Once upon a time, two friends — Nick Culbertson, a former Green Beret with experience in intelligence network building, and Robert Lord, an ex-hedge-fund associate with a knack for data analytics — dropped out of Johns Hopkins medical school together to form a mission-driven health-tech startup in Baltimore.
No, this isn’t the start of a joke or the set-up for some entrepreneurial sit-com. Rather, it’s the real-life (albeit rather unlikely) story of the founding of Protenus, which uses advanced analytics to help hospitals and others solve a major problem: protecting patients’ electronic medical records from HIPAA violations. How major? Consider the $1.44 million settlement paid by Walgreens in 2013 when one of its pharmacists allegedly looked up the medical records of her husband’s ex-girlfriend.
Thus, if all goes as planned for the co-founders, this could also be the start of a fairy-tale-like adventure for the two-year-old, Canton-based company — late last year, Protenus raised $4 million in a Series A round led by Arthur Ventures and supported locally by DreamIt Ventures, TEDCO, and the Baltimore Angels, among others.
According to Lord, who serves as CEO and recently met with citybizlist, privacy protection lies at the heart of what Protenus does. While in med school both he and Culbertson realized that access to vital patient information — everything from HIV and pregnancy test results to Social Security numbers and credit card data — is not always well controlled, compared to the robust analytical and security protection systems encountered in their previous jobs. So they decided to create a better solution. “We wanted to give hospitals a better standard, and patients the privacy they deserved,” says Lord.
Calling themselves Protenus — named for the Latin word for “onward” — the two built “an immune system for medical records” that alerts health system compliance and security officers when a violation occurs and provides a forensics platform that allows officials to resolve matters quicker than before. Formed in 2014, Protenus currently works with Johns Hopkins Health System and is piloting with Inova Health System in Virginia, as well as the Chesapeake Regional Information System for our Patients, or CRISP, a regional health information exchange covering interchanges of data between nearly all health systems in the Maryland/DC area.
HENRY MORTIMER: What led you and co-founder Nicholas Culbertson to found Protenus?
ROBERT LORD: Nick and I founded Protenus when we were in medical school at Johns Hopkins, really to address a problem that we saw every day when we were on the wards working with patients with the electronic medical records.
That problem was insider threats to electronic medical records. Essentially, we rolled out tens or hundreds of billions of dollars’ worth of electronic health records after ARRA [the American Recovery and Reinvestment Act of 2009] and all of the incentives that were passed there. One of the big problems is we did so without a lot of thought into how we’d protect patient privacy and secure these medical records. This resulted in a big problem, where suddenly millions of patient records are now exposed to anyone who has any access to the electronic medical record—whether that’s community affiliates, nurses, doctors, staff, senior officials. And this creates a pretty big problem because those medical records contain the records of people’s friends, family, VIPs who might come into the hospital, or just medical records in general that could be gathered in bulk. What you unfortunately see, since electronic medical records really started rolling out, is a huge problem with identity theft, prescription fraud, medical blackmail—and a variety of other problems—that really result from the fact that all these medical records can be taken and reused for a variety of malicious purposes.
Nick and I were familiar with a better standard from our previous lives. In Nick’s previous life, he was a Green Beret who worked on intelligence network building and analysis. I, much less interestingly, was a hedge fund associate who worked on building and managing analytical systems to trade global government markets. And so we’d seen much more robust analytical systems, much more robust privacy and security protections, and we thought that patients and hospitals just deserved much better. These aren’t easy problems, but they are solvable problems, and we felt with a little elbow grease and a terrific team, we could tackle these in a health care context.
How did you and Nick first meet?
Nick and I met a little bit before medical school, when we were on the trail to medical school; and we were ultimately both fortunate to go to Johns Hopkins, and so we became good friends. We’ve known each other for about six years now and really built the company together from that initial idea—that we just thought we could provide hospitals with a much better standard and patients with the privacy that they deserved.
Tell us how Protenus works.
Protenus uses advanced analytics to detect and thwart HIPAA violations in real-time. What that really means is we understand in great detail what should be happening in electronic medical records, so when an individual goes outside the bounds of clinical or administratively appropriate activity, it becomes immediately clear, and then we can rapidly alert compliance or security officers and provide them with a forensics platform to resolve that in just a matter of minutes. The solution works by essentially taking information from HR records and associated systems, electronic medical records, and clinical information, and weaving them together with a variety of access and machine logs. This allows us to build multidimensional fingerprints of patient user activity and understand in great depth what people should be doing in the electronic medical records. When they go outside the bounds of clinical or administratively appropriate activity, we immediately know what that is and then we’ve got the platform to resolve those issues.
How would you describe the main benefit for customers?
Customers benefit from the technology in a variety of ways. For one, they have the ability to now see into who is using their medical records appropriately or inappropriately, resolving many, many more cases in much less time. Simultaneously, our solution allows them to allocate resources away from what’s traditionally been a lot of busy work or manual auditing and really let compliance and security officers focus on what they’re good at, which is getting to the bottom of these cases with those last few human elements that take that key investigation and resolution.
Protenus is a Latin word meaning “immediately,” “onward,” or “constantly.” How did you come up with the name?
As I mentioned, we saw privacy as a huge problem. There were a couple of other problems in lab information systems—informed consent, other things that people generally don’t like to tackle—but what became really compelling was this privacy protection problem. But when we first picked Protenus as a name, we just needed something that could have encompassed any one of those possibilities and it stuck. We loved it, so we stuck with it.