David M. Liebovitz

Experience-Based Access Management: A Life-Cycle Framework for Identity and Access Management Systems

Experience-based access management incorporates models, techniques, and tools to reconcile differences between the ideal access model and the enforced access control.

Building bridges across electronic health record systems through inferred phenotypic topics

OBJECTIVE Data in electronic health records (EHRs) is being increasingly leveraged for secondary uses, ranging from biomedical association studies to comparative effectiveness. To perform studies at scale and transfer knowledge from one institution to another in a meaningful way, we need to harmonize the phenotypes in such systems. Traditionally, this has been accomplished through expert specification of phenotypes via standardized terminologies, such as billing codes. However, this approach may be biased by the experience and expectations of the experts, as well as the vocabulary used to describe such patients. The goal of this work is to develop a data-driven strategy to (1) infer phenotypic topics within patient populations and (2) assess the degree to which such topics facilitate a mapping across populations in disparate healthcare systems. METHODS We adapt a generative topic modeling strategy, based on latent Dirichlet allocation, to infer phenotypic topics. We utilize a variance analysis to assess the projection of a patient population from one healthcare system onto the topics learned from another system. The consistency of learned phenotypic topics was evaluated using (1) the similarity of topics, (2) the stability of a patient population across topics, and (3) the transferability of a topic across sites. We evaluated our approaches using four months of inpatient data from two geographically distinct healthcare systems: (1) Northwestern Memorial Hospital (NMH) and (2) Vanderbilt University Medical Center (VUMC). RESULTS The method learned 25 phenotypic topics from each healthcare system. The average cosine similarity between matched topics across the two sites was 0.39, a remarkably high value given the very high dimensionality of the feature space. The average stability of VUMC and NMH patients across the topics of two sites was 0.988 and 0.812, respectively, as measured by the Pearson correlation coefficient. Also the VUMC and NMH topics have smaller variance of characterizing patient population of two sites than standard clinical terminologies (e.g., ICD9), suggesting they may be more reliably transferred across hospital systems. CONCLUSIONS Phenotypic topics learned from EHR data can be more stable and transferable than billing codes for characterizing the general status of a patient population. This suggests that EHR-based research may be able to leverage such phenotypic topics as variables when pooling patient populations in predictive models.

Real-Time Tele-Monitoring of Patients with Chronic Heart-Failure Using a Smartphone: Lessons Learned

We present a smartphone-based system for real-time tele-monitoring of physical activity in patients with chronic heart-failure (CHF). We recently completed a pilot study with 15 subjects to evaluate the feasibility of the proposed monitoring in the real world and examine its requirements, privacy implications, usability, and other challenges encountered by the participants and healthcare providers. Our tele-monitoring system was designed to assess patient activity via minute-by-minute energy expenditure (EE) estimated from accelerometry. In addition, we tracked relative user location via global positioning system (GPS) to track outdoors activity and measure walking distance. The system also administered daily surveys to inquire about vital signs and general cardiovascular symptoms. The collected data were securely transmitted to a central server where they were analyzed in real time and were accessible to the study medical staff to monitor patient health status and provide medical intervention if needed. Although the system was designed for tele-monitoring individuals with CHF, the challenges, privacy considerations, and lessons learned from this pilot study apply to other chronic health conditions, such as diabetes and hypertension, that would benefit from continuous monitoring through mobile-health (mHealth) technologies.

Evolving role definitions through permission invocation patterns

In role-based access control (RBAC), roles are traditionally defined as sets of permissions. Roles specified by administrators may be inaccurate, however, such that data mining methods have been proposed to learn roles from actual permission utilization. These methods minimize variation from an information theoretic perspective, but they neglect the expert knowledge of administrators. In this paper, we propose a strategy to enable a controlled evolution of RBAC based on utilization. To accomplish this goal, we extend a subset enumeration framework to search candidate roles for an RBAC model that addresses an objective function which balances administrator beliefs and permission utilization. The rate of role evolution is controlled by an administrator-specified parameter. To assess effectiveness, we perform an empirical analysis using simulations, as well as a real world dataset from an electronic medical record system (EMR) in use at a large academic medical center (over 8000 users, 140 roles, and 140 permissions). We compare the results with several state-of-the-art role mining algorithms using 1) an outlier detection method on the new roles to evaluate the homogeneity of their behavior and 2)a set-based similarity measure between the original and new roles. The results illustrate our method is comparable to the state-of-the-art, but allows for a range of RBAC models which tradeoff user behavior and administrator expectations. For instance, in the EMR dataset, we find the resulting RBAC model contains 22% outliers and a distance of 0.02 to the original RBAC model when the system is biased toward administrator belief, and 13% outliers and a distance of 0.26 to the original RBAC model when biased toward permission utilization.

