Role Prediction Using Electronic Medical Record System Audits

Electronic Medical Records (EMRs) provide convenient access to patient data for parties who should have it, but, unless managed properly, may also provide it to those who should not. Distinguishing the two is a core security challenge for EMRs. Strategies proposed to address these problems include Role Based Access Control (RBAC), which assigns collections of privileges called roles to users, and Experience Based Access Management (EBAM), which analyzes audit logs to determine access rights. In this paper, we integrate RBAC and EBAM through an algorithm, called Roll-Up, to manage roles effectively. In doing so, we introduce the concept of "role prediction" to identify roles from audit data. We apply the algorithm to three months of logs from Northwestern Memorial Hospital's Cerner system with approximately 8000 users and 140 roles. We demonstrate that existing roles can be predicted with 50% accuracy and intelligent grouping of roles through Roll-Up can facilitate 65% accuracy.
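The two ideas in the abstract, predicting a user's role from audit-log behaviour and then rolling up roles that the predictor cannot tell apart, as an added toy example that is not the paper's code: the nearest-centroid classifier, the confusion-driven merge and the audit log are all constructed assumptions, not the authors' Roll-Up algorithm or Northwestern's data.

```python
"""Toy role prediction from EMR audit logs, then one roll-up step that merges the two
roles the classifier confuses most. Classifier and merge rule are illustrative assumptions."""
from collections import Counter, defaultdict

# Constructed audit log, not hospital data: (user, assigned role, audited actions).
AUDIT_LOG = [(u, r, a) for u, r, acts in [
    ("u1", "nurse", "view_vitals chart_meds view_vitals"), ("u2", "nurse", "chart_meds view_vitals"),
    ("u3", "physician", "order_labs sign_note view_vitals"), ("u4", "physician", "order_labs sign_note"),
    ("u5", "resident", "order_labs view_vitals sign_note"), ("u6", "resident", "sign_note order_labs"),
    ("u7", "billing", "view_charges post_charge"), ("u8", "billing", "post_charge view_charges"),
] for a in acts.split()]

def user_profiles(log, role_map=None):
    """Per-user action-frequency vectors plus each user's (possibly rolled-up) role."""
    counts, roles = defaultdict(Counter), {}
    for user, role, action in log:
        counts[user][action] += 1
        roles[user] = role_map.get(role, role) if role_map else role
    profiles = {u: {a: n / sum(c.values()) for a, n in c.items()} for u, c in counts.items()}
    return profiles, roles

def cosine(a, b):
    dot = sum(a[k] * b.get(k, 0.0) for k in a)
    return dot / (sum(x * x for x in a.values()) ** 0.5 * sum(x * x for x in b.values()) ** 0.5)

def predict_roles(log, role_map=None):
    """Leave-one-out: a user gets the role whose mean profile over all other users is closest."""
    profiles, roles = user_profiles(log, role_map)
    predictions = {}
    for user, vec in profiles.items():
        sums, n = defaultdict(lambda: defaultdict(float)), Counter()
        for other, ovec in profiles.items():
            if other != user:
                n[roles[other]] += 1
                for a, x in ovec.items():
                    sums[roles[other]][a] += x
        best = max(sorted(sums), key=lambda r: cosine(vec, {a: x / n[r] for a, x in sums[r].items()}))
        predictions[user] = (roles[user], best)  # (assigned role, predicted role)
    return predictions

def accuracy(predictions):
    return sum(t == p for t, p in predictions.values()) / len(predictions)

def roll_up(predictions):
    """Map the most-confused pair of roles onto one combined role (a single roll-up step)."""
    confusion = Counter(tuple(sorted(tp)) for tp in predictions.values() if tp[0] != tp[1])
    if not confusion:
        return {}
    a, b = confusion.most_common(1)[0][0]
    return {a: a + "+" + b, b: a + "+" + b}
```

On this constructed log the physician and resident roles share the same audited actions, so they are predicted at chance; merging them is what lifts the leave-one-out accuracy, which is the effect the abstract reports at a much larger scale.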
