
The healthcare industry is a target for malicious attackers given the type of data that payers and providers hold. It’s a challenge across the industry to implement adequate data security controls as well as access management controls to ensure that malicious attackers are not able to gain access. Gurucul offers advanced security analytics to address a broad range of security issues facing healthcare providers and payers.
Staying ahead of the attackers is always the biggest challenge in the industry. Don’t look to compliance regulations for inspiration regarding what sort of controls to develop for the future. Instead, take a risk-based approach. Look at what cybercriminals are doing. What are the threats and evolving attack techniques they are using? Then, identify controls based on those threats. Make sure you can respond with innovative controls in a timely enough manner to prevent or mitigate cyber risks.
The Gurucul REVEAL Security Analytics Platform is a behavior-based security analytics and intelligence platform that enables healthcare organizations to implement model-driven security to address cyber risk. The platform leverages more than 4,000 machine learning models powered by data science to produce actionable risk intelligence. It does not rely on signatures, rules or patterns. It is designed – from the ground up – to identify zero-day threats and to provide both contextual and situational awareness.
Employees may view the records of other employees. Employees may also search for and view the records of friends and relatives. Employees who discover interesting patient records may share that information, either as gossip or as the records themselves.
Providers can identify high-risk profiles with risk-based analytics, data mining, anomaly, and behavior detection. Tools can help security teams by creating a baseline using profiling attributes from HR records, activities, access records, log management solutions and more.
Quickly detecting the access and user behavior associated with this type of breach can limit the distribution of PHI.
Healthcare employee accounts come with privileges and access to PHI. Enterprises trust employees to behave appropriately. When someone other than the employee has access to an employee account all bets are off.
Identity theft is one of the greatest threats to any enterprise. User accounts with unnecessary privileges are especially dangerous. Compromise can be detected by ingesting data sources such as DLP and data classifications to uncover essential data locations, access, and application activity. Risk scoring DLP alerts is a primary benefit of UEBA machine learning, significantly reducing alert fatigue and prioritizing remediation.
Employee access to VIP health records can be particularly tempting. Using behavioral analytics, enterprises can ensure employees have appropriate access for member care. Behavioral analytics can identify physicians and nurses who should not have access to VIP records, but do.
If an employee with a low risk score initiates an application session from a recognized location with a known device, the run-time risk score would remain in a safe zone. As a trusted employee, they could be granted passthrough access without additional authentication. If the same employee begins exhibiting abnormal behaviors, such as accessing private records or conducting unusual transactions, their real-time risk score would rise.
Risk-scoring employees and members may eliminate the need for authentication via passwords or biometrics. Dynamic Provisioning allows continuous monitoring of identity behavior to dynamically assess enterprise risk. Once an employee exceeds pre-set thresholds and reaches high-risk status, automated access responses can escalate authorization requirements, including enforcing MFA and locking the account.
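As an added illustration of the threshold-driven access response described above (example code written for this page, not Gurucul's platform code), the snippet below scores a session from its context and observed behaviors and maps the score to passthrough, MFA or lock. The thresholds, signal weights and event names are constructed assumptions, since the page names thresholds but gives no values.

```python
from dataclasses import dataclass, field

# Pre-set thresholds; constructed values for illustration only.
MFA_THRESHOLD = 50    # at or above this, step-up authentication is enforced
LOCK_THRESHOLD = 80   # at or above this, the account is locked

# Hypothetical weights for the context and behavior signals the page names.
CONTEXT_WEIGHTS = {"unknown_device": 25, "unknown_location": 20}
BEHAVIOR_WEIGHTS = {
    "private_record_access": 30,   # e.g. a VIP record the role should not touch
    "unusual_transaction": 20,
}


@dataclass
class Session:
    user: str
    baseline_risk: int            # standing score from prior behavior (0-100)
    known_device: bool
    known_location: bool
    events: list = field(default_factory=list)
    score: int = 0

    def __post_init__(self):
        # Run-time score starts from the identity's baseline and is raised
        # when the session context is not recognized.
        self.score = self.baseline_risk
        if not self.known_device:
            self.score += CONTEXT_WEIGHTS["unknown_device"]
        if not self.known_location:
            self.score += CONTEXT_WEIGHTS["unknown_location"]
        self.score = min(self.score, 100)


def decide(session):
    """Map the current run-time score to an automated access response."""
    if session.score >= LOCK_THRESHOLD:
        return "lock"
    if session.score >= MFA_THRESHOLD:
        return "mfa"
    return "passthrough"


def observe(session, event):
    """Raise the score for an abnormal behavior and return the new response."""
    session.events.append(event)
    session.score = min(100, session.score + BEHAVIOR_WEIGHTS.get(event, 0))
    return decide(session)


def run_demo():
    # Trusted employee, known device and location: starts in the safe zone,
    # then escalates as abnormal behaviors accumulate during the session.
    s = Session("nurse01", baseline_risk=10, known_device=True, known_location=True)
    trail = [decide(s)]
    for ev in ("private_record_access", "private_record_access", "unusual_transaction"):
        trail.append(observe(s, ev))
    return trail
```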
If an employee (or someone in control of their account) decides to move data out of your enterprise, this likely includes multiple steps. Once they have access, the next behavior is ‘farming’. This is the collection of data and packaging data for transport. Farming behavior may touch resources both inside your corporate network and those in the cloud. Packaging may occur on a provisioned system or shared disk partition. Increasingly, these resources and activities are cloud based.
The platform's User and Entity Behavior Analytics (UEBA) tracks all the employees, members, and resources in your environment, whether on-premises or in the cloud. This breadth of visibility makes it possible to assemble all the activities and recognize the behavior as a threat.
Once an identity has ‘farmed’ and packaged data for transport, it may need to pass through a mail transfer agent (MTA) firewall. Informed by the high risk score of previous suspicious activity, a model-driven security environment could autonomously identify the risk of forwarding that email and escalate the event for investigation.
“UEBA is one of the most powerful new security controls to emerge in recent memory. I believe that most – if not all – our technical security controls will have some element of UEBA associated with it. I view this as a very strategic shift for Aetna security, and I think that the rest of the industry will be following as well.”
– Kurt Lieber, CISO, Aetna
Fraud costs healthcare organizations millions of dollars each year. On a larger scale, healthcare Fraud, Waste, and Abuse (FWA) costs over $75 billion each year. Over the last few years, healthcare FWA has cost large healthcare organizations billions of dollars. Some estimates put this number at over $500 billion.
On the member side, fraud affects more than 2 million individuals annually; some are victims of medical identity theft and pay close to $20,000 in fraud per victim on average. Categories for fraud analytics include:

| Category | Scope of analysis |
| --- | --- |
| Claim-centric | Confining analytics to data within the claim. Does the claim make sense in the context of coding and payment? Does the claim make sense for this member considering their age, gender, and diagnosis? |
| Member-centric | Confining analytics to data within the history of this member. |
| Provider-centric | Confining analytics to data within this provider or hospital. |
| Network-centric | Confining analytics to data within the network of peers, both members and providers. |

These categories share common elements:
Benefits:
These costs impact not only large healthcare organizations, in terms of lost revenue, but also the average member, since every dollar spent on fraud cases reduces the money available to improve the quality of care for honest members and providers.
Healthcare organizations feel the brunt of the problem from both providers, who try to make money by falsifying the services they provide, and members, who try to get free services by impersonating other members.
Systems are available to administer complex sets of rules for current practices in diagnosis and procedure coding. However, they lack the integration of billing and financial activities. A comprehensive approach to fighting fraud must include the following elements:
Provider fraud constitutes about 90% of the FWA bucket. These fraudulent practices are designed to produce additional profit for the provider using some of the methods listed below:
Although a smaller part of the overall FWA bucket, member fraud is widely prevalent. In the last decade, between 250,000 and 500,000 individuals have been victims of this escalating crime.
Some of the ways member fraud is committed are:
The REVEAL Platform provides a holistic, risk-based approach to fraud detection for both internal and external users, using award-winning machine learning algorithms and an open big data architecture.
First-generation data models were used to identify fraud and abuse. However, these techniques rely on historical data and statistical models to predict fraud in a community or area. Machine learning and advanced data analytics provide a way to analyze large volumes of data and predict anomalous behavior, which can help prevent large-scale fraud. Data analytics can also risk-score individual users, members and entities, providing meaningful information on potentially risky users and real-time analysis of user behavior.
Real-Time Transactional Surveillance. The platform uses real-time and near real-time ingestion for transactional surveillance and can identify potentially fraudulent transactions on the fly. Near real-time analytics allow timely identification and disposition of both provider and member fraud cases.
Cross-Claims Analysis. The platform uses its proprietary Link Analysis® to identify and link transactions across claims and map them to users and provider entities. This linkage provides a historical and current view of all transactions for a member and of claims submitted by providers. The platform provides a consolidated view of transactions related to patients and provider entities, and this data is also used by the platform's machine learning algorithms to provide real-time predictive detection.
Linking Non-Claims Data to Claims Data. The platform can link claims data with non-claims and clinical data to provide a composite view of the patient's condition and highlight unusual transactions based on user and historical community profiles. The platform can analyze public records, mine and normalize data, and score a provider's risk of fraud and abuse.
Out-of-the-Box Healthcare Fraud Use Cases.
The following use cases are provided out of the box for healthcare members:
The depth and range of use cases fundamentally define the areas of expertise and functionality of user and entity behavior analytics vendors. This factor is an important qualification when choosing a solution partner. A broad selection of use cases gives customers assurance that their advanced security analytics requirements will be addressed comprehensively, today and into the future.
Gurucul’s Next-Gen SIEM leverages AI-driven data pipeline management to normalize, enrich, and analyze third-party telemetry, reducing risk while increasing insight.