Modeling and detecting anomalous topic access in EMR audit logs
Gupta, Siddharth
Permalink
https://hdl.handle.net/2142/44198
Description
- Title
- Modeling and detecting anomalous topic access in EMR audit logs
- Author(s)
- Gupta, Siddharth
- Issue Date
- 2013-05-24T21:53:58Z
- Director of Research (if dissertation) or Advisor (if thesis)
- Gunter, Carl A.
- Department of Study
- Computer Science
- Discipline
- Computer Science
- Degree Granting Institution
- University of Illinois at Urbana-Champaign
- Degree Name
- M.S.
- Degree Level
- Thesis
- Keyword(s)
- Data Mining
- Anomaly Detection
- Healthcare Security
- Electronic Health Records
- Access Logs
- Insider threats
- Abstract
- Recent use of Electronic Medical Records in hospitals has raised many privacy concerns regarding confidential patient information, which can be accessed by various users in the hospital's complex and dynamic environment. There has been considerable success in developing strategies to detect insider threats in healthcare information systems based on what one might call the random object access model, or ROA. This approach models illegitimate users who randomly access records. The goal is to use statistics, machine learning, knowledge of hospital workflows and other techniques to support an anomaly detection framework that finds such users. In this work we introduce and study a random topic access model, RTA, aimed at users whose access may well be illegitimate but is not fully random because it is focused on common hospital themes. We argue that this model is appropriate for a meaningful range of attacks and develop a system based on topic summarization that is able to formalize the model and provide anomalous user detection for it. We also propose a framework for evaluating the ability to recognize various types of random users, called random topic access detection, or RTAD. The proposed RTAD framework is an unsupervised detection model that combines Latent Dirichlet Allocation (LDA), for feature extraction, with a k-nearest neighbor (k-NN) algorithm for outlier detection. The analysis is done on a dataset from Northwestern Memorial Hospital which consists of over 5 million accesses made by 8000 users to 14,000 patients in a four-month time period. Our results show varying degrees of success based on user roles and the anticipated characteristics of attackers, and evaluate the ability to identify different adversarial types relevant to the hospital ecosystem.
- Graduation Semester
- 2013-05
- Permalink
- http://hdl.handle.net/2142/44198
- Copyright and License Information
- Copyright 2013 Siddharth Gupta
Owning Collections
Graduate Dissertations and Theses at Illinois PRIMARY
Graduate Theses and Dissertations at Illinois
Dissertations and Theses - Computer Science
Dissertations and Theses from the Dept. of Computer Science