Context-aware Anomaly Detection for Electronic Medical Record Systems
Yuan Xue
In collaboration with
Xiaowei Li, You Chen, Bradley Malin
Vanderbilt University
Outline
Background Approach Experiment Summary and Future Directions
Background
The EMR system is a critical component of today's Health Information Architecture, integrated with a variety of clinical systems, including laboratory, pharmacy, billing, decision support, etc.
EMR helps streamline clinical workflow and facilitates information sharing and health service delivery.
However, data security and privacy are challenging:
– Keep the confidentiality and integrity (tamper resistance) of patient data.
– Comply with various regulations and policies, such as HIPAA.
– …
Current EMR Security Landscape
Layered defenses around the EMR application (e.g. web portal) and the patient data, with their limitations:
– Firewall (hosting OS): cannot handle insider threat.
– Authentication: can be bypassed by a masquerader or by password sharing.
– Access control: cannot scale well or handle dynamics; clinical policy and guidelines are not guarded; cannot handle insider threat.
– Context-aware IDS (proposed in this work).
Our Approach: Context-aware Anomaly Detection
Objective: build an intrusion detection system (IDS) specially tailored to the EMR system, leveraging knowledge and traces from the clinical environment.
Key: extract differentiating features that accurately characterize the unique behaviors of EMR users.
Components (diagram): Traces → Feature Extraction & Modeling → Runtime Detection → Response Engine, with Clinical Context (e.g. organization info, user role, diagnosis codes) as an additional input.
A clinical workflow is a sequence of operations performed on the patient record by the caregiver while the patient receives healthcare services.
Diagram: a user session of one caregiver (Nancy, with her role) interleaves operations on the records of two patients, Bill and Bob: Prescribe Bill, Check Bob.lab, Prescribe Bob, Check Bill.lab. Decomposed per record, each clinical workflow is compared with the treatment guideline for the patient's diagnosis, here "check lab test before prescribe" (expected order: Check lab, then Prescribe).
Three-tier Workflow Model
1st Tier: profile user behavior for each user/role.
2nd Tier: decompose a session into a set of record-oriented clinical workflows.
3rd Tier: indicate the treatment guideline applicable to the patient, which may involve multiple users/roles.
Modeling techniques: action set/sequence.
Other challenges: user behavior may migrate/evolve with time; a patient may be associated with multiple disorders.
User Session Model
Intra-session Record-oriented Workflow Model
Across-session Record Access Workflow Model
Method Overview
Pipeline (diagram): Raw trace → Transformation → Web sessions → Extract → Workflow sequences.
– Training set: workflow sequences → Data object clustering → Training → HMM models.
– Test set (plus simulated attacks): workflow sequences → Detect → Anomaly score.
Two variants of the transformation: object-specific and object-cluster.
Object-specific approach
Establish a Hidden Markov Model for workflows on a per-object basis.
Intuition: the sequence of operations can be viewed as the observations that reflect the transitions of hidden steps in the business process. Similar work has used HMMs this way.
Training: establish an HMM on a per-object basis.
Detection: based on the object's HMM; if no HMM exists for that object, detection returns false.
Object-cluster approach
Data-object clustering:
– Meta-attributes.
– Based on workflow sequences.
– Similarity metric: normalized longest common subsequence (nLCS).
Training: establish an HMM on a per-cluster basis.
Detection: based on the cluster the object belongs to; otherwise evaluate all HMMs.
Experiment
Data set: StarPanel access logs.
Simulated attacks:
– A1 (session piggybacking): a sequence of operations from a different user is randomly inserted into the sequence of a session;
– A2 (guideline violation I): an operation is randomly removed from the sequence of a session;
– A3 (guideline violation II): the position of one operation is randomly permuted with another in the sequence of a session.
User groups: high, low, medium, based on record access frequency.
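As an added illustration (not the authors' code and not StarPanel data), the following Python decomposes a session into record-oriented workflows (2nd tier), scores each against a per-record profile with the nLCS similarity named above, and flags the permuted-operation pattern of attack A3 the way the distance-based baseline would. The sqrt normalization of nLCS, the 0.75 threshold, and all sample sequences are assumptions.

```python
from collections import defaultdict
from math import sqrt

def lcs_length(a, b):
    """Longest common subsequence length by dynamic programming (O(|a||b|))."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]

def nlcs(a, b):
    """Normalized LCS similarity in [0, 1]. Dividing by sqrt(|a|*|b|) is an
    assumption: the slides name nLCS but not its normalization."""
    if not a or not b:
        return 0.0
    return lcs_length(a, b) / sqrt(len(a) * len(b))

def decompose_session(session):
    """2nd tier: split a session of (record, operation) pairs into one
    record-oriented workflow sequence per patient record, order preserved."""
    workflows = defaultdict(list)
    for record, op in session:
        workflows[record].append(op)
    return dict(workflows)

def score_session(session, profile, threshold=0.75):
    """Distance-based detection (the baseline the slides compare HMMs with):
    each record's workflow gets the best nLCS against that record's training
    workflows; below the (assumed) threshold it is flagged. A record with no
    profile scores 0.0 and is flagged, mirroring 'if not exist, false'."""
    results = {}
    for record, seq in decompose_session(session).items():
        score = max((nlcs(seq, k) for k in profile.get(record, [])), default=0.0)
        results[record] = (round(score, 3), score < threshold)
    return results

# Constructed training data: per-record workflows that follow the slide's
# guideline "check lab test before prescribe".
PROFILE = {
    "Bill": [["Check lab", "Prescribe"], ["Check lab", "Review note", "Prescribe"]],
    "Bob": [["Check lab", "Prescribe"]],
}
# Constructed session (caregiver Nancy) interleaving two records: Bob's
# operations follow the guideline, Bill's are permuted (attack A3 pattern).
SESSION = [("Bill", "Prescribe"), ("Bob", "Check lab"),
           ("Bob", "Prescribe"), ("Bill", "Check lab")]
```

`score_session(SESSION, PROFILE)` flags Bill's workflow (nLCS 0.5) and accepts Bob's (nLCS 1.0); a removed operation (A2) scores about 0.71 against a two-step profile and is also flagged at this threshold.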
Results (charts)
– Web session model vs. workflow model
– HMM-based vs. distance-based
– Object-specific vs. cluster-based
– User group comparison
Summary and Future Directions
Context-aware anomaly detection technique for detecting anomalous web sessions.
Future directions:
– Validate the object clustering algorithm using patient diagnostic codes.
– Validate the user clustering algorithm using user role information.
(Chart axis label: false positive rate)