Mining Deviations from Patient Care Pathways via Electronic Medical Record System Audits

In electronic medical record (EMR) systems, administrators often provide EMR users with broad access privileges, which may leave the system vulnerable to misuse and abuse. Given that patient care is based on a coordinated workflow, we hypothesize that care pathways can be represented as the progression of a patient through a system and introduce a strategy to model the patient’s flow as a sequence of accesses defined over a graph. Elements in the sequence correspond to features associated with the access transaction (e.g., reason for access). Based on this motivation, we model patterns of patient record usage, which may indicate deviations from care workflows. We evaluate our approach using several months of data from a large academic medical center. Empirical results show that this framework finds a small portion of accesses constitute outliers from such flows. We also observe that the violation patterns deviate for different types of medical services. Analysis of our results suggests greater deviation from normal access patterns by nonclinical users. We simulate anomalies in the context of real accesses to illustrate the efficiency of the proposed method for different medical services. As an illustration of the capabilities of our method, it was observed that the area under the receiver operating characteristic (ROC) curve for the Pediatrics service was found to be 0.9166. The results suggest that our approach is competitive with, and often better than, the existing state-of-the-art in its outlier detection performance. At the same time, our method is more efficient, by orders of magnitude, than previous approaches, allowing for detection of thousands of accesses in seconds.

Infection Control Practices among Interventional Radiologists: Results of an Online Survey

PURPOSE To assess current infection control practices of interventional radiologists (IRs) in the context of recommendations by the Centers for Disease Control and Prevention and the Occupational Safety and Health Administration. MATERIALS AND METHODS From November 2006 to January 2007, members of the Society of Interventional Radiology (SIR) were invited to participate in an anonymous, online infection control questionnaire. RESULTS A total of 3,019 SIR members in the United States were contacted via e-mail, and 1,061 (35%) completed the 57-item survey. Of the respondents, 283 (25%) experienced a needlestick injury within the previous year, most often as a result of operator error (76%). Less than 65% reported compliance with annual tuberculosis skin testing; notably, those who received a yearly reminder were much more likely to receive annual testing than those who did not (odds ratio, 19.0; 95% CI, 12.6-28.7; P < .05). During central venous catheter placement, only 56% wore gowns, 50% wore caps, and 54% used full barrier precautions. Only 19% reported routine hand washing between glove applications. More than 40% noted a change in infection control practices within the previous 5 years, citing new hospital guidelines and recommendations by a professional organization as the reasons for change. Only 44% had infection control training at the onset of their practice. CONCLUSIONS IRs demonstrate a wide variety of infection control practices that are not in accordance with current guidelines. IRs were most likely to change infection control practice if required to do so by their own hospitals or a professional organization. SIR can play an important role in the prevention of health care-associated infection by reinforcing current infection control guidelines as they pertain to interventional radiology.

Modeling and detecting anomalous topic access

There has been considerable success in developing strategies to detect insider threats in information systems based on what one might call the random object access model or ROA. This approach models illegitimate users as ones who randomly access records. The goal is to use statistics, machine learning, knowledge of workflows and other techniques to support an anomaly detection framework that finds such users. In this paper we introduce and study a random topic access model or RTA aimed at users whose access may be illegitimate but is not fully random because it is focused on common semantic themes. We argue that this model is appropriate for a meaningful range of attacks and develop a system based on topic summarization that is able to formalize the model and provide anomalous user detection effectively for it. To this end, we use healthcare as an example and propose a framework for evaluating the ability to recognize various types of random users called random topic access detection or RTAD. Specifically, we utilize a combination of Latent Dirichlet Allocation (LDA), for feature extraction, a k-nearest neighbor (k-NN) algorithm for outlier detection and evaluate the ability to identify different adversarial types. We validate the technique in the context of hospital audit logs where we show varying degrees of success based on user roles and the anticipated characteristics of attackers. In particular, it was found that RTAD exhibits strong performance for roles are described by a few topics, but weaker performance when users are more topic-agnostic.

