TWC: Small: Analysis and Tools for Auditing Insider Accesses

Project Details

Lead PI

Performance Period

Sep 01, 2015 - Aug 31, 2018

Institution(s)

Vanderbilt University Medical Center

Award Number


Compliance officers specify organizations' policies and procedures for mitigating risk to sensitive data. However, demands for employees' quick access to organizational data often limit which security technologies can be deployed. As a result, many organizations configure an open access environment in which authenticated employees can access any piece of data (e.g., a common practice across health care facilities). One specific risk of an open access environment is that employees may access data they do not need for their role or responsibilities, potentially resulting in data breaches or privacy violations. This insider threat is extremely challenging for compliance officers to detect because of the dynamic nature of access patterns and the large volume of accesses. This project is developing an auditing framework that allows for the simple, interpretable and efficient monitoring of accesses to detect insiders' inappropriate use. The framework will allow compliance officers to drill down into the access history, filter away accesses that occur for valid operational reasons and focus on suspicious behavior, thereby improving the overall security of sensitive data.

The main hypothesis of this research is that most appropriate accesses in specialized organizations, such as health care facilities, occur for valid operational reasons, and that those reasons are documented in the organization's database. Therefore, if a reason for an access can be gleaned from operational and workflow data and metadata, the log record of that access can be automatically filtered without requiring manual compliance officer review. This work contrasts with alternative methods that utilize the access log in isolation and produce results that are difficult to interpret. This project is studying how explanations for accesses (1) are modeled so that they capture these operational reasons, (2) can be mined directly from the database, (3) can be enhanced by filling in frequently missing types of data, and (4) can drastically reduce the auditing burden compared to current manual auditing approaches. The explanation methodology is being evaluated on data from a large health care system, which produces approximately one billion logged accesses per year. The empirical evaluation also compares this approach with current common methods for identifying high-risk insider accesses. Hospital compliance officers are consulting with the research team to verify the approach.
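As an added illustration of the filtering idea described above (example code written for this page, not the project's own tooling), the following assumes two constructed explanation templates, a documented appointment between the user and the patient on the day of access, and shared department membership, and applies them to a small constructed access log; every record that one template explains is set aside, and only the residue reaches the compliance officer's review queue.

```python
# Added example: explanation-based filtering of an access log against
# operational data. All records below are constructed, not real data.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Access:
    user: str
    patient: str
    day: str


# Constructed operational records: documented appointments (user, patient, day).
APPOINTMENTS = {("dr_smith", "p1", "2015-09-01"), ("dr_lee", "p2", "2015-09-01")}
# Constructed assignments: which department a user works in, and which
# department is treating each patient.
USER_DEPT = {"dr_smith": "cardiology", "nurse_jones": "cardiology", "dr_lee": "oncology"}
PATIENT_DEPT = {"p1": "cardiology", "p2": "oncology", "p3": "cardiology"}


def explain(a: Access) -> Optional[str]:
    """Return the first template that links the user to the patient, else None."""
    if (a.user, a.patient, a.day) in APPOINTMENTS:
        return "appointment on day of access"
    user_dept = USER_DEPT.get(a.user)
    if user_dept is not None and user_dept == PATIENT_DEPT.get(a.patient):
        return "same department as treating team"
    return None  # no documented operational reason: needs manual review


def audit(log: List[Access]) -> Tuple[List[Tuple[Access, str]], List[Access]]:
    """Split a log into explained accesses (auto-filtered) and a review queue."""
    explained, review = [], []
    for a in log:
        reason = explain(a)
        if reason is None:
            review.append(a)
        else:
            explained.append((a, reason))
    return explained, review


# Constructed access log: two accesses have reasons, two do not.
LOG = [
    Access("dr_smith", "p1", "2015-09-01"),
    Access("nurse_jones", "p3", "2015-09-02"),
    Access("dr_lee", "p1", "2015-09-02"),
    Access("dr_smith", "p2", "2015-09-03"),
]
```

Running `audit(LOG)` leaves half of the constructed log in the review queue; on a real log the fraction filtered is exactly the auditing-burden reduction the project sets out to measure.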