Automatic Detection of Policies from Electronic Medical Record Access Logs. John M. Paulett †, Bradley Malin†‡ † Department of Biomedical Informatics ‡ Department of Electrical Engineering and Computer Science Vanderbilt University. TRUST Autumn Conference November 11, 2008.
Privacy in Healthcare Sensitive Data • Patients speak with expectation of confidentiality • Socially taboo diagnoses • Employment • HIPAA
TRUST Language for specifying temporal policies • Barth et al. Framework for integrating policies with system and workflow models • Werner et al. Model Integrated Clinical Information System (MICIS) • Mathe et al.
Status TRUST tool to formally specify, model, and manage policies in the context of existing and evolving clinical information systems But, where do these policies come from?
External Threat Success with standard security best-practices
Insider Threat Motivation • Celebrities • Friends / Neighbors • Coworkers • Spouse (divorce) Evidence of misuse • 6 fired, 80 re-trained – University of California, Davis • 13 fired for looking at Britney Spears’ record – March 2008 • George Clooney – October 2007
Protecting Against Insiders • Access Control • Limit users to only the set of patients they need to care for • Stop improper accesses from occurring • Auditing • Catch improper accesses after the fact
Access Control in Healthcare Upfront definition of policies is problematic • “Experts” have incomplete knowledge • Healthcare is dynamic: workflows and interactions change faster than experts can define them “False Positives” cause a negative impact on clinical workflow and potentially patient harm • “Break the glass”
Auditing in Healthcare Huge amount of data, every day: • Hundreds to thousands of providers • Millions of patients Which accesses are improper?
Current Auditing Vanderbilt University Medical Center • 1 Privacy Officer • 2 staff Auditing focus • Monitor celebrities • Monitor employee-employee access • Follow-up on external suspicion • Spot checks
Our Goal Inform Policy Definition Tools • Werner et al. • Barth et al. Assist auditing by defining what is normal
Our Approach Characterize normal operations, workflows, and relationships • Use access logs as proxy for this information
Our Approach Relational Network • Two providers related if they access the record of the same patient • Strength of the relationship: # records accessed in common Association Rules • What is the probability that we see two users or two departments interacting together? • Head → Body • Confidence - probability of seeing the Body, given the Head • Support - probability of seeing the Head and the Body
Association Rules Geriatric Psychology Ob-Gyn Neonatology 1 patient 172 patients
Association Rules Geriatric Psychology Ob-Gyn Neonatology 1 patient 172 patients Strong Relationship
Association Rules Geriatric Psychology Ob-Gyn Neonatology 1 patient 172 patients Weak Relationship
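The relational network and the Head → Body rules from the "Our Approach" slide, worked through on a small log. This is an added example, not HORNET's own code; the log rows, the function names, the choice of one patient as one transaction, and the `min_conf` review threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from itertools import combinations, permutations

# Constructed sample access log: (user, department, patient_id).
ACCESS_LOG = [
    ("u1", "Ob-Gyn", "p1"), ("u2", "Neonatology", "p1"),
    ("u1", "Ob-Gyn", "p2"), ("u2", "Neonatology", "p2"),
    ("u1", "Ob-Gyn", "p3"), ("u3", "Geriatric Psychology", "p3"),
    ("u3", "Geriatric Psychology", "p4"),
    ("u1", "Ob-Gyn", "p1"),  # repeat view of the same record, counted once
]

def patients_by(log, field):
    """Map each user (field=0) or department (field=1) to the patients it accessed."""
    seen = defaultdict(set)
    for row in log:
        seen[row[field]].add(row[2])
    return seen

def relational_network(log, field=0):
    """Edge weight = number of patient records both endpoints accessed."""
    seen = patients_by(log, field)
    edges = {}
    for a, b in combinations(sorted(seen), 2):
        common = len(seen[a] & seen[b])
        if common:
            edges[(a, b)] = common
    return edges

def association_rules(log, field=1):
    """Rules Head -> Body mapped to (support, confidence), patients as transactions."""
    seen = patients_by(log, field)
    total = len({row[2] for row in log})
    rules = {}
    for head, body in permutations(sorted(seen), 2):
        both = len(seen[head] & seen[body])
        if both:
            # support = P(Head and Body); confidence = P(Body | Head)
            rules[(head, body)] = (both / total, both / len(seen[head]))
    return rules

def flag_weak(rules, min_conf):
    """Rules under the (assumed) confidence threshold: pairings to queue for audit review."""
    return sorted(rule for rule, (_, conf) in rules.items() if conf < min_conf)
```

Confidence is directional: on this log Neonatology → Ob-Gyn has confidence 1.0 while Ob-Gyn → Neonatology has only 2/3, even though both rules share the same support.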
HORNET Healthcare Organization Relational Network Extraction Toolkit Open Source Easy and informative tool for privacy officials Rich platform for developers
Design Goals Easily handle healthcare-sized networks • 10^3 to 10^4 nodes • 10^6 to 10^7 edges Easily configurable for users Extendable by developers Log format agnostic
Plugins HORNET Core Task API Parallel & Distributed Computation Association Rule Mining Network API Social Network Analysis File API Network Visualization Network Abstraction File Network Builder Database Network Builder … Graph, Node, Edge, Network Statistics Noise Filtering CSV … Database API Oracle, MySQL, Etc.
Plugin Architecture Plugin Chaining • Plugins use Observer Pattern to notify each other • Allows complex piping of results between plugins • Chains defined in configuration file
Plugin Configuration Association Rule Mining Social Network Analysis Network Abstraction File Network Builder Network Visualization
Results from Vanderbilt 5 months of access logs from StarPanel, Vanderbilt’s EMR > 9000 users > 350,000 patients > 7,500,000 views
Edge Distribution • Distribution of Relationships per User in 1 week
Decay of Relationships How long do relationships last? Healthcare is dynamic!
Department Relationships Relationships (edges) between departments (nodes)
Department Relationships 20 departments with most relationships labeled
Association Rules For 16 weeks, 55,944 department-department rules (unfiltered)
Association Rules Sample of rules with high support
Association Rules Sample of rules with high confidence and occurring at least 3 weeks
Future Plans Temporal relationships • Find if certain users or departments are predictive of a patient seeing another user or department Filter Network • Remove noise, keep important relationships User interface • Tool for privacy officers to examine their organization’s logs
Future Plans Evaluation of rules by privacy and domain experts Integrate with MICIS access control system • Werner et al., Barth et al., Mathe et al.
Acknowledgements NSF grant CCF-0424422, the Team for Research in Ubiquitous Secure Technologies Dr. Randolph Miller and Kathleen Benitez Dr. Dario Giuse and David Staggs NetworkX, Numpy, Cython, Matplotlib
More Information http://hiplab.mc.vanderbilt.edu/projects/hornet john.paulett@vanderbilt.edu
Care Provider Relationships Children’s Hospital