January 15, 2021
Healthcare Data Privacy: We Have Met the Enemy and They Are Us.
I wasn’t really involved when the original CloudWave team built the OpSus Cloud; I was…well, I was probably studying for finals or meeting up with friends off campus. Cloud services for healthcare weren’t exactly new in 2011, but they certainly didn’t enjoy the ubiquity they do today. We knew, and history bore us out, hospitals’ first, second, and third concern with going to the cloud was going to be security.
So, we invested. We bought next generation firewalls. We built a security team of genuine breadth and depth. We virtualized our network. We knew it needed to be more than “as good as you had” – it had to be better.
We weren’t unique in this; as a whole, IT services for healthcare rose slowly but effectively to the challenge of protecting your data against a threat landscape full of dynamic malice. But there is one lingering deceptive risk in the strategy we took to safeguard ePHI. All our efforts have been directed outward, erecting concentric curtain walls against the tools of the marauding hordes from torches to siege towers to trebuchets – the original defense in depth. We forgot the lesson Edward I taught us about sieges; the disease was already inside.
In the last year, the number of breaches due to inside actors rose from 20% to 25%; these were hospital employees. These breaches ranged from simple accidental workflows exposing PHI through negligent credential sharing to the truly malicious acts like identify theft. We’ve spent so much time investigating IP addresses from the Ukraine, we’ve missed the double print on the patient record and the unlocked computer in admissions. The problem is – the fines don’t care.
I’m one of the very few CloudWave employees who has never worked at a hospital, but I’m reminded of a story our CTO told of his time in IT as a hospital in Massachusetts. It was his job to print out access logs once a month and read through them and highlight accesses that were suspicious and worthy of investigation. Did you know dictionaries have proofreaders? I think I’d rather the latter.
The historical tools for monitoring user behavior for privacy have been as obtuse and difficult as they have been ultimately ineffective. Good tools for monitoring user behavior will take a multi-layered, but easy to consume approach:
- Rules Based Detection
- Stop known bad behaviors
- Flag suspicious activity for further investigation
- Behavioral Profiling
- Understand normal behavior patterns
- Identify when user activity differs from the established norm for that user group.
- Machine Learning
- Discover previously unknown anomalies
- Enhance rules engines to reduce false positives
- Learn and continuously update via algorithm training
I listed these layers here in a reasonable ordering of importance; few enough tools employ a machine learning algorithm. At the end of the day, while CloudWave has some pretty great tools to help hospitals of any size with data privacy, if you got nothing else from this but a mild unease with your current tools and processes, then it was worth my time.
Take a brief break from scanning the horizon of external security threats and gaze inward. I tried to have a little fun here, but drop me a note if you’re interested in some more detail or just want to offer some of your experience combatting internal privacy risks. I never tire of learning from the people in the trenches.
Jacob Wheeler, Cloud Product Manager