AI isn’t just for early adopters anymore. Whether we like it or not, artificial intelligence is taking over our daily lives—from apps that operate in the background to ChatGPT to hyper-specific AI solutions like Perspectify.
As a society, we’ve essentially accepted that our internet-based activities are being tracked by third parties. But while most people aren’t super concerned about how much information their Waze app is sending back to a team of marketers, it’s a whole other can of worms when we start talking about healthcare applications and healthcare data.
In behavioral health, data and AI security concerns can’t be taken lightly—by vendors or the organizations adopting their technology. That’s doubly true in our current climate, where it seems like headlines about breaches and sensitive data being leaked to the dark web sprout up like weeds. Add ransomware to the mix, and it’s a healthcare IT leader’s nightmare fuel.
That’s exactly where your vendors’ Chief Information Security Officer (CISO) comes into play—to make sure your organization’s leadership team doesn’t lose any sleep over data privacy and security issues.
The Chief Information Security Officer
At the end of the day, both AI vendors (like Eleos) and behavioral health orgs seek to protect and secure the same data—though the path to get there looks a little different for each. When it comes to data security, a great AI vendor doesn’t cut any corners (we already know that would be a major red flag).
To ensure security never takes a backseat to other dev priorities, top-notch vendors hire a Chief Information Security Offer (CISO) to oversee all things data protection. At Eleos, that’s me, Raz.
Hi, I’m Raz Karmi, Eleos CISO. I’m a global information security expert with 20+ years of experience in IT and information security. And my colleagues say I’m pretty cool, too.
What is a CISO, exactly?
A CISO establishes and maintains an organization’s information security strategy, policies, standards, and procedures. The key difference between a CISO and a CIO or CTO is that while technology is at the core of what we do on an organizational level, CISOs don’t just focus on a solution’s capabilities—but rather the capabilities plus policies that govern those capabilities to keep data and sensitive information secure.
How does a CISO keep data safe?
As CISO, it’s my job to keep data safe. How I do that—and how I communicate what I’m doing to stakeholders—is where the rubber really meets the road. I am responsible for orchestrating, executing, and managing the policies and procedures that keep sensitive data out of the hands of those who seek to do harm.
A CISO’s To-Do List
- Identify security risks and implement controls to mitigate them.
- Ensure compliance with relevant laws, regulations, and industry standards.
- Develop and implement security awareness and training programs.
- Oversee the company’s day-to-day security operations, including:
- Monitoring and responding to security incidents and breaches.
- Conducting risk assessments and vulnerability testing.
- Implementing and managing security technologies.
- Act as a strategic advisor and leader on security matters, working closely with executive management and the board to:
- Report on the company’s security posture and risks.
- Collaborate with business units to align security with business objectives.
- Stay up-to-date on emerging threats and security best practices.
- Evaluate and manage the security risks associated with third-party vendors, partners, and service providers by:
- Reviewing vendor security practices and controls.
- Monitoring vendor compliance and addressing any security concerns.
Why do behavioral health orgs need a CISO?
What makes healthcare different from other industries, where a CISO is not considered a standard member of the executive suite?
The four biggest differentiators are:
- Heightened sensitivity of the data
- Stricter regulations
- Greater risk of insider threats
- More interconnected systems
Sensitivity of Data
Healthcare organizations deal with highly sensitive protected health information (PHI) and medical records, which are extremely valuable targets for cybercriminals. This isn’t groundbreaking news, but it is always worth leading with, especially if you’re in charge of keeping patient data safe.
Strict Regulations
The healthcare industry is subject to strict regulations like HIPAA (Health Insurance Portability and Accountability Act) that mandate robust data privacy and security controls. Failure to comply can result in severe penalties and fines—not to mention the potential damage to individuals, corporate entities, and reputations.
Insider Threats
The healthcare workforce is diverse, with many employees, contractors, and vendors accessing sensitive data and systems. This increases the risk of insider threats and accidental data exposure. Some of these potential threats could be purposeful engagements and some incidental—humans, and all that—but either way, teams absolutely must prepare for internal breaches.
