This presentation describes what organizational steps can be taken to separate personally identifiable information from the necessary administrative information. When such procedures are applied, patient data can be secured and privacy rules followed.
How to Organize Patient Information to Protect Patients' Data
1. How To Organize Patient Information To Protect Data Privacy
Identity And Access Management In Healthcare. Seminar
24.01.2013 Zurich EPI-Park
Bangalore Campus
Dr. rer. nat. Hellmuth Broda
Principal Technology Architect
Retail, Consumer Goods, Life Sciences
Infosys Limited
4. WE FUELLED OUR GROWTH
[chart: growth from 2000 to 2012; values shown: 1500 employees, $50 million revenue, 5389, 153,761+, 200 M, 7.12 Billion]
4 out of top 5 Global Aerospace & Defense
4 out of top 5 US Banks
6 out of top 10 Global Telecommunication Giants
3 out of top 5 Health Plans
8 out of top 10 US Retailers
5. POWERFUL FORCES ARE DRIVING OPPORTUNITIES
Emerging Economies
Smarter Organizations
Digital Consumers
New Commerce
Pervasive Computing
Sustainable Tomorrow
Healthcare Economy
6. WE PARTNER WITH CLIENTS TO BUILD TOMORROW’S ENTERPRISE
ACCELERATE INNOVATION
BUSINESS TRANSFORMATION
OPTIMIZE OPERATIONS
8. 8-TIME WINNER OF THE GLOBAL MOST ADMIRED KNOWLEDGE ENTERPRISES AWARD
2004 2005 2006 2007 2008 2009 2010 2011
9. IT HAS COST US THE EQUIVALENT OF A SPACE SHUTTLE LAUNCH TO BUILD OUR TRAINING CENTER
10. The World’s Largest Corporate University
11. Training 16’000 Students per Year
12. Upcoming Challenges In Security, Governance, Compliance
Perimeter security cannot serve the collaborative external ecosystems. It will be augmented (and eventually replaced) by application security and secure tunnels.
We will move from secure castles to secured tunnels.
13. Multiple Defence Rings Will Become Standard
Perimeter security
Network security
NW intrusion detection
Node/zone based security
Laptop encryption
Mobile device security
Application security
Data leakage prevention
Compliance framework
14. Privacy—An Obsolete Model?
● “You already have zero privacy anyway—get over it!” (Scott McNealy, CEO Sun Microsystems, 1999)
● Mobile phones track your location
● Navigation systems track you and OnStar even records your preferred gas stations
● 200 CHF quadrocopter drones turn your neighbour into a spy
● Google traces your behaviour to offer “better services”
● “Bundestrojaner” scans German (only?) computers
15. Invasion By Authorities But Also Crooks
● Are our basic privacy rights at stake?
● Is everything allowed that is technically feasible?
● Is there no limit?
● Who will control the controllers?
● Are we making it easy to become prey?
Image at datonel.deviantart.com
16. Fallacy Of Poorly Organized Information
● We are following a long tradition of “male chauvinism” by building information pyramids
● The first thing we do is look for a (global) identifier
● Then we attach all attributes to this identifier
● And then we try to sprinkle some security on top
● This model does not work and is an open invitation to data security breaches
17. How Do We Do It In Real Life?
● We don’t use global identifiers in real life
● My passport number is different from my Swiss ID card number
● My driver’s licence has a different number
● My bank account has another number
● We sometimes even put information into the key (which is a cardinal sin) – cf. our old AHV number in Switzerland
18. But Connecting Identities Became Easy
● Proven models for federated identity connect a person’s frequent flyer number to his car rental loyalty card
● Following the traces on the web became a real business for market research firms
● We are becoming more and more transparent
● While on the move to Personalized Medicine—will my insurer hold a copy of my DNA and “adjust” my premium according to the predicted disease probabilities?
Image by alancleaver_2000 via Flickr
19. What Can We Do About This?
● Many global organizations have been working on privacy protection and the organizational mechanisms to conceal personally identifiable information (PII): Liberty Alliance, Kantara Initiative, Internet Society, W3C, . . .
● Mechanisms for secure identity assertions allow combination/translation of identifiers to combine services as well as to keep identifiers and the corresponding information separate (federated identity)
20. So—Here Is The Trick
● Keep separate what does not need to be in one domain
● Use masking and pseudonymization wherever possible
● Protect the connection table that equates identities really well (it is a small table—much easier to protect than an entire system)
● Selectively enable access to this table on a strict need basis
21. Confused? Let Me Explain . . .
● What exactly is privacy anyway?
● What are Identity Management, Authentication, Authorization, Policies?
● How can we organize such a system?
● “I still did not get it—can you explain more?”
● “Glad you asked”
22. What Is So Special About Privacy And Trust?
● The biggest concern (after health) of the patient is privacy
● Privacy does not mean that “nobody knows nothing about me” *)
● It is about managing the faith of the patient by adhering to the agreed scope and holding the information in trust
● Consumers and patients are afraid of “Purpose Creep”
● What could an architecture for privacy and trust management look like?
*) The Sopranos
[diagram: Original Agreement widening into Purpose Creep]
23. Architecture for Trust Management: Definitions
Policy/Governance: A combination of business and technology practices which define how a relationship is conducted and services are performed
Authorization: A set of rules governing decisions about what the user can do: access to information, services or resources
Authentication: Assertion of validity of a set of credentials. Credentials express a person’s identity. “A Yes/No answer”
Identity: Basic set of information that creates a “unique” entity (a name with a corresponding set of attributes)
24. Architecture for Trust Management: Real World Example: Driver’s License
1. Identity: Name, address, picture identify the driver and provide together with the document the credentials expressing that the carrier is identical to the person that passed the driving tests
2. Authentication: Assertion of validity: The policeman compares the document with you. Result: “A Yes/No answer”
3. Authorization: The policeman will then see which kind of vehicle you are authorized to drive and if you are allowed to drive the one you are operating now
4. Policy/Governance: The fact that we do have police; the rules that allow me to drive with my national license in other countries
25. Architecture for Trust Management: Digitally Speaking . . .
1. Identity: User, customer, device “facts”, e.g., name, address, ID, token, keys; credentials, certificates that were issued by a Certification Authority (CA)
2. Authentication: Log on with a UID/PW, token, certificate, biometrics etc. A process that demands proof that the person presenting the credentials is indeed the person to whom they were originally issued. Accept or reject
3. Authorization: Determination of access rights to systems, applications and information: Match credentials against profiles, ACLs, policy
4. Policy/Governance: Business practices to manage risk, enforce security/privacy, provide auditability. User, customer preferences, history, personalized services
26. How People Will Trust Policies
Policy and its audit have to be guaranteed and certified by an approved public or private independent organization, e.g.:
Federal or state data protection agency
TÜV (private institution)
Audit firm
Chamber of Commerce
Postal Service or other basic service provider, . . .
This can be achieved with defined processes and responsibilities similar to ISO 9000
Trust is based on policies and the audit of those -- not just on security
27. Where to Safeguard User's Information
[diagram: the user’s insurance records, travel history, meal preferences, credit history, health history and car type preferences held separately by Health & Travel Insurance, Loyalty Program, Retail Bank, Car Rental, Hotel Chain, Airline and Travel Agent, contrasted with a Single Identity Operator holding credit history, health history, travel history, insurance records and meal preferences in one place]
28. A Federated Structure Promotes Privacy and Security
● Federated structure means no single centralized data storage that would be vulnerable to attack
● End user has more control of data because permissions travel with data, guiding its use
No global identifier -- this model protects against unauthorized data sharing
29. How it Happens
Circle of Trust – organizations and individuals (example healthcare)
● Business relationships based on Liberty architecture & operational agreements
● Enables patients, physicians and healthcare organizations to safely share information in a secure and apparently seamless environment without violating privacy
[diagram: a Circle of Trust containing Identity Providers (Authentication, Federation, Discovery Service, Personal Profile), Service Providers (e.g. Pharmacy, Physician, Hospital), an Identity-Based Web Service Provider (e.g. ePrescriptions.com) and Principals (e.g. Patient, Physician)]
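The identifier translation that slides 19 and 29 attribute to the identity provider, as an added example that is not from the deck or the Liberty specifications: the identity provider keeps the only copy of the person's PII and hands each service provider (pharmacy, hospital) its own opaque handle, so two providers cannot join their records on a shared identifier. The HMAC-based derivation, the secret, the principal and provider names are assumptions for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample circle of trust: one identity provider (IdP) and several
# service providers (SPs). Secret and names are assumptions for this example.
IDP_SECRET = secrets.token_bytes(32)                   # held only by the IdP
PRINCIPALS = {"patient-42": {"name": "Pat Example"}}   # PII stays at the IdP


def federated_identifier(principal_id, provider_id):
    """Opaque, provider-specific handle for a principal.

    The same person gets a different handle at each provider, so providers
    cannot correlate records on it; only the IdP, which holds the secret,
    can translate between the handles (the "discovery" step in the deck)."""
    msg = f"{principal_id}|{provider_id}".encode()
    return hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def assertion_for(principal_id, provider_id):
    """What the IdP hands an SP after authenticating the principal:
    a yes/no plus the provider-specific handle, no name or address."""
    if principal_id not in PRINCIPALS:
        return None
    return {"audience": provider_id,
            "subject": federated_identifier(principal_id, provider_id),
            "authenticated": True}


class ServiceProvider:
    """An SP (e.g. pharmacy or hospital) that keys its records by handle only."""

    def __init__(self, provider_id):
        self.provider_id = provider_id
        self.records = {}

    def accept(self, assertion, data):
        # Reject assertions minted for another provider or not authenticated.
        if assertion["audience"] != self.provider_id or not assertion["authenticated"]:
            raise PermissionError("assertion not valid for this provider")
        self.records.setdefault(assertion["subject"], {}).update(data)
        return assertion["subject"]


def handles_are_unlinkable(principal_id, sp_a, sp_b):
    """True when two providers see different handles for the same principal."""
    return federated_identifier(principal_id, sp_a) != federated_identifier(principal_id, sp_b)
```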
30. The Example: Information Management In The Practitioner’s Office
● Today your GP (house doctor) keeps a folder for each patient with administrative and medical information in one place
● Due to the sensitivity of patient data this cabinet should always be locked
● But every secretary, nurse (and visitor?) has (to have) access
31. Enter The Smart Doctor
● He keeps patients’ information in two separate file cabinets
● Cabinet One holds the administrative data of patients (name, birth date, address, phone, insurance information etc.)
● Cabinet Two holds the folders with cases: a knee operation, a liver exam, an x-ray, blood exam results . . .
● But the identifiers do not point to each other, but to entries in a little black book, which the doctor keeps in a safe place.
● Only with this booklet can the connection between individuals and cases be made
image at: uniforms-4all.com
32. Advantage Of This Data Masking
● Cabinet One holds only administrative information (phone book) and can be left open
● Cabinet Two holds only cases and can be used e.g. for Public Health research and can be left open
● Pointers are only resolved in the “Little Black Book”, which is secured
[illustration: a black book entry, 23F147: H23K, F23XL, M4DB9]
33. What About the Electronic Patient Records?
● Patient owns his medical record in the cloud
● Records should be compartmentalised (“cases”)
● No patient information (PII) is needed in the records
● Patient holds the “little black book” locked
● Override for emergency services (with audit trail) can be established
● Electronic records open for public health studies
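The two-cabinet model of slides 20 and 31 to 33 carried into code, as an added example that is not from the deck or its author: cabinet one and cabinet two are plain stores, the little black book is the only place an administrative ID meets its case IDs, it can be read only by the treating physician or through an emergency override, and every lookup attempt lands in an audit trail. The store layout, the role names and the list of PII fields are assumptions; the entry 23F147 with its case pointers follows the deck's own illustration.

```python
import secrets
from datetime import datetime, timezone

# Constructed sample data; IDs, names and roles are assumptions for this example.
# Cabinet One: administrative data keyed by an administrative ID (can be left open).
admin_cabinet = {"23F147": {"name": "Pat Example", "phone": "+41 00 000 00 00"}}
# Cabinet Two: cases keyed by opaque case IDs, no PII inside (open for research).
case_cabinet = {}
# The "little black book": the only place an admin ID meets its case IDs,
# e.g. {"23F147": ["H23K", "F23XL", "M4DB9"]} as in the deck's illustration.
black_book = {}
audit_log = []

PII_FIELDS = {"name", "address", "phone", "birth_date", "insurance"}


def file_case(admin_id, record):
    """Store a case under a random ID and note the link only in the black book."""
    if PII_FIELDS & set(record):
        raise ValueError("a case must not carry administrative PII")
    case_id = secrets.token_hex(3).upper()   # carries no information about the patient
    case_cabinet[case_id] = record
    black_book.setdefault(admin_id, []).append(case_id)
    return case_id


def resolve(admin_id, actor, role, emergency=False):
    """Join a patient to their cases. Only the treating physician, or an
    emergency override, may do so; every attempt is written to the audit trail."""
    granted = role == "treating_physician" or emergency
    audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                      "role": role, "admin_id": admin_id, "emergency": emergency,
                      "granted": granted})
    if not granted:
        raise PermissionError(f"{actor} ({role}) may not resolve identities")
    return [case_cabinet[c] for c in black_book.get(admin_id, [])]


def research_view():
    """Cabinet Two as a public-health researcher sees it: cases without identities."""
    return [dict(r) for r in case_cabinet.values()]
```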
34. What Can We Learn From This Example?
● By building information systems without global identifiers we can compartmentalize information so that information security and privacy become an integral property of such architecture
● Such systems can be secured and compliance with data privacy laws becomes much easier
● The client/patient/consumer will acknowledge this and build trust into such systems
quickbase.intuit.com