Aside from saving lives, one of the most important priorities of the healthcare industry is safeguarding patients’ most confidential information about their medical conditions. Without the right cybersecurity measures in place, their records will always be at risk from cyberattacks. Board-certified psychiatrist Muhamad Aly Rifai is here to discuss how hospitals and clinics should navigate cybersecurity to keep their electronic record systems safe from data breaches and leaks. He also discusses how scammers and cyber terrorists trick people into doing things they do not want to do by exploiting their personality types and using AI tools in the most cunning ways possible.
Navigating Cybersecurity In Healthcare With Muhamad Aly Rifai
Welcome to the show, where we explore the challenges faced by executives as they grapple with new cybersecurity mandates. We have an amazing guest who will do a 50-mile bike ride as long as it’s on an electric bike. He’s a doctor of psychiatry and has his own podcast, The Virtual Psychiatrist. Introducing our special guest, Dr. Muhamad Aly Rifai.
Thank you very much for having me. I appreciate being on your show.
Differences Between Cybersecurity And Cyber Risk
There’s a reason you’re on mine and I’m not on yours at this time. We’ll see about that one. We’re going to jump right in here. How would you explain the difference between cybersecurity and cyber risk?
From my perspective, cybersecurity is something that I live with every day. I’m a practicing physician. I’m in the field of psychiatry, and cyber risk is something that I deal with every day. If I’m dealing with patients who are worried about their identity being stolen, if I’m dealing with insurance and conveying information to the insurance, if I’m dealing with billing and conveying the billing information to the billing systems. We know we had the largest cyber attack ever recorded in history, with the records of 191 million Americans being gone through Change Healthcare.
They were my biller. They had my information. They had my personal information. It’s all gone with the wind out there in the dark web. Cybersecurity and cyber risk are merging and they’re becoming synonymous, but we can talk about differences and how I, as a psychiatrist studying the field of human behavior and psychology, can be helpful in some of these instances.

That’s what I’m looking forward to. Did you suffer any consequences from your information being out there?
For myself, I don’t know yet. We were doing credit monitoring from Change Healthcare, but professionally, yes. Our business was not able to receive any insurance payments for about 3 or 4 months. We had zero revenue. We have zero money coming through the door for about 3 or 4 months from Change Healthcare until we were able to get a new clearing house for our billing with Change Healthcare, and that issue. We still don’t know. The information about our patients is out there somewhere. It’s quite an unfortunate situation.
I was traveling in the Philippines, and I got a notice that my information had been stolen from a bank. Not too long after that, I started getting credit notifications that people were applying for credit cards and everything else in my name. A lot of them were being denied. It was one of those things that I had to experience. I locked down all of my credit and everything, but you don’t realize that until you’ve been duplicated.
I’ve been on the receiving end both personally and professionally. I talk to my patients who are on the receiving end. People think it’s funny, but it’s very sad because what happened with that cyber attack is that the hackers started fighting. There was infighting among each other. The company paid one group of hackers. Apparently, there was another group of hackers that were not getting paid or didn’t get paid by the first group of hackers. They started infighting, and they still released information, regardless of the fact that they were paid a ransom.
I should learn more about this. It’s a business. The person who requests the ransom is not necessarily the person who does the hacking. In this particular case, what happened is that the person who did the hack didn’t get paid by the person who was on the business side of it, who got the original ransom. Since they did the hack, they wanted their money, but they took the money and ran. It’s worth enough that they didn’t want to share it with the person and do the things that they were supposed to do in the hack. As a business, these are untrustworthy people.
The ethics of hackers.
Most Significant Cyber Security Threats Today
We might have a different podcast between the two of us on that one. Except we got no more hackers. With that being the case, what would you say is the most significant cybersecurity threat facing companies today, or maybe individuals? In your case, you’re dealing more with individuals.
Yeah, absolutely.
What is the psychology behind those individuals? Is it causing more problems with people?