Interconnected Systems
Thanks to an industry-wide push for greater interoperability and improved care quality, healthcare systems are highly interconnected, with data constantly flowing between providers, patients, insurance companies, and other third parties. When intentions are good, this is great; but when intentions are to do harm, the attack surface has been expanded—making it more challenging to secure data transmissions.
When it comes to AI, what are the main security concerns? And why do you need a CISO to address them?
The four main areas of concern are:
- Data breaches and privacy issues: Naturally, data breaches top the list of concerns when it comes to healthcare IT, and AI is no exception to this rule.
- Adversarial attacks and manipulation: This includes any bad actors seeking to steal data, manipulate said data, or both—whether internally or externally.
- Model theft and supply chain risks: While the main concern is always the protection of PHI, protection of intellectual property is also an AI security concern. If an AI product is not secure, competitors could steal the building blocks for themselves or interrupt communication between systems for their own gain.
- Bias and discrimination: AI models are trained on human language, and all human language is subject to implicit biases. At Eleos, we work to overcome bias through intense scrutiny of our inputs and outputs—but until we, as humans, find a way to totally eliminate bias from our written, spoken, and visual language, it will continue to be a concern.
Addressing these risks requires robust security measures, responsible AI development practices, ongoing monitoring, and collaboration among various stakeholders to ensure the safe and ethical deployment of AI technologies—all of which goes well beyond the scope of a traditional CTO or CIO role.
AI and Ethics
Security and ethics go hand-in-hand. Some might say they are two sides of the same coin. However, security and ethics are two separate concepts, and both must be discussed individually when it comes to AI.
While ethics as a whole doesn’t fall under the CISO umbrella, all of us here at Eleos believe that our intention to use AI for good helps mitigate many ethical concerns related to the technology. One of the questions we get asked a lot is:
The relationship between clinicians and clients is at the center of great care. We understand that the thought of adding technology to that relationship can feel awkward or even untoward. Eleos Health’s ambient solution operates in the background, and it does not intrude in the client’s care or therapeutic journey. Eleos is not intended to replace provider judgment about the proper course of care. Instead, we exist to supply insights and empower providers to deliver higher quality, more personalized care.
Learn more about how AI works for good in behavioral health.
Behavioral Health AI Security FAQs
So, as the CISO of a best-in-class behavioral health AI vendor, what are the questions I get asked the most? Some are simple, others more complex. All need straightforward answers. So, go ahead and dig in! And if I missed any, be sure to let us know!
Q: What’s the lowdown on all the regulatory certifications Eleos has earned? How are they different, and why do they matter?
A: Here’s an overview of each law, regulation, and certification Eleos complies with:
HIPAA | HIPAA is a federal law in the US mandating how healthcare organizations and their business associates handle protected health information (PHI). |
SOC 2 | SOC 2 certification is an independent verification that a service organization’s security controls are effective over a period of time. |
HITRUST | HITRUST certification builds on the foundation of the SOC 2 framework, but with a specific focus on the healthcare industry. |
ISO 27001 | ISO 27001 certification is essentially a stamp of approval for an organization’s information security management system (ISMS). |
NIST CSF | NIST CSF is an industry-standard framework for organizations of all sizes to manage their cybersecurity risks. |
Q: Does Eleos monitor and test security on a regular basis?
A: Yes. At Eleos, we have implemented a variety of security tools and techniques, including penetration testing, ongoing monitoring of our product for security vulnerabilities, and ongoing scanning of our internal and external cloud environments. We have a designated cloud security posture platform which alerts us for any finding, such as known vulnerabilities, misconfigurations, and abnormal activity. Additionally, for our public-facing assets, we have a number of tools and platforms to ensure we are clean when it comes to vulnerabilities, misconfigurations, and other concerns. And we have a designated third-party risk assessment platform that scans our third-party vendors to make sure their security posture adheres to the most stringent best practices.
