1 / 17

Context-aware Anomaly Detection for Electronic Medical Record Systems

Context-aware Anomaly Detection for Electronic Medical Record Systems. Yuan Xue In collaboration with Xiaowei Li, You Chen, Bradley Malin Vanderbilt University. Outline. Background Approach Experiment Summary and Future Directions. Background.

josephpatricia
Download Presentation

Context-aware Anomaly Detection for Electronic Medical Record Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Context-aware Anomaly Detection for Electronic Medical Record Systems Yuan Xue In collaboration with Xiaowei Li, You Chen, Bradley Malin Vanderbilt University

  2. Outline • Background • Approach • Experiment • Summary and Future Directions

  3. Background • EMR system is a critical component in today’s Health Information Architecture, integrated with a variety of clinical systems, including laboratory, pharmacy, billing, decision support, etc. • EMR helps streamline clinical workflow, facilitate information sharing and health service delivery. • However, data security & privacy is challenging: • Keep the confidentiality and integrity (tamper-resistant) of patient data. • Comply with various regulations & policies, such as HIPPA, etc. • …

  4. Current EMR Security Landscape Can be bypassed by masquerader, password sharing Clinical policy &guideline not guarded. EMR Application (e.g. web portal) Firewall Patient Data Context-aware IDS Authentication Access Control Hosting OS Cannot scale well and handle dynamics Cannot handle insider threat Cannot handle insider threat

  5. Our Approach Context-aware Anomaly Detection • Objective: build an intrusion detection system (IDS), specially tailored to the EMR system, leveraging knowledge & traces from clinical environment. • Key: extract differentiating features that accurately characterize the unique behaviors of EMR users Traces Feature Extraction & Modeling Runtime Detection Response Engine Clinical Context (e.g. organization info, user role, diagnosis codes)

  6. Clinical Workflow • A clinical workflow is a sequence of operations performed on the patient record by the caregiver during the patient receives healthcare services. User Session Clinical Workflow Check Bill.lab Prescribe Bill Check Bob.lab Prescribe Bob Caregiver (Role) Patient (Diagnosis) Treatment Guideline Check lab Prescribe Bill Nancy Check lab test before prescribe Bob

  7. Three-tier Workflow Model • 1st Tier: profiling user behavior for each user/role; • 2nd Tier: decompose a session into a set of record-oriented clinical workflows. • 3rd Tier: indicating the treatment guideline applicable for the patient, involving multiple users/roles. • Modeling techniques: action set/sequence. • Other challenges: user behavior may migrate/evolve with time; a patient associated with multiple disorders. User Session Model Intra-session Record-oriented Workflow Model Across-session Record Access Workflow Model

  8. Method Overview Object-cluster Transformation Data Object Clustering Training HMM models Training Set Workflow Sequence Extract Raw Trace Web Sessions Object-specific Transformation Detect Anomaly Score Test Set Workflow Sequence Simulated Attacks

  9. Object-specific approach • Establish Hidden Markov Model for workflows on per-object basis. • Intuition: the sequence of operations can be viewed as the observations that reflect the transitions of hidden steps in the business process. There are also similar work using it. • Training: • establish HMM on per-object basis • Detection: • Based on the object; if not exist, false.

  10. Object-cluster approach • Data-object clustering: • Meta-attributes. • Based on workflow sequences • Similarity metric: normalized longest common subsequence (nLCS) • Training: • establish HMM on per-cluster basis • Detection: • based on the cluster the object belongs to; else evaluate all HMMs.

  11. Experiment • Data set: StarPanel access logs • Simulated attacks: • A1 (session piggybacking): a sequence of operations from a different user is randomly inserted into the sequence of a session; • A2 (guideline violation I): an operation is randomly removed from the sequence of a session; • A3 (guideline violation II): the position of one operation is randomly permuted with another in the sequence of a session. • User groups: • high, low, medium, based on record access frequency.

  12. Results • Web session model vs. workflow model

  13. Results • HMM vs. Distance-based • Object-specific vs. cluster-based

  14. Results HMM-based vs Distance based

  15. Results • User group comparison

  16. Summary and Future Directions • Context-aware anomaly detection technique for detecting anomalous web sessions. • Future directions • Validate the object clustering algorithm using patient diagnostic code • Validate the user clustering algorithm using user role information

  17. False positive rate "Title", J.Q. Speaker-Name

More Related