About the Company
A US-based pediatric behavioral health company is developing digital diagnostic and therapeutic products with the goal of enabling earlier and more equitable care for behavioral health conditions. Its products are intended to be routinely prescribed by providers and covered by insurers. The company trains data models to diagnose behavioral health conditions, including autism and ADHD, with highly sensitive data from its AWS data sources in the AWS Cloud (a HIPAA environment containing patient identifiers and electronically protected health information [ePHI]).
Challenges
Legacy Approaches and Delays to Access
Data security and privacy are of paramount concern for the company, and it needed a software platform to enforce data security rules, permissions, and policy decisions using attributes and policies in a scalable and easy-to-understand manner.
However, its legacy practice of providing data scientists and analysts with all of the data required to build their algorithmic models securely was extremely time- and labor-intensive.
Using legacy scripts, the company’s data scientists and analysts were constantly looking at historical data snapshots, which could be up to one month old. They were also making copies of data. It became clear that in order to advance innovation, it was essential to expedite this process, provide data scientists with the latest data “same day same hour,” and find a way to anonymize sensitive information for reporting.
Initially, the organization’s Data Platform Owner estimated it would take his team several months of engineering time to build a tool to capture logging of sensitive data. It would take even longer to build a data masking solution in order to protect user IDs, user names, user emails, birthdays, or gender based on these roles. Finally, acquiring Kubernetes knowledge, keeping up with numerous versions, and monitoring the tools would limit what the data team could accomplish.
“We tried building something ourselves, but we’re so happy we chose Immuta,” the Data Platform Owner said. “Immuta has really accelerated what our data teams can accomplish while also giving us a lot more peace-of-mind.”
Achieving FDA Compliance for Clinical Trials
As a healthcare company regulated by the FDA for HIPAA compliance, planning for data security governance up front is a requirement. The ramifications of not complying can be severe.
The company was also looking to conduct FDA-approved clinical trials, which added another unique set of data security requirements. As part of the clinical trial process, the organization was required to provide the FDA with patient data, along with information on who reads it, when, how, for how long, and why.
The study in question would be double-blind, meaning neither the participants nor the experimenters – including the data scientists – can know who is receiving a particular treatment. The challenge was figuring out how to prove to the FDA that the study was double-blind without providing unauthorized access to the data.
This is done so that the FDA can make sure corporations are not influencing the trial’s outcomes. If the company could not get FDA approval for its clinical trials, it could potentially waste upwards of $3-5M.
Solution
After initially investing time developing its own tooling, the data team realized it needed to evaluate and deploy a specialized data security platform to enforce rules, permissions, and attribute-based policy decisions, beyond the standard resource or table-based control levels. This was necessary for scalability and proving data privacy compliance.
The company chose Immuta for its ability to apply purpose-based access control to PHI and dynamically enforce policies in real time. The purpose is metadata-based, and is considered an attribute within Immuta’s attribute-based access control model. When users query the data, Immuta checks that a user is allowed to see it for that particular predetermined purpose.
Additionally, while the company initially deployed Immuta in a self-managed environment, it has since migrated to the Immuta SaaS deployment for ease of maintenance and upgrades.
“Immuta SaaS works well and we haven’t had any issues with it,” said the Data Platform Owner. “It’s working the way we envisioned it – transparent, quick, and real-time. That’s what matters to us.”
With Immuta, the company’s compliance team can advise data platform owners on relevant HIPAA rules and parameters, and the platform owners can then build plain-language policies that are easily understandable for the compliance team, and auditable for regulators.
Regarding the clinical trials data, the company leverages Immuta to implement its double-blind study with a service account. It defines what the service account does, ensures that the service account accesses the data, and if the data is masked, it is considered blinded. This way, the company ensures that no one has access to the data outside of well-defined and approved use cases. Immuta’s data monitoring and audit capabilities allow users to run reports at any time to prove compliant data use.
“With Immuta, you can basically emulate a user’s query and their permissions to see exactly what they see,” said the Data Platform Owner. “You can see it in a governed way and ensure that no one gets access to something they’re not supposed to.”
With Immuta you can basically emulate a user’s query and their permissions to see exactly what they see. You can see it in a governed way and ensure that no one gets access to something they're not supposed to.
Results
Immuta alleviates the burden on the company’s data team and accelerates overall productivity. The team can easily define and enforce detailed data access policies that guarantee the security and anonymity of sensitive data as required by healthcare industry regulations.
- 100x faster access to data – Immuta solved latency challenges, providing sensitive data to data scientists and analysts in the “same day, same hour.” Prior to Immuta, the company’s data scientists were constantly looking at historical snapshots of data, of which the cleansed script could be up to a month old. With Immuta, data scientists and analysts get data in seconds, all while ensuring HIPAA-compliant data use.
- Reallocating 2 FTEs – The company moved 2 full-time employees (FTEs) to new tasks because they didn’t have to spend time manually controlling access to data and managing legacy infrastructure. This increased even more sharply with the migration to Immuta SaaS, which took only 5 days, and meant that the team no longer had to spend time on maintaining Immuta.
- FDA and HIPAA compliance – Immuta empowers the company to easily prove compliant data use in its double-blind studies to the FDA, while also meeting HIPAA security compliance standards. Immuta protects more than 160 tables and facilitates secure access to service accounts for auditing purposes.
“Immuta brings stability to the business,” said the Data Platform Owner. “Without Immuta, our data scientists and data analysts can’t read the data, they can’t use the data. Immuta keeps the business moving.”
In the future, the company is looking to do more external data sharing with a partner company, clinics and healthcare providers, and/or a digital health exchange. Immuta is the platform they rely on for safe data sharing, so they can extend the value of their data.
Immuta brings stability to the business. Without Immuta, our data scientists and data analysts can't read the data, they can't use the data. Immuta keeps the business moving.
Solution details:
- Time to complete install: 1 week to install, migrate, test, and deploy to production
- Time to migrate to SaaS: Rapid deployment and migration in less than 5 days
- Number of production users: 10 and an additional service account
- Amount of data increased: 15-20%
- Number of tables protected: 160.
- Query time/performance impact: No impact after migrating to SaaS