Patients' and healthcare providers' perceptions of a mobile portal application for hospitalized patients

BackgroundHospital-based patient portals have the potential to better inform and engage patients in their care. We sought to assess patients’ and healthcare providers’ perceptions of a hospital-based portal and identify opportunities for design enhancements.MethodsWe developed a mobile patient portal application including information about the care team, scheduled tests and procedures, and a list of active medications. Patients were offered use of tablet computers, with the portal application, during their hospitalization. We conducted semi-structured interviews of patients and provider focus groups. Text from transcribed interviews and focus groups was independently coded by two investigators using a constant comparative approach. Codes were reviewed by a third investigator and discrepancies resolved via consensus.ResultsOverall, 18 patients completed semi-structured interviews and 21 providers participated in three focus groups. Patients found information provided by the portal to be useful, especially regarding team members and medications. Many patients described frequent use of games and non-clinical applications and felt the tablet helped them cope with their acute illness. Patients expressed a desire for additional detail about medications, test results, and the ability to record questions. Providers felt the portal improved patient engagement, but worried that additional features might result in a volume and complexity of information that could be overwhelming for patients. Providers also expressed concern over an enhanced portal’s impact on patient-provider communication and workflow.ConclusionsOptimizing a hospital-based patient portal will require attention to type, timing and format of information provided, as well as the impact on patient-provider communication and workflow.

Medical Inpatients’ Use of Information Technology: Characterizing the Potential to Share Information Electronically

Abstract:Hospitalized patients frequently have an incomplete understanding of important aspects of their care. Patient-facing technologies, increasingly used in outpatient settings to exchange information between patient and provider, may have utility in the hospital setting. We conducted structured interviews of hospitalized medical patients to assess current use of information technology, gauge interest in receiving information electronically, and prioritize potential content options. Overall, 150 of 175 (86%) eligible patients completed interviews. A majority (69%) of patients used the Internet prior to hospital admission. One third (32%) of patients had used the Internet during their hospitalization with half of those reporting use for health information. Overall, nearly half (42%) reported interest in receiving health information electronically during hospitalization and a majority (59%) were interested in receiving health information electronically after hospitalization. Patients expressed high interest in receiving information to help them learn more about diagnoses and treatments, medication lists, lists of planned tests, and summaries of completed tests and procedures. Many general medical patients are interested in receiving health information electronically from hospital providers. Our findings support the development of hospital-based patient-facing health information technologies and prioritize content options patients find most beneficial.

Use of more than one electronic medical record system within a single health care organization

Healthcare organizations vary in the number of electronic medical record (EMR) systems they use. Some use a single EMR for nearly all care they provide, while others use EMRs from more than one vendor. These strategies create a mixture of advantages, risks and costs. Based on our experience in two organizations over a decade, we analyzed use of more than one EMR within our two health care organizations to identify advantages, risks and costs that use of more than one EMR presents. We identified the data and functionality types that pose the greatest challenge to patient safety and efficiency. We present a model to classify patterns of use of more than one EMR within a single healthcare organization, and identified the most important 28 data types and 4 areas of functionality that in our experience present special challenges and safety risks with use of more than one EMR within a single healthcare organization. The use of more than one EMR in a single organization may be the chosen approach for many reasons, but in our organizations the limitations of this approach have also become clear. Those who use and support EMRs realize that to safely and efficiently use more than one EMR, a considerable amount of IT work is necessary. Thorough understanding of the challenges in using more than one EMR is an important prerequisite to minimizing the risks of using more than one EMR to care for patients in a single healthcare organization.