The decreasing cost of information technologies has rapidly enabled the collection, storage, and application of highly sensitive personal information in healthcare environments, which until recently, were dependent on paper documentation, face-to-face interactions, and physical protections for all matters trust-related. As these environments migrate to the electronic setting, it is imperative, as well as our legal and social obligation, to protect the privacy of patients" electronic health records (EHRs) from threats that are external, as well as internal, to healthcare organizations (HCOs). For the most part, the medical informatics and computer science communities have focused on the external threat, which has led to the development of sophisticated information and computer security mechanisms. However, the internal threat has been neglected, mainly due to the dynamic nature of complex HCOs, such as large distributed medical centers. One of the most significant challenges of data protection in HCOs is that we cannot limit service providers'access to the records in mission critical settings. Consider when a hospital patient requires treatment and a care provider's access to their EHR is delayed or denied, the patient may suffer considerable harm or death. Federal regulations, such as the Security Rule of the Health Insurance Portability and Accountability Act, require HCOs to stockpile access logs, but there are no clear mechanisms for auditing beyond simple manual spot checks, which are limited in scope. Thus, the overarching goal of this project to develop automated methods to data mine EHR access logs to detect when potentially privacy-violating accesses have been committed, so that the appropriate authorities may be alerted to follow-up with an investigation. Our primary goal is to develop informatics tools to monitor how users (e.g., physicians) access the records of subjects (e.g., patients) in the system and flag potentially privacy-compromising actions (e.g., an unauthorized "peek"). The proposed tools will integrate HCO knowledge and access log repositories to represent the system as a dynamic social network of teams and business processes that are applied to score the "safety" of each recorded access. The specific objectives of the proposed project are (1) to develop a scientific foundation for automatically learning and modeling the normal business operations of HCOs from EHR access logs, (2) to automatically detect EHR accesses that are suspicious in the context of learned HCO operations, (3) to evaluate our approach with expert feedback, and (4) to implement our approaches in an extendable software tool that is rapidly reconfigurable to any EHR system. In support of these goals, we will evaluate real world access logs from the EHR system of the Vanderbilt University Medical Center, which is a detailed repository with data covering tens of thousands of users and over a million patients. We believe that auditing tools for EHR systems, such as those developed through this research, are crucial to the continued adoption of health information technologies without sacrificing patients'privacy rights.

Public Health Relevance

To ensure wide-scale adoption of electronic health records (EHRs), it is crucial to apply technologies that uphold patient privacy in the face of complex demands and healthcare operations. In this research, we will develop technologies to assist healthcare administrators' surveillance efforts by monitoring EHR access logs. The specific goals of this project are to (1) develop a scientific foundation for learning business operations from EHR access logs, (2) tailor data mining techniques to detect anomalous accesses, (3) evaluate our approaches with real logs and healthcare experts, and (4) deploy a reconfigurable and extendible software toolkit to support access log mining and surveillance for any EHR system.

Agency
National Institute of Health (NIH)
Institute
National Library of Medicine (NLM)
Type
Research Project (R01)
Project #
5R01LM010207-04
Application #
8323988
Study Section
Biomedical Library and Informatics Review Committee (BLR)
Program Officer
Sim, Hua-Chuan
Project Start
2009-09-30
Project End
2014-09-29
Budget Start
2012-09-30
Budget End
2014-09-29
Support Year
4
Fiscal Year
2012
Total Cost
$231,155
Indirect Cost
$82,979
Name
Vanderbilt University Medical Center
Department
Internal Medicine/Medicine
Type
Schools of Medicine
DUNS #
004413456
City
Nashville
State
TN
Country
United States
Zip Code
37212
Chen, You; Lorenzi, Nancy; Nyemba, Steve et al. (2014) We work with them? Healthcare workers interpretation of organizational relations mined from electronic health records. Int J Med Inform 83:495-506
Malin, Bradley; Nyemba, Steve; Paulett, John (2011) Learning relational policies from electronic health record access logs. J Biomed Inform 44:333-42
Gunter, Carl A; Liebovitz, David; Malin, Bradley (2011) Experience-Based Access Management: A Life-Cycle Framework for Identity and Access Management Systems. IEEE Secur Priv 9:48-55
Zhang, Wen; Gunter, Carl A; Liebovitz, David et al. (2011) Role prediction using Electronic Medical Record system audits. AMIA Annu Symp Proc 2011:858-67