Drs. Jeffrey Tully (left) and Christian Dameff (Photo: Sun Czar Belous/UA)
Drs. Jeffrey Tully (left) and Christian Dameff (Photo: Sun Czar Belous/UA)

UA Med School Hosts Summit on Medical Device Hacking

Drs. Jeffrey Tully and Christian Dameff, alumni of the College of Medicine – Phoenix, teamed up with the Atlantic Council to attract more than 100 cybersecurity experts to a conference in Phoenix.
June 9, 2017

Drs. Jeffrey Tully and Christian Dameff are physicians first and computer hackers second.

They have dabbled in medical applications for Google Glass, discussed human augmentation concepts at Def Con — one of the world's largest hacking conventions — and published research on what would happened to a city's 911 computer system if it were breached.

They are graduates of the Class of 2014 of the University of Arizona College of Medicine – Phoenix. Tully recently finished a pediatric residency at Phoenix Children's Hospital and Dameff completed a residency in emergency medicine at Maricopa Medical Center. Next for Tully is a three-year residency in anesthesiology at the University of California, Davis. For Dameff, it's a clinical informatics fellowship at University of California, San Diego.

While they continue their medical careers on one track, their personal interest in computers has consumed their off-duty time. At last year's Def Con convention in Las Vegas, they met experts who, like them, were increasingly worried about lax security in hospital computer systems.

If a hacker could hold patient information hostage for money, could the next step be compromising a patient's pacemaker or insulin pump, or a hospital's bedside medication pump?

Their latest endeavor tackled solutions to the threat of medical device hacking. Teaming up with the Atlantic Council, a think tank from Washington, D.C., the pair organized a two-day conference on June 8 and 9 at the UA College of Medicine – Phoenix that drew more than 100 international IT experts.

Hacking in the Name of Science

As with many millennials, the duo's learning style is hands-on. What set this conference apart from previous ones on cybersecurity: three simulated emergency exercises in which patient pacemakers and insulin pumps were hacked in the name of science.

Tully and Dameff have taken to heart the college’s mission of becoming exemplary physicians, scientists and leaders who innovate to improve health care in Arizona and beyond. They met during their first year at the College of Medicine – Phoenix and became fast friends over a shared affinity for Netflix shows, "Star Wars" movies, video games and computers.

Tully was born in California and grew up in Cave Creek, Arizona. He graduated from Arizona State University with a bachelor's degree in biochemistry and a concentration in medicinal biochemistry. Dameff, from Tucson, completed his undergraduate degree in philosophy and master's in physiology and biophysics from the UA. As children, they had a little "mad scientist" in them, with Tully building computers and Dameff trying to figure out what would happen if he tweaked a system's software.

That experience as a 12-year-old, Dameff said, showed him that he was limited only by his imagination.

"Hackers understand the system," he said. "The spirit of curiosity and exploration is really at the heart of it. It's an exercise in thinking about things creatively."

Both credit the environment at the UA College of Medicine – Phoenix for reinforcing a spirit of collaboration and discovery.

"It was a place I would have chosen even if it wasn't in my own backyard," Tully said. "There is a great support structure, and the training is world-class. As part of one of the first classes to graduate, we were able to participate in building traditions."

Dameff said he instantly had a sense of family when he met his medical school classmates.

"I never had a feeling of competition. We helped each other and were excited in each other's successes," he said. "We didn’t have to jump through hoops. We were encouraged to do something new. It's because of that environment that Jeff and I were able to do the things like apply for (and receive) a Google Glass grant and have research published on 911 emergency systems."

While it might seem odd for physicians to have an interest in hacking, Dameff said the connection is natural for him.

"Doctors are hackers, they just don't know it," he said. "They think through the pathology of a disease. They look for weaknesses of the disease, of the system, just like hackers."

Technology That Demands Security

As an ER resident, he said, he doesn't want a patient to worry about being harmed by a medical device, such as a CT scan machine or a medication pump that's connected to the internet.

"In hospitals, we keep plugging everything to the internet," Dameff said. "Devices are becoming more sophisticated and connected wirelessly. At my core, I believe that we are doing something dangerous. We want to fix everything with technology. But we can't secure it. I'm fearful that patients are going to suffer."

That fear was behind the creation of the CyberMed Summit. Dameff and Tully teamed up with Josh Corman and Beau Woods, directors of the Cyber Statecraft Initiative at the Atlantic Council.

Tully said they saw the conference as a way to gather clinicians, regulators, policy makers, medical device makers and hospital IT directors to begin improving security. Through the simulation exercises, they wanted to show how a rare medical situation could be handled in a controlled environment.

Dameff and Tully said they hope to become cybersecurity experts.

"We want to become the real voice of patients in trying to fix these issues," Dameff said. "It's an opportunity, but it's also a responsibility. When you see the waterfall coming and you're on the raft, it's your job to warn everyone to get to the side."