Splunk as a Tool for Privacy Monitoring

Chris Grant, Chief Information Security Officer
Chris White, Senior Security Engineer

October 9, 2014


Page 1: Splunk as a Tool for Privacy Monitoring · Geek out, share ideas with Enterprise Security developers Red Team / Blue Team - Challenge your skills and learn new tricks Mon-Wed: 3:00


Page 2

Group Health Cooperative (GHC) Introductions

Chris Grant, CISO
Chris White, Senior Security Engineer

•  Seattle, WA (Go Hawks!)
•  Integrated, non-profit provider and payer
•  Cover 600,000 lives
•  Medicare last 3 consecutive years
•  25 Clinics in 17 cities in Washington state
•  380 Providers, 720 specialists
•  9,000 Total employees

Page 3

So, What Will You Get Out of This?

Show you how we solved the healthcare privacy monitoring problem by
1.  Not using default privacy monitoring tools
2.  Using clever information security geeks
3.  Using tools we already owned

Page 4

What is Privacy Monitoring? Why Does it Matter?

What is it?

Privacy Monitoring is looking for patterns in log data
•  Access logs
•  Between two people

Why does it matter?

Healthcare has unique privacy monitoring needs
•  Clinical data
•  Personal relationships
•  Required by regulation

Page 5

How Were We Doing This Prior to 2014?

•  Manually and slowly
•  With product-specific reports
•  Frustrating, maddening tedium (editorial comment)

Page 6

Design Considerations

After speaking with two organizations that came before us, we had lessons learned.

•  How would we do this differently?
•  Can we do it all in Splunk?
•  How do we integrate other applications?
•  How do we bring in people data?
•  Can we build something that could be redistributed?

Page 7

Design Considerations

Page 8

Production Implementation

Group Health Log Sources:
•  Epic Clarity (access logs)
  –  Filter 6M -> 2M per day (40% of raw events)
  –  Filtered false positives
  –  Filtered if no user_id, pat_id
•  “PersonDB” (people data)
  –  Lawson
  –  Ceridian

Page 9

Proof of Concept

Focused on proving we could:

1)  Understand Epic access log data
2)  Understand Splunk
3)  Build a sample “report” using #1 and #2
4)  Ask for direction then build to Privacy Team needs

Page 10

Production Goals

•  Minimize daily indexing volume
  –  Filtering out high volume, low value data
  –  Only logs with a populated UserID/PatientID pair
•  Create generic framework
  –  Focus on functional pieces
  –  Support multiuser workflow
  –  Reduce requirements for adding scenarios

Page 11

Production Goals

•  Create a simple, dynamic analysis experience for users
•  Present complete context through demographics and encounters
•  Increase efficacy, decrease false positives through weighted scores
•  Reporting performance
  –  Avoid live analytical searches
  –  Summarize scenario reports
  –  Display pre-analyzed data
•  Support scope expansion
  –  Avoid vendor/product specifics in framework
  –  Design with the intent of supporting multiple sources of privacy data
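As an added example (not GHC's Sentry code), here is a Python sketch of the pipeline the Production Implementation and Production Goals slides describe: drop access-log events that lack a user_id/pat_id pair, join the survivors against people data, and give each user/patient pair a weighted scenario score so analysts see pre-scored rows instead of running live searches. The log rows, PersonDB records, scenario rules and weights are all constructed assumptions.

```python
import csv
import math
from collections import Counter

# Constructed sample access log in an Epic-Clarity-like shape (not real GHC data).
ACCESS_LOG_CSV = """\
ts,user_id,pat_id,action
2014-03-17T08:01:00,u102,p500,view_chart
2014-03-17T08:02:00,u102,,open_schedule
2014-03-17T08:03:00,u101,p901,view_chart
2014-03-17T08:04:00,u102,p502,view_chart
2014-03-17T09:10:00,u102,p502,view_results
2014-03-17T09:15:00,u101,p902,view_chart
"""
# Constructed "PersonDB": one HR record per employee, including the employee's own pat_id.
EMPLOYEES = {"u101": {"pat_id": "p901", "dept": "clinic7", "last_name": "Patel"},
             "u102": {"pat_id": "p902", "dept": "clinic7", "last_name": "Lee"}}
PATIENTS = {"p500": "Smith", "p502": "Lee", "p901": "Patel", "p902": "Lee"}  # constructed last names
EMPLOYEE_BY_PAT = {rec["pat_id"]: uid for uid, rec in EMPLOYEES.items()}
WEIGHTS = {"self_access": 0.9, "coworker_record": 0.6, "shared_last_name": 0.4}  # assumed weights

def filter_events(log_csv):
    """Keep only events carrying both a user_id and a pat_id, the filter the slides describe."""
    return [r for r in csv.DictReader(log_csv.splitlines()) if r["user_id"] and r["pat_id"]]

def scenarios_for(user_id, pat_id):
    """Hypothetical privacy scenarios that one user/patient pair triggers."""
    hits, emp = [], EMPLOYEES.get(user_id)
    if emp is None:  # user not in PersonDB: relationship scenarios cannot be evaluated
        return hits
    if emp["pat_id"] == pat_id:  # employee opened their own chart
        hits.append("self_access")
    owner = EMPLOYEE_BY_PAT.get(pat_id)
    if owner and owner != user_id and EMPLOYEES[owner]["dept"] == emp["dept"]:
        hits.append("coworker_record")  # patient is a colleague in the same department
    if not hits and PATIENTS.get(pat_id) == emp["last_name"]:
        hits.append("shared_last_name")  # possible family relationship
    return hits

def score(scenarios):
    """Noisy-OR combination, 1 - prod(1 - w): several weak signals raise confidence."""
    return round(1.0 - math.prod(1.0 - WEIGHTS[s] for s in scenarios), 2)

def privacy_report(log_csv):
    """Scored rows for (user_id, pat_id) pairs that trigger a scenario, highest score first."""
    counts = Counter((ev["user_id"], ev["pat_id"]) for ev in filter_events(log_csv))
    hits = {pair: scenarios_for(*pair) for pair in counts}
    report = [{"user_id": u, "pat_id": p, "events": counts[(u, p)], "scenarios": h, "score": score(h)}
              for (u, p), h in hits.items() if h]  # clean pairs never reach the analyst queue
    return sorted(report, key=lambda r: r["score"], reverse=True)
```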

Page 12

Flight Demo!

Page 13

Decision Path

•  2012 to Early 2013 – RFP, not satisfied
•  Mid 2013 – Two conversations
•  October 2013 – Site visit
•  November 2013 – Decision
•  December 2013 – PoC proven
•  March 17, 2014 – Go Live

4 months from decision to production!

Page 14

Recent Past and Future

Recent Past
•  Made distinction between interactive bits and product-specific bits
•  Wrapped up GHC-supported open source license (important)

Future
•  Releasing Sentry framework through SplunkBase
•  Releasing Epic product-specific bits through Epic
•  Analysis to detect anomalous behavior and improve confidence scores
•  Improve scenario logic and scoring with performance data

Page 15

How to be Successful

1.  Get Splunk – presume this has been completed
2.  Invest in creating a Splunk guru
3.  Develop organization-specific scope
4.  Play off your strengths in the design
5.  Find willing participants on the IT side
6.  Get access log data
7.  Get your people data

Note: apply bribes where possible to improve speed of implementation

Page 16

Contact Information

Preferred email: [email protected]

Chris Grant, CISO
206.901.6710
[email protected]

Chris White, Sr. InfoSec Engineer
206.901.6226
[email protected]

Page 17

Purpose
Tell you our journey and implementation of our Splunk-based solution for healthcare focused privacy monitoring, “Sentry”.

Agenda
•  What will you get out of this? – Chris Grant
•  Decision Path and Overview – Chris Grant
•  Design, PoC & Production – Chris White
•  Demo – Chris White
•  Future, Questions & Contact Info – Chris Grant

Payoff
You’ll have enough information to be dangerous…

Page 18

Security office hours: 11:00 AM – 2:00 PM @Room 103, Everyday
Geek out, share ideas with Enterprise Security developers

Red Team / Blue Team - Challenge your skills and learn new tricks
Mon-Wed: 3:00 PM – 6:00 PM @Splunk Community Lounge
Thurs: 11:00 AM – 2:00 PM
Learn, share and hack

Birds of a feather - Collaborate and brainstorm with security ninjas
Thurs: 12:00 PM – 1:00 PM @Meal Room

Page 19

© 2014 Group Health Cooperative and Group Health Options, Inc.