EMR Access Monitoring: Can Users Circumvent Detection by Clicking More?

Monitoring and auditing electronic medical records (EMRs) have long been associated with tedious manual workflows. Privacy monitoring platforms can reduce the time an auditor spends combing through data while increasing their efficacy in catching suspicious accesses. While software platforms are not new to EMR monitoring, those using statistical anomaly approaches are becoming more popular. These methods attempt to characterize typical vs. atypical user access patterns by looking at the access log in isolation. While statistical and workflow analyses can be useful privacy monitoring tools, hospital privacy and compliance officers must also be aware of their limitations.

A popular method for ePHI statistical anomaly detection first baselines a user’s access patterns (number of accesses, timing of accesses and duration of accesses), and then alerts the privacy officer if the user deviates from normal use. While such an approach can catch large-scale data scraping, it is not well suited to small-scale violations. Similarly, due to the dynamic nature of patient care, the timing of accesses can vary greatly depending on an employee’s shift or on-call service, thus introducing false positives.

More advanced statistical anomaly detection methods will consider the order of accesses and the types of accesses (e.g., accesses to the lab system or patient’s medication history). These systems are based on the hypothesis that accesses made in a typical order are appropriate, while one-off accesses in irregular orders are suspicious. For some situations, this hypothesis may hold true, but the dynamic nature of patient care can cause false positives. Even worse, these systems are susceptible to simple attacks in which the malicious user clicks more in the EMR system to circumvent detection. If the hospital employee readily knows a normal workflow (e.g., for a patient appointment), the user can easily get to the desired data while mimicking the normal access process and avoid detection.

A robust patient privacy monitoring system protects against adversarial attacks, even if the user clicks more records or accesses specific parts of a chart to appear normal. A general principle to consider when evaluating patient privacy monitoring systems is: “Can the metric used to determine suspiciousness be manipulated by the user easily?” If yes, the system is susceptible to adversarial attacks. One way to build more robust systems is to incorporate clinical context into the detection system. Clinical notes, encounter history and diagnosis information can be used in conjunction with the access log to better model normal behavior and detect outliers. Without combining clinical evidence with access data, hospitals may be unable to detect a wide range of attacks.
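
The principle above, as an added example that is not from the original article or any vendor's product: an order-only metric is compared with a check that joins the access log to encounter history, which the accessing user does not control. The record layouts, user and patient IDs, the `TYPICAL_ORDER` workflow and the 30-day window are all assumptions, and the sample data is constructed.

```python
from datetime import date, timedelta

# Constructed sample data; users, patients, and field layout are assumptions.
# Encounter history: (patient_id, treating_user, encounter_date)
ENCOUNTERS = [
    ("P100", "nurse_a", date(2024, 3, 4)),
    ("P200", "dr_b", date(2024, 3, 5)),
]
# Access log: (user, patient_id, chart_section, access_date)
ACCESS_LOG = [
    ("nurse_a", "P100", "demographics", date(2024, 3, 4)),
    ("nurse_a", "P100", "medications", date(2024, 3, 4)),
    ("nurse_a", "P200", "demographics", date(2024, 3, 6)),
    ("nurse_a", "P200", "labs", date(2024, 3, 6)),
    ("nurse_a", "P200", "medications", date(2024, 3, 6)),
    ("nurse_a", "P200", "notes", date(2024, 3, 6)),
]
# Hypothetical "typical appointment workflow" used by an order-only metric.
TYPICAL_ORDER = ["demographics", "labs", "medications", "notes"]

def order_looks_normal(access_log, user, patient):
    """Order-only metric: depends entirely on what the user chose to click."""
    sections = [s for u, p, s, _ in access_log if (u, p) == (user, patient)]
    return sections == TYPICAL_ORDER

def has_clinical_context(encounters, user, patient, when, window_days=30):
    """True if an encounter ties this user to this patient near the access date."""
    window = timedelta(days=window_days)
    return any(p == patient and u == user and abs(when - d) <= window
               for p, u, d in encounters)

def unexplained_accesses(access_log, encounters, window_days=30):
    """Return {(user, patient): access_count} for pairs with no encounter link."""
    flagged = {}
    for user, patient, _section, when in access_log:
        if not has_clinical_context(encounters, user, patient, when, window_days):
            flagged[(user, patient)] = flagged.get((user, patient), 0) + 1
    return flagged

if __name__ == "__main__":
    print("order-only says normal:", order_looks_normal(ACCESS_LOG, "nurse_a", "P200"))
    print("no clinical context:", unexplained_accesses(ACCESS_LOG, ENCOUNTERS))
```

The user-to-patient pair is flagged whether the log holds one access or a full workflow-shaped sequence, because the verdict rests on the encounter record rather than on click count or order.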