In this eye-opening episode of EJB Talks, Stuart Shapiro welcomes Professor Soumitra Bhuyan to discuss his research on why hospitals are losing the cybersecurity battle. Dr. Bhuyan discusses how data security breaches often arise from physical causes, not just digital ones, and how human error and managerial misses are a root cause. They also discuss how current Bloustein students are being prepared to take on these challenges as they enter leadership positions in hospitals and healthcare systems.
Stuart Shapiro
Welcome to EJB Talks. I’m Stuart Shapiro, the Associate Dean of the Faculty at the Bloustein School. And the purpose of this podcast is to talk with my colleagues and our alumni about policy, planning, and health, the interaction between these issues, and how they affect people in New Jersey, the United States, and the world.
As you know, we’re talking to our new faculty to start our second season. Today I’m speaking with Professor Soumitra Bhuyan, who like last week’s guest, Susan Krum, teaches in our relatively new, but quickly growing, Health Administration program. Professor Bhuyan also now holds the distinction of being our first repeat guest. Professor Bhuyan. Welcome back.
Soumitra Bhuyan
Thank you, Stuart.
Stuart Shapiro
When we talked in the spring, we were talking mostly about the pandemic and the effect on hospitals. It was obviously a crazy time. Today, I want to focus a little more on your area of interest, your area that you research, and that’s cybersecurity in hospitals. How did you get interested in this?
Soumitra Bhuyan
So hi, again, Stuart, it is good to be with you again this morning. So one of my, as you said, main research areas actually is health information technology. So specifically to understand how different HIT applications are empowering our patients, and also our healthcare providers to meet the Triple Aim. That is mainly improving patient outcomes, reducing healthcare costs, and improving the health of the population.
So as you might know, we spend about 18% of our GDP on healthcare, and it’s continuously going up. At this rate, it is unsustainable. We need to find a way to better manage our health, to better manage our system to integrate different systems like, you know, the hospitals, nursing homes, and other healthcare providers. So, that’s basically the reason I was interested in how health information technology will impact and affect the U.S. hospital system.
Our healthcare system has always had some kind of computerized system to collect the patient data for billing purposes or for storing the data. But it was after 2009, actually, that hospitals started to share the patient data across different providers. And that did happen because in 2009, as a part of the American Recovery Act, the HITECH bill was passed. And hospitals got about, maybe around $30 billion to adopt and use certified Electronic Health Record systems so that they can meaningfully use those systems to improve patient outcomes. And the good thing is that an increasing number of hospitals after 2009 adopted and began using certified Electronic Health Record systems. But the data breaches, the number of data breaches and hacking incidents, went up significantly in the last 15 years or so.
So another problem with the healthcare sector is, if you really think about our financial institutions, they basically spend around 15% of their operating budget on IT, on health information technology. And, in health care, we spend around 5% of the operating budget on IT. So we spend a significantly smaller part of the operating budget resources on IT, and as a result of that, we make our systems vulnerable to outside attacks. And that has a lot of implications for patient safety and data privacy. And in the last year, after the COVID pandemic, there have been some opportunistic attacks; cyber-attacks increased, mainly attacking hospitals, research organizations, and health agencies. And the trend is increasing every year.
Stuart Shapiro
So if… let me sort of distill this a little bit. There are obviously tremendous advantages to increasing the information technology presence in our healthcare systems. There are cost savings, there’s efficiency, and hopefully, there’s better care. But that comes with a risk. Can you talk a little bit more about the risk and the kind of threats that exist as a result of this increased movement online?
Soumitra Bhuyan
So basically, you know, as you might have noticed, cybersecurity breaches are not only issues in healthcare, but overall in our lives, right? From how we vote in our elections, you know, to how we shop online. I think there are always concerns about these data breaches, cybersecurity issues. Actually, last year, there was a report from IBM Security and the Ponemon Institute; they found that there was about a 130% increase in the number of data breaches from 2006 to 2019. That’s all our sectors, not only healthcare. But the cost of every data breach in healthcare is significantly higher than in other industries, about 65% higher. For example, in 2006 a data breach cost about $3 million, you know, the cost of the compromised records. And in 2019, it actually went up to about $8 million, not per breach, but per incident of data breach. And if you really break it down by the sector, it is highest in healthcare. So we spend more than $400, $429 precisely, for each breached record in healthcare.
