Title: Augmenting Accountability, Security and Fraud Detection in Health Data Sharing Systems

Musheer Ahmed

School of Computer Science

College of Computing

Georgia Institute of Technology

Date: Thursday, March 24, 2014

Time: 1:00 PM - 3:00 PM

Location: Klaus 3126 (GTISC War Room)

Committee:

----------

Prof. Mustaque Ahamad, School of Computer Science (Advisor)

Prof. Douglas M. Blough, School of Electrical & Computer Engineering

Prof. Mark Braunstein, School of Computer Science and Health Systems Institute

Prof. Wenke Lee, School of Computer Science

Prof. Ling Liu, School of Computer Science

(Listed in alphabetical order)

Abstract:

---------

The U.S. government has introduced federal incentive programs to accelerate the adoption of meaningful use of electronic health records (EHR). These electronic records are expected to improve healthcare quality, reduce costs, and facilitate their sharing across different healthcare enterprises. However, electronic health data has already been subjected to various threats. The Washington Post declared 2015 as the year of the health-care hack where we saw major breaches at healthcare institutions that affected the identities of over 111 million individuals. Reports say one in three Americans were affected by healthcare breaches in 2015 alone. These identities are then used to defraud health insurance programs by submitting fraudulent claims for reimbursement which are difficult to identify due to the large volume of claims received by them. Healthcare fraud already costs the country about $272 billion and this will increase in magnitude if we do not actively secure the health information sharing infrastructure.

Healthcare data is unique in comparison to other sensitive data as it is usually governed by the 'break the glass' access control policy. This allows medical personnel to view sensitive healthcare data under emergency circumstances even when such personnel do not have the necessary system access privileges. We keep this unique characteristic of healthcare data in mind and make the dissertation hypothesis that middleware in systems which exchange health information can be augmented to support better accountability and security of health data and reduce losses due to fraud. As an example, we apply these techniques to the specifications, developed under the auspices of the U.S. Office of the National Coordinator for Health Information Technology (ONC), that establish secure connections across different healthcare systems called the eHealth Exchange. The ONC has been legislatively mandated to be the principal federal entity responsible for the coordination and implementation of nationwide efforts for the electronic exchange of health information in America. The eHealth Exchange forms a widely distributed system that allows these connected healthcare systems to share electronic health data across the United States. We also apply our end device security mechanisms to mobile devices as they are increasingly being used to access health data. We make the following contributions in this dissertation:

• We introduce mechanisms that augment accountability and cannot be circumvented as long as multiple independent parties that interact with one another are not compromised simultaneously.

• We introduce sharing provenance which securely records the identities and path along which a particular document is shared. This helps us identify the medical practitioner or healthcare organization that may be a source of leak of information or the unauthorized node that fraudulently releases or acquires a particular patient’s data.

• We enhance the eHealth Exchange architecture to support awareness over how a particular patient’s data is consumed within the distributed network. This eases patient concerns about who is viewing and sharing their data and also enables early detection of unauthorized and malicious sharing of health data, which can help limit the resulting damage.

• We develop a fraud, waste and abuse detection system that helps accurately detect suspicious medical insurance claims in a faster manner and provides them a rank and risk score to prioritize their investigation and maximize savings.

• We improve end device security by developing a framework that enforces security policies that govern access to sensitive health data on mobile devices. We also develop a user consent detection mechanism which can help distinguish actual user input from scripted events that can be generated by malware.

Our contributions help implement some of the recommendations to the ONC set by the JASON advisory group, which is an independent group of scientists that advise the U.S. government on matters of science and technology. We augment existing standards and widely used healthcare software to include our enhancements and demonstrate feasibility of our work. These enhancements help support better accountability and further secure health data from threats, thereby allowing for a safer arena to exchange healthcare information.