Kim explained that network traffic can be analyzed using big data tools to establish baselines for usage by individual users. "When there is an aberration in activity, a heuristic analysis can be done to identify where the aberration might be and flag it, in real time," she said.
"That way," she continued, "if there is potential criminal activity or an insider threat, a security team can head that off ASAP."
A challenge to any big data security set-up is making sure that all relevant data is being scrutinized. That's becoming increasingly problematic as more and more devices are allowed to access a health care organization's networks. "They really need to know where their data is, because if they don't, then it's going to be hard to make sure it's secure," Verizon's Widup said.
Moreover, data that's attractive to hackers can be found in more places than just patient records and medical devices connected to networks. Any point in the payment chain that contains data can be a target. For example, some cafeteria point of sale and co-pay collection systems implemented by third parties have Internet connections that can be attacked by bad actors. "We've seen breaches there," Widup said.
When deploying a big data security solution, care must be taken not to add to an organization's vulnerabilities. "Most hospitals practice security by silo," said Phil Simon, author of Too Big to Ignore: The Business Case for Big Data.
"They have their data segmented," he continued, "and as that data is brought together to build bridges between data sources, then the bridges have to be properly tested."
"We live in a world in which there are data sources all over the place," Simon said. "There's a tremendous opportunity for organizations that take advantage of that, but if they don't watch what they're doing, there can be security issues and HIPAA violations and bad PR. That's one of the reasons that many health care organizations have been reluctant to do a lot with big data."
Since many health care organizations don't have the chops to deploy a big data solution, they often must rely on third-party contractors to do so. That can lead to problems if a contractor isn't familiar with the health care regulatory landscape. "Third-party organizations that specialize in big data are very familiar with dealing with that data, and I have no doubt that the majority of them really do understand how to secure that data appropriately, but they've probably never had to do a HIPAA HITECH compliance review," Kroll's Brill explained.
"This mechanism that's been developed, which is a combination of HIPAA and HITECH with an overlay of all the state privacy laws, becomes incumbent upon you to follow even though you are not a health care organization and don't ever see a patient," Brill added.