Automated Detection of Anomalous Accesses to Electronic Health Records

自动检测电子健康记录的异常访问

• 批准号: 7938889
• 负责人: Bradley A. Malin
• 金额: $ 24.21万
• 依托单位: VANDERBILT UNIVERSITY
• 依托单位国家: 美国
• 财政年份: 2009
• 资助国家: 美国
• 起止时间: 2009-09-30 至 2013-09-29
• 项目状态: 已结题
• 来源: https://reporter.nih.gov/project-details/7938889
• 关键词: Academic Medical Centers; Administrator; Adopted; Adoption; Architecture; Basic Science; Behavior; Businesses; Caring; Cessation of life; Clinical; Collection; Commit; Communities; Community Healthcare; Complement; Complex; Computer Security; Computer software; Computers; Data; Data Protection; Detection; Development; Documentation; Electronic Health Record; Electronics; Engineering; Ensure; Environment; Event; Face; Feedback; Foundations; Goals; Health Insurance Portability and Accountability Act; Healthcare; Hospitals; Individual; Informatics; Information Systems; Information Technology; Interdisciplinary Study; Investigation; Investments; Knowledge; Lead; Learning; Legal; Manuals; Measures; Medical; Medical Informatics; Medical Records; Medical center; Methodology; Methods; Mining; Mission; Modeling; Monitor; Nature; Neonatal; Noise; Nurses; Organizational Models; Paper; Patient Access to Records; Patients; Pattern; Physicians; Pilot Projects; Policies; Primary Health Care; Principal Investigator; Privacy; Probability; Process; Provider; Records; Regulation; Research; Research Infrastructure; Research Project Grants; Rights; Role; Running; Safety; Sampling; Science; Scientist; Secure; Security; Services; Social Network; Social Obligations; Societies; Software Engineering; Software Tools; Specific qualifier value; Spottings; Surveillance Modeling; System; Techniques; Technology; Time; Trust; Universities; Validation; Work; authority; base; biomedical informatics; computer science; cost; data mining; design; electronic recording system; expectation; experience; follow-up; forging; health information technology; health organization; interest; medical schools; member; neglect; new technology; novel; operation; organizational structure; patient privacy; point of care; prevent; psychologic; repository; response; software development; tool

DESCRIPTION (provided by applicant): The decreasing cost of information technologies has rapidly enabled the collection, storage, and application of highly sensitive personal information in healthcare environments, which until recently, were dependent on paper documentation, face-to-face interactions, and physical protections for all matters trust-related. As these environments migrate to the electronic setting, it is imperative, as well as our legal and social obligation, to protect the privacy of patients" electronic health records (EHRs) from threats that are external, as well as internal, to healthcare organizations (HCOs). For the most part, the medical informatics and computer science communities have focused on the external threat, which has led to the development of sophisticated information and computer security mechanisms. However, the internal threat has been neglected, mainly due to the dynamic nature of complex HCOs, such as large distributed medical centers. One of the most significant challenges of data protection in HCOs is that we cannot limit service providers' access to the records in mission critical settings. Consider when a hospital patient requires treatment and a care provider's access to their EHR is delayed or denied, the patient may suffer considerable harm or death. Federal regulations, such as the Security Rule of the Health Insurance Portability and Accountability Act, require HCOs to stockpile access logs, but there are no clear mechanisms for auditing beyond simple manual spot checks, which are limited in scope. Thus, the overarching goal of this project to develop automated methods to data mine EHR access logs to detect when potentially privacy-violating accesses have been committed, so that the appropriate authorities may be alerted to follow-up with an investigation. Our primary goal is to develop informatics tools to monitor how users (e.g., physicians) access the records of subjects (e.g., patients) in the system and flag potentially privacy-compromising actions (e.g., an unauthorized "peek"). The proposed tools will integrate HCO knowledge and access log repositories to represent the system as a dynamic social network of teams and business processes that are applied to score the "safety" of each recorded access. The specific objectives of the proposed project are (1) to develop a scientific foundation for automatically learning and modeling the normal business operations of HCOs from EHR access logs, (2) to automatically detect EHR accesses that are suspicious in the context of learned HCO operations, (3) to evaluate our approach with expert feedback, and (4) to implement our approaches in an extendable software tool that is rapidly reconfigurable to any EHR system. In support of these goals, we will evaluate real world access logs from the EHR system of the Vanderbilt University Medical Center, which is a detailed repository with data covering tens of thousands of users and over a million patients. We believe that auditing tools for EHR systems, such as those developed through this research, are crucial to the continued adoption of health information technologies without sacrificing patients' privacy rights.

描述（由申请人提供）： 信息技术成本的下降迅速使得医疗保健环境中高度敏感的个人信息的收集、存储和应用成为可能，直到最近，这些信息还依赖于纸质文档、面对面的互动以及对所有信任事项的物理保护。有关的。随着这些环境迁移到电子环境，我们必须保护患者电子健康记录 (EHR) 的隐私，使其免受医疗机构外部和内部的威胁，这也是我们的法律和社会义务。大多数情况下，医学信息学和计算机科学界都关注外部威胁，这导致了复杂的信息和计算机安全机制的发展，但内部威胁却被忽视了，这主要是由于其动态性。复杂 HCO 的性质，例如作为大型分布式医疗中心，HCO 中数据保护的最重大挑战之一是我们无法限制服务提供商在关键任务环境中访问记录。延迟或拒绝，患者可能会遭受相当大的伤害或死亡，联邦法规（例如《健康保险流通和责任法案》的安全规则）要求 HCO 存储访问日志，但除了简单的手动抽查之外，没有明确的审核机制。 ，其限制在 范围。因此，该项目的总体目标是开发自动化方法来数据挖掘 EHR 访问日志，以检测何时发生了潜在的侵犯隐私的访问，以便通知有关当局进行后续调查。我们的主要目标是开发信息学工具来监控用户（例如医生）如何访问系统中受试者（例如患者）的记录并标记潜在的隐私泄露行为（例如未经授权的“偷看”）。拟议的工具将集成 HCO 知识和访问日志存储库，将系统表示为团队和业务流程的动态社交网络，用于对每个记录的访问的“安全性”进行评分。拟议项目的具体目标是 (1) 为从 EHR 访问日志中自动学习和建模 HCO 的正常业务运营奠定科学基础，(2) 自动检测在学习的 HCO 操作背景下可疑的 EHR 访问，（3）根据专家反馈评估我们的方法，（4）在可扩展的软件工具中实施我们的方法，该软件工具可快速重新配置到任何 EHR 系统。为了支持这些目标，我们将评估范德比尔特大学医学中心 EHR 系统的真实世界访问日志，该系统是一个详细的存储库，包含覆盖数万用户和超过 100 万患者的数据。我们相信，EHR 系统的审计工具（例如通过本研究开发的工具）对于在不牺牲患者隐私权的情况下继续采用健康信息技术至关重要。