What’s happening now is that we truly think that probably the credit information or some detailed information is out there about almost every American that lives in this country, and probably about everybody who is in the world unless they are disconnected from the internet and live under a tree somewhere. Even then, there’s still some information about them.
The ability to connect with that person and gain an understanding of that person, and this is specifically if there’s a malicious attempt to extract information or understand what that person’s preferences are with credit hacks. It is very easy. We humans are simple organisms. Even though people tell you that we were complex, we’re very simple. There’s a set of human characteristics that’s not infinite.
That is studied, and hackers who are expert psychologists are able to understand. Who are they hacking? Who are they looking at? Who are they targeting? It’s because the personality types are there. There are multiple tests for personalities, but we know. It’s a very limited number of personality types, and they’re able to tell within a few minutes of understanding a person where they’re going to live in terms of the personality profile.
I don’t know if you’ve heard of the Myers-Briggs personality testing. It’s just an example. There are multiple of those also, but it divides the humans into different groups, sixteen patterns, numbers, and letters. They all think alike. They’re all the same. The ability to tell which group the person belongs to is pretty reliable. It’s 80% to 90%, but they’re able to tell who you are, what you prefer, and what you think about. The ability to bring in intrusion information is very easy once they know the information about you. For me, as a psychiatrist, it’s very easy to deceive people and convince them to do something that they normally would feel uncomfortable doing.
Are there any of those sixteen categories that make it more difficult for somebody, or is it once you know which category they fit into, you can push the right buttons?
You can push the right buttons. People talk about a live, large-scale example. For example, with an election, being able to identify through analysis, maybe on social media, who this person is likely to vote for based on their Myers-Briggs. It’s good. If you get it at 80% to 85%, that’s pretty good, just with their Myers-Briggs. The likelihood of who they are going to vote for. Are they going to vote this side, or maybe they’re in the middle? You’re able to target advertising. You’re able to target malicious software and intrusions. You’re able to do any of those things.
Muhamad, I just got back from Vegas. I would definitely take 85% odds.
There you go. People misunderstand that. There’s a lot of psychological testing and studies. I’ll give you an example because a lot of my patients ask about that. They would be talking about a topic with family or friends, and then a couple of hours later, they look at their phone and they see similar topics being offered in a variety of things, email, things to buy, or something like that.
They say, “The phone was listening.” In reality, that is not true because the software is not that specific. What happens is that because we’re organisms, because we’re humans, the group of humans who have the same characteristics are going to be thinking about the same thing at the same time. No matter what, whether they’re in the United States, in China, or Russia, the people with the same characteristics are going to have the same things that they’re thinking about. They’re in the same stage of life.
They’re able to identify that, “This person is from this group. They’re probably in this scenario or this group. Let’s offer them this.” As you said, 85% is good enough. If they get 85% of what they’re presenting to them, because it’s not always that you think about something, and you see it on your phone. Most of the time, that doesn’t work. If you get even 50%, people are going to start thinking, “My phone is listening to me,” but it’s only probability statistics that they’re doing.
One of the things that I saw was some of the statistics when it came to dating, like the dating apps. I think it was Match.com, Tinder, or something, where a young lady requested her data to be sent to her, first of all, then to delete it. What she received was this manual. It was this gigantic thing, and they had it down to like when she felt lonely, and they knew when she was opening the app, and what she was looking for at the time, and everything else. Utilizing that and having that much information is quite interesting to understand the psychology behind it.
There’s able to be predictive analysis in terms of psychology. For example, I tell you as a psychiatrist, a psychologist, or somebody who’s in this field, we have personality testing. Some of that Myers-Briggs also deviates into personality testing. One of the famous personality tests is the Minnesota Multiphasic Personality Inventory. We’re truly able to tell the person.