And the second is the financial institutions, about $200. And then the mean is around $150. So, it is also increasing in terms of how much we need to spend once the breach occurs. And, you know, after the SSN, the social security number information, the healthcare data is the second most valued in the black market when they go and sell this data. And also think about that. Healthcare is a very sensitive environment to work in, right? Think about it. There is a ransomware attack. If you are practicing in the ED, or emergency room, and all of a sudden you see that you cannot get access to the system if you don’t pay a certain amount of money to the hackers. So the question is what do you do, because there is a patient, you’re taking care of a patient, and they’re kind of demanding money so that you can get your data back. So a lot of the hackers take advantage of this sensitivity of this healthcare data. Actually, they exploit this vulnerability, and that is why there’s more interest in health care than other fields.
But there’s also… it’s not only about hacking this data. There was a study from Israel; they found that the attacker can use deep learning to add or remove evidence of medical conditions from medical scans. So they did this study. What they did is that they actually introduced fake cancer nodes in CT scans. And it was created by malware, and they tricked the radiologists into thinking that these patients had cancer, actually, when they did not have it. And think about the implications of this kind of incident, right? We are in a political… you know, the election is coming. So think about how this kind of information can actually affect someone’s political career, right? And again, it can also sabotage research we are conducting in universities. What if they kind of introduced a certain thing? And also it can lead to insurance fraud. Maybe it can also lead to murder. So it’s really kind of evolving. And healthcare is kind of the number one target for a lot of these hackers.
Stuart Shapiro
So this is all very terrifying. Some of the examples you’ve listed are definitely things to be scared of. How realistic is it? Can you give some examples, particularly from around here in New Jersey of hacking episodes in the healthcare sector?
Soumitra Bhuyan
So about 94% of the healthcare system has experienced, that’s what the data suggests, some sort of cyber attack. And between 2009 and 2014, about 150 million patient records were breached. That’s the number we have, and it is continuing to go up. For example, in 2019, the healthcare data breached was almost triple as compared to 2018. We don’t have the data yet from 2020, but I am expecting the number will go up again. So there were two incidents from New Jersey, I would say, in the last about 19 months. In December of 2019, Hackensack Meridian Health paid a ransom to the hackers to stop a hospital cyber attack. We don’t know much about the case. But the news was released that they paid that ransom to get the data back.
And recently, actually, this was in the news from last week, that University Hospital in Newark paid about $670,000 as ransom to get back their data. They actually prevented the hackers from publishing about 240 GB worth of data and about 48 thousand documents, including patient medical records. So, you know, the New Jersey hospitals are facing this problem, but I think this is a problem across the country. Very recently, the University of California-San Francisco paid about $1.4 million to decrypt the files that the school determined were important for some academic research work they were doing. Their system was not infected, the patient care side of it, but the academic side of it, where they conduct this research, that was impacted. So they paid that $1.4 million there to get the system back. So this is kind of a growing problem across [the U.S.].
Stuart Shapiro
So now that you’ve scared us, it’s time to give us a little hope here. What can hospitals do about these threats that you’ve outlined?
Soumitra Bhuyan
So before I go into that, I just want to talk a little bit about what kinds of threats exist, right? That’s important for us to understand before we go on in terms of what the hospitals can actually do to mitigate some of these. So the cyber threats come in different flavors. We largely focus on, we think about, somebody sitting in a remote part of the world having access to our database remotely, and kind of attacking it. But sometimes we really overlook the physical security of our system, which is the foundation. So it is interesting.
Actually, I do have a guest speaker in my… I taught the health IT class. I had a speaker; he is a security analyst, hired by hospitals to do their risk assessment. Once, a hospital actually hired him to do their risk assessment. He looked into Facebook and found that the CEO attended a football game, and he was actually wearing his badge. And he got the information from that badge, and he basically copied it and got access to their system. So basically, I think that’s one very important thing: sometimes we really overlook the physical security of our healthcare system.
Stuart Shapiro
The weakest link in a cyber system is often a person.
Soumitra Bhuyan
Right. It’s a behavioral issue, not a technical issue. I think it’s more of a behavioral issue. And you are as strong as your weakest link.
Stuart Shapiro
Right.
