Presentation is loading. Please wait.

Presentation is loading. Please wait.

Uncovering Anomalous Usage of Medical Records via Social Network Analysis You Chen, Ph.D. Biomedical Informatics Dept., School of Medicine EECS Dept.,

Published byAlfred Black Modified over 9 years ago

Similar presentations

Presentation on theme: "Uncovering Anomalous Usage of Medical Records via Social Network Analysis You Chen, Ph.D. Biomedical Informatics Dept., School of Medicine EECS Dept.,"— Presentation transcript:

1 Uncovering Anomalous Usage of Medical Records via Social Network Analysis You Chen, Ph.D. Biomedical Informatics Dept., School of Medicine EECS Dept., School of Engineering November 2, 2011 TRUST Autumn 2011 Conference (Joint work with Bradley Malin, Steve Nyemba, and Wen Zhang)

2 Anomalous Usage2© You Chen, 2011

3 3Anomalous Usage

4 Two Typical Attacks Anomalous users Anomalous Access (1)Anomalous users detection –user level a b a c 4 (2) Anomalous accesses detection –access level Intruders have little knowledge of the system and the anticipated behavior Intruders have complete knowledge of the system and its policies

5 © You Chen, 20115 Machine Learning Case- Based Reasoning Role- based Role Mining Situation- based Community Anomaly Detection K-Nearest Neighbors Spectral Analysis Specialized Anomaly Detection Do not capture the dynamic relationships among users in collaborative information systems Does not offer stability of access control model over time High- Volume Users Anomalous Usage Access Control Models Auditing Models Related Research

6 © You Chen, 20116 S3S3 S2S2 S5S5 S4S4 S1S1 S6S6 S7S7 u1u1 u6u6 u5u5 u2u2 u4u4 u3u3 Behavioral Modeling S(ubjects) U(sers) Accesses Anomalous Usage Two general objects of health information system

7 Where are We Going? User Level Anomaly Detection Community Anomaly Detection System (CADS) (ACM CODASPY’11) Access Level Anomaly Detection Specialized Network Anomaly Detection (SNAD) (IEEE ISI’11) Anomalous Usage© You Chen, 20117

8 8 Social Networks are a Novel Approach to Discovery of Electronic Medical Record Misuse SNAD: A Local view of the network CADS: Leverages a global view of the network Anomalous Usage

9 © You Chen, 20119 Example Environments Electronic Health Records (EHR) Vanderbilt University Medical Center “StarPanel” Logs 6 months in 2006 Arbitrary Week  2,300 users  35,000 patient records  66,000 accesses Anomalous Usage

10 Where are We Going? User Level: Community Anomaly Detection System (CADS) (ACM CODASPY’11) – Framework of CADS – An Example of CADS – Experimental Evaluation – Limitation Access Level: Specialized Network Anomaly Detection (SNAD) (IEEE ISI’11) Anomalous Usage© You Chen, 201110

11 © You Chen, 201111 Community-Based Anomaly Detection (CADS) Communities of users Nearest neighbor networks

12 Where are We Going? User Level: Community Anomaly Detection System (CADS) (ACM CODASPY’11) – Framework of CADS – An Example of CADS – Experimental Evaluation – Limitation Access Level: Specialized Network Anomaly Detection (SNAD) (IEEE ISI’11) Anomalous Usage© You Chen, 201112

13 © You Chen, 201113Anomalous Usage Communities Derivation Distance Measurement Nearest Neighbor Network Bipartite graph Communities Deviation Measurement Deviation Scores

14 © You Chen, 201114 How Do We Set “k”-NN? Conductance- a measure of community quality (Kannan et al) Anomalous Usage

15 © You Chen, 201115 Minimum conductance for value k k Anomalous Usage Minimum conductance at k=6

16 © You Chen, 201116 The average cluster coefficient for this network is 0.48, which is significantly larger than 0.001 for random networks Users exhibit collaborative behavior in the health information system Example 6-Nearest Neighbor Network (1 day of accesses) Anomalous Usage

17 © You Chen, 201117 Every user is assigned a radius d: – the distance to his k th nearest neighbor Smaller the radius  higher density in user’s network Measuring Deviation from k-NN Anomalous Usage

18 Where are We Going? User Level: Community Anomaly Detection System (CADS) (ACM CODASPY’11) – Framework of CADS – An Example of CADS – Experimental Evaluation – Limitation Access Level: Specialized Network Anomaly Detection (SNAD) (IEEE ISI’11) Anomalous Usage© You Chen, 201118

