How to Organize Patient Information to Protect Patients' Data



This presentation describes the organizational steps that can be taken to separate personally identifiable information from the necessary administrative information. When such procedures are applied, patient data can be secured and privacy rules followed.


  1. How To Organize Patient Information To Protect Data Privacy: Identity And Access Management In Healthcare. Seminar, 24.01.2013, Zurich. Dr. rer. nat. Hellmuth Broda, Principal Technology Architect Retail, Consumer Goods, Life Sciences, Infosys Limited. (Photo: EPI-Park Bangalore Campus)
  2. Agenda
     ● About Infosys
     ● Privacy—An Obsolete Model?
     ● Challenges with Identities
     ● An Architecture for Trust
     ● How to Organize Information
     (Photo: Pune Campus)
  3. Over 150,000 employees from 89 nationalities; operations in 77 cities across 32 countries
  4. We Fuelled Our Growth (chart, 2000 vs. 2012): employees 5,389 → 153,761+; revenue $50 million → 7.12 billion. Clients: 4 out of top 5 Global Aerospace & Defense, 4 out of top 5 US Banks, 6 out of top 10 Global Telecommunication Giants, 3 out of top 5 Health Plans, 8 out of top 10 US Retailers
  5. Powerful Forces Are Driving Opportunities: Emerging Economies, Smarter Organizations, Digital Consumers, New Commerce, Pervasive Computing, Sustainable Tomorrow, Healthcare Economy
  8. 8-time winner of the Global Most Admired Knowledge Enterprises award (2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011)
  10. The World’s Largest Corporate University
  11. Training 16’000 Students per Year
  12. Upcoming Challenges In Security, Governance, Compliance
     ● Perimeter security cannot serve the collaborative external ecosystems. It will be augmented (and eventually replaced) by application security and secure tunnels.
     ● We will move from secure castles to secured tunnels.
  13. Multiple Defence Rings Will Become Standard
     ● Perimeter security
     ● Network security
     ● NW intrusion detection
     ● Node/zone based security
     ● Laptop encryption
     ● Mobile device security
     ● Application security
     ● Data leakage prevention
     ● Compliance framework
  14. Privacy—An Obsolete Model?
     ● “You already have zero privacy anyway—get over it!” (Scott McNealy, CEO Sun Microsystems, 1999)
     ● Mobile phones track your location
     ● Navigation systems track you, and OnStar even records your preferred gas stations
     ● 200 CHF quadrocopter drones turn your neighbour into a spy
     ● Google traces your behaviour to offer “better services”
     ● “Bundestrojaner” scans German (only?) computers
  15. Invasion By Authorities But Also Crooks
     ● Are our basic privacy rights at stake?
     ● Is everything allowed that is technically feasible?
     ● Is there no limit?
     ● Who will control the controllers?
     ● Are we making it easy to become prey?
  16. Fallacy Of Poorly Organized Information
     ● We are following a long tradition of “male chauvinism” by building information pyramids
     ● The first thing we do is look for a (global) identifier
     ● Then we attach all attributes to this identifier
     ● And then we try to sprinkle some security on top
     ● This model does not work and is a blank invitation to data security breaches
  17. How Do We Do It In Real Life?
     ● We don’t use global identifiers in real life
     ● My passport number is different from my Swiss ID card number
     ● My driver’s licence has a different number
     ● My bank account has another number
     ● We sometimes even put information into the key (which is a cardinal sin) – c.f. our old AHV number in Switzerland
  18. But Connecting Identities Became Easy
     ● Proven models for federated identity connect a person’s frequent flyer number to his car rental loyalty card
     ● Following the traces on the web became a real business for market research firms
     ● We are becoming more and more transparent
     ● While on the move to Personalized Medicine—will my insurer hold a copy of my DNA and “adjust” my premium according to the predicted disease probabilities?
     (Image by alancleaver_2000 via Flickr)
  19. What Can We Do About This?
     ● Many global organizations have been working on privacy protection and the organizational mechanisms to conceal personally identifiable information (PII): Liberty Alliance, Kantara Initiative, Internet Society, W3C, . . .
     ● Mechanisms for secure identity assertions allow combination/translation of identifiers to combine services as well as to keep identifiers and the corresponding information separate (federated identity)
  20. So—Here Is The Trick
     ● Keep separate what does not need to be in one domain
     ● Use masking and pseudonymization wherever possible
     ● Protect the connection table that equates identities really well (it is a small table—much easier to protect than an entire system)
     ● Selectively enable access to this table on a strict need basis
  21. Confused? Let Me Explain . . .
     ● What exactly is privacy anyway?
     ● What are Identity Management, Authentication, Authorization, Policies?
     ● How can we organize such a system?
     ● “I still did not get it—can you explain more?”
     ● “Glad you asked”
  22. What Is So Special About Privacy And Trust?
     ● The biggest concern (after health) of the patient is privacy
     ● Privacy does not mean that “nobody knows nothing about me” *)
     ● It is about managing the faith of the patient by adhering to the agreed scope and holding the information in trust
     ● Consumers and patients are afraid of “Purpose Creep”
     ● What could an architecture for privacy and trust management look like?
     *) The Sopranos. (Diagram: “Original Agreement” versus “Purpose Creep”)
  23. Architecture for Trust Management: Definitions
     ● Identity: Basic set of information that creates a “unique” entity (a name with a corresponding set of attributes)
     ● Authentication: Assertion of validity of a set of credentials. Credentials express a person’s identity. “A Yes/No answer”
     ● Authorization: A set of rules governing decisions about what the user can do: access to information, services or resources
     ● Policy/Governance: A combination of business and technology practices which define how a relationship is conducted and services are performed
  24. Architecture for Trust Management: Real World Example, Driver’s License
     1. Identity: Name, address and picture identify the driver and, together with the document, provide the credentials expressing that the carrier is identical to the person that passed the driving tests
     2. Authentication: Assertion of validity: the policeman compares the document with you. Result: “A Yes/No answer”
     3. Authorization: The policeman will then see which kind of vehicle you are authorized to drive and whether you are allowed to drive the one you are operating now
     4. Policy/Governance: The fact that we do have police; the rules that allow me to drive with my national licence in other countries
  25. Architecture for Trust Management: Digitally Speaking . . .
     1. Identity: User, customer, device “facts”, e.g., name, address, ID, token, keys; credentials, certificates that were issued by a Certification Authority (CA)
     2. Authentication: Log on with a UID/PW, token, certificate, biometrics etc. A process that demands proof that the person presenting the credentials is indeed the person to whom they were originally issued: accept or reject
     3. Authorization: Determination of access rights to systems, applications and information: match credentials against profiles, ACLs, policy
     4. Policy/Governance: Business practices to manage risk, enforce security/privacy, provide auditability; user/customer preferences, history, personalized services
  26. How People Will Trust Policies
     ● Policy and its audit have to be guaranteed and certified by an approved public or private independent organization, e.g.:
        – Federal or state data protection agency
        – TÜV (private institution)
        – Audit firm
        – Chamber of Commerce
        – Postal Service or other basic service provider, . . .
     ● This can be achieved with defined processes and responsibilities similar to ISO 9000
     ● Trust is based on policies and the audit of those -- not just on security
  27. Where to Safeguard User’s Information (diagram). Parties: Health & Travel Insurance, Loyalty Program, Retail Bank, Car Rental, Hotel Chain, Airline, Travel Agent. Data they hold: Insurance Records, Travel History, Meal Preferences, Credit History, Health History, Meal Preferences, Car Type Preferences. Contrast: a Single Identity Operator holding Credit History, Health History, Travel History, Insurance Records and Meal Preferences in one place.
  28. A Federated Structure Promotes Privacy and Security
     ● Federated structure means no single centralized data storage that would be vulnerable to attack
     ● End user has more control of data because permissions travel with data, guiding its use
     ● No global identifier -- this model protects against unauthorized data sharing
  29. How it Happens (diagram): Circle of Trust – organizations and individuals (example healthcare)
     ● Identity Provider: Authentication, Federation, Discovery Service, Personal Profile
     ● Service Providers, e.g. Pharmacy, Physician, Hospital; Identity-Based Web Service Provider
     ● Principals, e.g. Patient, Physician
     ● Business relationships based on Liberty architecture & operational agreements
     ● Enables patients, physicians and healthcare organizations to safely share information in a secure and apparently seamless environment, without violating privacy
  30. The Example: Information Management In The Practitioner’s Office
     ● Today your GP (house doctor) keeps a folder for each patient with administrative and medical information in one place
     ● Due to the sensitivity of patient data this cabinet should always be locked
     ● But every secretary, nurse (and visitor?) has (to have) access
  31. Enter The Smart Doctor
     ● He keeps patients’ information in two separate file cabinets
     ● Cabinet One holds the administrative data of patients (name, birth date, address, phone, insurance information etc.)
     ● Cabinet Two holds the folders with cases: a knee operation, a liver exam, an x-ray, blood exam results . . .
     ● But the identifiers do not point to each other; they point to entries in a little black book, which the doctor keeps in a safe place.
     ● Only with this booklet can the connection between individuals and cases be made
  32. Advantage Of This Data Masking
     ● Cabinet One holds only administrative information (phone book) and can be left open
     ● Cabinet Two holds only cases, can be used e.g. for Public Health research, and can be left open
     ● Pointers are only resolved in the “Little Black Book”, which is secured
     Example entry in the Little Black Book: 23F147: H23K, F23XL, M4DB9
  33. What About the Electronic Patient Records?
     ● Patient owns his medical record in the cloud
     ● Records should be compartmentalised (“cases”)
     ● No patient information (PII) is needed in the records
     ● Patient holds the “little black book” locked
     ● Override for emergency services (with audit trail) can be established
     ● Electronic records open for public health studies
  34. What Can We Learn From This Example?
     ● By building information systems without global identifiers we can compartmentalize information so that information security and privacy become an integral property of such an architecture
     ● Such systems can be secured, and compliance with data privacy laws becomes much easier
     ● The client/patient/consumer will acknowledge this and build trust in such systems
  35. (Photo: Bangalore Campus)
  36. Thank You. The contents of this document are proprietary and confidential to Infosys Limited and may not be disclosed in whole or in part at any time, to any third party without the prior written consent of Infosys Limited. © 2013 Infosys Limited. All rights reserved. Copyright in the whole and any part of this document belongs to Infosys Limited. This work may not be used, sold, transferred, adapted, abridged, copied or reproduced in whole or in part, in any manner or form, or in any media, without the prior written consent of Infosys Limited.
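Slides 18, 19, 28 and 29 describe federated identity that translates identifiers per service rather than sharing one global identifier across a circle of trust. The Python below is an added example, not code from the presentation or from Infosys or the Liberty Alliance: an identity provider authenticates the principal once and derives a different pairwise pseudonym for each service provider with an HMAC over its own secret, so a pharmacy and a hospital serving the same patient cannot join their records without the identity provider. The class names, the HMAC derivation and the sample patient are assumptions made for this illustration.

```python
"""Pairwise pseudonyms in a circle of trust (added example, not from the slides).

An identity provider (IdP) authenticates a principal and hands each service
provider (SP) a different opaque identifier for that principal. No SP learns the
IdP-local identifier or another SP's pseudonym, so providers cannot join their
records without the IdP: there is no global identifier. The HMAC derivation,
the class names and the sample data are assumptions for this illustration.
"""
import hashlib
import hmac
import secrets


class IdentityProvider:
    """Holds the only key able to translate between a principal and its pseudonyms."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)  # never leaves the IdP
        self._principals = {}                   # local_id -> attributes kept at the IdP

    def enroll(self, local_id, attributes):
        self._principals[local_id] = attributes

    def pseudonym_for(self, local_id, provider_name):
        """Translate the IdP-local identifier into a pseudonym scoped to one provider.

        HMAC keyed with the IdP secret: deterministic per (principal, provider), but
        unguessable and unlinkable across providers for anyone without the key.
        """
        if local_id not in self._principals:
            raise KeyError(f"unknown principal {local_id!r}")
        msg = f"{provider_name}\x00{local_id}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:16]

    def assert_identity(self, local_id, provider_name):
        """Issue an identity assertion for one provider: a yes/no on authentication plus
        the pairwise pseudonym. Name, address and other attributes are not released."""
        return {
            "issuer": "idp",
            "audience": provider_name,
            "subject": self.pseudonym_for(local_id, provider_name),
            "authenticated": True,
        }


class ServiceProvider:
    """Keeps its own records under the pseudonym the IdP gave it."""

    def __init__(self, name):
        self.name = name
        self.records = {}  # pseudonym -> list of provider-local data

    def accept(self, assertion, data):
        # An assertion minted for another provider carries a foreign pseudonym; reject it.
        if assertion["audience"] != self.name or not assertion["authenticated"]:
            raise PermissionError("assertion not valid for this provider")
        self.records.setdefault(assertion["subject"], []).append(data)


def shared_subjects(sp_a, sp_b):
    """Subject identifiers two providers have in common. With pairwise pseudonyms
    this is empty even when they serve the same people."""
    return set(sp_a.records) & set(sp_b.records)


def demo():
    """Constructed sample: one patient, two providers from the slides' circle of trust."""
    idp = IdentityProvider()
    idp.enroll("patient-0001", {"name": "Example Patient"})  # constructed data
    pharmacy = ServiceProvider("pharmacy")
    hospital = ServiceProvider("hospital")
    pharmacy.accept(idp.assert_identity("patient-0001", "pharmacy"), "prescription filled")
    hospital.accept(idp.assert_identity("patient-0001", "hospital"), "knee operation")
    return idp, pharmacy, hospital


if __name__ == "__main__":
    idp, pharmacy, hospital = demo()
    print("pharmacy subjects:", list(pharmacy.records))
    print("hospital subjects:", list(hospital.records))
    print("linkable without the IdP:", bool(shared_subjects(pharmacy, hospital)))
```

The point to check when reviewing such a design is that the translation key stays inside the identity provider and that every assertion is bound to one audience; once a pseudonym is reused across providers, the "no global identifier" property of slide 28 is gone.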
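Slides 20 and 31 to 33 describe the two-cabinet model: administrative data and cases live under separate opaque identifiers, only a small, well-guarded linkage table (the "little black book") joins them, and an emergency override exists but leaves an audit trail. The Python below is an added example, not code from the presentation; the identifier format, the roles and the sample records are assumptions chosen for illustration.

```python
"""The smart doctor's two cabinets and little black book (added example, not from
the slides). Cabinet One holds administrative data, Cabinet Two holds cases, and
neither points at the other: only the separately guarded linkage table connects
them, every attempt to use it is written to an audit trail, and the emergency
override is audited too. Identifier format, roles and sample records are
assumptions for this illustration.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Practice:
    admin: dict = field(default_factory=dict)   # Cabinet One: admin_id -> administrative record
    cases: dict = field(default_factory=dict)   # Cabinet Two: case_id -> clinical record, no PII
    _book: dict = field(default_factory=dict)   # little black book: admin_id -> [case_id, ...]
    audit: list = field(default_factory=list)   # every attempt to open the book

    @staticmethod
    def _opaque_id():
        # Random, meaningless identifier: no birth date or name encoded in the key.
        return secrets.token_hex(3).upper()

    def register_patient(self, name, birth_date, insurance):
        admin_id = self._opaque_id()
        self.admin[admin_id] = {"name": name, "birth_date": birth_date, "insurance": insurance}
        self._book[admin_id] = []
        return admin_id

    def add_case(self, admin_id, kind, findings):
        case_id = self._opaque_id()
        self.cases[case_id] = {"kind": kind, "findings": findings}
        self._book[admin_id].append(case_id)   # the only place the two cabinets are joined
        return case_id

    def resolve(self, admin_id, actor, role, emergency=False):
        """Open the little black book for one patient. Granted to the doctor, or to
        anyone invoking the emergency override; denied attempts are logged as well."""
        granted = role == "doctor" or emergency
        self.audit.append({"actor": actor, "role": role, "admin_id": admin_id,
                           "emergency": emergency, "granted": granted})
        if not granted:
            raise PermissionError(f"{actor} ({role}) may not link patients to cases")
        return [self.cases[c] for c in self._book[admin_id]]

    def research_view(self):
        """Cabinet Two on its own: usable for public-health studies, carries no PII."""
        return [dict(rec) for rec in self.cases.values()]

    def phone_book(self):
        """Cabinet One on its own: contact data with no hint of any case."""
        return {aid: rec["name"] for aid, rec in self.admin.items()}


def leaks_identity(practice):
    """Check that no admin identifier or patient name appears anywhere in Cabinet Two."""
    names = {rec["name"] for rec in practice.admin.values()}
    tokens = list(practice.admin) + list(names)
    for rec in practice.cases.values():
        text = " ".join(str(v) for v in rec.values())
        if any(tok in text for tok in tokens):
            return True
    return False


def demo():
    """Constructed sample data for one patient with two cases."""
    p = Practice()
    pid = p.register_patient("Example Patient", "1970-01-01", "Example Insurance")
    p.add_case(pid, "knee operation", "meniscus repair, uneventful")
    p.add_case(pid, "blood exam", "cholesterol slightly elevated")
    return p, pid


if __name__ == "__main__":
    p, pid = demo()
    print("research view:", p.research_view())
    print("phone book:", p.phone_book())
    print("doctor resolves:", len(p.resolve(pid, "doctor-1", "doctor")), "cases")
    print("audit trail:", p.audit)
```

In a real deployment the linkage table would be encrypted and held by the patient or a separate custodian (slide 33), but the shape is the same: the two large stores can be opened for administration and research because neither contains what the other needs to identify a person.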