Title: Modeling and detecting anomalous topic access in EMR audit logs
Author(s): Gupta, Siddharth
Advisor(s): Gunter, Carl A.
Department / Program: Computer Science
Discipline: Computer Science
Degree Granting Institution: University of Illinois at Urbana-Champaign
Subject(s): Data Mining; Anomaly Detection; Healthcare Security; Electronic Health Records; Access Logs; Insider threats
Abstract: Recent use of Electronic Medical Records in hospitals has raised many privacy concerns regarding confidential patient information, which can be accessed by various users in the hospital's complex and dynamic environment. There has been considerable success in developing strategies to detect insider threats in healthcare information systems based on what one might call the random object access model, or ROA. This approach models illegitimate users who randomly access records. The goal is to use statistics, machine learning, knowledge of hospital workflows and other techniques to support an anomaly detection framework that finds such users. In this work we introduce and study a random topic access model, RTA, aimed at users whose access may well be illegitimate but is not fully random because it is focused on common hospital themes. We argue that this model is appropriate for a meaningful range of attacks and develop a system based on topic summarization that is able to formalize the model and provide anomalous user detection for it. We also propose a framework for evaluating the ability to recognize various types of random users, called random topic access detection, or RTAD. The proposed RTAD framework is an unsupervised detection model that combines Latent Dirichlet Allocation (LDA), for feature extraction, with a k-nearest neighbor (k-NN) algorithm for outlier detection. The analysis is done on a dataset from Northwestern Memorial Hospital, which consists of over 5 million accesses made by 8000 users to 14,000 patients in a four-month time period. Our results show varying degrees of success based on user roles and the anticipated characteristics of attackers, and evaluate the ability to identify different adversarial types relevant to the hospital ecosystem.
Issue Date: 2013-05-24
Rights Information: Copyright 2013 Siddharth Gupta
Date Available in IDEALS: 2013-05-24
Date Deposited: 2013-05
