Automate Front Line Security Controls with Machine Learning Models and Risk Scoring


The healthcare industry is a target for malicious attackers given the type of data that payers and providers hold. It’s a challenge across the industry to implement adequate data security controls as well as access management controls to ensure that malicious attackers are not able to gain access. Gurucul offers advanced security analytics to address a broad range of security issues facing healthcare providers and payers.

A Risk-Based Approach

Staying ahead of the attackers is always the biggest challenge in the healthcare industry. Don’t look to compliance regulations for inspiration regarding what sort of controls to develop for the future. Instead, take a risk-based approach. Look at what cyber criminals are doing. What are the threats and evolving attack techniques they are using? Then, identify controls based on those threats. Make sure you can respond with innovative controls in a timely enough manner to prevent or mitigate cyber risks.

User and Entity Behavior Analytics (UEBA)

UEBA provides the most realistically effective approach to comprehensively manage and monitor user and entity centric risks. UEBA quickly identifies anomalous activity, thereby maximizing timely incident or automated risk response. The range of Gurucul UEBA use cases is what makes the solution extensible and valuable. It focuses on the detection of risks and threats beyond the capabilities of signatures, rules and patterns.

“UEBA is one of the most powerful new security controls to emerge in recent memory. I believe that most – if not all – our technical security controls will have some element of UEBA associated with them. I view this as a very strategic shift for Aetna security, and I think that the rest of the industry will be following as well.”

– Kurt Lieber, CISO, Aetna

Key Security Analytics Use Cases in Healthcare

Insider Threat

Healthcare companies face their largest threat from malicious insiders misusing or gaining unauthorized access to patients’ sensitive data (including PII and PHI). According to the 2018 Protected Health Information Data Breach Report, healthcare is the only industry where insider threats pose the greatest threat to sensitive data; 58% of incidents stem from insiders. According to the 2018 Verizon Data Breach Report, “the Healthcare industry has the dubious distinction of being the only vertical that has a greater insider threat (when looking at breaches) than it does an external threat.”


Typical Insider Activities

  • Patient record “snooping” – viewing medical records of friends, family, neighbors
  • Sensitive data exfiltration to personal ids, competition or bad actors
  • Print/Download/Export activity including patient records and reports
  • Stealing VIP medical records
  • Unauthorized access to patient data from unrelated departments (e.g. pediatrics nurse accessing records from neurology)
  • Unusual access to medical devices from suspicious devices, users and network IP addresses

All of these activities can be detected by monitoring activity logs from Electronic Medical Records (EMR) systems, such as Epic, Allscripts, Cerner and GE, combined with logs from IT platforms such as proxies, firewalls, VPNs and Windows/Active Directory.

Healthcare Provider and Consumer Fraud

Healthcare provider and consumer fraud costs organizations millions of dollars each year. On a larger scale, healthcare Fraud, Waste and Abuse (FWA) costs over $75 billion each year. Over the last few years, large healthcare organizations have spent billions of dollars on FWA; some estimates put this number at over $500 billion.

On the consumer side, more than 2 million people have been impacted by some form of medical identity theft. Victims have paid close to $20,000 in fraud-related costs on average.

These costs not only impact large healthcare organizations in terms of lost revenue, but also the average consumer. Every dollar lost to fraud reduces the money available to improve the quality of care for honest customers and providers. Healthcare organizations feel the brunt of the fraud problem from two primary actors they deal with:

  • Providers, who are trying to make money by falsifying the services they provided
  • Consumers, who are trying to get free services by impersonating other consumers

Provider Fraud

Provider fraud constitutes the majority of the FWA bucket. These fraudulent practices are designed to produce additional profits for the healthcare provider through methods such as those listed here.

Key Fraud Use Cases

  • Billing for services not provided
  • Threatening to bill members if insurers don’t pay full price
  • Billing for a non-covered service as a covered service
  • Falsifying service data
  • Abnormal waiving of deductibles and/or co-payments
  • Incorrect reporting of diagnoses or procedures (includes unbundling)
  • Prescribing unnecessary drugs / drug diversion

Consumer Fraud

Although a smaller part of the overall FWA bucket, consumer fraud is widely prevalent. In the last decade, between 250,000 and 500,000 individuals have been victims of this escalating crime.

Key Fraud Use Cases

  • Medical Identity Theft: availing medical services using a stolen identity
  • Falsifying claims from non-existent providers/clinics or duplicate claims filing under different names
  • Unusual claims submissions from numerous geolocations/accounts
  • Money Laundering: consistently diverting an insignificant amount of disbursement funds to a fraudulent account
  • HSA Account Takeover: compromise online account, submit false claims, modify bank account details and disbursements

How Advanced Security Analytics Can Help

First-generation data models have been used in the past to identify fraud and access abuse. However, these techniques rely on simple signature-driven models, or on historical data and statistical models that detect individual events which then need to be analyzed and manually linked together. This process is time consuming and prone to human error.

Machine Learning and advanced security analytics provide a way to analyze large volumes of data and predict anomalous behavior that can help prevent large scale frauds and detect insider threats. In addition, security analytics can detect anomalous behaviors and risk score individual users, consumers and entities, providing meaningful information on potential risky situations in real time.

Gurucul Risk Analytics (GRA) provides a holistic risk-based approach to detecting insider threats and fraud for internal and external users using award-winning machine learning algorithms and an open big data architecture. Gurucul’s risk engine creates a unique risk score for each user, customer or provider using context driven sensors from public and private data transactions. Gurucul’s open big data platform ingests both structured and unstructured data and aggregates risk context for intelligent detection of fraud and insider threats.

Machine Learning and Next Generation Predictive Models

Gurucul Risk Analytics uses machine learning and predictive models to identify potentially malicious behavior and predict potential fraud. Machine learning uses historical data to create behavior baselines for users and entities. These baselines are used to identify deviations from established patterns. The behavior baselines are self-adjusting and change as user behavior changes.

Real-Time Transactional Surveillance

Gurucul Risk Analytics uses real-time and near-real-time processing techniques for transactional surveillance and can identify potentially fraudulent transactions and insider threats on the fly. Near-real-time analytics allows timely identification and disposition of employee-, provider- and member-based incidents.

Link Analysis

Gurucul Risk Analytics uses its proprietary Link Analysis® to identify and link transactions across claims and map them to users and provider entities. This linkage provides a historical and current view of all transactions for a member and of claims submitted by providers. GRA provides a consolidated view of transactions related to patients and provider entities. This linked data is also used by GRA machine learning algorithms to provide real-time predictive detection.

Linking Non-Claims Data to Claims Data

Gurucul Risk Analytics can link EMR data with non-claims data and clinical data to provide a composite view of a patient’s condition and highlight unusual transactions based on user and historic community profiles. The GRA platform can analyze public records, mine and normalize data and score provider risk of fraud and abuse.

Custom Models and Use Cases

Gurucul Risk Analytics comes with Studio®, a feature that provides the capability to create custom behavioral models within GRA. This feature provides a simplified interface allowing customers to create or modify models without needing to know the complexities of data science and modelling. This is particularly helpful for Healthcare customers in creating their own models based on custom applications and proprietary schema without hiring or engaging data science or development teams.

Risk-based Access Control

Gurucul Risk Analytics provides a dynamic risk score based on user/entity behavior, which can be used to orchestrate access control decisions. Automate the enforcement of step-up authentication and MFA, or restrict access to certain data elements, transactions or capabilities based on the risk score.
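To make the baseline-and-deviation idea and the risk-score-driven access decision concrete, here is an added example (not Gurucul's code or schema): it learns a per-user baseline from constructed EMR access events, scores new events against the insider-threat activities listed above (cross-department access, first bulk print/export, VIP records outside the user's department), and maps the score to allow / step-up MFA / block. The event tuple layout, the point values and the 30/70 thresholds are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample events (this page's EMR-log use case, not Gurucul's schema):
# (user, user_dept, patient_dept, action, patient_is_vip)
HISTORY = [
    ("nurse_a", "pediatrics", "pediatrics", "view", False),
    ("nurse_a", "pediatrics", "pediatrics", "view", False),
    ("nurse_a", "pediatrics", "pediatrics", "view", False),
    ("doc_b", "neurology", "neurology", "view", False),
    ("doc_b", "neurology", "neurology", "export", False),
]

def build_baselines(events):
    """Learn, per user, which patient departments and actions are normal."""
    base = defaultdict(lambda: {"depts": Counter(), "actions": Counter()})
    for user, _udept, pdept, action, _vip in events:
        base[user]["depts"][pdept] += 1
        base[user]["actions"][action] += 1
    return dict(base)

def score_event(event, baselines):
    """Additive risk score; each deviation maps to an insider-threat use case."""
    user, udept, pdept, action, vip = event
    b = baselines.get(user, {"depts": Counter(), "actions": Counter()})
    score, reasons = 0, []
    if pdept not in b["depts"]:  # e.g. pediatrics nurse reading neurology charts
        score += 40
        reasons.append(f"first access to {pdept} records")
    if action in ("print", "download", "export") and action not in b["actions"]:
        score += 30
        reasons.append(f"first bulk {action}")
    if vip and pdept != udept:  # VIP record outside the user's own department
        score += 50
        reasons.append("VIP record outside own department")
    return score, reasons

def access_decision(score):
    """Risk-based access control: map the score to an enforcement action (assumed thresholds)."""
    if score >= 70:
        return "block_and_alert"
    if score >= 30:
        return "step_up_mfa"
    return "allow"

def learn(baselines, event):
    """Self-adjusting baseline: fold in an event once it is dispositioned as benign."""
    user, _udept, pdept, action, _vip = event
    b = baselines.setdefault(user, {"depts": Counter(), "actions": Counter()})
    b["depts"][pdept] += 1
    b["actions"][action] += 1
```

After an analyst marks a flagged event benign, `learn` folds it into the baseline so the same behavior stops scoring, which is the self-adjusting property described above.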

Open Choice Big Data Platform

Gurucul Risk Analytics works with all major big data platforms to make it easier to ingest both structured and unstructured data, and can compile public clinical and claims information in any data format.

Allina Health Customer Testimonial

“We leveraged the power of Gurucul to identify what people should be looking at from a care perspective. A physician or nurse may not have a need to go look up a VIP they’re not providing care for at that time. It helps us to manage the patient privacy issues.”

– Bill Scandrett, CISO, Allina Health