There are patterns similar to the Myers-Briggs, and you can design questionnaires that are on the web that will tell you to the minute detail of where the person fits in their personality inventory without even talking to them, just with doing analysis of their life story, life circumstances, surfing habits, where they are on the internet, where do they go, what do they do, what work they do, who their friends are. You have a very good probability of being able to tell who that person is, and what is the best way to get in.
I think I’m pretty good at this stuff, but I don’t take it to that level.
This is the cyber risk that’s out there. If they decide to target a certain place or a certain group, for example, a practice or a hospital, they target the person. They’re able to present them with something that they’re going to feel comfortable with. They’re going to lower their guards, and they’re going to be able to cause an intrusion, or the person would agree to do something that they don’t usually do.
Importance Of Prioritizing Cyber Risk
What I see is that it happens a lot of times when somebody is distracted. If they’ve had a loss in the family, they lost a loved one or something, and they’re still showing up to work, but they’re not really there. That’s also a prime time for those types of attacks. You’re running your own companies. How do you prioritize your cyber risk as a company?

I run a psychiatric group. We have even a heightened level of care for privacy because under the Health Information Portability and Accountability Act of 1996, we are at a heightened level, like a level two, with psychiatric and psychological information. Even if we are part of a large health network, there is a barrier. There is a lock on the psychiatric information. We are very sensitive to that information.
For example, I have my own electronic medical record system. We don’t mingle with the big hospitals, the Epics of the world, the large health systems. Part of that is that’s how people come and see me because they value the fact that my electronic medical records are segregated. They’re not part of a big health system where there’s a possibility of a cyber attack, or there’s a possibility of somebody coming in and breaking glass. When they enter into a psychiatric record of somebody, they have to push an affirmative, “Yes, I understand that I am doing this affirmatively.”

If there’s any issue in the future, they understand that they are affirmatively coming into this electronic medical record. To be honest with you, I have thought several times over the last two years whether I truly should return to paper and pencil medical records, and abandon electronic medical records. Unfortunately, what happens is that we are stuck with electronic prescribing. We have to do electronic prescribing in terms of our patients, but I think about whether my patients’ data and their medical records would be safer if they were just paper and pencil.
Coming from the world that I come from, I would say no, because that can be as easily stolen off somebody’s desk or from a file cabinet or anything else. At least if I steal the file cabinet, and if it’s electronic, it’s encrypted. I would still prefer that.
To steal physical data, there has to be a physical action. There’s going to be a break-in somewhere. Somebody is going to see it. There’s going to be cameras somewhere. There are more breadcrumbs to go after versus the electronic breadcrumbs, where that trail may go dry very quickly.
Quite possibly. I’ll check back with you in two years and see what you did with that one.
It’s reality. I do know several psychiatrists who are still paper and pencil. Their patients value that because they know that their records are not going to be stolen. They’re not going to be with a hacker in Estonia, getting all their psychiatric history and all their life story, and using that to open a credit card in their name, understand their life, and be able to steal their identity.

Agreed. Do you have a CFO at your organization, or are you the CFO?
I’m a small organization, so I am it. I do have a contractor who manages my electronic medical records. The staff is robustly trained on responding to inquiries and emails. We’re very sensitive about who we email and who we receive emails from. Sometimes, even legitimate things that we distrust, we delete. We don’t even answer. We don’t even open. If there are any links, we just delete them. If somebody needs to get hold of us, do the good old telephone. Get hold of us and there’s no electronic. Even with the good old telephone now. I don’t know if you heard about somebody who took the identity of the White House Chief of Staff, and an AI called other legislators in her capacity. Even the telephone, people are becoming distressed by it.
Emerging Trends In Cybersecurity
I had a friend who’s a plastic surgeon, and he ended up losing data while losing a couple of hundred thousand dollars because of a call that was made to the bank with his voice and everything else to verify. It was an AI version of his voice that approved it. How’s that? It’s getting interesting from that perspective. Let’s move on to the next question that I’ve got. What emerging trends do you believe will have a profound impact on cybersecurity in the near future? AI is one of those things. The video and the audio are ways of taking over somebody. If you’re doing a Zoom meeting with somebody as their psychiatrist, do you know you’re talking to somebody, or are they putting on an AI show?
