1.
How Artificial Intelligence
Can Overcome Healthcare
Data Security Challenges
and Improve Patient Trust

2.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
Artificial Intelligence Increases Healthcare Security
This report is based on a 2018 Healthcare Analytics Summit presentation
given by Robert Lord, president and cofounder of Protenus, “Privacy
Analytics: A Johns Hopkins Case Study—Using AI to Stop Data Breaches.”
Robert Lord
Co-founder & President
Protenus

3.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
Some security experts claim that an individual’s
medical record can be sold for ten times what
their credit card goes for on the black market,
making it a common target for hackers.
Implementing privacy analytics to improve
healthcare data security across the
industry is critical in healthcare today,
as more questions than answers arise
about patient privacy and security.
Artificial Intelligence Increases Healthcare Security

4.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
Johns Hopkins put into practice an artificial
intelligence (AI) application to produce a highly
accurate privacy analytics model that reviewed
every access point to patient data and detected
when the EHR was potentially exposed to a
privacy violation, attack, or breach.
Specific techniques, including supervised and
unsupervised machine learning and
transparent AI methods, advanced Johns
Hopkins toward its predictive, analytics-based,
collaborative privacy analytics infrastructure.
Artificial Intelligence Increases Healthcare Security

5.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
With a secure, analytics-driven digital health
system, Johns Hopkins overcame a universal
barrier to delivering quality care among health
systems: patient trust.
Breaches are perilous to healthcare
organizations because they immediately
jeopardize patient trust, resulting in patients
withholding important health information from
providers.
Without a full picture of patient health, clinicians
can’t provide holistic care to patients, resulting
in a subpar healthcare experience for both
those receiving and delivering care.
Healthcare Data Security and the Struggle
for Patient Trust

6.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
Patients are initially reluctant to share
information with providers because they don’t
know who can access their information, and
they’re uncertain how health systems keep
patient data safe and secure.
Data breaches have doubled in the past
decade, which erodes patient trust and leads
patients to seek care from another provider or
organization, potentially resulting in a
considerable loss to a health system over time.
Healthcare Data Security and the Struggle
for Patient Trust

7.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
According to a case study from Johns
Hopkins, most data breaches in clinical
systems (e.g., loss, theft, insider breaches,
etc.) originate from an organization’s
employees, not an outside hacker stealing
data on a personal computer.
The most common offenders are health
system staff and clinicians who have
access to the organization’s EHR.
EHRs and Common Security Pitfalls

8.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
EHRs are designed to grant access to
large groups of people, which means
taking aggressive measures to prevent
security breaches has its challenges:
1. Checking boxes for HIPAA versus
comprehensive review
2. Overworked privacy and security officers
3. Concerns around expanding access
4. The original state of privacy programs and
antiquated systems
EHRs and Common Security Pitfalls

9.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
1: Checking boxes for HIPAA versus comprehensive review
EHRs and Common Security Pitfalls
Johns Hopkins leaders and clinicians were
busy checking boxes to appease the regulators
at the Office for Civil Rights under the U.S.
Department of Health and Human Services
(HHS)—the institution responsible for enforcing
HIPPA—rather than thoroughly reviewing every
flagged record.
Lack of an in-depth, comprehensive review
also prevented organizations from proactively
searching for data breaches; rather, they had to
wait until they received a notification about
suspicious activity.

10.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
2: Overworked privacy and security officers
EHRs and Common Security Pitfalls
Time-consuming, laborious data
security processes require the privacy
and security workforce to focus on
sifting through breach data rather than
using their critical thinking skills and
human judgment on more vital tasks,
such as deciding which red flags are
worthy of follow-up.

11.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
3: Concerns around expanding access
EHRs and Common Security Pitfalls
Healthcare organizations are rapidly growing
and increasing their workforce, granting more
people access to the EHR.
Yet, in the midst of growing numbers, privacy
and security measures haven’t advanced.

12.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
4: The original state of privacy programs and antiquated systems
EHRs and Common Security Pitfalls
Traditional systems have their own share of
challenges, including:
• retroactive—rather than proactive—investigations
• high rates of false positives
• lack of data source aggregation capabilities
• slow search queries
• lack of visualization tools
These issues hinder an organization’s ability to
explore workflows and improve the privacy
breach identification processes.

13.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
A New Approach to Privacy Analytics
With its ability to accurately collate, analyze, and
review mass amounts of information, AI creates
a highly correct privacy model that helps
organizations overcome these common
healthcare data security roadblocks.
The privacy analytics approach at Johns
Hopkins allowed leadership to:
• Review all data logs accurately.
• Create a collaborative, interdisciplinary initiative
across the organization that eliminated data silos.
• Forge a sustainable path for long-term privacy
analytics to transform the future of privacy
analytics in healthcare.

