The following is an edited transcript of an MDAdvantage podcast with Steve Adubato and Dr. Soumitra Bhuyan, Assistant Professor at Rutgers Edward J. Bloustein School of Planning and Public Policy. Dr. Bhuyan’s primary teaching and research interests include chronic disease management and health information systems, with an overarching emphasis on population health.
ADUBATO: Let’s talk about cyberattacks. Why are healthcare organizations prime targets for data breaches and cyberattacks?
BHUYAN: Cybersecurity issues in healthcare are linked to the larger set of cybersecurity issues in society as cyberattacks become a real threat in many aspects of our lives: the way we do our shopping online, how we vote, how we order food. In every aspect of our lives, we are concerned that something will happen to our information. And for good reason; it’s estimated that cybercrimes will cost about $10 trillion annually by 2025 and onward, so it is a significant concern, not only to individuals but also to policymakers.
Healthcare data, in particular, is very lucrative for cybercriminals. It is estimated that approximately 94 percent of healthcare organizations in the U.S. have experienced at least one type of cyberattack, and the number of these incidents is rising. For example, in 2019 the number of data breaches nearly tripled from 2018, which was about 30 million breaches.
Apart from the nature of the data, the time sensitivity of healthcare data makes it more vulnerable to attack. If you are a physician treating a patient in the ICU, and all of a sudden you find that you cannot access your electronic health record system, what are you going to do at that point? Cybercriminals take advantage of that vulnerability and the time-sensitive nature of that data. It’s a matter of life and death for patients.
ADUBATO: What types of data are most at risk?
BHUYAN: All kinds of patient records are at risk. An attacker with access to the medical record can hold the data for ransom, which is most common now. In addition, the types of cyberattacks are becoming more sophisticated. A particularly frightening breach was noted in a recent study from Israel, where it was revealed that an attacker could add or remove evidence of medical conditions, such as in medical scans. The attackers were able to introduce fake cancer nodes on patients’ CT scans, which were created through malware. A lot of money is at stake, and people are finding sophisticated ways to hack and then breach medical records.
Cyberattacks are also slowly moving from patient care to the research side of medical care. There was one very high-level case recently in California. The University of California San Francisco paid more than $1 million for the return of the researcher’s data. The attackers actually encrypted the data using malware.
ADUBATO: Does the COVID-19 pandemic make the problems and the issues associated with data breaches even greater?
BHUYAN: Yes. We are now living in a chaotic environment, and many cybercriminals are taking advantage of that. The number of cyberattacks has increased specifically to disrupt the healthcare organizations fighting the pandemic. One mistake by one actor can put the whole organization at risk. The Department of Homeland Security and the FBI have alerted us that there will be more cyberattacks in the future on U.S. healthcare, and not only on the hospital side. Cyberattackers are also targeting pharmaceutical companies, in the U.S. as well as Canada, France, India and South Korea. Additionally, post-COVID-19, telehealth is going to be a part of our mainstream healthcare delivery system, so cybersecurity will continue to be a challenge in the future.
ADUBATO: In what ways does the pandemic impact patient privacy concerns?
BHUYAN: Patient privacy is the cornerstone of clinical medicine. If we don’t promise confidentiality to our patients, they will not be willing to share their clinical history, or they will withhold information vital for their healthcare. They will also withhold information that is vital to stopping the spread of infections like COVID-19. Case investigation and contact tracing are the foundation of conquering the infection, but they have to be based on a promise of patient privacy and data security, or people will be reluctant to share information.
In Europe and North America, there are numerous calls to ensure that monitoring apps and contact tracing do not breach privacy laws. In India, the government mandated that every citizen download an app that tracks their location; of course, there is a lot of concern about the privacy and security of that app. Also in India, the government published the names and addresses of about 20,000 international visitors to keep track of their movements. In developing countries, the issue is very concerning. In Nigeria, for instance, the names of individuals with positive COVID-19 test results were publicly announced by the government. In one known incident, the patient learned on social media he was COVID-19 positive. A similar thing happened in Indonesia where 19 patients received the news that they were COVID-19 positive from media outlets.
ADUBATO: What best practices or preventive measures help minimize the risk of cyberattacks?
BHUYAN: No one can guarantee safety from a cyberattack, but we can try to minimize the risk. Cyber liability insurance or cybersecurity insurance helps healthcare organizations cover the cost of a data security breach for things like identifying protections, solutions, public relations, legal fees, etc. The cybersecurity insurance industry is still evolving, and there are a lot of gray areas, but it is a great way to protect against the financial hit of a cyberattack.
But healthcare organizations should not become complacent and assume that insurance is the only solution to cybersecurity issues. We need to move the healthcare system from being reactive to proactive when it comes to healthcare security. We need to have a shift in mindset. If you think that data security and privacy are solely technical issues, you don’t fully understand the problem. It’s not only a technical issue but also a huge behavioral issue.
A culture of responsibility for data security must be developed within the organization from top to bottom—not just among the people who are at the top or the clinicians who directly take care of patients, but also among the front and back office staff and among the environmental service people. These are the people who can implement multifactor authentication—a practice proven to be efficient in protecting patients’ security and privacy. Everyone in the organization is responsible for the physical security of the system. This message can be delivered through ongoing cybersecurity training and in an environment where people can openly discuss their mistakes and get an opportunity to rectify practices that weaken security.
Additionally, at the top level of an organization, cybersecurity has to be a part of the strategic planning and budgeting processes. It should not be an ad hoc approach that deals with security breaches on a case-by-case basis; this is not adequate to identify the threats and to address all the emergency security gaps. Cybersecurity needs to be established as part of an organization’s strategic planning and budgeting processes.
Despite these preventive efforts, data breaches will happen, and we need to prepare proactively for such events. For example, files must be backed up regularly for quick and easy data restoration if the system is breached and providers lose access to their system.