I recently completed an MSc in Applied Cyber Security with Queen’s University Belfast. This post explains my project.

What is a Cyber incident?
A cyber incident can be thought of as a breach or disruption of the following attributes:
• Confidentiality – The unauthorised access or disclosure of information.
• Integrity – The unauthorised modification or destruction of data.
• Availability – The disruption of access to, or use of, information or an information system.

What is an EMR System?
An EMR System, or Electronic Medical Record system, holds the digital version of a patient’s paper-based medical record. One such EMR system is Kainos Evolve EMR (Evolve EMR), which is deployed in 110 hospitals across the UK, and stores 33 million patient records.

Another Kainos platform is Evolve Integrated Care (Evolve IC), which automates patients’ care pathways across many teams and organisations. Evolve IC is a cloud-based multi-tenant platform and is deployed in 38 hospitals in the United States.

The motivation for my project is pretty clear – patient information must be protected and an EMR system must be available for use. A failure in either case can have grave implications for patients being treated and clinicians using the system.

Furthermore, if you look at the statistics it’s apparent that cyber incidents are on the rise. In the 2015-16 period, there was a 63% growth in cyber incidents against US hospitals and a 243% growth in cyber incidents against UK hospitals.

The types of cyber incidents that occur range from:
• Identity Theft – Medical data is 10 to 20 times the value of credit card information.
• Insurance Fraud – Medical information is used to generate false identities for fraud.
• Malicious attack – A victim could receive an incorrect dosage or medication.
• Extortion / Blackmail – extort money from individuals or healthcare organisations.

My Project
I set off to explore how to improve cyber incident detection in EMR systems and, in my role as an architect in Kainos, I really want to know how feasible, practical and accurate cyber incident detection can actually be in a real-life setting – not just a theoretical one.

With that in mind, I wanted to build prototypes to detect confidentiality, integrity* and availability incidents against Evolve EMR and Evolve IC.

What I ended up with are two such prototypes:
• The Confidentiality prototype uses machine learning to detect anomalies in the audit events of clinicians who view patient records without permission, using Evolve IC.
• The Availability prototype uses Time Series Anomaly Detection to identify when an unexpected surge of messages is inbound to Evolve EMR, i.e. a denial of service incident.

The results
My prototype results show that confidentiality incident detection is fully achievable using machine learning, with a model known as a Support Vector Machine obtaining the highest accuracy, precision and recall of a number of models that were tested. I also explore the use of machine learning in a clinical setting, including the decision factors on using it, legal considerations and the data challenges I encountered.

Results from my availability prototype show that the detection of a message surge (a denial of service incident) is possible within just 10 seconds, by using a technique called Exponential Moving Average. I use it to identify and signify anomalies in the patient information messages which flow into Evolve EMR from another system.
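The following is an added example, not code from the project or the dissertation: a minimal surge detector that keeps an Exponential Moving Average (and an exponentially weighted variance) of per-second inbound message counts and flags seconds that exceed the baseline. The function name, smoothing factor, threshold multiplier, warm-up length and sample traffic are all assumptions constructed for illustration.

```python
import math


def detect_surges(counts, alpha=0.2, k=4.0, warmup=10, min_std=1.0):
    """Return the indices (seconds) whose message count exceeds the EMA
    baseline by more than k standard deviations.

    counts  : inbound messages observed in each one-second bucket
    alpha   : EMA smoothing factor (assumed value)
    k       : threshold multiplier (assumed value)
    warmup  : seconds used to learn a baseline before alerting
    min_std : floor on the deviation so a flat baseline does not alert on noise
    """
    mean = float(counts[0])
    var = 0.0
    flagged = []
    for t, x in enumerate(counts[1:], start=1):
        std = max(math.sqrt(var), min_std)
        if t >= warmup and x > mean + k * std:
            flagged.append(t)
            # Do not fold surge traffic into the baseline; otherwise a
            # sustained flood would quickly look "normal".
            continue
        diff = x - mean
        incr = alpha * diff
        mean += incr                              # EMA of the count
        var = (1 - alpha) * (var + diff * incr)   # exponentially weighted variance
    return flagged


def normal_rate(i):
    """Constructed baseline: 18 to 22 messages per second."""
    return 18 + (i * 7) % 5


# Constructed sample: 60 s of normal traffic, a 15 s surge of 200 msg/s,
# then 15 s of normal traffic again.
SAMPLE = (
    [normal_rate(i) for i in range(60)]
    + [200] * 15
    + [normal_rate(i) for i in range(75, 90)]
)

if __name__ == "__main__":
    hits = detect_surges(SAMPLE)
    print("surge seconds:", hits)
    print("detection delay (s):", hits[0] - 60)
```

Because flagged seconds are excluded from the baseline, a legitimate permanent increase in traffic would keep alerting until the baseline is reset, so a production detector needs a way to re-learn the baseline.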

This finding paves the way for a new automated surge defence to be developed – a significant advance over the manual mechanisms used today.

An unexpected prize
I was delighted to receive the Hawker Siddeley prize, 2017/18, from the Faculty of Engineering and Physical Sciences, Queen’s University Belfast, for an ‘outstanding industrially related project’.

Working on my project was both interesting and rewarding for me, as it combined software architecture, development and research with real-life medical scenarios. I very much wanted to focus on the practical applications of machine learning and time-series anomaly detection, and hope that my research helps advance EMR cyber security defences.

What next?
I’ve been fortunate to present my research and prototypes at OWASP Belfast in November, and hope to do so in Dublin in January as well. My dissertation has also been submitted to Elsevier for consideration in its Smart Health Special Issue on ‘Security in Medical Cyber-Physical Systems’, so I’m hoping that it will be successful!

If you’d like to get in touch with me to speak at your security or healthcare event, then please drop me a note through to davey@kainos.com

None of this would have been possible without the help and support of Kainos, who enabled me to attend the Masters through their MAP academy; my colleagues in Evolve, who answered my endless questions; and Dr Sandra Scott-Hayward, who challenged my thinking at all times and who crafted the format, structure and flow of my dissertation for journal submission.