This report is based on a 2018 Healthcare Analytics Summit presentation given by Robert Lord, president and cofounder of Protenus, “Privacy Analytics: A Johns Hopkins Case Study—Using AI to Stop Data Breaches.”
Some security experts claim that an individual’s medical record can be sold for ten times what their credit card goes for on the black market, making it a common target for hackers. Implementing privacy analytics to improve healthcare data security across the industry is critical in healthcare today, as more questions than answers arise about patient privacy and security.
Johns Hopkins put into practice an artificial intelligence (AI) application to produce a highly accurate privacy analytics model that reviewed every access point to patient data and detected when the EHR was potentially exposed to a privacy violation, attack, or breach. Specific techniques, including supervised and unsupervised machine learning and transparent AI methods, advanced Johns Hopkins toward its predictive, analytics-based, collaborative privacy analytics infrastructure.
With a secure, analytics-driven digital health system, Johns Hopkins overcame a universal barrier to delivering quality care among health systems: patient trust. Breaches are perilous to healthcare organizations because they immediately jeopardize patient trust, resulting in patients withholding important health information from providers. Without a full picture of patient health, clinicians can’t provide holistic care to patients, resulting in a subpar healthcare experience for both those receiving and delivering care.
Patients are initially reluctant to share information with providers because they don’t know who can access their information, and they’re uncertain how health systems keep patient data safe and secure. Data breaches have doubled in the past decade, which erodes patient trust and leads patients to seek care from another provider or organization, potentially resulting in a considerable loss to a health system over time.
According to a case study from Johns Hopkins, most data breaches in clinical systems (e.g., loss, theft, insider breaches, etc.) originate from an organization’s employees, not an outside hacker stealing data on a personal computer. The most common offenders are health system staff and clinicians who have access to the organization’s EHR.
EHRs are designed to grant access to large groups of people, which means taking aggressive measures to prevent security breaches has its challenges:
With its ability to accurately collate, analyze, and review mass amounts of information, AI creates a highly correct privacy model that helps organizations overcome these all-too-common healthcare data security roadblocks. The privacy analytics approach at Johns Hopkins allowed leadership to review all data logs accurately; create a collaborative, interdisciplinary initiative across the organization that eliminated data silos; and forge a sustainable path for long-term privacy analytics to transform the future of privacy analytics in healthcare.
To achieve this higher caliber of privacy analytics management, Johns Hopkins carefully identified its key performance indicators (KPIs) and used them to overcome the organizational inertia that impedes change in large institutions.
Johns Hopkins used these five KPIs to measure success:
The organization’s new privacy analytics platform—aimed at improving healthcare data security—opened the lines of communication for the privacy and security teams, allowing them to work more closely together. The collaborative effort helped the security team by eliminating the manual work the old system required to identify insider threats, phishing, and credential sharing, which made it easier for the privacy team to complete investigations and audits.
At first, Johns Hopkins employees questioned the new monitoring process and worried that leadership lacked trust in the workforce. They soon discovered, however, the new security platform actually empowered team members and even cleared up miscommunications. The positive experience with the new data platform built trust among Johns Hopkins team members, many of whom were also patients at the health system. The innovative security platform also allowed the senior leadership team at Johns Hopkins to see the big picture and work toward their real objective—to retain patients and build trust with the community.
To evaluate the total cost of ownership of the new platform, Johns Hopkins leadership evaluated the major factors affecting its healthcare data security and privacy:
The results Johns Hopkins saw in its privacy and security processes were irrefutable—traditional investigations took 75 minutes, while investigations conducted on the new platform took only five minutes, saving over one hour for every investigation. The false-positive rate dramatically dropped from 83 percent to an astounding three percent with the new platform, meaning that nearly every notification was a real data breach.
The time Johns Hopkins’ security and privacy team members saved with the new platform, and the intense decrease in false positives, led to dramatic improvements in the workflow and more time for employees to work on projects requiring critical thinking and human judgment.
Improvements in three core components transformed the cultural and workflow challenges at Johns Hopkins:
Compliance analytics are as fluid as the roles in healthcare positions across the continuum of care—from a medical assistant, physician, and nurse to a research assistant. Rather than manually assigning a team member to a role (e.g., Dr. Jones is a family practice physician), the distribution of activities in the EHR defines the role of the individual. For example, if Dr. Jones spends most of her time looking at information that would indicate that she is an OB/GYN, then the AI platform will automatically assign her the role of OB/GYN, as well as other roles based on her distribution activity.
The automation factor of the compliance analytics platform enables team members to apply critical thinking and judgment to improve an organization. The powerful combination of automation and team members at Johns Hopkins offers three major benefits:
Healthcare data security and privacy is an increasingly critical issue in healthcare today and, when handled poorly, can cost millions. Ponemon Institute and IBM Security conducted a global survey that revealed a data breach costs an organization up to $6.45 million on average. Healthcare systems can proactively prevent security breaches, and their far-reaching effects, with AI-enabled platforms that provide clear solutions for long-lasting security and privacy changes.
When organizations systematically evaluate their privacy and security risks, it is easy to overlook best practices and focus only on the “checkboxes” of the law. However, these efforts can be futile. Real change that leads to a long-term paradigm shift occurs when organizations evaluate and follow through with best practices, such as auditing every access point and accurately presenting cases rather than reports.
John Hopkins proved it is possible to overcome the privacy and security stagnation that develops from years of repetitive, routine procedures. It shifted from a rule-based data breach defense system to an analytics-centered paradigm. The keys to success included an effective framework that fostered a compliance analytics-first environment and leadership’s ability to identify the appropriate tools to evaluate privacy and security analytics in the context of their own organization.
Would you like to learn more about this topic? Here are some articles we suggest:
Would you like to use or share these concepts? Download the presentation highlighting the key main points.