Automate Front Line Security Controls with Machine Learning Models and Risk Scoring

The healthcare industry is a target for malicious attackers because of the type of data that payers and providers hold. Implementing adequate data security and access management controls that keep those attackers out is a challenge across the industry. Gurucul offers advanced security analytics to address a broad range of security issues facing healthcare providers and payers.

A Risk-Based Approach for Healthcare Security

Staying ahead of attackers is always the biggest challenge in healthcare security. Don’t look to compliance regulations for inspiration about what controls to develop next. Instead, take a risk-based approach: look at what cyber criminals are actually doing, what threats and evolving attack techniques they use, and identify controls based on those threats. Make sure you can deploy new controls quickly enough to prevent or mitigate the risk.

User and Entity Behavior Analytics (UEBA)

UEBA is the most effective practical approach to comprehensively managing and monitoring user- and entity-centric risk. It quickly identifies anomalous activity, which makes timely incident response or automated risk response possible. The range of Gurucul UEBA use cases is what makes the solution extensible and valuable in healthcare security: it detects risks and threats that signatures, rules and patterns miss.

“UEBA is one of the most powerful new security controls to emerge in recent memory. I believe that most – if not all – of our technical security controls will have some element of UEBA associated with them. I view this as a very strategic shift for Aetna security, and I think that the rest of the industry will be following as well.”

– Kurt Lieber, CISO, Aetna

Key Security Analytics Use Cases in Healthcare

Insider Threat

Healthcare companies face their largest threat from malicious insiders misusing or gaining unauthorized access to patients’ sensitive data, including PII and PHI. According to the 2018 Protected Health Information Data Breach Report, healthcare is the only industry in which insiders pose the greatest threat to sensitive data: 58% of incidents stem from insiders. The 2018 Verizon Data Breach Investigations Report puts it the same way: “the Healthcare industry has the dubious distinction of being the only vertical that has a greater insider threat (when looking at breaches) than it does an external threat.”


Typical Insider Activities

  • Patient record “snooping” – viewing medical records of friends, family, neighbors
  • Sensitive data exfiltration to personal accounts, competitors or bad actors
  • Print/Download/Export activity including patient records and reports
  • Stealing VIP medical records
  • Unauthorized access to patient data from unrelated departments (e.g. pediatrics nurse accessing records from neurology)
  • Unusual access to medical devices from suspicious devices, users and network IP addresses

All of these activities can be detected by monitoring activity logs from electronic medical record (EMR) systems such as Epic, Allscripts, Cerner and GE, combined with logs from IT platforms such as proxies, firewalls, VPN and Windows/Active Directory.

Medical Devices

Medical devices are under increasing threat from ransomware. In the past, manufacturers built medical devices on proprietary firmware and other vendor-specific platforms that were unlikely targets of cyberattack. Now, to make devices cheaper and easier to scale, manufacturers build them on commodity operating systems such as Windows, which means they are exposed to the same ransomware campaigns as the rest of the enterprise.

Healthcare organizations must also deal with unexpected changes in device configurations, broken or malfunctioning equipment, and “lost” devices that are unaccounted for in inventory.


Protect Patients by Securing Medical Devices with Behavior Based Security Analytics

In the healthcare industry, patients must always come first. To keep medical devices secure, it’s necessary to profile the behavior of these devices and to understand their standard behavior patterns. Once you know these standard behaviors, it’s possible to identify unusual trends that could indicate the device has been compromised and the IT group needs to intervene to prevent damage.

  • Identify what the various kinds of devices are, and use behavior patterning to understand where they should live and how they should operate on the network
  • Establish an early warning system that flags a device which is not behaving normally so it can be removed from rotation
  • Detect anomalous behaviors associated with devices that may be targets of ransomware or malware attacks
  • Determine when to safely patch medical devices by understanding device behavior patterns
  • Predict when devices are about to malfunction and need to be serviced or replaced

Medical devices must be managed from a security perspective, but also from an operational perspective. Using analytics to establish behavior baselines helps support risk assessments, find malfunctions and enhance staff productivity.
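The baselining described above, as an added example that is not Gurucul code: learn, per device type, which /24 networks the type lives in and which destination/port peers it talks to, then flag devices that turn up on a foreign subnet, reach a never-seen peer, or fan out to many unseen hosts on one port (the shape of worm-style ransomware propagation). The flow schema, device types, addresses and the fan-out threshold are all hypothetical, constructed for the illustration.

```python
"""Behavior baselines for medical devices from network flow records.

Added example, not Gurucul code. The flow schema, device types, addresses and
the fan-out threshold are hypothetical illustrations of the approach on the
page: learn where a device type lives and whom it talks to, then flag drift.
"""
import ipaddress
from collections import defaultdict

# Constructed flow records (hypothetical schema):
# (device_id, device_type, src_ip, dst_ip, dst_port, bytes)
BASELINE_FLOWS = [
    ("infusion-01", "infusion_pump", "10.20.1.11", "10.20.0.5", 443, 1200),
    ("infusion-01", "infusion_pump", "10.20.1.11", "10.20.0.9", 123, 90),
    ("infusion-02", "infusion_pump", "10.20.1.12", "10.20.0.5", 443, 1300),
    ("infusion-02", "infusion_pump", "10.20.1.12", "10.20.0.9", 123, 90),
    ("ct-01", "ct_scanner", "10.30.1.21", "10.30.0.7", 104, 900000),  # DICOM to PACS
    ("ct-01", "ct_scanner", "10.30.1.21", "10.20.0.9", 123, 90),      # NTP
]

# Constructed observation window: one pump sweeping SMB across the ward
# segment, a scanner showing up on a foreign subnet, a pump reaching out
# to an address never seen in the baseline.
NEW_FLOWS = [
    ("infusion-01", "infusion_pump", "10.20.1.11", "10.20.0.5", 443, 1100),
] + [
    ("infusion-02", "infusion_pump", "10.20.1.12", f"10.20.1.{n}", 445, 500)
    for n in range(20, 26)
] + [
    ("ct-01", "ct_scanner", "10.99.5.4", "10.30.0.7", 104, 800000),
    ("infusion-01", "infusion_pump", "10.20.1.11", "203.0.113.10", 443, 4000),
]


def build_device_baselines(flows):
    """Per device type: (dst_ip, dst_port) peers seen and the /24 source
    networks the type normally lives in."""
    profiles = defaultdict(lambda: {"peers": set(), "subnets": set()})
    for _dev, dtype, src, dst, port, _b in flows:
        profiles[dtype]["peers"].add((dst, port))
        profiles[dtype]["subnets"].add(ipaddress.ip_network(f"{src}/24", strict=False))
    return dict(profiles)


def detect_device_anomalies(profiles, flows, fanout_threshold=5):
    """Return (device_id, reason) findings for flows that drift from the
    device type's baseline. Fan-out to many unseen hosts on one port is
    reported as a single finding because that is what worm-style
    propagation (SMB sweeps on 445, for example) looks like."""
    findings = []
    moved = {}                      # device -> src ip outside baseline subnets
    new_dsts = defaultdict(set)     # (device, port) -> unseen destination ips
    for dev, dtype, src, dst, port, _b in flows:
        p = profiles.get(dtype, {"peers": set(), "subnets": set()})
        src_ip = ipaddress.ip_address(src)
        if p["subnets"] and not any(src_ip in net for net in p["subnets"]):
            moved.setdefault(dev, src)
        if (dst, port) not in p["peers"]:
            new_dsts[(dev, port)].add(dst)
    for dev, src in moved.items():
        findings.append((dev, f"seen at {src}, outside baseline subnets for its type"))
    for (dev, port), dsts in new_dsts.items():
        if len(dsts) >= fanout_threshold:
            findings.append((dev, f"fan-out to {len(dsts)} unseen hosts on port {port}"))
        else:
            for dst in sorted(dsts):
                findings.append((dev, f"new peer {dst}:{port}"))
    return findings


if __name__ == "__main__":
    baseline = build_device_baselines(BASELINE_FLOWS)
    for device, reason in detect_device_anomalies(baseline, NEW_FLOWS):
        print(f"{device}: {reason}")
```

Running the baseline flows back through the detector produces no findings, which is the sanity check to keep when a real baseline is rebuilt: a baseline that flags itself is too narrow. Profiles are keyed by device type rather than by device so that a single new pump inherits the behavior its peers have already established.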

Healthcare Provider and Consumer Fraud

Healthcare provider and consumer fraud costs individual organizations millions of dollars each year. Industry-wide, healthcare fraud, waste and abuse (FWA) costs over $75 billion a year, and over the last few years large healthcare organizations have absorbed billions of dollars in FWA losses; some estimates put the figure at over $500 billion.

On the consumer side, more than 2 million people have been affected by some form of medical identity theft, and victims have paid close to $20,000 on average as a result.

These costs fall not only on large healthcare organizations, as lost revenue, but also on the average consumer: every dollar lost to fraud is a dollar not available to improve the quality of care for honest customers and providers. Healthcare organizations feel the brunt of the problem from the two primary actors they deal with:

  • Providers, who try to make money by falsifying the services they provided
  • Consumers, who try to obtain free services by impersonating other consumers

Provider Fraud

Provider Fraud constitutes the majority of the FWA bucket. These fraudulent practices are designed to produce additional profits for the Healthcare provider by using some of the methods listed here.


Key Fraud Use Cases

  • Billing for services not provided
  • Threatening to bill members if insurers don’t pay full price
  • Billing for a non-covered service as a covered service
  • Falsifying service data
  • Abnormal waiving of deductibles and/or co-payments
  • Incorrect reporting of diagnoses or procedures (includes unbundling)
  • Prescribing unnecessary drugs / drug diversion

Consumer Fraud

Although a smaller part of the overall FWA bucket, consumer fraud is widely prevalent. In the last decade, 250,000 to 500,000 individuals have been victims of this escalating crime.


Key Fraud Use Cases

  • Medical identity theft: obtaining medical services using a stolen identity
  • Falsifying claims from non-existent providers/clinics or duplicate claims filing under different names
  • Unusual claims submissions from numerous geolocations/accounts
  • Money laundering: consistently diverting small amounts of disbursement funds, each too small to be noticed, to a fraudulent account
  • HSA Account Takeover: compromise online account, submit false claims, modify bank account details and disbursements

How Advanced Security Analytics Can Help

First-generation data models have been used to identify fraud and access abuse, but they rely on simple signature-driven rules or on statistical models over historical data. These flag individual events, which analysts then have to review and link together by hand, a process that is slow and prone to human error.

Machine Learning and advanced security analytics provide a way to analyze large volumes of data and predict anomalous behavior that can help prevent large scale frauds and detect insider threats. In addition, security analytics can detect anomalous behaviors and risk score individual users, consumers and entities, providing meaningful information on potential risky situations in real time.

Gurucul Risk Analytics (GRA) provides a holistic, risk-based approach to detecting insider threats and fraud by internal and external users, using award-winning machine learning algorithms and an open big data architecture. Gurucul’s risk engine computes a unique risk score for each user, customer or provider from context-driven sensors over public and private data transactions. The open big data platform ingests both structured and unstructured data and aggregates risk context for intelligent detection of fraud and insider threats.


Machine Learning and Next Generation Predictive Models

Gurucul Risk Analytics uses machine learning and predictive models to identify potentially malicious behavior and predict fraud. Machine learning uses historical data to build behavior baselines for users and entities; the baseline is then used to identify deviations from established patterns. The baselines are self-adjusting and change as user behavior changes.

Real-Time Transactional Surveillance

Gurucul Risk Analytics uses real-time and near-real-time processing for transactional surveillance and can identify potentially fraudulent transactions and insider threats on the fly. Near-real-time analytics allows timely identification and disposition of employee-, provider- and member-based incidents.


Link Analysis

Gurucul Risk Analytics uses its proprietary Link Analysis® to identify and link transactions across claims and map them to member and provider entities. This linkage provides a historical and current view of all transactions for a member and of all claims submitted by a provider, giving GRA a consolidated view of transactions related to patients and provider entities. The same linked data feeds the GRA machine learning algorithms for real-time predictive detection.
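What linking claims to their entities buys you, as an added example that is not Gurucul’s Link Analysis: each claim is joined to its member, provider and payout account with a union-find, so claims that share any entity fall into one connected component (the consolidated view), and fraud rules then run over those components rather than over isolated rows. The two rules correspond to the consumer-fraud use cases listed above: duplicate filings, and several identities whose claims all pay out to one account. The claim schema, identifiers and rule definitions are hypothetical, constructed for the illustration.

```python
"""Link analysis over claims: map claims to members, providers and payout
accounts, then run fraud rules over the linked view.

Added example, not Gurucul's Link Analysis. The claim schema, identifiers and
the two rules are hypothetical illustrations of the consumer-fraud use cases
on the page (duplicate filings, several identities paid to one account).
"""
from collections import defaultdict

# Constructed claims (hypothetical schema):
# (claim_id, member_id, provider_id, payout_account, service_date, amount)
CLAIMS = [
    ("C1", "M100", "PRV-A", "ACCT-111", "2023-03-01", 120.0),
    ("C2", "M100", "PRV-A", "ACCT-111", "2023-03-01", 120.0),  # resubmission of C1
    ("C3", "M200", "PRV-B", "ACCT-222", "2023-03-02", 80.0),
    ("C4", "M300", "PRV-B", "ACCT-222", "2023-03-05", 95.0),   # other member, same account
    ("C5", "M400", "PRV-C", "ACCT-222", "2023-03-06", 60.0),   # third member, same account
    ("C6", "M500", "PRV-D", "ACCT-555", "2023-03-07", 200.0),
]


class UnionFind:
    """Disjoint sets over string node ids; path halving keeps find() cheap."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def claim_nodes(claim):
    """Graph node ids for one claim: the claim node and its three entity nodes."""
    cid, member, provider, account, _date, _amount = claim
    return f"claim:{cid}", (f"member:{member}", f"provider:{provider}", f"account:{account}")


def link_claims(claims):
    """Connected components of the claim/entity graph: every claim is joined
    to its member, provider and payout account, so anything that shares an
    entity ends up in one consolidated view."""
    uf = UnionFind()
    for claim in claims:
        cnode, entities = claim_nodes(claim)
        for node in entities:
            uf.union(cnode, node)
    components = defaultdict(set)
    for claim in claims:
        cnode, entities = claim_nodes(claim)
        components[uf.find(cnode)].update((cnode, *entities))
    return list(components.values())


def find_fraud_signals(claims):
    """Two rules over the linked view (rules hypothetical):
    duplicate_claim: same member, provider, date and amount filed twice;
    shared_payout_account: one component in which several members are all
    paid out to a single account."""
    signals = []
    seen = {}
    for cid, member, provider, _acct, date, amount in claims:
        key = (member, provider, date, amount)
        if key in seen:
            signals.append(("duplicate_claim", cid, seen[key]))
        else:
            seen[key] = cid
    for comp in link_claims(claims):
        members = sorted(n.split(":", 1)[1] for n in comp if n.startswith("member:"))
        accounts = [n.split(":", 1)[1] for n in comp if n.startswith("account:")]
        if len(members) >= 2 and len(accounts) == 1:
            signals.append(("shared_payout_account", accounts[0], tuple(members)))
    return signals


if __name__ == "__main__":
    for comp in link_claims(CLAIMS):
        print(sorted(comp))
    for signal in find_fraud_signals(CLAIMS):
        print(signal)
```

The component rule is the part a row-by-row check cannot express: M200, M300 and M400 never appear together on any single claim, and two of them even use different providers, yet the shared payout account pulls all five of their claims into one component where the pattern is obvious. Adding more entity types (address, phone, IP used to file the claim) is a one-line change to `claim_nodes`.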


Linking Non-Claims Data to Claims Data

Gurucul Risk Analytics can link EMR data with non-claims data and clinical data to provide a composite view of a patient’s condition and highlight unusual transactions based on user and historic community profiles. The GRA platform can analyze public records, mine and normalize data and score provider risk of fraud and abuse.


Custom Models and Use Cases

Gurucul Risk Analytics comes with Studio®, which provides the capability to create custom behavioral models within GRA through a simplified interface, so customers can create or modify models without needing to master data science and modelling. This is particularly helpful for healthcare customers who want models for their own custom applications and proprietary schemas without hiring or engaging data science or development teams.


Risk-based Access Control

Gurucul Risk Analytics provides a dynamic risk score based on user/entity behavior, which can be used to orchestrate access control decisions. Automate the enforcement of step-up authentication and MFA, or restrict access to certain data elements, transactions or capabilities based on the risk score.
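The full loop from the insider threat section (record snooping, cross-department access, VIP records, bulk export) through the behavior baselines section to this one, as an added example that is not Gurucul code: a per-user baseline is learned from historical EMR audit events, new events are scored against it, the per-user score accumulates, and the score drives an access decision (allow, step-up MFA, block). The audit-event schema, VIP flag, care-team mapping, scoring weights and thresholds are all hypothetical, constructed for the illustration.

```python
"""Risk scoring and risk-based access control from EMR audit events.

Added example, not Gurucul code. Every schema, weight and threshold below is
a hypothetical illustration of the approach described on the page: learn a
per-user baseline from history, score deviations, act on the score.
"""
from collections import defaultdict

# Constructed EMR audit events (hypothetical schema):
# (user, user_dept, patient_dept, patient_id, action, hour_of_day)
BASELINE_EVENTS = [
    ("nurse_a", "pediatrics", "pediatrics", "P100", "view", 9),
    ("nurse_a", "pediatrics", "pediatrics", "P101", "view", 10),
    ("nurse_a", "pediatrics", "pediatrics", "P102", "view", 14),
    ("nurse_a", "pediatrics", "pediatrics", "P103", "view", 15),
    ("dr_b", "neurology", "neurology", "P200", "view", 8),
    ("dr_b", "neurology", "neurology", "P201", "export", 11),
    ("dr_b", "neurology", "neurology", "P202", "view", 16),
]

# Constructed VIP flag and care-team assignment; a real EMR holds both.
VIP_PATIENTS = {"P999"}
CARE_TEAM = {"P999": {"dr_b"}}

# Constructed events to score against the baseline.
NEW_EVENTS = [
    ("nurse_a", "pediatrics", "pediatrics", "P104", "view", 10),    # routine
    ("nurse_a", "pediatrics", "neurology", "P999", "view", 23),     # VIP, other dept, late
    ("nurse_a", "pediatrics", "pediatrics", "P105", "export", 23),  # first export, late
    ("dr_b", "neurology", "neurology", "P999", "view", 9),          # VIP, but on care team
]

# Profile used for a user with no history: everything they do is new.
EMPTY_PROFILE = {"depts": frozenset(), "actions": frozenset(), "hour_window": None}


def build_baselines(events):
    """Per-user profile from history: departments whose patients the user
    normally touches, actions normally taken, and the hour-of-day window."""
    raw = defaultdict(lambda: {"depts": set(), "actions": set(), "hours": []})
    for user, _udept, pdept, _pid, action, hour in events:
        raw[user]["depts"].add(pdept)
        raw[user]["actions"].add(action)
        raw[user]["hours"].append(hour)
    return {
        u: {"depts": p["depts"], "actions": p["actions"],
            "hour_window": (min(p["hours"]), max(p["hours"]))}
        for u, p in raw.items()
    }


def score_event(profile, event):
    """Points and reasons for one event against a profile (weights hypothetical)."""
    user, _udept, pdept, pid, action, hour = event
    points, reasons = 0, []
    if pdept not in profile["depts"]:
        points += 30
        reasons.append(f"patient from {pdept}, outside baseline departments")
    if pid in VIP_PATIENTS and user not in CARE_TEAM.get(pid, set()):
        points += 40
        reasons.append(f"VIP record {pid} without care-team assignment")
    if action not in profile["actions"]:
        points += 20
        reasons.append(f"first-seen action '{action}'")
    window = profile["hour_window"]
    if window and not window[0] <= hour <= window[1]:
        points += 15
        reasons.append(f"hour {hour} outside baseline window {window[0]}-{window[1]}")
    return points, reasons


def risk_scores(baseline_events, new_events):
    """Accumulate per-user risk (capped at 100) and the reasons behind it."""
    profiles = build_baselines(baseline_events)
    scores, findings = defaultdict(int), defaultdict(list)
    for ev in new_events:
        pts, why = score_event(profiles.get(ev[0], EMPTY_PROFILE), ev)
        scores[ev[0]] = min(100, scores[ev[0]] + pts)
        findings[ev[0]].extend(why)
    return dict(scores), dict(findings)


def access_decision(score):
    """Turn the score into an enforcement action (thresholds hypothetical)."""
    if score >= 70:
        return "block"
    if score >= 30:
        return "step_up_mfa"
    return "allow"


if __name__ == "__main__":
    scores, findings = risk_scores(BASELINE_EVENTS, NEW_EVENTS)
    for user, score in scores.items():
        print(f"{user}: risk={score} -> {access_decision(score)}")
        for reason in findings[user]:
            print(f"  - {reason}")
```

Two points the sample data is built to show. The same VIP lookup scores 40 points for the pediatrics nurse and zero for the neurologist on the care team, so the decision is driven by context, not by the record alone. And the `reasons` list travels with the score: an access control that steps up or blocks a clinician needs to be able to tell the privacy officer why, and a bare number cannot. In production the weights would come from the learned model and the score would decay over time rather than accumulate without bound.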


Open Choice Big Data Platform

Gurucul Risk Analytics works with all major big data platforms, making it easier to ingest both structured and unstructured data and to compile public, clinical and claims information in any data format.

Allina Health Customer Testimonial

“We leveraged the power of Gurucul to identify what people should be looking at from a care perspective. A physician or nurse may not have a need to go look up a VIP they’re not providing care for at that time. It helps us to manage the patient privacy issues.”

– William Scandrett, CISO, Allina Health
