Shaping cybersecurity’s future with AI: League’s Daniela Hagen

Daniela Hagen leads from the frontlines of healthcare cybersecurity – giving her a unique pulse on the industry. Hagen brings more than 15 years of experience, including banking, e-commerce, and security consulting, to her role as VP of Compliance, Security and Internal Audit at League.

I interviewed Hagen about the current state of data security in healthcare, how she would like to see regulations such as HIPAA evolve for the modern era, ways to expect AI and machine learning to play more significant security roles in the future, and more. 

Let’s start with a personal question. You are an Olympic weightlifter. What are the parallels between that degree of commitment and dedication and leading information security work in healthcare?

Hagen: Yes, there are direct parallels. Olympic lifts are very technical and you have to do certain things at the right time while using speed to get under that often very heavy barbell. So while you rest between lifts, you use that time to prepare your strategy for the way to attack the next lift. So while I am a very calm and collected person, I always strategize and observe. I love staying on a macro level and working on strategy but then diving deep fast when I’m needed on a more micro level, solving a problem or getting something moving very quickly when need be.

Now for a reality check. What is happening on the ground today in cybersecurity that healthcare and CX professionals should understand? 

Hagen: Phishing and ransomware attacks are increasing. But why? Hackers use difficult times when people are in distress and fear and they play to their anxiety by pretending to come from a legitimate organization offering financial support, fraud protection, collecting donations or pretending that they wish to help. Another significant factor is that so many people have been laid off. Some actually switch sides and become an internal threat actor or join the dark forces to either retaliate or make money. That reality and a potential recession have a huge impact not just on the increasing number of attacks, but also because healthcare organizations’ security budgets have been reduced.

From a security perspective, we also know that hackers are using AI and machine learning to automate attacks and use AI to see how data is moving across multiple systems and different industries. They’re creating profiles to identify theft and social engineering opportunities to get to the data they need. 

Healthcare must do the same on the security side. To make sure our clients and prospects have access to world-class security, it’s important that we think further than just the typical and sometimes outdated standards that are out there. 

Speaking of current privacy and security standards, plenty of people are calling for the U.S. to update HIPAA for the digital era. What would you like to see in such an update?  

Hagen: First of all, many requirements that you see, either in the actual law or in interpretations, are very outdated. They’re often on-premise related, like old school data centers. I’ll give you an example: the requirements around microfiche. I haven’t seen any microfiche in decades. HIPAA needs to be brought up to speed for the modern cloud computing era we’re in today. 

There are certain obstacles. Data location is another example. It’s really hard for a health plan or health system to say its data will never leave a facility or specific location. When you look across the border, GDPR gives a lot of guidance in terms of how you can use information while making sure that the individual has power over their own data. People can access their data and ask what data a company is storing about them. There are ways of providing this information in a certain amount of time to the end user. That is existent under HIPAA but very, very limited and not clearly defined. There’s still a lot of confusion about what organizations can actually do with health data, and there’s not enough transparency in the end for patients or members to even know what their rights are. 

What we need is more transparency from companies about what they do with health information. That transparency would enable individuals to create a digital identity and then decide which data to share, with whom and for what purpose. 

You mentioned AI earlier. How do you see artificial intelligence and machine learning advancing the security that supports CX?

Hagen: What I would like to see, and I think a lot of companies are working on this, is true machine learning security tools that include neural networks and deep learning to analyze healthcare organizations’ information sets and pair that with what they see on the dark web in terms of security events such as movements and attacks happening to similar companies in the industry, and also beyond healthcare, to correlate that data and identify adverse events early. When that happens today, a security team receives an alert and then human beings have to take action. Instead, the machine learning tools should be able to take an attacked system offline or disconnect the vendor while the team works on remediating the security event. We’re not there yet, but I hope one day we will be.

We recently achieved HITRUST certification. How does that help us advance the League mission?

Hagen: What HITRUST does is establish a certification system that we test against certain controls to demonstrate that we are actually compliant with the privacy and security rules. It’s a third-party assurance for someone coming in to check all of our controls in regards to security, privacy, confidentiality, and availability to see that we’re doing what we’re supposed to do. Having those controls in place enables League to engage with leading healthcare organizations to make a meaningful impact. 
