Few issues in healthcare today outrank the security of patient and hospital data. What's more, the "enemy" in these scenarios is often within, as unwitting employees help seed malware or ransomware attacks by opening unsafe attachments or meandering into restricted areas within a network.
Robert Lord and Nick Culbertson, co-founders of Baltimore-based startup Protenus, are sussing out ways to make accessing electronic medical record systems more airtight and accountable for healthcare organizations. On Feb. 16, Protenus announced a $4 million Series A funding round, the capital from which will go toward expanding the company's customer base and team, according to Mr. Lord.
"Fundamentally, we wanted to work together on a project that was important to us and touched on some of the areas we thought really needed fixing in healthcare — kind of the un-sexy side of EMRs and administrative data," says Mr. Lord. "What started off as a project to think about workflows and this administrative data ended up spiraling out of control into a company."
The duo, who began their company while attending medical school at Johns Hopkins in Baltimore, developed learning algorithms that set limitations on EMR access and work backwards to retrace digital breadcrumbs when someone missteps, intentionally or not, and worms their way into sensitive data.
"Ultimately we realized that one of the big problems with EMRs that was yet unsolved was the problem of insider threats to those records," Mr. Lord says. "Hospitals have rolled out a huge amount of EMRs, but they've done so with very little thought to issues around who has access to those records and under what circumstances insiders in the hospital — whether employees, contractors, affiliates — can look at the millions or tens of millions of records in a hospital's system."
Protenus' system works by understanding who in a hospital should be accessing what in the EMR system, Mr. Lord says. Once the bounds of clinically or administratively appropriate activity are established, the system is on watch for anyone who might cross them. Should that happen, Protenus immediately alerts hospital security and compliance officers to the infraction and provides a forensic platform with which to investigate and remediate.
The company's algorithms are based on big data analytics, a phrase whose overuse has resulted in some blurring of its meaning, Mr. Lord admits. However, Protenus' analytics do take large amounts of data into account, such as historical patterns around access, to mitigate false positives that could result in alert fatigue.
"Compliance and security officers often have systems in place that end up making more work than they actually save. By understanding who should be accessing what and applying expert learning systems to really get at the heart of what is the most inappropriate activity, we're able to determine what really should be prioritized and solved as soon as possible," Mr. Lord says.
Certain privacy and security problems related to EMRs are universal to healthcare systems, and those issues must be addressed alongside hospital-specific idiosyncrasies when it comes to establishing and patrolling a digital perimeter. Mr. Lord says he and his co-founder took this into account when designing Protenus' software, to minimize the stresses of implementation and tackle a variety of problems.
"[The system] doesn't really require a lot of customization because it dynamically customizes itself," Mr. Lord says. "It's not a consulting kind of implementation. We learn a bit about the institution up front and speak with security and compliance officers to understand some of their unique policies, but the heavy lifting is really done by the underlying analytics system."
EMR security is a top-of-mind issue for every hospital, but one that has persisted without many options for effective solutions, according to Mr. Lord. As co-founder of a company working to engineer a possible fix for the issue, he says creating a foundation of trust has been imperative.
"To do what we do, hospitals place a lot of trust in us, and simultaneously what we are doing is providing a level of trust to these hospitals and their workforces that they didn't have before," Mr. Lord says. "Developing that trust, that robust security and those privacy controls within our own organization, is something we spent a lot of time on. It's always a challenge, and it's one we take very seriously as a core pillar of what we do."