Time series anomaly detection in medical break-the-glass.

The time-critical nature of medical emergencies, the requirements for system availability, and for real-time communication all make it exceedingly challenging to consistently enforce least-privilege access during medical emergencies (Break the Glass situations). Strict access control has to be suspended (must fail-open) when an emergency is declared, and only after the emergency has passed can a post-hoc audit be performed to determine the reasons (legitimacy) for overriding access control - standard operating procedure for healthcare facilities. Unfortunately, this does not proactively protect against misuse, but provides for identification and punishment of culprits. It is therefore essentially impossible to limit clinicians access to bare minimum permissions to perform life-saving activities during emergency access, especially in distributed medical systems. In this work we investigate the effectiveness of anomaly detection to ease the human burden of post-hoc audits in the medical Break-the-Glass (BTG) context. We use two different prediction models to perform real-time and post-BTG statistical analysis on time-series session log data for flagging anomalous user sessions and actions. Our approach combines a real-time fast analysis engine working on a partial feature set, as well as a post-hoc, slower analysis tool which works with the complete times series data of everything which occurred during the entire time of the emergency.