How Artificial Intelligence Can Overcome Healthcare Data Security Challenges and Improve Patient Trust
This report is based on a 2018 Healthcare Analytics Summit presentation given by Robert Lord, president and cofounder of Protenus, “Privacy Analytics: A Johns Hopkins Case Study—Using AI to Stop Data Breaches.”
Some security experts claim that an individual’s medical record can be sold for ten times what their credit card goes for on the black market, making it a common target for hackers. Implementing privacy analytics to improve healthcare data security across the industry is critical in healthcare today, as more questions than answers arise about patient privacy and security.
Johns Hopkins put into practice an artificial intelligence (AI) application to produce a highly accurate privacy analytics model that reviewed every access point to patient data and detected when the EHR was potentially exposed to a privacy violation, attack, or breach. Specific techniques, including supervised and unsupervised machine learning and transparent AI methods, advanced Johns Hopkins toward its predictive, analytics-based, collaborative privacy analytics infrastructure.
Healthcare Data Security and the Struggle for Patient Trust
With a secure, analytics-driven digital health system, Johns Hopkins overcame a universal barrier to delivering quality care among health systems: patient trust. Breaches are perilous to healthcare organizations because they immediately jeopardize patient trust, resulting in patients withholding important health information from providers. Without a full picture of patient health, clinicians can’t provide holistic care to patients, resulting in a subpar healthcare experience for both those receiving and delivering care.
Patients are initially reluctant to share information with providers because they don’t know who can access their information, and they’re uncertain how health systems keep patient data safe and secure. Data breaches have doubled in the past decade, which erodes patient trust and leads patients to seek care from another provider or organization, potentially resulting in a considerable loss to a health system over time.
EHRs and Common Security Pitfalls
According to a case study from Johns Hopkins, most data breaches in clinical systems (e.g., loss, theft, insider breaches, etc.) originate from an organization’s employees, not an outside hacker stealing data on a personal computer. The most common offenders are health system staff and clinicians who have access to the organization’s EHR.
EHRs are designed to grant access to large groups of people, which means taking aggressive measures to prevent security breaches has its challenges:
- Checking boxes for HIPAA versus comprehensive review: Johns Hopkins leaders and clinicians were busy checking boxes to appease the regulators at the Office for Civil Rights under the U.S. Department of Health and Human Services (HHS)—the institution responsible for enforcing HIPAA—rather than thoroughly reviewing every flagged record. Lack of an in-depth, comprehensive review also prevented organizations from proactively searching for data breaches; rather, they had to wait until they received a notification about suspicious activity.
- Overworked privacy and security officers: Time-consuming, laborious data security processes require the privacy and security workforce to focus on sifting through breach data rather than using their critical thinking skills and human judgment on more vital tasks, such as deciding which red flags are worthy of follow-up.
- Concerns around expanding access: Healthcare organizations are rapidly growing and increasing their workforce, granting more people access to the EHR. Yet, in the midst of growing numbers, privacy and security measures haven’t advanced.
- The original state of privacy programs and antiquated systems: Traditional systems have their own share of challenges, including retroactive—rather than proactive—investigations, high rates of false positives, lack of data source aggregation capabilities, slow search queries, and lack of visualization tools. These challenges hinder an organization’s ability to explore workflows and improve its privacy breach identification processes.
A New Approach to Privacy Analytics
With its ability to accurately collate, analyze, and review mass amounts of information, AI creates a highly accurate privacy model that helps organizations overcome these all-too-common healthcare data security roadblocks. The privacy analytics approach at Johns Hopkins allowed leadership to review all data logs accurately; create a collaborative, interdisciplinary initiative across the organization that eliminated data silos; and forge a sustainable path for long-term privacy analytics in healthcare.
To achieve this higher caliber of privacy analytics management, Johns Hopkins carefully identified its key performance indicators (KPIs) and used them to overcome the organizational inertia that impedes change in large institutions.
Johns Hopkins used these five KPIs to measure success:
- What are the threats we discover?
- What is our false-positive rate?
- What is the burden of our current tool maintenance?
- What is the investigation time?
- What is the overall reduction in privacy threats over time?
The organization’s new privacy analytics platform—aimed at improving healthcare data security—opened the lines of communication for the privacy and security teams, allowing them to work more closely together. The collaborative effort helped the security team by eliminating the manual work the old system required to identify insider threats, phishing, and credential sharing, which made it easier for the privacy team to complete investigations and audits.
At first, Johns Hopkins employees questioned the new monitoring process and worried that leadership lacked trust in the workforce. They soon discovered, however, the new security platform actually empowered team members and even cleared up miscommunications. The positive experience with the new data platform built trust among Johns Hopkins team members, many of whom were also patients at the health system. The innovative security platform also allowed the senior leadership team at Johns Hopkins to see the big picture and work toward their real objective—to retain patients and build trust with the community.
Elements Driving Cost of Healthcare Data Security
To evaluate the total cost of ownership of the new platform, Johns Hopkins leadership evaluated the major factors affecting its healthcare data security and privacy:
- The current software cost compared to the new platform cost.
- The effect of the new platform on the current number of full-time employees (FTEs), especially the “silent” FTEs who often go unnoticed (e.g., members of the business intelligence, nursing, and legal teams).
- The cost of outside firms to resolve discrepancies in data, delays in response time, and fine regulation violations.
- Most importantly, the cost of losing patients due to the degradation of patient trust that a data breach creates.
Why Compliance Analytics Is So Effective
The results Johns Hopkins saw in its privacy and security processes were irrefutable—traditional investigations took 75 minutes, while investigations conducted on the new platform took only five minutes, saving over one hour for every investigation. The false-positive rate dramatically dropped from 83 percent to an astounding three percent with the new platform, meaning that nearly every notification was a real data breach.
The time Johns Hopkins’ security and privacy team members saved with the new platform, and the sharp decrease in false positives, led to dramatic improvements in the workflow and more time for employees to work on projects requiring critical thinking and human judgment.
Improvements in three core components transformed the cultural and workflow challenges at Johns Hopkins:
- Scale: Compliance analytics fosters data integration because it brings together all the information needed to solve a problem in one place. The enterprisewide solution also serves a variety of compliance interests across the health system. Most importantly, it allows the organization to review all records instead of reviewing a sliver of records.
- Complexity: The sophisticated platform was equipped to handle the nuances of each case, making it easy to identify abnormal behaviors (e.g., the AI behavioral dashboard, Figure 1). Rather than following the rigid parameters of a rules-based system that lead to high rates of false positives, the new system’s distribution capabilities allow organizations to focus on the most unusual threats, which they can adapt to a non-standard distribution list (common for providers who wear many hats and don’t fit one single description).
Figure 1: The AI behavior dashboard.
Compliance analytics are as fluid as the roles in healthcare positions across the continuum of care—from a medical assistant, physician, and nurse to a research assistant. Rather than manually assigning a team member to a role (e.g., Dr. Jones is a family practice physician), the distribution of activities in the EHR defines the role of the individual. For example, if Dr. Jones spends most of her time looking at information that would indicate that she is an OB/GYN, then the AI platform will automatically assign her the role of OB/GYN, as well as other roles based on her distribution activity.
- Automation: Automation within the compliance analytics system didn’t remove the need for staff, but it leveraged their judgment capabilities so that team members could focus on tasks that add value, instead of wasting time on automatable tasks (e.g., sifting through false positives).
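The behavior-derived role assignment described under Complexity can be illustrated with a small added example; it is not code from Protenus or Johns Hopkins, and the role profiles, category names, threshold, and audit-log rows are all constructed assumptions. It infers a user's role from the distribution of record categories they access, then compares the alerts a title-based rule would raise against those raised from the inferred role, each with a stated reason.

```python
from collections import Counter

# Hypothetical role profiles (assumed): expected share of accesses per record category.
ROLE_PROFILES = {
    "ob_gyn": {"obstetrics": 0.70, "gynecology": 0.25, "lab": 0.05},
    "family_practice": {"primary_care": 0.70, "pediatrics": 0.15, "lab": 0.15},
    "research_assistant": {"research": 0.85, "lab": 0.15},
}

# Constructed audit log: (user, patient_id, record_category).
ACCESS_LOG = (
    [("dr_jones", f"P{i:03d}", "obstetrics") for i in range(14)]
    + [("dr_jones", f"P{i:03d}", "gynecology") for i in range(14, 19)]
    + [("dr_jones", "P900", "psychiatry")]
)

def activity_distribution(log, user):
    """Share of a user's accesses that fall in each record category."""
    counts = Counter(cat for u, _, cat in log if u == user)
    total = sum(counts.values())
    return {cat: n / total for cat, n in counts.items()}

def distance(p, q):
    """Total variation distance between two category distributions."""
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))

def infer_role(dist):
    """Pick the profile closest to the observed activity, not the job title."""
    return min(ROLE_PROFILES, key=lambda role: distance(dist, ROLE_PROFILES[role]))

def flag_accesses(log, user, role, min_share=0.02):
    """Flag accesses to categories the given role profile almost never touches."""
    profile = ROLE_PROFILES[role]
    alerts = []
    for u, patient, cat in log:
        if u == user and profile.get(cat, 0.0) < min_share:
            alerts.append({"patient": patient, "category": cat,
                           "why": f"'{cat}' is {profile.get(cat, 0.0):.0%} of the {role} profile"})
    return alerts

if __name__ == "__main__":
    observed = activity_distribution(ACCESS_LOG, "dr_jones")
    inferred = infer_role(observed)
    # Static rule keyed to the assigned title vs. the behavior-derived role.
    print("title-based alerts:", len(flag_accesses(ACCESS_LOG, "dr_jones", "family_practice")))
    print("inferred role:", inferred)
    for alert in flag_accesses(ACCESS_LOG, "dr_jones", inferred):
        print("behavior-based alert:", alert)
```

With the constructed log, the title-based rule flags every access, while the behavior-derived role leaves a single access for a reviewer to judge.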
The Power of Automation Combined with Human Judgment
The automation factor of the compliance analytics platform enables team members to apply critical thinking and judgment to improve an organization. The powerful combination of automation and team members at Johns Hopkins offers three major benefits:
- Natural language cases: Gathering facts, documenting cases, and submitting them to a compliance officer was a time sink for the workforce. The compliance analytics platform provides a natural language note, including the information an employee needs to submit a ticket to a compliance officer. When there is a data breach, the team member can print the ticket directly from the platform. The printed document initiates the investigation.
- Automated emails: The compliance analytics system can create automatic emails for whichever level of threat the system would like to flag. When there is an alert, the system autogenerates an email, versus requiring a team member to manually send one. The new system moves the autogenerated emails to a queue for a designated reviewer to approve before sending to the recipients.
- Documentation and comprehensive logs: If AI lacks explanations as to why it flagged a certain behavior, it’s not helpful. The cutting-edge solution eliminates the “black box” of AI and explains why something is flagged, looks risky, or is identified as anomalous behavior, allowing organizations to tackle security concerns in a transparent way, as shown in Figure 1.
A Broader Reach: The Future of Compliance Analytics and Healthcare Data Security
Healthcare data security and privacy is an increasingly critical issue in healthcare today and, when handled poorly, can cost millions. Ponemon Institute and IBM Security conducted a global survey that revealed a data breach costs an organization up to $6.45 million on average. Healthcare systems can proactively prevent security breaches, and their far-reaching effects, with AI-enabled platforms that provide clear solutions for long-lasting security and privacy changes.
When organizations systematically evaluate their privacy and security risks, it is easy to overlook best practices and focus only on the “checkboxes” of the law. However, these efforts can be futile. Real change that leads to a long-term paradigm shift occurs when organizations evaluate and follow through with best practices, such as auditing every access point and accurately presenting cases rather than reports.
Johns Hopkins proved it is possible to overcome the privacy and security stagnation that develops from years of repetitive, routine procedures. It shifted from a rule-based data breach defense system to an analytics-centered paradigm. The keys to success included an effective framework that fostered a compliance analytics-first environment and leadership’s ability to identify the appropriate tools to evaluate privacy and security analytics in the context of their own organization.