Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

SurvAttack: Black-Box Attack On Survival Models through Ontology-Informed EHR Perturbation

Mohsen Nayebi Kerdabadi, Arya Hadizadeh Moghaddam, Bin Liu, Mei Liu, Zijun Yao

TL;DR

SurvAttack investigates black-box adversarial perturbations on survival models trained on longitudinal EHR data, aiming to degrade the ranking of survival urgency and the accuracy of time-to-event predictions. It introduces a greedy perturbation framework enhanced by ontology-informed Synonym Code Selection (SCS), a semantic similarity encoder (SSF), and a Composite Code Scoring (CCS) that jointly optimize clinical plausibility and perturbation effect. A Dynamic SA-specific (DSA) strategy extends the attack to population-level disruption, targeting censored and observed cases to maximize ranking degradation. Extensive experiments on a large AKI-focused EHR dataset show SurvAttack outperforms baselines across multiple survival models, providing actionable insights into model vulnerabilities and interpretability. The work underscores the need for robustness and defenses before deploying survival models in high-stakes healthcare settings.

Abstract

Survival analysis (SA) models have been widely studied in mining electronic health records (EHRs), particularly in forecasting the risk of critical conditions for prioritizing high-risk patients. However, their vulnerability to adversarial attacks is much less explored in the literature. Developing black-box perturbation algorithms and evaluating their impact on state-of-the-art survival models brings two benefits to medical applications. First, it can effectively evaluate the robustness of models in pre-deployment testing. Also, exploring how subtle perturbations would result in significantly different outcomes can provide counterfactual insights into the clinical interpretation of model prediction. In this work, we introduce SurvAttack, a novel black-box adversarial attack framework leveraging subtle clinically compatible, and semantically consistent perturbations on longitudinal EHRs to degrade survival models' predictive performance. We specifically develop a greedy algorithm to manipulate medical codes with various adversarial actions throughout a patient's medical history. Then, these adversarial actions are prioritized using a composite scoring strategy based on multi-aspect perturbation quality, including saliency, perturbation stealthiness, and clinical meaningfulness. The proposed adversarial EHR perturbation algorithm is then used in an efficient SA-specific strategy to attack a survival model when estimating the temporal ranking of survival urgency for patients. To demonstrate the significance of our work, we conduct extensive experiments, including baseline comparisons, explainability analysis, and case studies. The experimental results affirm our research's effectiveness in illustrating the vulnerabilities of patient survival models, model interpretation, and ultimately contributing to healthcare quality.

SurvAttack: Black-Box Attack On Survival Models through Ontology-Informed EHR Perturbation

TL;DR

SurvAttack investigates black-box adversarial perturbations on survival models trained on longitudinal EHR data, aiming to degrade the ranking of survival urgency and the accuracy of time-to-event predictions. It introduces a greedy perturbation framework enhanced by ontology-informed Synonym Code Selection (SCS), a semantic similarity encoder (SSF), and a Composite Code Scoring (CCS) that jointly optimize clinical plausibility and perturbation effect. A Dynamic SA-specific (DSA) strategy extends the attack to population-level disruption, targeting censored and observed cases to maximize ranking degradation. Extensive experiments on a large AKI-focused EHR dataset show SurvAttack outperforms baselines across multiple survival models, providing actionable insights into model vulnerabilities and interpretability. The work underscores the need for robustness and defenses before deploying survival models in high-stakes healthcare settings.

Abstract

Survival analysis (SA) models have been widely studied in mining electronic health records (EHRs), particularly in forecasting the risk of critical conditions for prioritizing high-risk patients. However, their vulnerability to adversarial attacks is much less explored in the literature. Developing black-box perturbation algorithms and evaluating their impact on state-of-the-art survival models brings two benefits to medical applications. First, it can effectively evaluate the robustness of models in pre-deployment testing. Also, exploring how subtle perturbations would result in significantly different outcomes can provide counterfactual insights into the clinical interpretation of model prediction. In this work, we introduce SurvAttack, a novel black-box adversarial attack framework leveraging subtle clinically compatible, and semantically consistent perturbations on longitudinal EHRs to degrade survival models' predictive performance. We specifically develop a greedy algorithm to manipulate medical codes with various adversarial actions throughout a patient's medical history. Then, these adversarial actions are prioritized using a composite scoring strategy based on multi-aspect perturbation quality, including saliency, perturbation stealthiness, and clinical meaningfulness. The proposed adversarial EHR perturbation algorithm is then used in an efficient SA-specific strategy to attack a survival model when estimating the temporal ranking of survival urgency for patients. To demonstrate the significance of our work, we conduct extensive experiments, including baseline comparisons, explainability analysis, and case studies. The experimental results affirm our research's effectiveness in illustrating the vulnerabilities of patient survival models, model interpretation, and ultimately contributing to healthcare quality.

Paper Structure

This paper contains 18 sections, 9 equations, 6 figures, 5 tables, 3 algorithms.

Table of Contents

  1. Introduction
  2. Preliminary of Survival Analysis
  3. Proposed Method
  4. Notation and Problem Definition
  5. Overview of the Proposed SurvAttack
  6. Ontology-informed Synonym Code Selection (SCS)
  7. Semantic Similarity Function (SSF)
  8. Composite Code Scoring (CCS)
  9. Greedy EHR Adversarial Attack
  10. Dynamic SA-specific Attack (DSA) Strategy for Population Survival Disruption
  11. Experiments
  12. Dataset Description
  13. Experimental Setting
  14. Results and Discussion
  15. Adversarial Attack shed light on survival decision-making
  16. ...and 3 more sections

Figures (6)

  • Figure 1: SurvAttack framework: Utilizing a greedy code manipulation algorithm, it assesses three potential adversarial actions (remove, replace, add) for each code using the CCS strategy, which integrates saliency and similarity elements, to disrupt the survival model's performance. The conformance of EHR perturbations to the clinical reality is maintained through the SCS strategy and the SSF function. As shown, manipulating the survival model’s ranking estimation prioritized a non-urgent patient over a more critical one.
  • Figure 2: Ontology-informed Synonym Code Selection (SCS). SCS integrates the medical ontology and co-occurrence information to identify a similar set of codes, which are conformed to the clinical reality of the patient's EHR history.
  • Figure 3: Semantic Similarity Function (SSF). SSF employs an ontological transformer-based encoder for embeddings, followed by cosine similarity to calculate the similarity index.
  • Figure 4: Frequency of adversarial attacks on Diagnosis Codes (left) and drug codes (right) executed by SurvAttack. Codes belonging to the same group in the specific ontology are distinguished by different colors.
  • Figure 5: SurvAttack's perturbation patterns for diagnosis codes (left) and drug codes (right). These heatmaps illustrate the percentage of attacks on each code (x-axis) across visits (y-axis), with darker areas indicating a higher frequency of attacks.
  • ...and 1 more figures