The core business of healthcare organizations is to care for the medical needs of patients. Yet information security is a key component of any healthcare organization. There are electronic healthcare records (EHRs) and HIPAA privacy regulations, both of which make your average hospital or big healthcare practice an enticing target for hackers looking to steal data.
"We are attacked about a million times a day," said Jennings Aske, chief information security officer at NewYork-Presbyterian Hospital. Aske joined the organization in 2015 to create a cyber security strategy for the organization, and he used platforms from Splunk which he said was "basically a security analytics platform." The system allows the hospital to ingest logs from antivirus software, from the millions of events on the hospital's firewall, from the attacks on user accounts, and more. Using rules in Splunk, Aske's group is able to winnow down all that data to "a handful of events that we want to investigate. It gets us to the needles in the haystack."
Besides protecting data from outside threats, the organization also needed to protect health records from being available to be viewed by unauthorized personnel.
"We want to make sure only the right people are looking at patient records," Aske said, so the team also built out that capability -- ensuring that only those who were authorized could see medical records. It's more than just access control. The system Aske's team was working to build out would protect against accounts that had been logged in for an extensive period of time, or raise flags if someone was accessing records significantly more frequently than normal.
It was during the EHR privacy project that Aske attended a meeting of the hospital's pharmacy team. Among other topics, the team was talking about security measures for opioids.
"This light went off that said the same techniques, like the machine learning we are using for our other projects, can be used to prevent potential diversion of controlled substances," Aske said.
Controlling opioid security is a concern at every large provider, and organizations don't have good visibility into the scope of the problem, according to Aske.
Opioids are a big problem in the US overall. Drug overdoses killed more than 70,000 Americans in 2017, setting a new record, with synthetic opioids the main driver of overdose deaths. Indeed, in 2017, the US Department of Health and Human Services declared a public health emergency.
What's going on with opioid misuse and addiction in the US has been called a crisis, an epidemic, and an emergency.
At NewYork-Presbyterian Hospital , which runs two hospitals -- one in Hudson Valley and another in lower Manhattan, it was a problem that could potentially be significantly improved with machine learning.
For instance, EHRs could provide the data that identifies patients using the synthetic opioid fentanyl. Other systems could identify the pharmacy cabinets where these drugs are stored.
"Machine learning comes in and helps us identify normal patterns of behavior," Aske said. "Outliers are flagged. For instance, those that are opening cabinets 40 times a day instead of 20 times a day."
Heatmaps can also show behavior, according to Aske, showing things that may not be problematic from a legal perspective. But maybe the hospital can identify a person who prescribes a controlled substance more than others prescribe it.
"The power of the platform is not just protection against potential fraud, but it also offers analytics around how pharmaceuticals are used in the hospital."
Aske brought the idea to Splunk, and NewYork-Presbyterian Hospital and Splunk announced a collaboration earlier this month to create and test this new platform for protecting against opioid misuse. The controlled substance monitoring platform will be implemented in Q2, and enabling monitoring of EHRs, Electronic Prescription of Controlled Substances platforms, pharmacy dispensing systems, and other sources to guard against the diversion of these medications, according to Splunk.
The system will issue an alert if a doctor prescribes a controlled substance to a patient not currently in the care of the hospital, or if a pharmacy technician uses an automated dispensary cabinet more often than his or her peers. By working with Splunk on this platform, Aske's team is enabling it to be used by other hospitals in their efforts to combat the opioid crisis.
Aske said that in the future this platform could also potentially be used for other issues involving pharmaceuticals -- for instance, analyzing prescription patterns around antibiotics.
Aske's efforts to involve his organization in this co-development effort included meetings with Splunk's leadership team, including its CEO, as well as work with the hospital's own pharmacy team. For instance, the work with the pharmacy team included a listing of all the potential use cases, an identification of all the data sources, and then aligning the data sources to the use cases.
It wasn't a difficult sell internally at the hospital. The pharmacy department reports in to a senior vice president, and Aske said that executive was immediately onboard with the project.
"There were some people in the pharmacy team who were wondering, 'What's this all about,' but they could see that the leadership team was onboard immediately," Aske said.