That’s always a possibility. I can tell you, I’ve been deceived before with legitimate information. I’ve been deceived by somebody before, and they were trying to deceive me, and they used legitimate information, and still were able to deceive me. I was able to make things later on and understand that that was deception.
It’s very easy to deceive somebody these days. Authentication and taking your time to make decisions. There’s no rush. I have had a few patients who are like, “They called me. They said they’re from the FBI. They’re going to come and arrest me.” “Let them come and arrest you. If the FBI wants to come and find you, they’re going to find you. There’s no reason for somebody to call you. If they want you, they’re there. Don’t think that there’s going to be somebody on the other side of the phone, that there’s any urgency for anything.”
Unfortunately, we’re humans, and we’re very easy to play on. We talked about the Myers-Briggs. Whether somebody is an introvert or an extrovert, it’s very easy to understand and play on that psychological factor. That would be a point of intrusion to be able to deceive that person into doing something that they don’t want to do.
Preparing Different Plans In Case Of Data Loss
Very much so. You’ve got your data, and you’ve got all your records. What do you think it would look like if you had a cyber disaster and lost all of your records? What would that do for you? What postmortem would you have to do on your end?
Since last year, I’ve been preparing and trying to make sure that if we lose all of our data we have, we have a plan B, C, and D. We’ve developed a system where we do an off-site storage of all of our electronic medical records. We try to back it up once a week. It’s off-site on a physical drive and in multiple locations.
It’s a paper record equivalent of all the records that we have. Maybe just one week late in terms of how often it gets updated. We have backup. We want to be ready that if somebody steals your electronic medical record that’s in the cloud, what are you going to do? We’re going to continue. We access it, and it’s on paper. We’re able to service the patient. We’re able to continue to be of help to our patients.
Continuing vigilance with my staff. It’s very difficult. You have staff who may be distracted. They go through their own issues. For example, with the Change Healthcare. They had a very robust system. What happened is that there was a period where they were transitioning from the Change Healthcare system to the United Healthcare System.
During that transition, there was some turning off of some of the security measures that they had. That was the opportunity for the hackers to get in. A period of transition that nobody paid attention to. That was the opportunity for the hackers to get in. Being able to do that and have my staff have an understanding of what’s going on and the risks that we face is very important.
I think that the risk is always the case. When a transition like that is happening, people are willing to take more risks, but then that comes to bite them. They’re trying to be more open with another company, or they’re trying to transfer the records. They’re scaling back, but it does increase the risk. In that case, it bit them.
The consequences could be very catastrophic. An example is a local hospital in my area. They were taking over an oncology practice that treats cancer. This practice had a database of pictures of patients for different body parts that are affected by cancer. They had a database, but some of it was unclothed pictures. During the transition from that health system taking over this oncology practice, there was a period of lapse in robust security measures, and then hackers got in. They got that picture database, and they threatened to release it.
The hospital stood on its grounds and said they were not going to pay a ransomware. The hackers ended up releasing the pictures on the web. It’s quite unfortunate that unclothed pictures of cancer patients are out there on the web. The patients sued the hospital, and the hospital had to settle for a significant amount of money, more than the ransomware that was being demanded from them. The consequences are significant most of the time.
There’s a show on Apple TV that talks about software companies. They say, “We got hacked.” One of the episodes was, “We got hacked.” The guy goes, “Yeah, but so this company, and this company,” and he lists off all these companies. He’s like, “It’s no big deal.” Ultimately, that’s where a lot of people live these days. Their information has been passed by so many times. That’s generally not nude body pictures and that type of thing. That’s pretty extreme. I can understand where some people are coming from. If my Social Security number is there and people have had it, you do what you can to protect yourself from those items.