19 © You Chen, 201119 Experimental Design Datasets are not annotated for illicit behavior We simulated users in several settings to test: – Sensitivity to number of records accessed Range from 1 to 1,000 – Sensitivity to number of anomalous users simulated users correspond to 0.5% to 5% of total users Number of records accessed fixed to 5 – Sensitivity to diversity Random number of users and records accessed Anomalous Usage

20 © You Chen, 201120 Deviation and Detection Rate Increases with Number of Subjects Accessed Deviation Patients Accessed False Positive Rate Patients Accessed Anomalous Usage

21 © You Chen, 201121 Detection Rate With Various Mix Rates of Real and Simulated Users True Positive Rate False Positive Rate Anomalous Usage

22 © You Chen, 201122 CADS Outperforms Competitors (mix rate = 0.5%) True Positive Rate False Positive Rate Anomalous Usage

23 Where are We Going? User Level: Community Anomaly Detection System (CADS) (ACM CODASPY’11) – Framework of CADS – An Example of CADS – Experimental Evaluation – Limitation Access Level: Specialized Network Anomaly Detection (SNAD) (IEEE ISI’11) Anomalous Usage© You Chen, 201123

24 © You Chen, 201124 Simulated users are indicative of misuse of the system… …but actual illicit behavior may be more directed. “False positives” are not necessarily false! (Adjudication by EHR privacy experts under way) Need to specialize tool to account for semantics of users and subjects – User: {Role, Department, Residence} – Patient: {Diagnosis, Procedure, Demographics, Residence} Anomalous users… not anomalous accesses – Need to account for insiders that deviate by only a couple of actions – Work underway (about to be submitted), but it’s detection is “local”, not “global” Some Limitations Anomalous Usage

25 Where are We Going? User Level: Community Anomaly Detection System (CADS) (ACM CODASPY’11) Access Level: Specialized Network Anomaly Detection (SNAD) (IEEE ISI’11) – Framework of SNAD – An Example of CADS – Experimental Evaluation – Limitation Anomalous Usage© You Chen, 201125

26 SNAD Framework Anomalous Usage© You Chen, 201126

27 Where are We Going? User Level: Community Anomaly Detection System (CADS) (ACM CODASPY’11) Access Level: Specialized Network Anomaly Detection (SNAD) (IEEE ISI’11) – Framework of SNAD – An Example of SNAD – Experimental Evaluation – Limitation Anomalous Usage© You Chen, 201127

28 © You Chen, 201128 User Modeling Anomalous Usage

29 © You Chen, 201129 Access Network Construction Anomalous Usage

30 © You Chen, 201130 Access Network Measurement Anomalous Usage

31 Measuring Accesses for Changes in Network Similarity Anomalous Usage© You Chen, 201131 Access: u 1 ->s 3

32 Where are We Going? User Level: Community Anomaly Detection System (CADS) (ACM CODASPY’11) Access Level: Specialized Network Anomaly Detection (SNAD) (IEEE ISI’11) – Framework of SNAD – An Example of SNAD – Experimental Evaluation – Limitation Anomalous Usage© You Chen, 201132

33 © You Chen, 201133 Experimental Design Datasets are not annotated for illicit behavior We simulated users in several settings to test: – Sensitivity to number of subjects accessed Range from 1 to 1,00 – Sensitivity to number of anomalous users Range from 2 to 20 Number of subjects accessed fixed to 5 – Sensitivity to diversity Random number of users and subjects accessed Anomalous Usage

34 © You Chen, 201134 SNAD: Deviation Rate Increase with Number of Subjects Accessed Number of Subjects the Intruder Accesses AUC Anomalous Usage

35 © You Chen, 201135 SNAD: Deviation Rate Increases with Number of Intruders Number of Intruders AUC Anomalous Usage

36 © You Chen, 201136 SNAD Outperforms Competitors When the Number of Intruders & Accessed Subjects is Random False positive rate True positive rate Anomalous Usage

37 Where are We Going? User Level: Community Anomaly Detection System (CADS) (ACM CODASPY’11) Access Level: Specialized Network Anomaly Detection (SNAD) (IEEE ISI’11) – Framework of SNAD – An Example of SNAD – Experimental Evaluation – Limitation Anomalous Usage© You Chen, 201137

