
Context-aware Anomaly Detection for Electronic Medical Record Systems


Yuan Xue

In collaboration with

Xiaowei Li, You Chen, Bradley Malin

Vanderbilt University

Outline

• Background

• Approach

• Experiment

• Summary and Future Directions

Background

The EMR system is a critical component in today’s Health Information Architecture, integrated with a variety of clinical systems, including laboratory, pharmacy, billing, decision support, etc.

EMR helps streamline clinical workflow and facilitates information sharing and health service delivery.

However, data security & privacy is challenging:

– Keep the confidentiality and integrity (tamper-resistant) of patient data.

– Comply with various regulations & policies, such as HIPAA, etc.

– …

Current EMR Security Landscape

Diagram components: EMR Application (e.g. web portal); Patient Data; Firewall; Hosting OS; Authentication; Access Control; Context-aware IDS

Diagram annotations:

– Cannot handle insider threat (appears twice)

– Can be bypassed by masquerader, password sharing

– Cannot scale well and handle dynamics

– Clinical policy & guideline not guarded.

Our Approach

Context-aware Anomaly Detection

Objective: build an intrusion detection system (IDS), specially tailored to the EMR system, leveraging knowledge & traces from the clinical environment.

Key: extract differentiating features that accurately characterize the unique behaviors of EMR users

Diagram components: Traces; Clinical Context (e.g. organization info, user role, diagnosis codes); Feature Extraction & Modeling; Runtime Detection; Response Engine

Clinical Workflow

A clinical workflow is a sequence of operations performed on the patient record by the caregiver while the patient receives healthcare services.

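Diagram labels: User Session; Clinical Workflow; Caregiver (Role); Treatment Guideline; Patient (Diagnosis)

Example shown in the diagram:

– Names: Nancy, Bill, Bob

– Annotation: Check lab test before prescribe

– Operation labels: Prescribe Bill, Check Bob.lab, Prescribe Bob, Check Bill.lab

– Operation labels: Check lab, Prescribe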

Three-tier Workflow Model

1st Tier: profile user behavior for each user/role.

2nd Tier: decompose a session into a set of record-oriented clinical workflows.

3rd Tier: indicate the treatment guideline applicable for the patient, involving multiple users/roles.

Modeling techniques: action set/sequence.

Other challenges: user behavior may migrate/evolve with time; a patient may be associated with multiple disorders.

User Session Model

Intra-session Record-oriented Workflow Model

Across-session Record Access Workflow Model

Method Overview

Diagram labels (method pipeline): Raw Trace; Transformation; Web Sessions; Extract; Workflow Sequence; Training Set; Data Object Clustering; Training; HMM models; Test Set; Simulated Attacks; Detect Anomaly; Score

Variants shown: Object-specific; Object-cluster

Object-specific approach

Establish a Hidden Markov Model (HMM) for workflows on a per-object basis.

Intuition: the sequence of operations can be viewed as the observations that reflect the transitions of hidden steps in the business process. Similar work also uses it.

Training:

– Establish an HMM on a per-object basis

Detection:

– Based on the object; if it does not exist, false.
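Scoring a workflow against a per-object HMM, as an added example that is not from the original slides. The model parameters, the object id "record-001", the operation names, the threshold and the reading of "if not exist, false" as "no model means no flag" are all assumptions.

```python
import math

# Constructed toy HMM for one record's workflow; every number is illustrative.
STATES = ("assess", "treat")
START = {"assess": 0.9, "treat": 0.1}
TRANS = {"assess": {"assess": 0.3, "treat": 0.7},
         "treat": {"assess": 0.2, "treat": 0.8}}
EMIT = {"assess": {"check_lab": 0.85, "prescribe": 0.05, "view_note": 0.10},
        "treat": {"check_lab": 0.05, "prescribe": 0.80, "view_note": 0.15}}
MODELS = {"record-001": (START, TRANS, EMIT)}  # hypothetical object id -> model


def log_likelihood(seq, model, floor=1e-6):
    """Scaled forward algorithm: returns log P(seq | model)."""
    start, trans, emit = model
    total, alpha = 0.0, None
    for op in seq:
        if alpha is None:  # first observation uses the start distribution
            prior = start
        else:              # later ones propagate through the transition matrix
            prior = {s: sum(alpha[p] * trans[p][s] for p in STATES) for s in STATES}
        # Operations never seen in training get a small floor probability.
        alpha = {s: prior[s] * emit[s].get(op, floor) for s in STATES}
        norm = sum(alpha.values())
        total += math.log(norm)
        alpha = {s: v / norm for s, v in alpha.items()}  # rescale to avoid underflow
    return total


def score(object_id, seq, models=MODELS):
    """Per-operation log-likelihood under the object's own HMM, or None if it has none."""
    if object_id not in models or not seq:
        return None
    return log_likelihood(seq, models[object_id]) / len(seq)


def is_anomalous(object_id, seq, threshold=-1.0):
    """Flag a workflow whose score falls below the threshold (an assumed value)."""
    s = score(object_id, seq)
    return s is not None and s < threshold
```

With these constructed parameters, the sequence check_lab, prescribe scores well above the threshold, while the same two operations in reverse order fall below it.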

Object-cluster approach

Data-object clustering:

– Meta-attributes.

– Based on workflow sequences

– Similarity metric: normalized longest common subsequence (nLCS)

• Training: establish HMM on per-cluster basis

• Detection: based on the cluster the object belongs to; else evaluate all HMMs.
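Clustering data objects by nLCS similarity of their workflow sequences, as an added example that is not from the original slides. The slides do not define the normalization or the clustering algorithm; dividing the LCS length by the longer sequence's length, the greedy single-pass clustering, the 0.6 threshold and the record names are assumptions.

```python
def lcs_len(a, b):
    """Length of the longest common subsequence, by dynamic programming."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def nlcs(a, b):
    """Assumed normalization: LCS length / length of the longer sequence, in [0, 1]."""
    if not a and not b:
        return 1.0
    return lcs_len(a, b) / max(len(a), len(b))


def cluster(workflows, threshold=0.6):
    """Greedy pass: an object joins the first cluster whose representative is similar enough."""
    clusters = []  # list of (representative sequence, [object ids])
    for obj, seq in workflows.items():
        for rep, members in clusters:
            if nlcs(seq, rep) >= threshold:
                members.append(obj)
                break
        else:
            clusters.append((seq, [obj]))
    return [members for _, members in clusters]


def models_for(obj, clusters):
    """Detection routing: the object's own cluster, or every cluster for an unseen object."""
    own = [i for i, members in enumerate(clusters) if obj in members]
    return own or list(range(len(clusters)))


# Constructed workflow sequences, one per data object.
WORKFLOWS = {
    "rec-A": ["check_lab", "view_note", "prescribe"],
    "rec-B": ["check_lab", "prescribe"],
    "rec-C": ["view_image", "order_scan", "view_image", "view_note"],
    "rec-D": ["order_scan", "view_image", "view_note"],
}
CLUSTERS = cluster(WORKFLOWS)
```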

Experiment

Data set: StarPanel access logs

Simulated attacks:

– A1 (session piggybacking): a sequence of operations from a different user is randomly inserted into the sequence of a session;

– A2 (guideline violation I): an operation is randomly removed from the sequence of a session;

– A3 (guideline violation II): the position of one operation is randomly permuted with another in the sequence of a session.

User groups: – high, low, medium, based on record access frequency.
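Generating the three simulated attacks from a clean session for a detector test set, as an added example that is not from the original slides. The session contents, the record names and the hand-written "lab check before prescribe" rule (a stand-in for the learned model) are constructed assumptions.

```python
import random

# Constructed session: (operation, record) pairs in logged order.
SESSION = [("check_lab", "bill"), ("check_lab", "bob"),
           ("prescribe", "bill"), ("prescribe", "bob")]
# Constructed operations taken from a different user's session.
FOREIGN = [("view_note", "carol"), ("prescribe", "carol")]


def a1_piggyback(session, foreign, rng):
    """A1: insert another user's operation sequence at a random position."""
    i = rng.randrange(len(session) + 1)
    return session[:i] + foreign + session[i:]


def a2_remove(session, rng):
    """A2: drop one randomly chosen operation."""
    i = rng.randrange(len(session))
    return session[:i] + session[i + 1:]


def a3_permute(session, rng):
    """A3: swap the positions of two randomly chosen operations."""
    i, j = rng.sample(range(len(session)), 2)
    out = list(session)
    out[i], out[j] = out[j], out[i]
    return out


def workflows(session):
    """Tier 2 view: split a session into per-record operation sequences."""
    per_record = {}
    for op, record in session:
        per_record.setdefault(record, []).append(op)
    return per_record


def guideline_violations(session):
    """Records that are prescribed for without an earlier lab check."""
    bad = []
    for record, ops in workflows(session).items():
        if "prescribe" in ops and "check_lab" not in ops[:ops.index("prescribe")]:
            bad.append(record)
    return bad
```

Not every A2 or A3 mutation breaks this single rule (removing a prescribe operation does not, for example), so a fixed rule misses variants that a model trained on whole workflow sequences is meant to score.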

Results

Web session model vs. workflow model

Results

HMM vs. Distance-based

Object-specific vs. cluster-based

Results

HMM-based vs Distance based

Results

User group comparison

Summary and Future Directions

Context-aware anomaly detection technique for detecting anomalous web sessions.

Future directions

– Validate the object clustering algorithm using patient diagnostic code

– Validate the user clustering algorithm using user role information

False positive rate