There’s still room for vigilance. It’s a question of when I’m going to be hacked versus if I’m going to be hacked. That doesn’t help because then it lulls the person into a false sense of like, “I’m going to be hacked. That’s it. Let me try my best. It doesn’t matter,” which is quite unfortunate.
At some point, your data is going to be gone, depending on what data it is. That’s where we have some struggles. As I said, my Social Security number, I know mine is there, and my home address. All that information was leaked, but I’ve got ways of protecting that. If I were a cancer survivor and I had pictures out there, that might be a different situation. That would be unfortunate. I feel for the people who had that.
The consequences are not just, “My Social Security got lost.” It’s private pictures, private memories, private information that you don’t want out there that bad actors may use to pressure you. Before we started the episode, we were talking about Amazon. We bought the microphones from Amazon. I pointed to an intrusion on the head of Amazon, Jeff Bezos, and how he was duped by an international player who is the head of a foreign country he was communicating on WhatsApp. He sent him a link that took over his phone. It took a long time for him to understand that this was what happened. He extracted all pictures because he found out all of a sudden that his wife had a picture of him with his mistress. How did she get that? It was the foreign leader who leaked that information to the wife, and they ended up divorcing.
One of the most expensive divorces in history.
Yes. Absolutely.
Providing Telehealth During Pandemic
Muhamad, how did you get to be where you’re at? You’re a doctor of psychiatry, and everything else, you have a podcast. How did you get here?
It’s a long journey with a lot of adversities and a lot of successes. I’m a first-generation. My family is originally from the Middle East, from Syria. I did my training in internal medicine and psychiatry at the University of Virginia. I focused on the field of psychiatry and medicine. I was an early adopter of telehealth.
Now we were meeting on Zoom, but I saw patients through telehealth in 2006 when it wasn’t popular. It wasn’t sexy. During the COVID pandemic, telehealth exploded, and Zoom exploded. Zoom was an insignificant company before COVID. It was a small company that was trying to grow, but now look at it in terms of the business that it does. Prior to that, we did telehealth from 2006 to 2020. I was the go-to person when COVID hit because of my expertise in telehealth.
I saw patients in rural areas. I saw patients in emergency rooms. I saw patients at home, and I was able to develop great expertise in the field of telehealth and was the go-to person during the pandemic. I was successful because the pandemic came and excelled my career, being able to provide that information to other physicians, other health systems, and business took off since then.
Developing A Program To Save Lives
You had increased your marketability. You were able to work anywhere in the country. That’s one of the cool advantages of the technology, being able to bring us closer together, depending on where you’re at. You’re up there in Pennsylvania, and I’m here in Tampa, Florida. We’re able to bring this technology together to do this. You were able to do it by bringing healthcare to the people who needed it, and your expertise. That is amazing. What’s the current thing that you’re working on that you’re most excited about?
For a little bit, I had a very interesting contract with a couple of social media platforms, and I helped them design a program. There was a wave about a couple of years ago of adolescents, underage individuals, or even adults who would experience psychiatric distress, live on social media. They would call for help, or they would make threats. Some of these social media platforms were sued. They came seeking help to be able to develop teams that would be able to hone in on those psychiatric emergencies and develop buzzwords for individuals who are facing distress, whether they’re on social media or online, and you would be able to act on that perceived distress.
That, and with the establishment of the government’s 988 hotline, which is now available on all social media, you’re able to tag 988, and that would bring it to the attention of a social worker or a counselor who would tend to the situation. If there’s a threat of violence or a threat of self-harm, the person would come to clinical attention very quickly if somebody alerted the 988 system. For a while there, I helped them develop that, developed keywords that you would look at, and developed what they would look at. That was very interesting and very rewarding.
