A recent Compliance Week story on how artificial intelligence could revolutionize compliance depicted how technology firms “are offering software platforms that promise to automate otherwise routine tasks and improve upon fraud detection audits, anti-money laundering protocols, and know-your-customer screening.” With the advent of cyber-security attacks, developers of advanced artificial intelligence security monitoring solutions have also emerged. However, understanding when and how often monitoring solutions should be executed presents trade-offs to be considered.
Legacy approaches to risk monitoring look for recognized threats by known signatures and pre-built event detection logic. Often these standby methods rest on technology confines and as a result are not aligned to business risk. These limitations can lead to serious detection challenges such as “data” overload (missing the important needles), “alert” overload (too many false alarms where all the needles look the same), along with gaps in skills needed to quickly analyze, recognize, and act on a real event. Trying to monitor every transaction or activity (though essential for some compliance and security functions) to manage threats can be just as ineffective as completely locking down all entry points in an attempt to secure everything.
New approaches to compliance monitoring and threat detection are needed. Successful threat detection and response starts with understanding your top risks, which can be a combination of business, regulatory, and technical risks, including known threats such as data breaches, industrial espionage, fraud, corruption, and disruption of business operations.
The simple pattern-matching approaches of the recent past are highly susceptible to both false positives and false negatives. Advances in machine learning and affordability of large-scale computing resources enable more sophisticated anomaly detection. In order to accomplish this new approach to threat detection, compliance professionals will need greater knowledge of core operational processes to understand a potential compliance incident’s business context. In short, the human element remains critical.
Privacy access monitoring for threat detection provides a straightforward example. Open-access environments, in which authenticated employees (i.e., those who have presented valid credentials) can access any patient’s record in the system, even if they are not treating that patient) are common across electronic medical record systems, despite their associated privacy risks. The choice to deploy an open-access environment instead of fine-grained access controls is often based on the need for caregivers to access information for continuity of care and in emergencies. For example, if access to a medical record is blocked, the caregiver will not be able to identify the patient’s medication allergies and, if given in an acute setting, certain medications may cause harm or even death. Many health organizations therefore have traded more granular patient privacy protections for health delivery utility and efficiency.
Keep in mind that tools and technologies are enablers—they are not the foundation of a robust monitoring program.As you move toward the use of compliance intelligence, behavioral analytics, and “Big Data,” first ask if more data feeds will lead to more alerts or even more noise, and whether analysts are just going to get buried.
In an open-access environment, privacy professionals must determine how to best monitor medical record access for inappropriate use. Privacy laws and organizational policies do not permit curious snooping in the record for those not on the patient treatment team. Manual auditing techniques are difficult to scale to meet the needs of modern healthcare volume, necessitating automated monitoring systems.
The process for reviewing a flagged access involves going through the patient’s medical chart to determine if the accessing employee had a clinical or operational reason to do so. This manual process takes time and often result in false positives that result in wasted staff effort and can be overwhelming to a privacy program. Machine-learning systems can leverage operational context to reduce false positives, decreasing the time to complete access reviews.
Health organizations are generally required to log every access to their electronic medical record for years, for security purposes, and to accommodate a patient’s right to know who has accessed their record. The challenge is monitoring these large logs. The systems typically record millions of accesses per week, limiting the capability and usefulness of manual auditing approaches. Because of the volume, privacy officials often deploy simple flags to focus on high-risk behavior such as employees accessing records of VIPs, co-workers, patients with the same last name, or family members.
Near real-time monitoring systems are delayed in their ability to alert on suspicious activities but are able to incorporate more clinical context than real-time systems. The addition of context drastically reduces false positive alerts, because the clinical context can be used to filter away accesses that occur for appropriate reasons. Moreover, by auditing for both appropriate and inappropriate accesses, the monitoring coverage drastically increases as the system can analyze more types of access. The ability to automatically audit and filter appropriate access using clinical context can mean the difference between practical management of potential breaches and drowning in alerts.
Reactive monitoring systems have many of the same benefits of near real-time systems, but suffer from long detection delays. Specifically, the system can utilize the complete clinical context to understand and identify suspicious activity, again resulting in broader monitoring coverage than real-time systems. However, breaches may have occurred for months without detection.
Building a compliance monitoring system
When developing (or selecting) a compliance monitoring system, compliance professionals need to bring the right people to the table and ensure that business leaders are actively engaged.
System responsiveness. Real-time monitoring systems are able to react quickly to suspicious activity and can notify compliance staff shortly after an event has occurred. Responsiveness is valuable when the time-to-react is imperative. However, it is important to understand the types of inappropriate activities real-time monitoring systems miss and the mistakes they can produce.
False positive rates. Given the need to respond quickly, real-time systems often look at the activities in isolation, without considering business context. Even if the real-time monitoring system could incorporate all context in its decision-making process, the information may not exist in the system at the time the activity takes place.
Coverage. It is further important to consider the types of activities that real-time systems are capable of detecting. If the monitoring system only uses previously specified flags, then the system will not be able to identify other types of inappropriate use.
Filtering appropriate behavior. One of the main benefits of near real-time and reactive monitoring systems is their ability to incorporate context into their decision-making processes and filter away appropriate accesses. The challenge will be defining how to accurately filter away appropriate behavior.
Recent published and peer-reviewed research has developed machine-learning methods to address monitoring challenges. These methods can intuitively filter away appropriate accesses by identifying connections between a patient and the employee accessing the patient’s record. Such explanation-based auditing systems can infer relationships from a hospital’s data, display them to a privacy officer for approval and, once approved, apply them to future accesses. Using this approach, machine-based learning systems have been shown to filter more than 95 percent of accesses, so staff can focus on truly suspicious behavior.
Keep in mind that tools and technologies are enablers—they are not the foundation of a robust monitoring program. As you move toward the use of compliance intelligence, behavioral analytics, and “Big Data,” first ask if more data feeds will lead to more alerts or even more noise, and whether analysts are just going to get buried.
As the use and sharing of data intensifies with a more connected economy (e.g. the Internet of Things), there is an ever-growing need for efficient and workable monitoring approaches. Many organizations can improve the risk alignment of compliance monitoring as they strive to innovate and drive performance—ironically, the very things that magnify compliance risk.