Security Experts:

The Intersection of Health Care Intelligence and Security Intelligence - Part 2

Part Two In A Series, Please See Part One - Big Data, Little Devices: Security Analytics Enable Health Care Transformation

Practically every one of us carries a supermarket loyalty card that tracks our purchases. The stores themselves apply analytics to the collected data to plan inventory and target advertising based on consumer profiles.

Target, for example, engaged in a program to identify pregnant women. People change their buying habits during periods of change in their lives, and one of the major events is having a child. Along with a newborn comes a surge of needs for new goods that starts well before the baby is born. Pregnant women, particularly in the second trimester, start buying prenatal vitamins, maternity clothes, unscented lotion, cotton balls, washcloths, hand sanitizer—about 25 items in all. The analytics are so accurate that Target can estimate the due date within a few weeks. Case in point: the company sent targeted advertising to a household and the father of the recipient contacted Target, infuriated that the store was encouraging his teenage daughter to get pregnant. A day or so later he called back and apologized: he’d had a heart-to-heart with his baby girl and she confessed that she did, in fact, need the products in the targeted flyer.

Health Care SecurityPredictive analytics can also be applied to determine whether consumers are making smart food choices. Health providers and payers could collaborate to provide discounts to patients who continuously eat to stay healthy. Heart rate monitors for working out can update your EMR and establish a pattern of exercise and record your vital statistics on a frequent basis. These are only a couple of possibilities: there’s a practically endless supply of ideas that could fuel a whole industry, contributing to not only a healthy population, but a healthy economy.

While the goal is to prevent disease in the first place, even the most ardent health and fitness enthusiast can develop a medical condition. As the bumper sticker goes, “Eat right, work out, die anyway.” Analytics are being applied to diagnose illnesses: IBM’s own Watson is in the process of retraining from being a Jeopardy champion to a medical diagnostician. It’s much more than a database of symptoms and associated possible conditions; Watson is able to refine that basic searching capability by ingesting patient history, comparing diagnostics with other patients with similar symptoms and backgrounds, assimilating new research from unstructured sources such as medical journals, and arrive at a more accurate diagnosis more quickly than most doctors.

And for those who have already been diagnosed with a condition or disease, monitoring can be applied to ensure they’re staying on plan for recovery or maintenance. Currently 80% of healthcare goes into dealing with chronic illness. Technology can reduce this figure and balance it out with preventative health care efforts by ensuring patients stick to their treatment plans, saving effort and money by reducing recovery periods and remission rates, ultimately improving outcomes. For example, pill bottles are being outfitted with sensors that ensure patients take their medications on-schedule.

All of this should percolate into a health dashboard of Key Health Indicators, available to patients, caregivers, payers, and goods manufacturers, with different levels of detail based on role and associated need to know. The concept sounds easy, all neatly packaged in one, short sentence; however, the complexities are staggering, both from a functional and security perspective. The first problem is the data needed to create a unified dashboard is scattered within each organization, and across many organizations, effectively locked within “islands” in the health care system. Encouraging the stakeholders and sometimes competing players to cooperate and share is a human problem, the most onerous of challenges. Teasing the data out of legacy systems is another obstacle: many are no longer supported either because the manufacturer melted down years ago or the platform it runs on is so antiquated that no one under the age of 45 has ever heard of it (DR-DOS anyone?)

Not only does the system have to be transparent and intuitive, security needs to be baked in, not added on. Defining roles and enforcing them through complex and federated identity and access management policies is the first security obstacle, followed by data masking and database security, encryption and key management, policy monitoring and detection of violations, fraud detection, and compliance tracking. All of this is layered on top of traditional security, including firewalls, intrusion prevention, and endpoint management and protection. Each of these topics deserves their own treatment, the sum of which can easily fill a rather largish book.

A quick glimpse under the cover reveals some of the complexities:

● The need for cross-organizational access creates challenges in defining and enforcing consistent role-based access to data. Different departments and organizations often have differing views on what they should have access to, and while it would seem to work itself out based on who owns the data, anyone who’s administered any access control will attest that the best laid plans eventually mutate into a goulash when applications don’t work as expected and new requirements crop up, forcing ad-hoc modifications to roles and policies. And while there is a certain amount of trust between organizations, security controls are still required to keep each other honest. Inter-organization segmentation, web application firewalls for SOA gateways, and federated identity and access control with multi-tenant self-service are only some of the basic security requirements.

● Data masking is imperative to be able to share a corpus of data, yet redact what’s appropriate for delivery to a given role. For example, changing patient names and social security numbers so application developers have access to realistic data without compromising patient confidentiality; obfuscating ePHI in logs; or substituting values for sensitive information after use, but before storage, and keeping a table to reconstitute it. You can’t assume the data is always structured or even in textual format: ePHI is often embedded in x-rays or MRI images, for example.

● Fraud detection requires a certain amount of creativity, putting yourself in the fraudsters’ mindset. Why do people commit records fraud? In some instances to make money selling diagnoses to the media when a celebrity is admitted to a hospital. In others a clinician may want to view the records of their neighbor. The trick is identifying the properties associated with those intentions: are medical records flagged with “celebrity”? Can you calculate that the distance between the home addresses of the caregiver and the patient, and what’s the right distance to call them neighbors in New York City versus Montana?

It’s appropriate that the same type of analytics that can be used to monitor health choices and diagnose medical conditions can also detect medical fraud and exposure of ePHI. They both involve consuming enormous amounts of wildly diverse data, interpreting it in the context of the problem at hand, and correlating seemingly unrelated information to yield an accurate and actionable conclusion. Said otherwise, they both involve the application of intelligence, which will transform the healthcare industry just as it has for security.

But we still have a way to go before we’ll be able to wave an iPad over a patient and get an instantaneous diagnosis.

Subscribe to the SecurityWeek Email Briefing
view counter
Chris Poulin brings a balance of management experience and technical skills encompassing his 25 years in IT, information security, and software development to his role as Chief Security Officer at Q1 Labs. Prior to joining Q1 Labs in July 2009, Poulin spent eight years in the U.S. Air Force managing global intelligence networks and developing software. He left the Department of Defense to leverage his leadership and technical skills to found and build FireTower, Inc., an information security consulting practice.
view counter