How artificial intelligence, machine learning can lessen breach risks
Healthcare organizations are struggling to find ways to manage the risks of massive data breaches, which have proven hard to detect, often taking months to discover.
In 1996 the Health Insurance Portability and Accountability Act (HIPAA) was enacted. The Accountability portion of the law requires that healthcare providers protect the privacy of patient health information and includes security measures that must be followed. Provider success has been mixed and has recently come under intense scrutiny due to the number and size of reportable breaches of health information.
There are several major contributors to this increase. The first is the passage of the American Recovery and Reinvestment Act of 2009. The ARRA included the formation of the Health Information Technology for Economic and Clinical Health Act (HITECH). It also made permanent the Office of the National Coordinator for Healthcare Information Technology (ONC) to set policy and standards and establish procedures to guide and measure the success of the implementation of electronic health records.
Creating EHR systems requires storing a large amount of confidential patient information in multiple information systems and allowing thousands of users and other systems to access those databases.
Adding to the difficulty of securing this data is the increasing number of criminal attacks and HIPAA violations because of the rising value of health information. For many criminals, credit cards had been the target of choice. However, the value of a credit card is brief, as all transactions can be stopped immediately after the bank is aware of suspicious activity.
By contrast, a medical record can be worth 30 times the value of a credit card on the black market. The reason is that health records contain enough information to build a complete identity for the purpose of opening accounts, obtaining loans, creating passports and stealing healthcare services. The most valuable records are those of deceased patients, where identity theft may not be discovered for years.
In 2016, the Ponemon Institute reported that during the last two years, 89 percent of all hospitals reported to the Office of Civil Rights at least one data breach, and 79 percent reported two or more. Many in the industry believe that almost every hospital has experienced multiple breaches.
In the battle to protect health information, many providers are simply outmanned and outgunned by the sophistication and resources of hackers. Some healthcare organizations experience thousands of attacks daily, some of which are likely to succeed in penetrating the perimeter defenses. Once inside, hackers have increased opportunity to steal user credentials that will move them up the security ladder and into the data systems that contain the most valuable information.
After enough credentials are collected, it is simply a matter of slowly withdrawing information without triggering alerts. Ponemon reported in 2016 that it takes an average of 226 days to discover a breach and 69 more days to determine how it occurred and to stop the flow. It is safe to assume that after nearly ten months of access, there is little information left for the hacker to steal.
In addition to criminal hackers, hospitals must also contend with staff members using their credentials in an unauthorized manner. There are many reported instances of staff accessing records of co-workers, family or neighbors. The most publicized violations are stealing and selling celebrity health records to the media. When a staff member is offered thousands of dollars for a single record, they may believe it’s worth the risk of being caught.
There is also an ongoing problem of sharing credentials and leaving information systems open while unattended. Staff members keep unencrypted patient information on mobile devices, which can be stolen, thus creating even more problems.
Vendors are another cause of concern. Those that install and service hospital information systems have high security clearances necessary to maintain the systems. The threat from vendors is twofold. A vendor employee may go rogue and access confidential information out of curiosity or for financial gain. A second and more serious concern is the increase in vendors being hacked by criminals. Once inside the vendor network, the goal is to steal credentials used to access hospital systems. These credentials tend to be high risk to the hospital, as they allow access to large data sets such as EHR, billing, imaging and lab information systems. As more services are outsourced, vendor risks will become greater.
As difficult as the task of protecting this data has become, there is reason for optimism. The common tool in virtually all thefts and data violations is the use of a valid password and ID. Some significant advances have been made to ensure that the user of a credential is its actual owner. These include two-factor authentication, biometric log-ins using fingerprints or iris scans, and keystroke analysis that records patterns of typing behavior. Unfortunately, these can also be expensive and time consuming for the thousands of authorized users in most organizations.
Another promising way to validate credential ownership is analyzing user behavior and creating a digital fingerprint unique to each user. This includes a fingerprint for other systems pulling data for internal use or outsourced services. Monitoring user behavior requires continuous surveillance of every user on every system and the ability to alert or require additional authentication whenever the behavior deviates from expected.
The monitoring is not limited to search behavior. It also looks at factors such as IP address, log-in location, any known relationship between the user and the record being accessed (a shared surname, a co-worker, nearby street addresses) and any other information that is available. It is not likely that a user's behavior can be replicated by someone using a stolen credential. It also lets staff know that violations of hospital data policies will be detected even when authorized credentials are used. Once alerted, the system administrator has the ability to modify or deny access in real time until further investigation is completed.
Combining artificial intelligence with machine learning algorithms gives an organization the ability to create these fingerprints and monitor an unlimited number of users in a network environment without creating barriers to normal workflow patterns. Once the behavioral fingerprints are created, they are further refined each time a user logs in. These fingerprints not only identify deviations from expected behavior but also predict the user's threat level based on those deviations. They do this by assigning a value to each behavioral factor and arriving at a cumulative risk score. This type of analysis has been used by financial and government institutions for years to detect fraud.
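The behavioral fingerprint and cumulative risk score described in the three paragraphs above can be sketched in a few dozen lines. The following is an added example written for this page, not code from the article or from any vendor product it alludes to. Every log line, staff roster entry, factor weight and threshold is constructed for illustration; a real deployment would learn weights from labelled history and draw the relationship factors (co-worker, address proximity) from HR and registration systems. The example builds a per-user baseline (working hours, source subnets, departments, normal per-hour volume), scores each live access against it, refines the baseline when an access is judged normal, and shows how a stolen vendor credential crosses from "step-up authentication" to "deny" once the withdrawal rate exceeds the user's fingerprint.

```python
"""Behavioral fingerprint and cumulative risk score for EHR access events.

Added example, not code from the article. All events, the staff roster,
the factor weights and the thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed training events: (timestamp, user, source_ip, record_dept, patient_id)
BASELINE_EVENTS = [
    ("2016-03-01T08:05:00", "nurse_a", "10.20.1.15", "cardiology", "P1001"),
    ("2016-03-01T09:40:00", "nurse_a", "10.20.1.15", "cardiology", "P1002"),
    ("2016-03-02T10:15:00", "nurse_a", "10.20.1.22", "cardiology", "P1003"),
    ("2016-03-02T14:30:00", "nurse_a", "10.20.1.15", "cardiology", "P1004"),
    ("2016-03-01T08:30:00", "vendor_x", "203.0.113.7", "billing", "P2001"),
    ("2016-03-02T09:00:00", "vendor_x", "203.0.113.7", "billing", "P2002"),
]

# Constructed live stream: a normal nurse lookup, the same nurse opening a
# co-worker's chart, then a vendor credential used from a new network at 2 a.m.
LIVE_EVENTS = [
    ("2016-03-03T09:10:00", "nurse_a", "10.20.1.18", "cardiology", "P1005"),
    ("2016-03-03T09:12:00", "nurse_a", "10.20.1.18", "cardiology", "P9001"),
    ("2016-03-03T02:30:00", "vendor_x", "198.51.100.9", "billing", "P2003"),
    ("2016-03-03T02:31:00", "vendor_x", "198.51.100.9", "billing", "P2004"),
    ("2016-03-03T02:32:00", "vendor_x", "198.51.100.9", "billing", "P2005"),
    ("2016-03-03T02:33:00", "vendor_x", "198.51.100.9", "billing", "P2006"),
]

# Constructed roster: patient ids that belong to hospital employees (co-worker check).
STAFF_PATIENT_IDS = {"P9001"}

# Value assigned to each behavioral factor; the sum is the cumulative risk score.
WEIGHTS = {
    "new_subnet": 30,       # source network never seen for this user
    "off_hours": 20,        # hour of day never seen for this user
    "dept_mismatch": 25,    # record belongs to a department the user never touches
    "coworker_record": 50,  # record belongs to a fellow employee
    "volume_spike": 30,     # more than 3x the user's busiest observed hour
}
STEP_UP, DENY = 50, 80      # thresholds for the administrator's response


def subnet(ip: str) -> str:
    """Collapse an address to its /24 so a DHCP change on the ward does not alarm."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_fingerprints(events):
    """Learn each user's hours, subnets, departments and busiest hour from history."""
    fps = {}
    per_hour = defaultdict(int)  # (user, date, hour) -> number of record accesses
    for ts, user, ip, dept, _pid in events:
        t = datetime.fromisoformat(ts)
        f = fps.setdefault(user, {"hours": set(), "subnets": set(),
                                  "depts": set(), "max_per_hour": 0})
        f["hours"].add(t.hour)
        f["subnets"].add(subnet(ip))
        f["depts"].add(dept)
        per_hour[(user, t.date(), t.hour)] += 1
    for (user, _d, _h), n in per_hour.items():
        fps[user]["max_per_hour"] = max(fps[user]["max_per_hour"], n)
    return fps


def score_event(fps, event, events_this_hour):
    """Return (cumulative risk score, list of factors that fired) for one access."""
    ts, user, ip, dept, pid = event
    f = fps.get(user)
    if f is None:  # no fingerprint at all: treat as maximal deviation
        return 100, ["unknown_user"]
    t = datetime.fromisoformat(ts)
    hits = []
    if subnet(ip) not in f["subnets"]:
        hits.append("new_subnet")
    if t.hour not in f["hours"]:
        hits.append("off_hours")
    if dept not in f["depts"]:
        hits.append("dept_mismatch")
    if pid in STAFF_PATIENT_IDS:
        hits.append("coworker_record")
    if events_this_hour > 3 * max(f["max_per_hour"], 1):
        hits.append("volume_spike")
    return sum(WEIGHTS[h] for h in hits), hits


def decide(score: int) -> str:
    if score >= DENY:
        return "deny_pending_review"
    if score >= STEP_UP:
        return "require_step_up_auth"
    return "allow"


def refine(fps, event):
    """Fold an access judged normal back into the user's fingerprint."""
    ts, user, ip, dept, _pid = event
    t = datetime.fromisoformat(ts)
    fps[user]["hours"].add(t.hour)
    fps[user]["subnets"].add(subnet(ip))
    fps[user]["depts"].add(dept)


def evaluate(fps, live_events):
    """Score a stream in order; returns (user, score, decision, factors) per event."""
    per_hour = defaultdict(int)
    results = []
    for ev in live_events:
        t = datetime.fromisoformat(ev[0])
        per_hour[(ev[1], t.date(), t.hour)] += 1
        score, hits = score_event(fps, ev, per_hour[(ev[1], t.date(), t.hour)])
        decision = decide(score)
        if decision == "allow":
            refine(fps, ev)
        results.append((ev[1], score, decision, hits))
    return results


if __name__ == "__main__":
    for row in evaluate(build_fingerprints(BASELINE_EVENTS), LIVE_EVENTS):
        print(row)
```

Two points worth noticing when running it. The nurse's co-worker lookup is flagged by the relationship factor alone, even though the time, network and department are all normal, which is exactly the insider case the article describes. The vendor credential starts at a score of 50 (new network plus off-hours) and only tips into "deny" on the fourth access in the same hour, because the volume factor is measured against that user's own busiest hour, so a slow withdrawal that stays under the fingerprint's rate would keep scoring 50 and rely on the step-up authentication to stop it.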
There is no silver bullet that will stop all data breaches and HIPAA violations. It is, however, possible to create an organizational environment where the confidentiality of health information is respected and vigorously defended. A combination of education and employment of the latest cyber defense technology will help create the noise that tells us we are doing the right things.