UC San Diego Health’s Tully Sees Upside in Monitoring the Industry’s Vital Signs

Health systems should treat technology failures as a public-health threat with direct and measurable effects on patient care. To prepare, organizations need real-time monitoring, specialty-specific playbooks, and incident structures that bring IT and clinical leaders together, according to Jeff Tully, MD, Co-Director of the Center for Healthcare Cybersecurity and Associate Clinical Professor of Anesthesiology at UC San Diego Health.

Drawing on recent studies of ransomware and a nationwide software outage, Tully argues that the industry now has enough evidence to move from anecdotes to action on resilience and clinical continuity.

The Center for Healthcare Cybersecurity frames cyber incidents and other digital failures as clinical safety events whose impacts ripple across a region, not just the affected hospital. In 2023, the group analyzed conditions in a market where one health system was hit by ransomware: emergency departments saw higher census, longer waits, more “left without being seen,” and a sharp rise in EMS diversion hours, peaking above pandemic levels. Those findings led the team to view cyberattacks like mass-casualty events, where the weakest link in a regional chain can strain neighbors that are not directly attacked.

The research also underscored a paradox: it is difficult to measure patient-safety outcomes during downtime because the tools used to track quality and operations may be offline. That reality pushed the team to pair clinical operations data with independent signals of digital disruption and to avoid “fear, uncertainty and doubt” in favor of empiricism. “We have data that is definitely correlative, not necessarily causative, but enough to get us to be able to ask questions,” Tully said, adding that the aim is to give stakeholders reliable signals to guide response.



Measuring the Impact: From Ransomware to a Software Bug

To move beyond case studies, the center—working under ARPA-H’s Healthcare Ransomware Resiliency and Response program—mapped hospital domains and public endpoints and now monitors availability across thousands of U.S. hospitals. When a faulty software update triggered a widespread outage on July 19, 2024, the platform captured a wave of hospital endpoint disruptions, giving the team a chance to observe a non-malicious technology failure at national scale.

The monitoring is not intended to tell an affected organization something it already knows; rather, it enables early situational awareness for regional and state stakeholders, neighboring health systems, and federal partners who may need to anticipate surges or resource constraints. As Tully noted, the goal is to track “digital vital signs” for critical health infrastructure to support early warnings and planning when disruptions are likely to affect patient-facing tools.

From Command to Care: Governance and Playbooks

Tully urges leaders to adapt traditional disaster frameworks to technology-driven downtime that can last days or weeks. A hospital incident command structure can be modified for prolonged outages, with clearly defined authority for an incident commander and a cyber-savvy clinical liaison who can translate system status into bedside impact. The center has even piloted a “ransomware resiliency specialist” role to sit alongside incident command and triage communication, workflow, and safety decisions in real time.

Preparation, he argues, must be clinical and highly specific. The team is producing downtime procedures tailored to specialties and subspecialties, recognizing that what a cardiologist needs during a multi-week outage differs from the needs of hematology-oncology, surgery, or anesthesiology. Those resources are slated to be released as open-source tools so hospitals can adapt them to local contexts.