Automated Detection of Anomalous Accesses to Electronic Health Records

自动检测电子健康记录的异常访问

• 批准号: 7938889
• 负责人: Bradley A. Malin
• 金额: $ 24.21万
• 依托单位: VANDERBILT UNIVERSITY
• 依托单位国家: 美国
• 财政年份: 2009
• 资助国家: 美国
• 起止时间: 2009-09-30 至 2013-09-29
• 项目状态: 已结题
• 来源: https://reporter.nih.gov/project-details/7938889
• 关键词: Academic Medical Centers; Administrator; Adopted; Adoption; Architecture; Basic Science; Behavior; Businesses; Caring; Cessation of life; Clinical; Collection; Commit; Communities; Community Healthcare; Complement; Complex; Computer Security; Computer software; Computers; Data; Data Protection; Detection; Development; Documentation; Electronic Health Record; Electronics; Engineering; Ensure; Environment; Event; Face; Feedback; Foundations; Goals; Health Insurance Portability and Accountability Act; Healthcare; Hospitals; Individual; Informatics; Information Systems; Information Technology; Interdisciplinary Study; Investigation; Investments; Knowledge; Lead; Learning; Legal; Manuals; Measures; Medical; Medical Informatics; Medical Records; Medical center; Methodology; Methods; Mining; Mission; Modeling; Monitor; Nature; Neonatal; Noise; Nurses; Organizational Models; Paper; Patient Access to Records; Patients; Pattern; Physicians; Pilot Projects; Policies; Primary Health Care; Principal Investigator; Privacy; Probability; Process; Provider; Records; Regulation; Research; Research Infrastructure; Research Project Grants; Rights; Role; Running; Safety; Sampling; Science; Scientist; Secure; Security; Services; Social Network; Social Obligations; Societies; Software Engineering; Software Tools; Specific qualifier value; Spottings; Surveillance Modeling; System; Techniques; Technology; Time; Trust; Universities; Validation; Work; authority; base; biomedical informatics; computer science; cost; data mining; design; electronic recording system; expectation; experience; follow-up; forging; health information technology; health organization; interest; medical schools; member; neglect; new technology; novel; operation; organizational structure; patient privacy; point of care; prevent; psychologic; repository; response; software development; tool

DESCRIPTION (provided by applicant): The decreasing cost of information technologies has rapidly enabled the collection, storage, and application of highly sensitive personal information in healthcare environments, which until recently, were dependent on paper documentation, face-to-face interactions, and physical protections for all matters trust-related. As these environments migrate to the electronic setting, it is imperative, as well as our legal and social obligation, to protect the privacy of patients" electronic health records (EHRs) from threats that are external, as well as internal, to healthcare organizations (HCOs). For the most part, the medical informatics and computer science communities have focused on the external threat, which has led to the development of sophisticated information and computer security mechanisms. However, the internal threat has been neglected, mainly due to the dynamic nature of complex HCOs, such as large distributed medical centers. One of the most significant challenges of data protection in HCOs is that we cannot limit service providers' access to the records in mission critical settings. Consider when a hospital patient requires treatment and a care provider's access to their EHR is delayed or denied, the patient may suffer considerable harm or death. Federal regulations, such as the Security Rule of the Health Insurance Portability and Accountability Act, require HCOs to stockpile access logs, but there are no clear mechanisms for auditing beyond simple manual spot checks, which are limited in scope. Thus, the overarching goal of this project to develop automated methods to data mine EHR access logs to detect when potentially privacy-violating accesses have been committed, so that the appropriate authorities may be alerted to follow-up with an investigation. Our primary goal is to develop informatics tools to monitor how users (e.g., physicians) access the records of subjects (e.g., patients) in the system and flag potentially privacy-compromising actions (e.g., an unauthorized "peek"). The proposed tools will integrate HCO knowledge and access log repositories to represent the system as a dynamic social network of teams and business processes that are applied to score the "safety" of each recorded access. The specific objectives of the proposed project are (1) to develop a scientific foundation for automatically learning and modeling the normal business operations of HCOs from EHR access logs, (2) to automatically detect EHR accesses that are suspicious in the context of learned HCO operations, (3) to evaluate our approach with expert feedback, and (4) to implement our approaches in an extendable software tool that is rapidly reconfigurable to any EHR system. In support of these goals, we will evaluate real world access logs from the EHR system of the Vanderbilt University Medical Center, which is a detailed repository with data covering tens of thousands of users and over a million patients. We believe that auditing tools for EHR systems, such as those developed through this research, are crucial to the continued adoption of health information technologies without sacrificing patients' privacy rights.

描述（由申请人提供）： 信息技术的降低成本迅速使医疗保健环境中高度敏感的个人信息的收集，存储和应用能够依赖于纸质文档，面对面的互动以及对所有问题相关的物理保护。随着这些环境迁移到电子环境，保护患者的隐私是“电子健康记录（EHR）免受外部和内部的威胁，对医疗保健组织（HCOS）（HCOS）的威胁。在最多的角度上，医疗信息和计算机科学社区对外部威胁进行了机构，该机构是在机构中的发展，该机构是在机构上的发展，该机构的发展范围是多种多样的。忽略了复杂的HCO的动态性质，例如大型分布式医疗中心。需要HCO来库存访问日志，但是除了简单的手动点检查外，没有明确的审核机制，这些机制受到范围的限制。因此，该项目开发自动化方法的总体目标是数据挖掘EHR访问日志，以检测何时实施潜在的隐私竞争访问，以便可以通过调查来提醒适当的当局以进行跟进。我们的主要目标是开发信息学工具，以监视用户（例如，医生）如何访问系统中受试者（例如患者）的记录，并可能会访问潜在的隐私性掌握动作（例如，未经授权的“ PEEK”）。所提出的工具将集成HCO知识和访问日志存储库，以将系统表示为动态的团队和业务流程的社交网络，用于对每个记录的访问权限的“安全性”进行评分。拟议项目的具体目的是（1）为自动学习和建模来自EHR访问日志的HCO的正常业务运营的科学基础，（2）自动检测EHR访问，这些EHR访问在学习的HCO操作的上下文中是可疑的，（3）可以用专家反馈来评估我们的方法，以快速地将我们的求解方法评估我们的方法。为了支持这些目标，我们将评估范德比尔特大学医学中心EHR系统的现实世界访问日志，该系统是一个详细的存储库，其中涵盖了数以万计的用户和超过一百万的患者。我们认为，用于EHR系统的审计工具（例如通过这项研究开发的工具）对于不牺牲患者的隐私权而在不牺牲患者的隐私权的情况下继续采用健康信息技术至关重要。