14.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
A New Approach to Privacy Analytics
To achieve this higher caliber of privacy analytics
management, Johns Hopkins carefully identified its key
performance indicators (KPIs) and used them to
overcome the organizational inertia that impedes
change in large institutions.
Johns Hopkins used five KPIs to measure success:
1. What are the threats we discover?
2. What is our false-positive rate?
3. What is the burden of our current tool maintenance?
4. What is the investigation time?
5. What is the overall reduction in privacy threats overtime?

15.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
A New Approach to Privacy Analytics
The organization’s new privacy analytics
platform—aimed at improving healthcare data
security—opened the lines of communication
for the privacy and security teams, allowing
them to work more closely together.
The collaborative effort helped the
security team by eliminating the
manual work the old system
required to identify insider threats,
phishing, and credential sharing,
which made it easier for the
privacy team to complete
investigations and audits.

16.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
A New Approach to Privacy Analytics
At first, Johns Hopkins employees
questioned the new monitoring
process and worried that leadership
lacked trust in the workforce.
They soon discovered, however, the
new security platform empowered
team members and even cleared up
miscommunications.

17.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
A New Approach to Privacy Analytics
The positive experience with the new
data platform built trust among Johns
Hopkins team members, many of whom
were also patients at the health system.
The innovative security platform also
allowed the senior leadership team at
Johns Hopkins to see the big picture
and work toward their real objective:
• retain patients
• build trust with the community

18.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
Elements Driving Cost of Healthcare Data Security
To evaluate the total cost of ownership of the new platform, Johns Hopkins
leadership evaluated the major factors affecting its healthcare data security
and privacy:
The current software
cost compared to the
new platform cost.
The effect of the
new platform on the
current number of
full-time employees
(FTEs), especially
the “silent” FTEs who
often go unnoticed.
The cost of outside
firms to resolve
discrepancies in
data, delays in
response time, and
fine regulation
violations.
Most importantly,
the cost of losing
patients due to the
degradation of
patient trust that a
data breach creates.

19.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
Why Compliance Analytics Is So Effective
The results Johns Hopkins saw in its privacy
and security processes were irrefutable—
traditional investigations took 75 minutes,
while investigations conducted on the new
platform took only five minutes, saving over
one hour for every investigation.
The false-positive rate dramatically dropped
from 83 percent to an astounding three
percent with the new platform, meaning
that nearly every notification was a real
data breach

20.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
Why Compliance Analytics Is So Effective
The time Johns Hopkins’ security and privacy
team members saved with the new platform,
and the intense decrease in false positives, led
to dramatic improvements in the workflow and
more time for employees to work on projects
requiring critical thinking and human judgment.
Improvements in three core components
transformed the cultural and workflow
challenges at Johns Hopkins:
1. Scale
2. Complexity
3. Automation

21.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
Why Compliance Analytics Is So Effective
1: Scale
Compliance analytics fosters data
integration because it brings together
all the information needed to solve a
problem in one place.
The enterprise-wide solution also
serves a variety of compliance
interests across the health system.
Most importantly, it allows the
organization to review all records
instead of reviewing a sliver of records.

22.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
Why Compliance Analytics Is So Effective
2: Complexity
The sophisticated platform was equipped to handle the nuances of each
case, making it easy to identify abnormal behaviors (e.g., the AI behavioral
dashboard, Figure 1).
Figure 1: The AI behavior dashboard.

23.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
Why Compliance Analytics Is So Effective
2: Complexity
Rather than following the rigid para-
meters of a rules-based system that
lead to high rates of false-positives, the
new system’s distribution capabilities
allow organizations to focus on the most
unusual threats, which they can adapt to
a non-standard distribution list (common
for providers who wear many hats and
don’t fit one single description).

24.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
Why Compliance Analytics Is So Effective
2: Complexity
Compliance analytics are as fluid as the
roles in healthcare positions across the
continuum of care—from a medical
assistant, physician, and nurse to a
research assistant.
Rather than manually assigning a team
member to a role (e.g., Dr. Jones is a
family practice physician), the
distribution of activities in the EHR
defines the role of the individual.

25.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
Why Compliance Analytics Is So Effective
2: Complexity
For example, if Dr. Jones spends most of
her time looking at information that would
indicate that she is an OB/GYN, then the
AI platform will automatically assign her
the role of OB/GYN, as well as other roles
based on her distribution activity.

26.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
Why Compliance Analytics Is So Effective
3: Automation
Automation within the compliance
analytics system didn’t remove the need
for staff, but it leveraged their judgment
capabilities so that team members could
focus on tasks that add value, instead of
wasting time on automatable tasks (e.g.,
sifting through false-positives).