38 Limitations SNAD has high performance in Vanderbilt’s EHR system because – organization is collaborative – access networks have high network similarity SNAD may not be appropriate for large access network with low network similarity – Absence of a user has little influence on the similarity. 38 Size of network Similarity of network

39 Conclusions It is an effective way by using social network analysis to detect anomalous usages of electronic health records, such as CADS and SNAD Adding semantic information of users and subjects will make social network analysis be more understandable 39

40 © You Chen, 201140 References Y. Chen and B. Malin. Detection of anomalous insiders in collaborative environments via relational analysis of access logs. In Proceedings of the ACM Conference on Data and Application Security Security and Privacy, pages 63–74, 2011. (CADS) Y. Chen, S. Nyemba, W. Zhang, and B. Malin. Leveraging social networks to detect anomalous insider actions in collaborative environments. In Proceedings of the 9th IEEE Intelligence and Security Informatics, pages 119–124, 2011.(SNAD) Gallagher R, Sengupta S, Hripcsak G, Barrows R, Clayton P. An audit server for monitoring usage of clinical information systems. Proceedings of the AMIA Symposium. 1998: 1002. A. A. Boxwala, J. Kim, J. M. Grillo, and L. O. Machado. Using statistical and machine learning to help institutions detect suspicious access to electronic health records. Journal of the American Medical Informatics Association, 18:498–505, 2011. Y. Liao and V. R. Vemuri. Use of k-nearest neighbor classifier for intrusion detection. Computer Security. 2002; 21(5): 439-448. R. Kannan, S. Vempala, and A. Vetta. On clusterings: Good, bad and spectral. Journal of the ACM, 51(3):497–515, 2004. Fabbri D, LeFevre K: Explanation-based auditing. In Proceedings of 38th International Conference on Very Large Data Bases 2012:to appear. M. Shyu, S. Chen, K. Sarinnapakorn, and L. Chang. A novel anomaly detection scheme based on principal component classifier. In IEEE Foundations and New Directions of Data Mining Workshop. 2003: 172-179. Anomalous Usage

41 Acknowledgements National Science Foundation CCF-0424422 (TRUST) CNS-0964063 National Institutes of Health R01LM010207 Carl Gunter, Ph.D. Igor Svecs Funding UIUC Erik Boczko, Ph.D., Ph.D. Josh Denny, M.D. Dario Giuse, Dr. Ing Bradley Malin, Ph.D. Vanderbilt Steve Nyemba, M.S. John Paulett, M.S. Jian Tian Wen Zhang, M.S. David Liebovitz, M.D. Sanjay Mehotra, Ph.D. Northwestern © You Chen, 201141Anomalous Usage

42 © You Chen, 201142 Questions? Comments? you.chen@vanderbilt.edu Health Information Privacy Lab: http://www.hiplab.org/ Anomalous Usage

43 © You Chen, 201143 SNAD assumes that access scores are approximately distributed around a well-centered mean. Access score Number of accesses

44 © You Chen, 201144 Access score Percentage of Accesses The correlation coefficient between real and Laplace distribution is 0.886 Anomalous Usage

Download ppt "Uncovering Anomalous Usage of Medical Records via Social Network Analysis You Chen, Ph.D. Biomedical Informatics Dept., School of Medicine EECS Dept.,"

Similar presentations

T HE ROLE OF GOVERNMENTS AND STAKEHOLDERS IN THE ICT PROMOTION DEVELOPMENT.

T HE ROLE OF GOVERNMENTS AND STAKEHOLDERS IN THE ICT PROMOTION DEVELOPMENT.
Role-Based Access Control CS461/ECE422 Fall 2011.

Role-Based Access Control CS461/ECE422 Fall 2011.
Validating EMR Audit Automation Carl A. Gunter University of Illinois Accountable Systems Workshop.

Validating EMR Audit Automation Carl A. Gunter University of Illinois Accountable Systems Workshop.
A Model of eHealth Interoperability Craig Kuziemsky, Telfer School of Mgmt, University of Ottawa. James Williams, Community Care Information Management.

A Model of eHealth Interoperability Craig Kuziemsky, Telfer School of Mgmt, University of Ottawa. James Williams, Community Care Information Management.
Ranking Outliers Using Symmetric Neighborhood Relationship Wen Jin, Anthony K.H. Tung, Jiawei Han, and Wei Wang Advances in Knowledge Discovery and Data.

