improvements are built upon an underlying technical infrastructure comprised of connected systems like electronic health records, connected medical devices, and clinical informatics pipelines.

The reliance on these technologies to execute clinical workflows means that the availability of these technologies becomes intertwined with patient care outcomes. When widescale disruptions like a cyberattack occur, and doctors and nurses are unable to use the tools they rely on for care, they are forced to adopt less safe analog and manual processes, negating much of the benefit derived from our modern clinical technologies. 

When ransomware forces a hospital off its digital systems, the clinical work cannot stop. How do staff keep delivering care in that void?

Many institutions will revert to analog processes like pen and paper records and manual tracking of patients and laboratory specimens. While most folks of a certain age likely remember the era before computers in their doctor’s offices and hospital wards, many healthcare professionals today have never known a non-digital workflow and so struggle to adopt what are often poorly drilled downtime procedures.

“Literature suggests that in the absence of certain features like automated allergy alerts or drug interaction warnings, using paper-based processes can result in increased risk of medical errors.”

Certain types of platforms, such as an interventional radiology system for treating strokes or blood clots, may be entirely dependent on access to a connected network, which, during a ransomware attack or other prolonged disruption, may mean specialists can’t care for those patients at all, requiring time- and resource-intensive diversions to other facilities.

Your research gives evidence that a cyberattack on one hospital is rarely just one hospital’s problem. Neighboring facilities absorb the overflow and suffer too. How large is that blast radius?

The impact on a regional healthcare ecosystem from one or several hospitals in that area having prolonged downtime is likely to vary depending on the specifics. What our research does show is that there are measurable impacts in care quality and patient outcomes even in hospitals themselves unaffected by the underlying issue. The proximity to impacted hospitals will result in excess demands for care above a typical baseline, similar to what was seen during the pandemic. Of most concern are rural and critical access hospitals, which may be the only facilities in a given geographic radius caring for certain types of patients. 

As a researcher, you have simulated compromised devices, mapped 911 vulnerabilities, demonstrated exploitable health record protocols. Where is the line when a technical vulnerability becomes a patient safety issue?

When exploitation of that vulnerability leads to an impact that disrupts the routine standard of care. Before security researchers looked at vulnerabilities in certain connected medical devices, healthcare mainly thought about cybersecurity as a data privacy issue, with regulations like HIPAA covering the inappropriate access of protected health information. In the mid-2000s, hackers and security researchers began to demonstrate that vulnerabilities in connected medical devices could be exploited to cause alteration in device function, which marked the beginning of viewing healthcare cybersecurity through a patient safety lens.

People tend to perceive cyber incidents as less threatening than physical attacks, even when the material and human consequences can be the same. How can we change this bias?

Storytelling (your work being a great example) is definitely a step in the right direction. 1000x more awareness was raised in a few weeks than during all of my decade-plus-long efforts when season 2 of the popular US streaming show The Pitt viscerally demonstrated the chaos of unplanned network downtime in a busy emergency room. I bet a lot more people now ask their doctors about cyberattacks!

You have one year and one change to make. What would you do?

If you’ll permit a US-centric bias, and speaking in my personal capacity, I’d repeal the cuts to Medicaid featured in the ‘One Big Beautiful Bill’ which are set to result in significant adverse financial impact to rural and critical access hospitals across the country. Less resources available to spend on patient care, less resources available to spend on important operational capabilities like cybersecurity. 

From a proactive standpoint, the bipartisan Health Care Cybersecurity and Resiliency Act of 2026 put forward by Senators Warner and Cassidy seeks to provide resources to these very same kinds of hospitals in addition to addressing shortages in the cybersecurity workforce and improving information sharing across the sector. However, following Senator Cassidy’s unsuccessful run for re-election it is unclear as to what the fate of that legislation will be.

Jeff Tully, Co-Director, UC San Diego Center for Healthcare Cybersecurity
