Why do we need it?
The ASCLEPIOS Cybersecurity, Encryption and Access Analytics for Healthcare Providers (CEAA) module helps healthcare providers build more robust threat-prevention mechanisms around their infrastructure and data by delivering insights into encryption and decryption activities and into normal and abnormal behaviours in data access patterns.
To achieve its goal, CEAA monitors interactions between and within the different architecture layers and components of the ASCLEPIOS framework. CEAA offers visibility into the execution of data access workflows and the usage of the underlying services, helps healthcare providers understand how these operations take place, and thus helps them detect abnormal behaviours in a timely manner. Not all identified “abnormal” behaviours are malicious: CEAA can also help detect cases where benign users have difficulty using the services appropriately or are, knowingly or not, interacting with a system in an unconventional way that could make it (or the underlying data) vulnerable to attacks.
How does it work?
Some metrics are generic, e.g., number of successful/failed requests within a given timeframe, whereas others are ASCLEPIOS-specific and offer more in-depth understanding of the underlying data access patterns, e.g., percentage of functional encryption computations that came as a follow-up to a search request (through searchable encryption).
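The two kinds of metric named above can be computed from access events as in the following added example, which is not CEAA code. The event schema, the operation names `sse_search` and `fe_compute`, and the five-minute follow-up window are assumptions made for illustration, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, operation, succeeded).
# Schema and operation names are assumptions, not the ASCLEPIOS log format.
EVENTS = [
    ("2024-01-10T09:00:00", "alice", "sse_search", True),
    ("2024-01-10T09:00:40", "alice", "fe_compute", True),
    ("2024-01-10T09:05:00", "bob",   "fe_compute", True),   # no prior search
    ("2024-01-10T09:06:00", "bob",   "sse_search", False),
    ("2024-01-10T09:06:30", "bob",   "fe_compute", False),  # prior search failed
    ("2024-01-10T09:30:00", "alice", "fe_compute", True),   # search is too old
    ("2024-01-10T10:10:00", "carol", "sse_search", True),
    ("2024-01-10T10:11:00", "carol", "fe_compute", True),
]

def parse(events):
    """Convert ISO timestamps and return the events in time order."""
    return sorted((datetime.fromisoformat(ts), user, op, ok)
                  for ts, user, op, ok in events)

def request_counts(events, start, end):
    """Generic metric: successful/failed requests with start <= ts < end."""
    counts = {"success": 0, "failed": 0}
    for ts, _user, _op, ok in parse(events):
        if start <= ts < end:
            counts["success" if ok else "failed"] += 1
    return counts

def fe_followup_percentage(events, window=timedelta(minutes=5)):
    """Percentage of functional-encryption computations (successful or not)
    issued within `window` after a successful search by the same user."""
    last_search = {}          # user -> time of latest successful search
    total = followed = 0
    for ts, user, op, ok in parse(events):
        if op == "sse_search" and ok:
            last_search[user] = ts
        elif op == "fe_compute":
            total += 1
            prev = last_search.get(user)
            if prev is not None and ts - prev <= window:
                followed += 1
    return 100.0 * followed / total if total else 0.0

if __name__ == "__main__":
    hour = (datetime(2024, 1, 10, 9), datetime(2024, 1, 10, 10))
    print(request_counts(EVENTS, *hour), fe_followup_percentage(EVENTS))
```

Computations that do not follow a search (here, the two from `bob` and the late one from `alice`) are the ones an analyst would review first; whether they are abnormal depends on the provider's own baseline.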
CEAA provides a contextualisation mechanism to further improve the analysis, ranging from generic functions such as using geoIPs to integrating contextual and operational information of the underlying organisation. Detecting abnormal behaviour requires a shared understanding of what constitutes normal behaviour for the specific healthcare provider; CEAA leverages this to improve its results and to create a more intuitive interface for the security analyst working for that provider.
CEAA comes with a rich default dashboard that offers insights into all identified metrics and even allows for more to be defined, computed, and visualized, leveraging the ELK stack to ensure scalability, speed, and flexibility. The default CEAA dashboard offers alternatives for each security analyst to choose from and allows configuration across the complete pipeline: input data, contextualisation and analysis process, rule definition and visualisation adaptation.