Ranking Outliers Using Symmetric Neighborhood Relationship Wen Jin, Anthony K.H. Tung, Jiawei Han, and Wei Wang Advances in Knowledge Discovery and Data.
Active Learning for Streaming Networked Data Zhilin Yang, Jie Tang, Yutao Zhang Computer Science Department, Tsinghua University.

Active Learning for Streaming Networked Data Zhilin Yang, Jie Tang, Yutao Zhang Computer Science Department, Tsinghua University.
Role Prediction Using Electronic Medical Record System Audits Wen Zhang 1, Carl Gunter 3, David Liebovitz 4, Jian Tian 1, Bradley Malin 1,2 1 Dept. of.

Role Prediction Using Electronic Medical Record System Audits Wen Zhang 1, Carl Gunter 3, David Liebovitz 4, Jian Tian 1, Bradley Malin 1,2 1 Dept. of.
® Introduction Low Back Pain and Physical Function Among Different Ethnicities Adelle A Safo, Sarah Holder DO, Sandra Burge PhD The University of Texas.

® Introduction Low Back Pain and Physical Function Among Different Ethnicities Adelle A Safo, Sarah Holder DO, Sandra Burge PhD The University of Texas.
Data Mining Glen Shih CS157B Section 1 Dr. Sin-Min Lee April 4, 2006.

Data Mining Glen Shih CS157B Section 1 Dr. Sin-Min Lee April 4, 2006.
Data Mining and Intrusion Detection

Data Mining and Intrusion Detection
Intrusion Detection and Containment in Database Systems Abhijit Bhosale M.Tech (IT) School of Information Technology, IIT Kharagpur.

Intrusion Detection and Containment in Database Systems Abhijit Bhosale M.Tech (IT) School of Information Technology, IIT Kharagpur.
Using Structure Indices for Efficient Approximation of Network Properties Matthew J. Rattigan, Marc Maier, and David Jensen University of Massachusetts.

Using Structure Indices for Efficient Approximation of Network Properties Matthew J. Rattigan, Marc Maier, and David Jensen University of Massachusetts.
Chen Cheng1, Haiqin Yang1, Irwin King1,2 and Michael R. Lyu1

Chen Cheng1, Haiqin Yang1, Irwin King1,2 and Michael R. Lyu1
Introduction to Automatic Email Classification Shih-Wen (George) Ke 7 th Dec 2005.

Introduction to Automatic Classification Shih-Wen (George) Ke 7 th Dec 2005.
Use of Online Resources While Using a Clinical Information System James J. Cimino, MD; Jianhua Li, MD; Mark Graham, PhD, Leanne M. Currie, RN, MS; Mureen.

Use of Online Resources While Using a Clinical Information System James J. Cimino, MD; Jianhua Li, MD; Mark Graham, PhD, Leanne M. Currie, RN, MS; Mureen.
An Authentication Service Based on Trust and Clustering in Wireless Ad Hoc Networks: Description and Security Evaluation Edith C.H. Ngai and Michael R.

An Authentication Service Based on Trust and Clustering in Wireless Ad Hoc Networks: Description and Security Evaluation Edith C.H. Ngai and Michael R.
1 --- 6/16/2015 9:20:53 PM 9. Role-Based Access Control (RBAC) Role Classification Algorithm Prof. Bharat Bhargava Center for Education and Research in.

/16/2015 9:20:53 PM 9. Role-Based Access Control (RBAC) Role Classification Algorithm Prof. Bharat Bhargava Center for Education and Research in.
UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering On-line Alert Systems for Production Plants A Conflict Based Approach.

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering On-line Alert Systems for Production Plants A Conflict Based Approach.
1 Preserving Privacy in Collaborative Filtering through Distributed Aggregation of Offline Profiles The 3rd ACM Conference on Recommender Systems, New.

1 Preserving Privacy in Collaborative Filtering through Distributed Aggregation of Offline Profiles The 3rd ACM Conference on Recommender Systems, New.
A Hierarchical Energy-Efficient Framework for Data Aggregation in Wireless Sensor Networks IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 55, NO. 3, MAY.

A Hierarchical Energy-Efficient Framework for Data Aggregation in Wireless Sensor Networks IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 55, NO. 3, MAY.

Similar presentations

Ads by Google