27.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
The Power of Automation Combined with
Human Judgment
The automation factor of the compliance
analytics platform enables team members
to apply critical thinking and judgment to
improve an organization.
The powerful combination of automation
and team members at Johns Hopkins
offers three major benefits:
1. Natural language cases
2. Automated emails
3. Documentation and comprehensive logs

28.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
The Power of Automation Combined with
Human Judgment
1: Natural language cases
Gathering facts, documenting cases, and
submitting them to a compliance officer
was a time sink for the workforce.
The compliance analytics platform provides
a natural language note, including the
information an employee needs to submit
a ticket to a compliance offer.
When there is a data breach, the team
member can print the ticket directly from
the platform. The printed document
initiates the investigation.

29.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
The Power of Automation Combined with
Human Judgment
2: Automated emails
Gathering facts, documenting cases,
and submitting them to a compliance
officer was a time sink for the
workforce.
The compliance analytics platform
provides a natural language note,
including the information an
employee needs to submit a ticket.
When there is a data breach, the
team member can print the ticket
directly from the platform. The printed
document initiates the investigation.

30.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
The Power of Automation Combined with
Human Judgment
3: Documentation and comprehensive logs
If AI lacks explanations as to why it
flagged a certain behavior, it’s not helpful.
The cutting-edge solution eliminates the
“blackbox” of AI and explains why
something is flagged, looks risky, or is
identified as anomalous behavior, allowing
organizations to tackle security concerns
in a transparent way, shown in Figure 1.

31.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
The Power of Automation Combined with
Human Judgment
Healthcare data security and privacy is an
increasingly critical issue in healthcare today
and, when handled poorly, can cost millions.
Ponemon Institute and IBM Security
conducted a global survey that revealed a
data breach costs an organization up to
$6.45 million on average.
Healthcare systems can proactively
prevent security breaches, and their far-
reaching effects, with AI-enabled platforms
that provide clear solutions for long-lasting
security and privacy changes.

32.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
The Power of Automation Combined with
Human Judgment
When organizations systematically evaluate their privacy
and security risks, it is easy to overlook best practices
and focus only on the “checkboxes” of the law.
However, these efforts can be futile.
Real change that leads to a long-
term paradigm shift occurs when
organizations evaluate and follow
through with best practices, such
as auditing every access point
and accurately presenting cases
rather than reports.

33.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
The Power of Automation Combined with
Human Judgment
John Hopkins proved it is possible to overcome
the privacy and security stagnation that develops
from years of repetitive, routine procedures.
It shifted from a rule-based data breach defense
system to an analytics-centered paradigm.

34.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
The Power of Automation Combined with
Human Judgment
The keys to success included an effective
framework that fostered a compliance
analytics-first environment and leadership’s
ability to identify the appropriate tools to
evaluate privacy and security analytics in
the context of their own organization.

35.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
For more information:
“This book is a fantastic piece of work”
– Robert Lindeman MD, FAAP, Chief Physician Quality Officer

36.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
More about this topic
Link to original article for a more in-depth discussion.
How Artificial Intelligence Can Overcome Healthcare Data Security Challenges and Improve
Patient Trust
Customer Journey Analytics: Cracking the Patient Engagement Challenge for Payers
Health Catalyst Editors
Reducing Hospital Readmissions: A Case for Integrated Analytics
Health Catalyst Editors
Meaningful Machine Learning Visualizations for Clinical Users: A Framework
Valere Lemon, MBA, RN, Senior Subject Matter Expert; Alejo Jumat, User Experience Designer, Sr.
The Future of Healthcare AI: An Honest, Straightforward Q&A
Health Catalyst Editors
Machine Learning in Healthcare: What C-Suite Executives Must Know to Use it Effectively in Their
Organizations — Eric Just, Senior Vice President and General Manager, Product Development
Levi Thatcher, VP, Data Science; Tom Lawry, Director, Worldwide Health, Microsoft

37.
© 2019 Health Catalyst
Proprietary. Feel free to share but we would appreciate a Health Catalyst citation.
Other Clinical Quality Improvement Resources
Click to read additional information at www.healthcatalyst.com
Health Catalyst is a mission-driven data warehousing, analytics and outcomes-improvement company
that helps healthcare organizations of all sizes improve clinical, financial, and operational outcomes
needed to improve population health and accountable care. Our proven enterprise data warehouse
(EDW) and analytics platform helps improve quality, add efficiency and lower costs in support of more
than 65 million patients for organizations ranging from the largest US health system to forward-thinking
physician practices.
Health Catalyst was recently named as the leader in the enterprise healthcare BI market in
improvement by KLAS, and has received numerous best-place-to work awards including Modern
Healthcare in 2013, 2014, and 2015, as well as other recognitions such as “Best Place to work for
Millenials, and a “Best Perks for Women.”