Audit Cluster

Cluster Leader: David Liebovitz

Goal: developing ways to analyze logs of accesses to health records to catch policy violations and improve access management.

Overview of Contributions
Collecting information about access to and use of data, so that it can be subjected to audit review, has become a key strategy for security and privacy protections for medical data. The Audit Cluster focused on a variety of aspects of audit, primarily targeted at applications in hospitals. Key lines of analysis included the use of machine learning techniques to discover patterns in order to detect anomalous behavior or define security roles, formal models that allow precise representation and automated enforcement of policies, game-theoretic models to inform effective management of audit resources, encryption techniques to be used in connection with audit, and survey work to understand attitudes of patients toward being allowed to participate in audits themselves. Some projects not specifically focused on audit, but using techniques similar to those of most Audit Cluster projects, were also included in the cluster. These focused on machine learning techniques related to understanding permissions in mobile network app stores and automated analysis of medical text, including detection of privacy-relevant terminology. Outputs of the projects included methodologies, models, data sets, validation techniques, algorithms, and software.

Projects: There were 11 projects in the Audit Cluster:

  1. EBAM (Experience Based Access Management) focused on a methodology for continuous process improvement in access management systems and the application of the methodology to hospital systems. Aspects of EBAM were explored in other Audit Cluster projects.

  2. DATA focused on the development of data sets for testing audit methodology, particularly EBAM. A number of the SHARPS team members joined in a Data Use Agreement (DUA) that enabled sharing of audit log data from Northwestern Memorial Hospital (NMH) and Johns Hopkins Hospitals. Work on DATA included the development and refinement of large audit data sets of 4 and 12 months from NMH that were used in a number of the validations. These data sets included structured data from the patient records. A major finding of the EBAM and DATA part of the Audit Cluster was the value of having clinical information about patients in reviewing audit logs, especially because of the ability to apply ideas about workflow to access rights.

  3. PATHWAYS explored the idea that the sequence in which different types of chart users access a record, the patient care pathway, has regularities that can be used to detect anomalous behavior. This work involved collaboration with operations specialists and resulted in new efficient algorithms for anomaly detection over hospital audit logs.

  4. SIMILAR explored the idea of using chart access patterns and patient chart information to detect similarities between chart users and patients. For instance, one might learn that a particular chart user (like a cardiologist) tends to access a particular type of patient (like one with heart problems). Similarities between chart users and patients can then be used to detect anomalies. These techniques are also valuable for role definitions. This project produced a number of algorithms, machine learning techniques, software, and validations on real hospital data.

  5. ENFORCING PURPOSE RESTRICTIONS developed a model of purpose based on ideas from the area of planning. This was used to develop ways to define formal policies based on purpose (such as the use of a patient record only for the purpose of treating the patient) and algorithms to find instances in which purpose restrictions were violated. These techniques could be used in real time based on models developed over audit logs.

  6. PERMISSION REQUEST ANALYSIS studied the application of clustering techniques to the permissions offered by collections of apps in Android and Facebook. Understanding how app users will be able to understand permissions in new medical apps is an important direction and this project provided useful insight into the feasibility and value of clustering in two major app stores.

  7. MedIE studied algorithms for analyzing clinical text with a specific application to the discovery of mentions of sensitive conditions. Protection of information about sensitive conditions arose a number of times as a topic in SHARPS and refers to types of data that carry a particular stigma or special legal protection. Typical examples include records about mental health or drug abuse. MedIE focused on drug abuse, developing and exploiting a number of basic advances required in NLP for medical text to handle problems like mention detection (there are many names for drugs, for instance), negative mentions, co-reference and others. This project generated new algorithms and techniques.

  8. HIE AUDIT focused on audit for broker-based Health Information Exchanges (HIEs), that is, on networks for exchanging health records between institutions where the sharing is facilitated by a central broker system. Many such systems are emerging for metropolitan areas and states. This project used the Illinois HIE (ILHIE) as an inspiration and exploited techniques derived from the ENFORCING DISCLOSURE POLICIES project as a foundation for the audit automation, which was combined with customized encryption techniques using software from CHARM. Techniques from this project will inform the application of standards for audit in HIEs.

  9. ENFORCING DISCLOSURE POLICIES developed formal logic-based methods for automated analysis of audit logs to demonstrate compliance. The project showed how to do this for HIPAA and further demonstrated its flexibility with applications to HIEs. The project produced models, algorithms, expressiveness demonstrations, and novel software.

  10. ACCOUNTABILITY MECHANISMS developed models to optimize the balance of institutional resources between diverse audit functions. This project specifically focused on the problem that audit automation is unlikely to be sufficient by itself and that expensive manual review will still be required. Results of the project were algorithms and analysis techniques for optimization.

  11. PERCEPTIONS OF PRIVACY – ATTITUDES TOWARD AUDIT POLICY explored attitudes toward direct involvement of patients in audit. Proposed regulations encouraged the idea that patients could see who had accessed their records even for internal access (within a given hospital for instance), but this capability has proved controversial and compromises are being explored. The project is not yet complete and will report final results at a later date.