College of Medicine Graduates Organized Summit to Address Solutions to Medical Device Hacking

Jeffrey Tully, MD, and Christian Dameff, MD, are physicians first and computer hackers second.

They have dabbled in medical applications for Google Glass, discussed human augmentation concepts at Def Con — one of the world’s largest annual hacking conventions — and published research on what would happen to a city’s 911 computer system if it was breached.

Graduates of the University of Arizona College of Medicine – Phoenix Class of 2014, Tully just finished a pediatric residency at Phoenix Children’s Hospital and Dameff completed a residency in emergency medicine at Maricopa Medical Center. Next up for Tully is a three-year residency in anesthesiology at the University of California, Davis. For Dameff, it’s a clinical informatics fellowship at University of California, San Diego.

While they continue their medical career on one track, their personal interest in computers has consumed their off-duty time. At last year’s Def Con convention in Las Vegas, they met experts who, like them, were increasingly worried about lax security in hospital computer systems. If a hacker could hold patient information hostage for money, could the next step be compromising a patient’s pacemaker or insulin pump, or even a hospital’s bedside medication pump?

Their latest endeavor tackled solutions to the threats of medical device hacking. Teaming up with the Atlantic Council, the pair organized a two-day conference June 8-9 at the UA College of Medicine – Phoenix that drew more than 100 international IT experts.

Like many Millennials, the duo’s learning style is hands on. And what set this conference apart from previous ones on cybersecurity were three simulated emergency exercises, where patient pacemakers and insulin pumps were hacked in the name of science.

Tully and Dameff have taken to heart the college’s mission of becoming exemplary physicians, scientists and leaders, who innovate to improve health care in Arizona and beyond. They are single-minded in their focus to improve patient care.

They met during their first year at the College of Medicine – Phoenix and became fast friends due to their shared interest in Netflix shows, Star Wars movies, video games and computers. Tully was born in California and grew up in Cave Creek. He graduated from Arizona State University with a BS in biochemistry and a concentration in medicinal biochemistry. Dameff is from Tucson and completed his undergraduate degree in philosophy and masters in physiology and biophysics from the University of Arizona.

As kids, they both had a little “mad scientist” in them, with Tully building computers and Dameff trying to figure out what would happen if he tweaked a system’s software.

That experience as a 12-year-old, Dameff said, showed him that he was limited only by his imagination.

“Hackers understand the system. The spirit of curiosity and exploration is really at the heart of it. It’s an exercise in thinking about things creatively,” he said.

Both credit the environment at the UA College of Medicine – Phoenix for reinforcing a spirit of collaboration and discovery.

“It was a place I would have chosen even if it wasn’t in my own backyard,” Tully said. “There is a great support structure, and the training is world class. As part of one of the first classes to graduate, we were able to participate in building traditions.”

Dameff said he instantly had a sense of family when he met his medical school classmates.

“I never had a feeling of competition. We helped each other and were excited in each other’s successes,” he said. “We didn’t have to jump through hoops. We were encouraged to do something new. It’s because of that environment that Jeff and I were able to do the things like apply for (and receive) a Google Glass grant and have research published on 911 emergency systems.”

While it might seem odd for physicians to have an interest in hacking, Dameff said it’s a natural connection for him.

“Doctors are hackers; they just don’t know it,” he said. “They think through the pathology of a disease. They look for weaknesses of the disease, of the system, just like hackers.”

As an ER resident, he said, the last thing he wants a patient to do when they come to an emergency room is to worry about whether a medical device like a CT scan machine or a medication pump that’s connected to the Internet might harm them.

“In hospitals, we keep plugging everything to the Internet,” Dameff said. “Devices are becoming more sophisticated and connected wirelessly. At my core, I believe that we are doing something dangerous. We want to fix everything with technology. But we can’t secure it. I’m fearful that patients are going to suffer.”

That fear was behind the creation of the CyberMed Summit. Dameff and Tully teamed up with Josh Corman and Beau Woods, both directors of the Cyber Statecraft Initiative at The Atlantic Council, a Washington DC think tank.

Tully said they saw the conference as a way to gather clinicians, regulators, policy makers, medical device makers and hospital IT directors to begin improving security. They wanted to show how a rare medical situation could be handled in a controlled environment through the simulation exercises.

They attracted an impressive schedule of keynote speakers, including Suzanne Schwartz, MD, MBA, associate director for Science and Strategic Partnerships at the FDA Center for Devices and Radiological Health.

“Cybersecurity is going to evolve, vulnerabilities are going to evolve over the lifetime of a device,” she said. “In order to safeguard our patients, we believe it’s critical to create the culture of collective will.”

Tully said he was pleased with the turnout and the discussions at the conference.

“We had the first-of-their-kind cybersecurity simulations. We brought together people all across the world. We offered an event free of charge to the public, and we had the chance to show the UA College of Medicine – Phoenix as an innovative center that will lead the world in this issue,” he said.

Dameff and Tully hope to become premier cybersecurity experts.

“We want to become the real voice of patients in trying to fix these issues,” Dameff said. “It’s an opportunity, but it’s also a responsibility. When you see the waterfall coming and you’re on the raft, it’s your job to warn everyone to get to the side.”

CyberMed Summit Keynote Addresses

• Christian Dameff, MD, Emergency Medicine physician and researcher, and Jeff Tully, MD, pediatrician and researcher.
• Beau Woods, deputy director of the Cyber Statecraft Initiative in the Brent Scowcroft on International Security.
• Josh Corman, director of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center and a founder of I am The Cavalry.
• Marie Moe, PhD, senior scientist and research manager for the Infosec research group at SINTEF.
• Scott Erven, managing director at PricewaterhouseCoopers.
• Suzanne Schwartz, MD, MBA, associate director for Science and Strategic Partnerships at the FDA’s Center for Devices and Radiological Health (CDRH).