Role Prediction Using Electronic Medical Record System Audits Wen Zhang 1, Carl Gunter 3, David Liebovitz 4, Jian Tian 1, Bradley Malin 1,2 1 Dept. of.

Presentation transcript:

Role Prediction Using Electronic Medical Record System Audits
Wen Zhang 1, Carl Gunter 3, David Liebovitz 4, Jian Tian 1, Bradley Malin 1,2
1 Dept. of Electrical Engineering & Computer Science, Vanderbilt University
2 Dept. of Biomedical Informatics, Vanderbilt University
3 Dept. of Computer Science, University of Illinois at Urbana Champaign
4 Dept. of Medicine, Northwestern University

Misuse of EMR Systems is Real
Medical center employees misuse medical record systems to breach privacy
When | Where | Who
2007 | Palisades Medical Center | George Clooney
2011 | UCLA | Various Celebrities
HIPAA Security Rule → Access to EMRs should be limited
The problem is not limited to celebrity snooping
But how?

Challenges to Security in EMRs
Basic security principles:
– Least privilege
– Separation of duty
Access control technologies have been around since the 1970s
Information systems often provide role-based access control (RBAC) capability [1]
– Privileges mapped to roles
– Users mapped to privileges
Roles are hard to define, so EMR systems often provide broad access rights
[1] R. Sandhu, E. Coyne, H. Feinstein and C. Youman. IEEE Computer

In “Rare” Cases – Break the Glass
A user may not have sufficient access rights to perform their job
This model allows users to temporarily escalate privilege
Access is logged and reviewed by an administrator
May require the user to specify a “reason” for access

Rare Cases?
Central Norway Health Region enabled break the glass
53,000 of 99,000 patients (54.5%) → broken glass
5,000 of 12,000 users (42.7%) → broke the glass
Over 295,000 logged breakage events in one month
Role | Users | Invoked Glass Breaks in Past Month
Nurse | 5633 | 36%
Doctor | 2927 | 52%
Health Secretary | 1876 | 52%
Physiotherapist | 382 | 56%
Psychologist | 194 | 58%
[3] L. Røstad and N. Øystein. Proceedings of the 2nd International Conference on Availability, Reliability and Security (ARES)

Idea! Refine Access Control Based on Behavior
Experience-based Access Management (EBAM)
Combine static knowledge (RBAC) with actual actions (access logs) and organizational knowledge for feedback control
[Diagram: RBAC, EMR Access Logs, Medical Center Knowledge, Experience-Based Access Management [2]]
[2] C. Gunter, D. Liebovitz, B. Malin. IEEE Security and Privacy Magazine

The Role Prediction Problem for EBAM
Use audit logs to predict if a user is associated with a role
Goals:
– Determine if expert-defined job titles are reasonable
– Provide administrators with a better idea of how to refine roles
[Diagram: Access Reason, Medical Service, Location of Patient; Role Classifier; Doctor, Nurse, Biller, …]

Evaluation with Cerner EMR of Northwestern Memorial Hospital
Represent users as vectors
Example audit logs:
User | Patient | Time | Service | User Position (Role) | Reason | Location
u1 | p1 | 8/4/10 | OBSTETRICS | NMH Physician Office - CPOE | Attending Phys/Prov | Ward A
u2 | p2 | 12/14/10 | OBSTETRICS | NMH Physician - CPOE | Patient Care | Ward A
u23 | p3 | 12/14/10 | PEDIATRICS | Unit Secretary 2 | Unit Secretary Orders | Ward B
Statistics: Users | Roles | Reasons | Services | Locations
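An added example, not taken from the presentation: one way to turn audit rows like those above into per-user vectors and compare each user's assigned role with the role their access pattern predicts. The nearest-centroid classifier with leave-one-out scoring, the function names and every log row are assumptions made for illustration; the slides do not say which classifier was used.

```python
import math
from collections import Counter, defaultdict

# Constructed audit rows: (user, assigned role, service, reason, location).
# Column meanings follow the slide's log layout; all values are made up.
AUDIT = [
    ("u1", "Physician", "OBSTETRICS", "Attending Phys/Prov", "Ward A"),
    ("u2", "Physician", "OBSTETRICS", "Patient Care", "Ward A"),
    ("u2", "Physician", "OBSTETRICS", "Attending Phys/Prov", "Ward A"),
    ("u3", "Physician", "OBSTETRICS", "Patient Care", "Ward A"),
    ("u4", "Unit Secretary", "PEDIATRICS", "Unit Secretary Orders", "Ward B"),
    ("u5", "Unit Secretary", "PEDIATRICS", "Unit Secretary Orders", "Ward B"),
    ("u5", "Unit Secretary", "OBSTETRICS", "Unit Secretary Orders", "Ward A"),
    ("u6", "Unit Secretary", "OBSTETRICS", "Attending Phys/Prov", "Ward A"),
]

def user_vectors(rows):
    """Return ({user: unit-length feature vector}, {user: assigned role})."""
    counts, roles = defaultdict(Counter), {}
    for user, role, service, reason, location in rows:
        roles[user] = role
        counts[user].update([f"service={service}", f"reason={reason}",
                             f"location={location}"])
    vectors = {}
    for user, c in counts.items():
        norm = math.sqrt(sum(v * v for v in c.values()))
        vectors[user] = {k: v / norm for k, v in c.items()}
    return vectors, roles

def cosine(a, b):
    dot = sum(w * b.get(k, 0.0) for k, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def predict_role(user, vectors, roles):
    """Nearest role centroid, built without the user being scored (assumed
    stand-in classifier, not the one used in the study)."""
    centroids = defaultdict(Counter)
    for other, vec in vectors.items():
        if other != user:
            centroids[roles[other]].update(vec)
    return max(sorted(centroids), key=lambda r: cosine(vectors[user], centroids[r]))

def role_mismatches(rows):
    """(user, assigned, predicted) where behavior points to a different role."""
    vectors, roles = user_vectors(rows)
    predicted = {u: predict_role(u, vectors, roles) for u in sorted(vectors)}
    return [(u, roles[u], p) for u, p in predicted.items() if p != roles[u]]
```

A role held by only one user has no centroid once that user is held out, so that user is always reported and such roles need separate review.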

Leveraging Role Hierarchies
To assist in role management, we worked with organization experts to build a hierarchy (specialized to Northwestern)
Optimization Tradeoff:
– Goal 1: Accuracy (should increase as we step up in hierarchy)
– Goal 2: Separation of Duty (will increase as we step down)
[Diagram: role hierarchy with levels Conceptual (5 roles), General (62 roles), Specific (140 roles); nodes Employee, Doctor, Specific Clinician, Dietitian, Junior Dietitian, Senior Dietitian, Physician, Nurse, …]

Basis of a “Role-Up” Algorithm
General idea: Audit roles at different levels of the hierarchy
1. Score each role in conceptual position & general position
2. Select role with the highest score & generalize its children
3. Repeat 1 & 2 until a threshold score is reached
Allow administrators to balance between the prediction accuracy and separation of duties (number of roles)

Balanced Scoring Function
R measures the extent to which specificity could be kept by the node
A measures the extent to which predictability could be achieved by the node

[Diagram: role hierarchy with nodes Employee, Doctor, Specific Clinician, Dietary, Junior Dietician, Senior Dietician, Physician, Nurse, Nurse 1, Nurse 2, Physician 2, Physician]
α = 0.5, Threshold =

[Diagram: role hierarchy with nodes Employee, Doctor, Specific Clinician, Dietary, Junior Dietician, Senior Dietician, Physician, Nurse, Nurse 1, Nurse]
α = 0.5, Threshold = 0.4

[Diagram: role hierarchy with nodes Employee, Doctor, Specific Clinician, Dietary, Nurse, Nurse 1, Nurse 2]
After one iteration, the role set is {Doctor, Nurse 1, Nurse 2, Dietary}
α = 0.5, Threshold = 0.4

Training & Testing at the Same Level of the Role Hierarchy
[Diagram: Employee, Specific Clinician, Nurse, Nurse 1]
Level | Accuracy
Conceptual | 82.38%
General | 52.45%
Specific | 51.34%

Distribution of Accuracy Over the Role Hierarchy

Most Predictable Roles
Rank | Role | Accuracy | Users
1 (tie) | AP-Technologist | 100% | 54
1 (tie) | ED Assistant | 100% | 26
1 (tie) | ED NMH Physician-CPOE | 100% | 43
1 (tie) | NMH Resident/Fellow ID Clinic-CPOE | 100% | 10
1 (tie) | Patient Care Staff Nurse – Lactation | 100% | 14

Least Predictable Roles
Rank | Role | Accuracy | Users
140 | Patient Care Staff Nurse | 7.6% |
 | Rehab OT | 14.3% | 28
138 | Transfer | 20.0% | 20
137 | View Only PC 3 | 21.4% | 14
136 | Patient Care Staff Nurse (Pilot) | 22.1% | 217

Number of Users in the Role Can Influence Accuracy

Case Study: Most Likely Mispredictions for Patient Care Staff Nurse
Predicted Role | Prediction
Patient Care Staff Nurse - Lactation | 19.6%
View Only PC 1 | 14.3%
Radiology – Nurse | 14.0%
Patient Care Staff Nurse (Pilot) | 10.4%
SN-RN/Customer Service | 5.8%

Most Likely Mispredictions
Original Role | Predicted Role | Probability
Rehab OT | Rehab PT | 85.7%
Patient Care Staff Nurse - Agency | Patient Care Staff Nurse - Lactation | 75.0%
Rehab PT | Rehab OT | 60.0%
View Only PC 3 | Patient Care Staff Nurse - Lactation | 50.0%
Medical Records - Scanner | Medical Records | 47.4%

Parameter Bias Trades Between Accuracy and Separation of Duty
Biased toward Accuracy: number of roles is small (27), accuracy is highest (63%)
Biased toward Specificity: number of roles is high (60), accuracy is lower (52%)
α | 0.1 | … | |
Number of Roles Recommended | 27 | … | 60 | 64
Accuracy of Role Predictions | 63.3% | … | 51.8% | 51.3%

Conclusion and Future Plans
– EHR audit logs can be analyzed to determine if the users’ behaviors are consistent with their designated job titles
– Role hierarchies enable automatic discovery of appropriate levels of role management
– Plan to expand Role-“up” to allow for Role-“down” and Role-“over”
– Need to evaluate Role-up with real hospital administrators, to assess its usability and acceptance of results

Acknowledgements
National Science Foundation
– CCF
– CNS
National Library of Medicine
– R01-LM
Office of the National Coordinator for HIT
– SHARPS (sharps.org)

Questions?