Soumitra Bhuyan
So once your weakest link is exposed, you are vulnerable. So basically… think about that. You know, think about what the cyber attacker can really do; they can actually copy these ID cards. And healthcare is a very stressful environment. You go to a hospital and you pretend to be a part of the IT team, and somebody needs to solve a problem. You know, very likely they’ll let you enter if they see that you fit the culture, the environment. And that’s not my assumption, that’s the reality. And once you get onto a floor or into a department, you can have access to so much data. And think about it. I think we all understand, right? Think about how many usernames and passwords you have, we have, in our lives, right? It’s very difficult. And more likely than not those healthcare providers are going to write down those passwords and usernames; you’ll find them somewhere around their system. Either they’re using a sticky note, or they’ll put it on the computer monitor, or you’ll find it below the keyboard. So it’s very easy for them to have access. And once they get access to that, they are in the system. So that’s one physical security aspect.
Another one is basically the fear of somebody sitting somewhere else and introducing some kind of virus to our system. So one of the reasons why the country moved towards electronic health record systems, one of the strong proponents, was the providers. Because providers thought that they could have access to the patient’s record at any time, and they could actually see it from their home, from their workplace, anywhere they sit. So what happened as a result of that, there is a growing culture called “bring your own device.” So you have your device, and you have access to the patient information on your iPhone. So that also adds a layer of complexity, because you go home, for example, your child wants to play with your phone, and accidentally your child downloads certain software to your phone. And that software can have access to that patient record system. So that’s how the hackers can get access to the actual network.
So that’s another issue, but… if you really think about what we need to do as a system, as a healthcare system, we need to actually work on the culture. How we can actually prevent the cyber attacks, because the culture of security is not there, as you say. People really think this is a technical problem, but it’s not a purely technical problem. Somebody said that if you think that technology can solve your security problems, then you don’t understand the problems, and you don’t understand the technology. So I think, you know, having a culture of security is very important. We actually live in a punitive world. So, the people who might accidentally make some mistake may not come out and say why they made this mistake, and try to cover it up, and that leads to more severe breaches.
Stuart Shapiro
So, the solutions, then, are in our management systems and in our cultural creation within hospitals?
Soumitra Bhuyan
Yes, that is, I think, one aspect of it. And there are a lot of others, like training, and then coming up with comprehensive policies. For example, what are you going to do if your system gets breached, right? If you cannot access the patient medical record, what is your backup plan? I think those also need to be developed. But I think one very important part of it, and again, I think we need to reevaluate it because telemedicine is becoming a central mode of healthcare delivery in this country during COVID and going forward. I think that telemedicine will gain more traction. So we really need to understand and create a sense of culture about security. I think that’s really important.
But there are some other steps the healthcare system must take to ensure the security of their system. As I said, the physical security: think about the frontline staff. For the frontline staff, the incentive is not there for them, and they are not a part of the overall security assessment. It’s mostly the providers, you know, and the non-clinicians, like nurses… sorry, providers, including physicians and nurses, but I think we need to develop a plan that cuts across the organization, not just the clinicians, not just the providers.
Stuart Shapiro
Right. And hopefully, I can assume this is the kind of stuff you’re teaching our students in the Health Administration program?
Soumitra Bhuyan
So yes, we do, basically. I’m not teaching the health IT class, but when we teach the strategy part we talk about health IT. It’s not a separate issue; it should be a part of your overall organizational strategy. You know, it should be reflected in your strategic plan, in your budget, and you need to allocate resources to make sure that the system is in place. To make sure that if something happens, you can actually react. And also, you can make sure that everybody on your team is competent to deal with that.
And actually, we published one paper recently… the title was “How We Can Move The Healthcare System To Be More Proactive, Rather Than Reactive To The Cyber Breaches.” So far, the health systems are reactive; it’s “we’ll see what happens if we get breached.” Right? That’s the culture right now. So I think we need to change the mindset from “let’s see what will happen if we get breached” to being more proactive about what we can do to make sure that our system doesn’t get breached. But having said that, you know, it can get breached at any time. So there is always that fear.
Stuart Shapiro
I don’t think that reactive/proactive distinction is unique to healthcare by any means. Professor Bhuyan thank you very much for coming on. It’s been a very instructive session. I know I learned a lot.
Soumitra Bhuyan
Absolutely. Thank you so much, Stuart.
Stuart Shapiro
Also, a big thank you to our production team, Amy Cobb and Karyn Olsen. We’ll be back next week with another talk from another expert at the Bloustein School. Until then, stay safe.