Surgical privacy: Information Handling in an Infectious Environment

What has privacy engineering, data flow modelling and analysis got to do with how infectious materials and the sterile field are handled in medical situations? Are there things we can learn by drawing an analogy between these seemingly different fields?

Transcript

  • 1. PUBLIC. Surgical Privacy: Information Handling in an Infectious Environment. Prepared by Ian Oliver, Privacy Architect - SPC. 25/10/2013, updated 16/4/2014
  • 2. Contents
    • Introduction to Infection Control
    • Infection Control as an Analogy
    • Understanding Information Contamination through Data Flow Modelling
    • Completing the Analogy
  • 3. The Sterile Field (diagram; key: sterile, non-sterile)
  • 4. The Sterile Field (diagram; key: sterile, non-sterile). Movement of materials from one area to the other must be controlled to prevent contamination of the sterile field with non-sterile items. Strict protocols prevent contamination.
  • 5. I know what you’re thinking…
  • 6. I know what you’re thinking… What has this got to do with information privacy and keeping consumer and business data safe?
  • 7. I know what you’re thinking… What has this got to do with information privacy and keeping consumer and business data safe? It is a great analogy for what we do. (© 2013 HERE | Title | Author | Company confidential)
  • 8. I know what you’re thinking… What has this got to do with information privacy and keeping consumer and business data safe? It is a great analogy for what we do. The Surgical-Privacy ’Isomorphism’* (diagram: the surgical domain S and the privacy domain P related by mappings f and g, with satisfaction relations |=S and |=P). *isomorphism up to some level of abstraction....sorry...
  • 9. Material Flow (diagram)
  • 10. Material Flow – Direct Contamination Points. Strict protocols prevent contamination. • What are these protocols? • What are the risks?
  • 11. Material Flow – Possible Contamination Flow. How to prevent this? • Access Control/Segregation: minimise interactions from ”untrusted” sources; acts as a checkpoint between instruments and surgeons.
  • 12. Material Flow – Possible Contamination Flow. How to prevent this? • Access Control (RBAC) • Physical Segregation. Question: how is this split made in this environment? Question: under what circumstances would this flow happen?
  • 13. An Analogy (S = surgical, P = privacy)
    Material: S: surgical tools. P: information.
    Material Flow: S: passing tools into (and out of) the sterile field or between people. P: network connection, data-set cross-references.
    Role: S: sterile roles vs non-sterile/circulating roles. P: processes, eg: application, analytics, deployments etc.
    Protocol: S: draping, movement, restricted areas, sterile clothing etc. P: consent, filtering, anonymisation, access control, data handling procedures.
    Contamination: S: sterile or not? (definition of sterility/clean in terms of dust, bacteria, viruses). P: PII, PCI, HIPAA, COPPA, location, identifiers and related data.
    Risk: S: infection, disease etc. P: deanonymisation (leading to fines etc).
    Measurement & Metrics: S: definition of sterility and cleanliness. P: amount and type of information content.
  • 14. Material Flow. For example, the typical dataflow from user via his/her app/device to the supporting backend systems, marketing, analytics and advertising...
  • 15. Material (diagram of the flows between roles, labelled: UserID, Loc, Content, DevID; ID, Loc, DevID, Event; UserID, Token; Loc, DevID; Loc, DevID; and after filtering: f(ID), f(Loc), f(Event), f(DevID); f(Loc), f(DevID))
  • 16. Roles (diagram: User, User’s Device, 3rd Party, 3rd Party, Here)
  • 17. Protocol. Install/Run the app? Inform/Ability to turn off in the device? Login? Service improvement opt-in? Inform what the app does. Inform about any 3rd parties. Inform supported by adverts. Inform for support reasons. Marketing opt-in? ...
  • 18. Metrics for Contamination. What does contamination mean in our context? (diagram: a scale from sterile to contaminated for each information class)
    FIN: receipts, cc numbers, transaction details
    HLT: exercise data, medical data
    LOC: country, city, lat,long <50m, IP/cell
    PER: name, email, ethnicity/religion
    TIM: day, hour, second
    ID: session(1), application, device, personal, session(2) ...
    CONT: email/messaging, pictures, events, passwords
    ... information entropy wrt identifying a single human being...
  • 19. Metrics: further aspects. Over the information classes FIN, HLT, LOC, PER, TIM, ID, CONT: Information Longevity; Temporal/Historical; Big Data.
  • 20. Contamination with location data (diagram: Contamination Routes). Colours depict degree of contamination: • Lat, long & accurate • City level • Country level • Unk/No data
  • 21. Contamination with device ID (diagram: Contamination Routes). Colours depict degree of contamination: • IMEI or similar • Hashed • ”Randomised” • Unk/No data
  • 22. Information classes as metrics. Metrics can be calculated over, eg: Location × DeviceID, giving: • Unk/No Data • Concern • Serious Concern (diagram: Contamination, Risks, Roles & Metrics)
  • 23. I know what you’re thinking…again… So what? We know this already? Don’t we?
  • 24. …well… So what? We know this already? Don’t we? O.R. protocols and terms are very well defined and adhered to; Privacy terms are loosely defined, formal underpinning and adherence is often minimal.
  • 25. …ah ha… (or “uh oh”?) So what? We know this already? Don’t we? O.R. protocols and terms are very well defined and adhered to; Privacy terms are loosely defined, formal underpinning and adherence is minimal. Classification structures and aspects, eg: what does ”Secret” mean? What does location data mean? What does ”anonymised data” mean?
  • 26. So what do we need?
  • 27. So what do we need?
    Classification • one or more information classes • purpose (primary vs secondary) • usage (context defined) • security class (maybe)
    Inference Rules • eg: default handling for certain kinds of information
    Metrics • Comparison and calculation over classifications
    Policies, Protocols, Maxims and Requirements • Evaluation of compliance, not enforcement of compliance • Non-monotonicity & retrenchment • Architectural patterns • Cataloguing and automatic ”enforcement” • Mathematics and engineering
  • 28. So what do we have?
    Classification • one or more information classes • purpose (primary vs secondary) • usage (context defined) • security class (maybe)
    Inference Rules • eg: default handling for certain kinds of information
    Metrics • Comparison and calculation over classifications
    Policies, Protocols, Maxims and Requirements • Evaluation of compliance, not enforcement of compliance • Non-monotonicity & retrenchment • Architectural patterns • Cataloguing and automatic ”enforcement” • Mathematics and engineering
  • 29. Classifying Information. Each data point (and by inference each data-set) is classified by • one or more information classes • purpose (primary vs secondary) • usage (context defined) • security class (maybe)
  • 30. Classification by Inference. Security classifications can be made by inference over what data is being handled, context etc. For example: • Data sets containing ”Lat,Longs” should be handled according to the ”confidential” classification • If a dataset can be inferred to contain confidential and secret data, then we take the highest level of secrecy
  • 31. So… Starting with a simple analogy: • the transfer of infectious materials
  • 32. So… Starting with a simple analogy: • the transfer of infectious materials. We: • defined the transfer points • defined the transfer mechanisms • identified the protocols to minimise transfer • defined a mechanism for classifying the infectious agents • defined a metric for measuring the amount of infectious agent • identified the risk of the infectious agents
  • 33. So… Starting with a simple analogy: • the transfer of infectious materials. We: • defined the transfer points • defined the transfer mechanisms • identified the protocols to minimise transfer • defined a mechanism for classifying the infectious agents • defined a metric for measuring the amount of infectious agent • identified the risk of the infectious agents, and most importantly: • placed all of the above into a formal, generally applicable context • ie: externalised OUR internal knowledge => the R&D team can more effectively apply this.
  • 34. …some maxims… (S = surgical, P = privacy)
    S: All tools are considered unsterile unless explicitly stated and proven to be sterile. P: All information is considered to contain PII, to be PCI/HIPAA/COPPA/SOX non-compliant, secret etc unless explicitly stated and documented.
    S: Only designated persons/roles are allowed to handle sterile items. P: Access control is based upon the need to handle that information, eg: only a PCI compliant system can handle financial data.
    S: Passing or transport of sterile items to an unsterile person/role/area makes them unsterile. P: Moving data means that the target and transport must be as protecting and compliant as the source, unless the data can be cleaned.
    S: Potential contamination routes are explicitly known and guarded against. P: Storage, transport and processing of data must adhere to the requirements (or better) for the data being handled.
    S: Contamination guards exist inherently in the system through protocol, procedure or physical barrier. P: Contamination is prevented by the source ensuring data is cleaned sufficiently in explicitly stated/mandated manners.
    S: The stronger the disinfectant the more sterile an item will be. P: The more information content removed the cleaner the dataset will be.
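As an added example (not from the slides or from HERE), here is a small Python model of the classification-by-inference rule on slide 30, the Location × DeviceID contamination metric on slide 22, and the slide 34 maxim that a target must be as protective as the data requires unless the data is cleaned first. The level names, the device-ID inference rules and the metric thresholds are assumptions made for illustration.

```python
from collections import namedtuple

# Granularity ladders for two of the slides' information classes (slides 20-21),
# least to most identifying; the level names are this example's own shorthand.
LOC_LEVELS = ["none", "country", "city", "latlong"]
DEVID_LEVELS = ["none", "randomised", "hashed", "imei"]
LADDERS = {"LOC": LOC_LEVELS, "ID": DEVID_LEVELS}
SECRECY = ["public", "confidential", "secret"]  # total order: "highest" = max()

# One field of a data set: "LOC" or "ID" here (slide 18 lists the other classes).
DataPoint = namedtuple("DataPoint", "name info_class level")

def secrecy_of(point):
    """Per-point inference (slide 30): the lat/long rule is the slides'; the device-ID rules are assumed."""
    if point.info_class == "LOC" and point.level == "latlong":
        return "confidential"
    if point.info_class == "ID" and point.level == "imei":
        return "secret"
    if point.info_class == "ID" and point.level == "hashed":
        return "confidential"
    return "public"

def dataset_secrecy(points):
    """A data set inherits the highest secrecy of any point it contains (slide 30)."""
    return max((secrecy_of(p) for p in points), key=SECRECY.index, default="public")

def contamination(points):
    """Slide 22 metric over Location x DeviceID; the thresholds are assumed."""
    loc = max((LOC_LEVELS.index(p.level) for p in points if p.info_class == "LOC"), default=0)
    dev = max((DEVID_LEVELS.index(p.level) for p in points if p.info_class == "ID"), default=0)
    if loc == 0 and dev == 0:
        return "Unk/No Data"
    return "Serious Concern" if loc + dev >= 5 else "Concern"

def flow_allowed(points, target_clearance):
    """Slide 34 maxim: the target must be at least as protective as the data requires."""
    return SECRECY.index(target_clearance) >= SECRECY.index(dataset_secrecy(points))

def clean(points, caps):
    """Cleaning = capping granularity per class before the data moves, e.g. {"LOC": "city"}."""
    out = []
    for p in points:
        ladder, cap = LADDERS.get(p.info_class), caps.get(p.info_class)
        if ladder and cap and ladder.index(p.level) > ladder.index(cap):
            p = DataPoint(p.name, p.info_class, cap)
        out.append(p)
    return out

# Constructed sample: the "Loc, DevID" flow leaving the user's device on slide 15.
SAMPLE = [DataPoint("loc", "LOC", "latlong"), DataPoint("dev", "ID", "imei")]
```

Running `flow_allowed(SAMPLE, "confidential")` returns False, and the same data after `clean(SAMPLE, {"LOC": "city", "ID": "hashed"})` drops from "Serious Concern" to "Concern" and may flow to a confidential target.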
  • 35. Exercise left for reader (diagram: sterile and contaminated areas). Movement of materials from one area to the other must be controlled to prevent contamination of the sterile field with non-sterile items. • what materials are being transported? • what protocols for controlling the flow are there? • where are the control points? • how much contamination could happen? • how much risk do we take?
  • 36. fin.