MedAttacker: Exploring Black-Box Adversarial Attacks on Risk Prediction Models in Healthcare

TL;DR

This paper introduces MedAttacker, a novel black-box adversarial attack method targeting health risk prediction models using EHR data, revealing their vulnerability and outperforming some white-box attacks in certain scenarios.

Contribution

MedAttacker is the first black-box attack method specifically designed for health risk prediction models with EHR data, combining reinforcement learning and score-based strategies.

Findings

MedAttacker achieves the highest success rate in black-box attacks.

It outperforms recent white-box attack techniques in some cases.

The study discusses potential defenses against EHR adversarial attacks.

Abstract

Deep neural networks (DNNs) have been broadly adopted in health risk prediction to provide healthcare diagnoses and treatments. To evaluate their robustness, existing research conducts adversarial attacks in the white/gray-box setting where model parameters are accessible. However, a more realistic black-box adversarial attack is ignored even though most real-world models are trained with private data and released as black-box services on the cloud. To fill this gap, we propose the first black-box adversarial attack method against health risk prediction models named MedAttacker to investigate their vulnerability. MedAttacker addresses the challenges brought by EHR data via two steps: hierarchical position selection which selects the attacked positions in a reinforcement learning (RL) framework and substitute selection which identifies substitute with a score-based principle. Particularly, by considering the temporal context inside EHRs, it initializes its RL position selection policy by using the contribution score of each visit and the saliency score of each code, which can be well integrated with the deterministic substitute selection process decided by the score changes. In experiments, MedAttacker consistently achieves the highest average success rate and even outperforms a recent white-box EHR adversarial attack technique in certain cases when attacking three advanced health risk prediction models in the black-box setting across multiple real-world datasets. In addition, based on the experiment results we include a discussion on defending EHR adversarial attacks.