Q: How does Eleos encrypt data in transit?
A: All user traffic passes via HTTPS. All administrator traffic is encrypted through Eleos Health’s secure VPN (virtual private network) and uses two-factor authentication mechanisms. Integration traffic also passes through our secure VPN, which encrypts packet data as well as packet headers.
Q: How does Eleos encrypt data at rest?
A: Sensitive data handled by Eleos Health’s cloud applications are encrypted whenever they are stored in persistent memory. When such data is accessed by a user, file-system encryption ensures that access to the physical disk does not expose sensitive data. Database records are further encrypted with 256-bit keys via the industry-standard AES algorithm.
Q: How does Eleos detect unauthorized access and other threats?
A: At Eleos, we’ve implemented access restrictions using Zero Trust and the Least Privilege principles, essentially ensuring access is granted based solely on need (in line with HIPAA’s Minimum Necessary Rule). Furthermore, access is rigorously secured by login information, regardless of network or access type. Our system uses a host-based intrusion detection system (HIDS) to continuously monitor for unauthorized access attempts, suspicious activity, and unexpected behavior on each server within the Eleos cloud. Additionally, all company workstations and remote servers deploy endpoint detection and response (EDR) tools to monitor for threats in real time. Our databases also deploy access-control algorithms to identify rare events, items, or observations that differ significantly from standard behaviors or patterns, thus warranting investigation.
We also have a designated data security platform that gives us visibility into our customers’ data activity. Our systems continuously monitor for unauthorized access attempts, suspicious activity, and unexpected behavior—alerting us if and when needed.
Q: Where is Eleos data housed? Does it ever move locations?
A: Eleos supports data deployment in specific geographic regions, and we guarantee that these data will not move outside of the originally designated region. For example, if a US-based health system desires to keep its data within the US, Eleos will store and process the data only in US-based Amazon Web Services (AWS) data centers.
Q: What security measures are in place for the AWS data centers Eleos uses?
A: AWS data centers meet the highest standards for physical security and access control. Access is strictly limited, and anyone granted access is thoroughly vetted and monitored. Additionally, all physical and electronic access to AWS data centers is routinely logged and audited.
Q: What personnel measures are in place at Eleos to protect customer data?
A: Access to the Eleos cloud is locked down by implementing environments separation, network segmentation, firewall rules, and more protocols. User access control policies and procedures for remotely connecting to our cloud environments establish a lifecycle of account management while incorporating principles of least privilege and separation of duties. Additionally, user access control records confirm that account management is consistent with required user access control policies and procedures. Furthermore, Eleos requires all employees and contractors performing services for Eleos to undergo a thorough background check and participate in security training. Eleos also logs and monitors all access activities, keeping tabs on the who, what, where, when, and why of access.
Q: How does Eleos ensure data security when integrating with client systems?
A: Integrations with client systems are managed via VPN. We provision, monitor, and manage the VPN to create an overlay network designed to link a customer’s corporate data center and our private network. This ensures that all communications between the two are encrypted. Finally, a client can leverage the Eleos cloud VPN with its existing extranet infrastructure. This VPN supports almost every IPSec data-center extranet solution as well as the standard OpenVPN protocol.
AI Security Doesn’t Have to be Scary, but it Has to be Thorough
I know AI can be scary for behavioral health orgs to introduce to their teams. But as society moves from “AI is the future” to “AI is the present,” it’s important to take stock and find ways AI can really make our professional lives easier. And when you choose an AI partner, you should be confident they are doing everything they can to stay ahead of the security game. Here at Eleos, we believe an experienced CISO (a.k.a. me!) is a key piece of that puzzle. The Trust Center is available for your learning pleasure, and my inbox is always open if you have another question not answered here (or there!).
Ready to see why Eleos is the most-used and most-trusted behavioral health AI platform on the market? Request a demo today!
Or if you’re not quite ready to jump in, check out our AI policy template so your org can start dipping its toes into the AI waters. Because while it sounds corny, the AI future is already here.