Density-Based Outlier Detection for Safeguarding Electronic patient Record Systems

This paper concerns the detection of abnormal data usage and unauthorized access in large-scale critical networks, specifically healthcare infrastructures. Hospitals in the U.K. are now connecting their traditionally isolated equipment on a large scale to Internet-enabled networks to enable remote data access. This step-change makes sensitive data accessible to a broader spectrum of users. The focus of this paper is on the safeguarding of electronic patient record (EPR) systems in particular. With over 83% of hospitals adopting EPRs, access to this healthcare data needs to be proactively monitored for malicious activity. Hospitals must maintain patient trust and ensure that the information security principles of integrity, availability, and confidentiality are applied to EPR data. Access to EPR is often heavily audited within healthcare infrastructures. However, this data is regularly left untouched in a data silo and only ever accessed on an ad hoc basis. Without proactive monitoring of audit records, data breaches may go undetected. In addition, external threats, such as phishing or social engineering techniques to acquire a clinician's logon credentials, need to be identified. Data behavior within healthcare infrastructures, therefore, needs to be proactively monitored for malicious, erratic, or unusual activity. This paper presents a system that employs a density-based local outlier detection model. The system is intended to add to the defense-in-depth of healthcare infrastructures. Patterns in EPR data are extracted to profile user behavior and device interactions in order to detect and visualize anomalous activities. The system is able to detect 144 anomalous behaviors in an unlabeled dataset of 1,007,727 audit logs. This includes 0.66% of the users on the system, 0.17% of patient record accesses, 0.74% of routine accesses, and 0.53% of the devices used in a specialist Liverpool (U.K.) hospital.