Get In Touch With Muhamad
Anything that helps people, I appreciate that because here I sit in cybersecurity, and we talk about data, but that’s not necessarily having people on the line. Having people on the line, I can appreciate that and appreciate what you’re doing with that. That’s pretty amazing. I like that. Why don’t you tell me a little bit more about your business? How can people reach you? What does it look like?
I have a couple of businesses. I have a brick-and-mortar private psychiatry practice. We are in Pennsylvania in the Greater Lehigh Valley area. BluePsychiatry.org is our practice. We’re very easy to reach. People can get us by phone or online. I’m available on LinkedIn. I also have a podcast, The Virtual Psychiatrist, and I talk about a variety of psychiatric issues. I also talk about AI, Artificial Intelligence.
I’ve been very active in the AI field for a while, partially because of my involvement with telehealth early on. AI came onto the scene also, and I’ve been involved with that, and I’ve written lots of articles about that. I also have a legal practice, and it’s called SHIELD, Support and Help in Ethical Legal Defense. I provide consultations to attorneys in relation to the psychiatric aspects of crime, the psychiatric assessment of defendants, and assist lawyers in how to help their defendants.
For example, if they’re to go to trial, going to a plea, they have any issues related to their capacity for what happened when the crime was allegedly committed, and/or assist judges if they’re going to go through sentencing. The practice is called SHIELD, Support and Help in Ethical Legal Defense. We’re online at www.Shield.expert.
Take Time To Verify Information
I appreciate that. We like to end the show with this. What piece of advice would you give to our readers? What actionable thing can they do, either from a psychological standpoint, dealing with cyber risk, or just in general? What advice would you give to somebody?
It’s hard. People don’t trust anything these days. Trust, but verify. Verification is very important. Trusting things is very difficult these days because even if you trust something, you could get an illusion that it’s something similar. Take your time. There is no need to rush. Unless you’re in the hospital and you’re facing a medical emergency, and you have to act immediately, there’s no reason to act immediately on anything.
There’s no reason to be told to do something, get in your car, and go grab money for somebody, and do something. There’s no reason to be doing that at all. Zero. Take your time, cool down, verify, and ask other people because that usually thwarts 99.99% of attacks of that nature, if somebody takes their time, verifies things. I tell people to take their time and verify things. If it’s not an emergency, take your time.
Muhamad Aly, first of all, I love the name. Muhamad Aly Rifai. I appreciate it. It’s been a wonderful chat. It’s always good to get somebody from a different profession, especially from the psychiatric field. That’s not one that I’ve done before. I’ve got a close friend who’s a psychologist, and so I appreciate that.
My pleasure.
To our audience, thank you for tuning in. If you’ve learned something, laughed, or anything else, tell somebody about the episode and get us out there. This has been another great episode of the show with your hosts, John and Muhamad. See you next time. Thanks, everybody.
Important Links
- Dr. Muhamad Aly Rifai on LinkedIn
- The Virtual Psychiatrist
- Blue Mountain Psychiatry
- Blue Mountain Psychiatry on LinkedIn
- SHIELD
About Muhamad Aly Rifai
Muhamad Aly Rifai is a board-certified psychiatrist, internist, and addiction specialist committed to healing where others hesitate and innovating where systems fail.
Born in war-torn Aleppo, Syria, his early experiences with trauma and resilience shaped a lifelong dedication to medicine as a calling. He currently serves as CEO and Chief Psychiatrist at Blue Mountain Psychiatry, leading advances in mental health, internal medicine, and addiction care. He holds the Lehigh Valley Endowed Chair of Addiction Medicine and is nationally recognized for pioneering work in telepsychiatry, ketamine therapy, brain stimulation, and psychiatric treatment of Hepatitis C.
With over 20 years of experience in research and clinical leadership, Rifai has defended patient care and telehealth, including a 2024 federal acquittal that affirmed his commitment to truth and the sanctity of the doctor-patient relationship.
He is a leading voice in digital psychiatry, blending science and spirituality, and advocating for second chances for both patients and physicians.





