Patient Data Compromise

Protecting Patient Data with Behavior Analytics


The healthcare sector is in crisis. Stolen healthcare records are worth ten times more than credit card numbers on the black market, and hackers are following the cash. A recent Ponemon report, commissioned by ID Experts, estimates that data breaches cost the healthcare industry $6.2 billion over the last two years, as some 79 percent of healthcare organizations were hit with two or more data breaches. Today, more than one third of the U.S. population is a victim of stolen healthcare information.


Securonix is the industry-leading innovator behind big data analytics that predict, prevent and detect electronic medical record snooping, theft and fraud. Its solutions leverage the latest advances in user and entity behavior analytics (UEBA), machine learning and artificial intelligence to identify real threats to patient data, automatically and accurately, in near-real time.

At the core of the big data platform is a machine-learning engine that establishes baselines of normal entity behavior and flags suspicious behavior outliers. An entity could be a person, network, system, endpoint or device.


The analytic engine ingests data from a variety of sources – security logs and SIEMs are examples – to build an understanding of entity context. This sophisticated machine learning capability enables Securonix to weed out false positives and understand which behaviors represent true threats. Every access point to patient data is continuously analyzed to detect patterns that may be suspicious. These analytic capabilities utilize several patented algorithms and techniques that are packaged into threat models and deployed out-of-the-box. Organizations can edit and customize the threat models to meet their unique needs.

Key Use Cases

  • Family, Self, and Neighbor Snooping

  • Co-Worker Snooping

  • VIP Snooping

  • Data Snooping – Employee & Transaction Profiling

  • Time, Age, and Location-Based Anomalies

Traditional, rule-based tools rely on comparing names and address strings to detect snooping attempts on records belonging to family members, neighbors or one’s self. Such methods are prone to false positives because of common names and the inconsistent ways employees enter address information into different systems. Securonix data snooping analytics go beyond names and addresses, leveraging more comprehensive contextual information including but not limited to geo-coordinates, social profiles, age and sex. The result: Securonix determines real incidents of data snooping without the false positives.

Co-worker snooping detection is always tricky – especially for larger healthcare organizations where employees are likely to use the medical services provided by the healthcare facility they work for. Securonix resolves this complication with machine learning techniques that leverage peer group comparisons to detect linkages between patient and doctor. For example, if the doctor and patient both work for the same medical facility, there is a likelihood that they know each other.

Securonix uses entity-based analytics to pivot on patient data that has been accessed in an unusual pattern, uses a combination of publicly and privately available information to determine whether the patient is a VIP such as a celebrity or politician, and then automatically boosts the risk-rating of such patients. Securonix also provides customers with watch list capabilities to flag known VIPs and enables special monitoring for such patients.

Clinical applications record millions of transactions every day, and most of these are legitimate activities. To detect the “needle in the haystack,” it is important to analyze each actor that performs each activity. Securonix out-of-the-box content contains predefined actor identifications, critical transactions, and expected access patterns. For example, if an employee works in an outpatient clinic and performs a rare inpatient activity, that activity will be flagged as an anomaly.

In addition to profiling employee type and transaction, Securonix also profiles activity based on time, age groups of patients, location of patients and doctors and more to determine normal behavior across different dimensions. The threat model then leverages different indicators of compromise to identify suspicious actors or activity.
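As an added illustration (not Securonix code), here is the actor and transaction profiling and the time-based anomaly check described above, run over a constructed EMR audit log. It assumes the department is the peer group, that an activity is "expected" for a group only when at least two distinct members perform it, and the indicator weights are arbitrary.

```python
from collections import defaultdict
from datetime import datetime

# Constructed EMR audit-log sample (not real data):
# timestamp, user, department (peer group), activity, patient id
AUDIT_LOG = """\
2024-03-04T09:12:00 u101 outpatient CHART_VIEW p5001
2024-03-04T09:30:00 u101 outpatient LAB_QUERY p5002
2024-03-04T10:05:00 u102 outpatient CHART_VIEW p5003
2024-03-04T10:40:00 u102 outpatient LAB_QUERY p5004
2024-03-04T11:00:00 u103 outpatient CHART_VIEW p5005
2024-03-04T11:20:00 u103 outpatient LAB_QUERY p5006
2024-03-04T14:00:00 u201 inpatient ADMIT_ORDER p6001
2024-03-04T14:30:00 u202 inpatient ADMIT_ORDER p6002
2024-03-04T23:45:00 u101 outpatient ADMIT_ORDER p6003
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, dept, activity, patient = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "dept": dept, "activity": activity, "patient": patient})
    return events

def peer_baseline(events, min_peers=2):
    """Expected access pattern per peer group: activities performed by at
    least min_peers distinct members, so a single outlier cannot define normal."""
    performers = defaultdict(lambda: defaultdict(set))
    for e in events:
        performers[e["dept"]][e["activity"]].add(e["user"])
    return {dept: {act for act, users in acts.items() if len(users) >= min_peers}
            for dept, acts in performers.items()}

def score_events(events, business_hours=(7, 19), min_peers=2):
    """Return (event, indicators, risk score) for every event that fired an indicator."""
    baseline = peer_baseline(events, min_peers)
    weights = {"rare_activity_for_peer_group": 60, "outside_business_hours": 30}
    flagged = []
    for e in events:
        indicators = []
        if e["activity"] not in baseline[e["dept"]]:      # rare for this actor's peers
            indicators.append("rare_activity_for_peer_group")
        if not business_hours[0] <= e["ts"].hour < business_hours[1]:  # time anomaly
            indicators.append("outside_business_hours")
        if indicators:
            flagged.append((e, indicators, sum(weights[i] for i in indicators)))
    return flagged
```

On the sample, only the outpatient user's late-night ADMIT_ORDER is flagged, because both indicators fire on that one event.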

Easy Integration With Industry Standard Applications

Securonix ingests nearly unlimited volumes of data from a wide breadth of sources. In addition to traditional data sources such as SIEMs and security logs, it also connects easily and automatically to industry standard healthcare applications including but not limited to Epic, Cerner, Medicity, Allscripts and Meditech. The machine learning engine establishes baselines of normal behaviors within those applications such as logins, chart submissions, lab queries and clinical event queries, to name a few, and flags suspicious behaviors that could indicate noncompliant behaviors, record snooping or data theft.



Leveraging Non-Clinical Application Data

Other behavior-based threat detection tools only analyze activity logs on electronic medical records (EMR), but EMR access activity is a narrow scope of information. To effectively detect a data breach attempt and the extent of data compromise, security teams need network, application and behavior analyses that paint a more holistic picture.

Securonix understands where and how a malicious actor gained access, the actions s/he took afterward, and indicators of compromise across a variety of different data sources, then correlates the data and visualizes it all together. Securonix has developed threat models specifically for healthcare organizations and patient data protection that analyze events across a variety of data sources.

For example, here is a typical chain model of a phishing attack-based patient record compromise. Securonix is the only UEBA threat detection solution that can see the whole attack.



Dashboards and Reporting

Securonix provides healthcare-specific visualization, dashboards, and out-of-the-box reporting capabilities. The dashboards support role-based access to limit the information that an analyst can view based on the analyst’s user roles. Reports are standardized for various compliance needs and can easily be customized based on organizational needs.

With its strong analytic capabilities and industry know-how, Securonix is not only helping healthcare organizations with compliance needs, but also identifying real threats to patient records. Schedule a demo to get a deeper understanding of our industry leading privacy data analytics solution.