Abstract
In electronic medical record (EMR) systems, administrators often provide EMR users with broad access privileges, which may leave the system vulnerable to misuse and abuse. Given that patient care is based on a coordinated workflow, we hypothesize that care pathways can be represented as the progression of a patient through a system and introduce a strategy to model the patient’s flow as a sequence of accesses defined over a graph. Elements in the sequence correspond to features associated with the access transaction (e.g., reason for access). Based on this motivation, we model patterns of patient record usage, which may indicate deviations from care workflows. We evaluate our approach using several months of data from a large academic medical center. Empirical results show that this framework finds that a small portion of accesses constitute outliers from such flows. We also observe that the violation patterns deviate for different types of medical services. Analysis of our results suggests greater deviation from normal access patterns by nonclinical users. We simulate anomalies in the context of real accesses to illustrate the efficiency of the proposed method for different medical services. As an illustration of the capabilities of our method, the area under the receiver operating characteristic (ROC) curve for the Pediatrics service was 0.9166. The results suggest that our approach is competitive with, and often better than, the existing state-of-the-art in its outlier detection performance. At the same time, our method is more efficient, by orders of magnitude, than previous approaches, allowing for detection of thousands of accesses in seconds.
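The idea of treating a patient's record accesses as a path over a graph can be illustrated with a simplified first-order transition model. This is an added example, not the paper's algorithm or code: the `START` node, the reason-for-access labels, the 0.1 threshold and the sample sequences are all constructed assumptions.

```python
from collections import Counter, defaultdict

START = "<start>"  # hypothetical entry node for every patient's flow

def build_flow_graph(sequences):
    """Learn {prev_reason: {next_reason: P(next | prev)}} from access sequences."""
    counts = defaultdict(Counter)
    for seq in sequences:
        prev = START
        for reason in seq:
            counts[prev][reason] += 1
            prev = reason
    return {prev: {r: c / sum(nxt.values()) for r, c in nxt.items()}
            for prev, nxt in counts.items()}

def score_sequence(graph, seq):
    """Pair each access with the probability of the edge that led to it."""
    scored, prev = [], START
    for reason in seq:
        scored.append((reason, graph.get(prev, {}).get(reason, 0.0)))
        prev = reason
    return scored

def flag_outliers(graph, seq, threshold=0.1):
    """Return (position, reason, probability) for accesses off the usual flow."""
    return [(i, r, p) for i, (r, p) in enumerate(score_sequence(graph, seq))
            if p < threshold]

# Constructed historical flows: one list of access reasons per patient episode.
HISTORY = [
    ["registration", "triage", "physician", "lab", "physician", "discharge", "billing"],
    ["registration", "triage", "physician", "discharge", "billing"],
    ["registration", "triage", "lab", "physician", "discharge", "billing"],
    ["registration", "triage", "physician", "lab", "physician", "discharge", "billing"],
]
# Constructed episode with a billing access in the middle of clinical care.
OBSERVED = ["registration", "triage", "billing", "physician", "discharge", "billing"]

if __name__ == "__main__":
    graph = build_flow_graph(HISTORY)
    for pos, reason, prob in flag_outliers(graph, OBSERVED):
        print(f"access {pos} ({reason}): transition probability {prob:.2f}")
```

In a first-order model one out-of-flow access produces two low-probability edges, the one entering it and the one leaving it, so adjacent flags should be reviewed together.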