Abstract

This research concerns the detection of abnormal data usage and unauthorised access in large-scale critical networks, specifically healthcare infrastructures. Hospitals in the UK are now connecting their traditionally isolated equipment on a large scale to Internet-enabled networks to enable remote data access. This step-change makes sensitive data accessible to a broader spectrum of users. The focus of this research is on the safeguarding of Electronic Patient Record (EPR) systems in particular. With over 83% of hospitals adopting EPRs, access to this healthcare data needs to be proactively monitored for malicious activity. Hospitals must maintain patient trust and ensure that the information security principles of Integrity, Availability and Confidentiality are applied to EPR data. Access to EPR is often heavily audited within healthcare infrastructures. However, this data is regularly left untouched in a data silo and only ever accessed on an ad hoc basis. Without proactive monitoring of audit records, data breaches may go undetected. In addition, external threats, such as phishing or social engineering techniques to acquire a clinician’s logon credentials, need to be identified. Data behaviour within healthcare infrastructures therefore needs to be proactively monitored for malicious, erratic or unusual activity. This paper presents a system that employs a density-based local outlier detection model. The system is intended to add to the defence-in-depth of healthcare infrastructures. Patterns in EPR data are extracted to profile user behaviour and device interactions in order to detect and visualize anomalous activities. The system is able to detect 144 anomalous behaviours in an unlabelled dataset of 1,007,727 audit logs. This includes 0.66% of the users on the system, 0.17% of patient record accesses, 0.74% of routine accesses, and 0.53% of the devices used in a specialist Liverpool (UK) hospital.
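As an added illustration of the density-based local outlier detection the abstract describes (not the paper's code), the sketch below uses Local Outlier Factor, a standard density-based local method, as an assumed stand-in and scores per-user profiles built from constructed audit rows. The four features, k=3 and the 1.5 threshold are assumptions, since the abstract does not state the paper's features or parameters.

```python
import math
from collections import defaultdict

def build_audit():
    """Constructed audit rows (not real data): (user, device, patient, hour)."""
    rows = []
    for u in range(8):    # ward clinicians: ~20 accesses, 6 patients, one device
        rows += [(f"clin{u}", f"d{u}", f"p{(u * 3 + i) % 6 + u}", 9 + i % 8)
                 for i in range(20 + u % 3)]
    for u in range(5):    # records clerks: high volume, but all behave alike
        rows += [(f"clerk{u}", f"d9{u}", f"p{i}", 9 + i % 8)
                 for i in range(200 + u)]
    # one clinician account: 60 patients from 7 devices, all at night
    rows += [("clin8", f"d{i % 7}", f"p{i}", 2 + i % 3) for i in range(60)]
    return rows

def profiles(rows):
    """Assumed features: accesses, distinct patients, distinct devices, night share."""
    acc = defaultdict(lambda: [0, set(), set(), 0])
    for user, dev, pat, hour in rows:
        a = acc[user]
        a[0] += 1
        a[1].add(pat); a[2].add(dev)
        a[3] += hour < 7 or hour >= 19
    return {u: (n, len(p), len(d), night / n) for u, (n, p, d, night) in acc.items()}

def lof_scores(points, k=3):
    """Local Outlier Factor on raw, unscaled feature vectors (scale them in practice)."""
    names = list(points)
    dist = {a: {b: math.dist(points[a], points[b]) for b in names if b != a}
            for a in names}
    kdist = {a: sorted(dist[a].values())[k - 1] for a in names}
    # k-neighbourhood keeps ties at the k-distance
    nbrs = {a: [b for b in dist[a] if dist[a][b] <= kdist[a]] for a in names}
    # local reachability density: inverse of mean reachability distance
    lrd = {a: len(nbrs[a]) / sum(max(kdist[b], dist[a][b]) for b in nbrs[a])
           for a in names}
    return {a: sum(lrd[b] for b in nbrs[a]) / (len(nbrs[a]) * lrd[a]) for a in names}

def flag(scores, threshold=1.5):
    """Users whose local density is much lower than that of their neighbours."""
    return sorted(u for u, s in scores.items() if s > threshold)

if __name__ == "__main__":
    scores = lof_scores(profiles(build_audit()))
    print(flag(scores), {u: round(s, 2) for u, s in scores.items()})
```

The clerks access far more records than the flagged account, so a global volume threshold would rank them first; the local score compares each user only with its nearest peers.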
