190 likes | 333 Views
Context-aware Anomaly Detection for Electronic Medical Record Systems. Yuan Xue In collaboration with Xiaowei Li, You Chen, Bradley Malin Vanderbilt University. Outline. Background Approach Experiment Summary and Future Directions. Background.
E N D
Context-aware Anomaly Detection for Electronic Medical Record Systems Yuan Xue In collaboration with Xiaowei Li, You Chen, Bradley Malin Vanderbilt University
Outline • Background • Approach • Experiment • Summary and Future Directions
Background • EMR system is a critical component in today’s Health Information Architecture, integrated with a variety of clinical systems, including laboratory, pharmacy, billing, decision support, etc. • EMR helps streamline clinical workflow, facilitate information sharing and health service delivery. • However, data security & privacy is challenging: • Keep the confidentiality and integrity (tamper-resistant) of patient data. • Comply with various regulations & policies, such as HIPPA, etc. • …
Current EMR Security Landscape Can be bypassed by masquerader, password sharing Clinical policy &guideline not guarded. EMR Application (e.g. web portal) Firewall Patient Data Context-aware IDS Authentication Access Control Hosting OS Cannot scale well and handle dynamics Cannot handle insider threat Cannot handle insider threat
Our Approach Context-aware Anomaly Detection • Objective: build an intrusion detection system (IDS), specially tailored to the EMR system, leveraging knowledge & traces from clinical environment. • Key: extract differentiating features that accurately characterize the unique behaviors of EMR users Traces Feature Extraction & Modeling Runtime Detection Response Engine Clinical Context (e.g. organization info, user role, diagnosis codes)
Clinical Workflow • A clinical workflow is a sequence of operations performed on the patient record by the caregiver during the patient receives healthcare services. User Session Clinical Workflow Check Bill.lab Prescribe Bill Check Bob.lab Prescribe Bob Caregiver (Role) Patient (Diagnosis) Treatment Guideline Check lab Prescribe Bill Nancy Check lab test before prescribe Bob
Three-tier Workflow Model • 1st Tier: profiling user behavior for each user/role; • 2nd Tier: decompose a session into a set of record-oriented clinical workflows. • 3rd Tier: indicating the treatment guideline applicable for the patient, involving multiple users/roles. • Modeling techniques: action set/sequence. • Other challenges: user behavior may migrate/evolve with time; a patient associated with multiple disorders. User Session Model Intra-session Record-oriented Workflow Model Across-session Record Access Workflow Model
Method Overview Object-cluster Transformation Data Object Clustering Training HMM models Training Set Workflow Sequence Extract Raw Trace Web Sessions Object-specific Transformation Detect Anomaly Score Test Set Workflow Sequence Simulated Attacks
Object-specific approach • Establish Hidden Markov Model for workflows on per-object basis. • Intuition: the sequence of operations can be viewed as the observations that reflect the transitions of hidden steps in the business process. There are also similar work using it. • Training: • establish HMM on per-object basis • Detection: • Based on the object; if not exist, false.
Object-cluster approach • Data-object clustering: • Meta-attributes. • Based on workflow sequences • Similarity metric: normalized longest common subsequence (nLCS) • Training: • establish HMM on per-cluster basis • Detection: • based on the cluster the object belongs to; else evaluate all HMMs.
Experiment • Data set: StarPanel access logs • Simulated attacks: • A1 (session piggybacking): a sequence of operations from a different user is randomly inserted into the sequence of a session; • A2 (guideline violation I): an operation is randomly removed from the sequence of a session; • A3 (guideline violation II): the position of one operation is randomly permuted with another in the sequence of a session. • User groups: • high, low, medium, based on record access frequency.
Results • Web session model vs. workflow model
Results • HMM vs. Distance-based • Object-specific vs. cluster-based
Results HMM-based vs Distance based
Results • User group comparison
Summary and Future Directions • Context-aware anomaly detection technique for detecting anomalous web sessions. • Future directions • Validate the object clustering algorithm using patient diagnostic code • Validate the user clustering algorithm using user role information
False positive rate "Title", J.Q. Speaker-Name