Surgical privacy: Information Handling in an Infectious Environment

What have privacy engineering, data flow modelling and analysis got to do with how infectious materials and the sterile field are handled in medical situations? Are there things we can learn by drawing an analogy between these seemingly different fields?

Published in: Software, Technology, Business

  1. Surgical Privacy: Information Handling in an Infectious Environment. Prepared by Ian Oliver, Privacy Architect - SPC. 25/10/2013, updated 16/4/2014. (Classification: PUBLIC)
  2. Contents: Introduction to Infection Control; Infection Control as an Analogy; Understanding Information Contamination through Data Flow Modelling; Completing the Analogy.
  3-4. The Sterile Field. [figure: operating-room areas, keyed Sterile / Non-sterile] Movement of materials from one area to the other must be controlled to prevent contamination of the sterile field with non-sterile items. Strict protocols prevent contamination.
  5-8. I know what you're thinking… What has this got to do with information privacy and keeping consumer and business data safe? It is a great analogy for what we do. The Surgical-Privacy 'Isomorphism'*: [diagram: the surgical world S and the privacy world P linked by maps f and g, each with its own satisfaction relation, ⊨S and ⊨P] *isomorphism up to some level of abstraction… sorry…
  9. Material Flow. [figure: flow of materials between the sterile and non-sterile areas]
  10. Material Flow – Direct Contamination Points. Strict protocols prevent contamination. What are these protocols? What are the risks?
  11. Material Flow – Possible Contamination Flow. How to prevent this? Access control/segregation: minimise interactions from "untrusted" sources (acts as a checkpoint between instruments and surgeons).
  12. Material Flow – Possible Contamination Flow. How to prevent this? Access control (RBAC); physical segregation. Question: how is this split made in this environment? Question: under what circumstances would this flow happen?
  13. An Analogy (S = surgery, P = privacy):
      Material. S: surgical tools. P: information.
      Material flow. S: passing tools into (and out of) the sterile field or between people. P: network connections, data-set cross-references.
      Role. S: sterile roles vs non-sterile/circulating roles. P: processes, e.g. application, analytics, deployments etc.
      Protocol. S: draping, movement, restricted areas, sterile clothing etc. P: consent, filtering, anonymisation, access control, data handling procedures.
      Contamination. S: sterile or not? (definition of sterility/cleanliness in terms of dust, bacteria, viruses). P: PII, PCI, HIPAA, COPPA, location, identifiers and related data.
      Risk. S: infection, disease etc. P: deanonymisation (leading to fines etc).
      Measurement & metrics. S: definition of sterility and cleanliness. P: amount and type of information content.
  14. Material Flow. For example, the typical dataflow from the user via his/her app/device to the supporting backend systems, marketing, analytics and advertising…
  15. Material. [data-flow diagram; edge labels: UserID, Loc, Content, DevID; ID, Loc, DevID, Event; UserID, Token; Loc, DevID; Loc, DevID; f(ID), f(Loc), f(Event), f(DevID); f(Loc), f(DevID)]
  16. Roles. [same diagram; nodes: User, User's Device, Here, 3rd Party, 3rd Party]
  17. Protocol. Install/run the app? Inform/ability to turn off in the device? Login? Service improvement opt-in? Marketing opt-in? Inform what the app does; inform about any 3rd parties; inform that the app is supported by adverts; inform for support reasons; …
  18. Metrics for Contamination. What does contamination mean in our context? [figure: information classes laid out along an axis from sterile to contaminated] FIN: receipts, transaction details, cc numbers. HLT: exercise data, medical data. LOC: country, city, lat/long <50m, IP/cell. PER: name, email, ethnicity/religion. TIM: day, hour, second. ID: application, device, session(1), session(2), personal. CONT: email/messaging, pictures, events, passwords. Measure: information entropy with respect to identifying a single human being…
  19. Metrics: further aspects. Over the same classes (FIN, HLT, LOC, PER, TIM, ID, CONT): information longevity; temporal/historical; big data.
  20. Contamination with location data. [figure: contamination routes through the data flow] Colours depict degree of contamination: lat, long & accurate; city level; country level; unknown/no data.
  21. Contamination with device ID. [figure: contamination routes through the data flow] Colours depict degree of contamination: IMEI or similar; hashed; "randomised"; unknown/no data.
  22. Information classes as metrics. Metrics can be calculated over, e.g., Location × DeviceID, banded as: unknown/no data; concern; serious concern. [figure: contamination, risks, roles & metrics]
  23-25. I know what you're thinking… again… So what? We know this already, don't we? …well… O.R. protocols and terms are very well defined and adhered to; privacy terms are loosely defined, and their formal underpinning and adherence are often minimal. …ah ha… (or "uh oh"?) Classification structures and aspects, e.g.: what does "Secret" mean? What does location data mean? What does "anonymised data" mean?
  26-27. So what do we need? Classification: one or more information classes; purpose (primary vs secondary); usage (context defined); security class (maybe). Inference rules: e.g. default handling for certain kinds of information. Metrics: comparison and calculation over classifications. Policies, protocols, maxims and requirements: evaluation of compliance, not enforcement of compliance; non-monotonicity & retrenchment; architectural patterns; cataloguing and automatic "enforcement"; mathematics and engineering.
  28. So what do we have? (The same list as slide 27, revisited against what exists today.)
  29. Classifying Information. Each data point (and by inference each data-set) is classified by: one or more information classes; purpose (primary vs secondary); usage (context defined); security class (maybe).
  30. Classification by Inference. Security classifications can be made by inference over what data is being handled, the context etc. For example: data sets containing lat,longs should be handled according to the "confidential" classification; if a dataset can be inferred to contain both confidential and secret data, then we take the highest level of secrecy.
  31-33. So… Starting with a simple analogy, the transfer of infectious materials, we: defined the transfer points; defined the transfer mechanisms; identified the protocols to minimise transfer; defined a mechanism for classifying the infectious agents; defined a metric for measuring the amount of infectious agent; identified the risk of the infectious agents; and most importantly: placed all of the above into a formal, generally applicable context, i.e. externalised OUR internal knowledge so that the R&D team can apply it more effectively.
  34. …some maxims… (S = surgery, P = privacy)
      S: All tools are considered unsterile unless explicitly stated and proven to be sterile.
      P: All information is considered to contain PII, to be PCI/HIPAA/COPPA/SOX non-compliant, secret etc. unless explicitly stated and documented otherwise.
      S: Only designated persons/roles are allowed to handle sterile items.
      P: Access control is based upon the need to handle that information, e.g. only a PCI-compliant system can handle financial data.
      S: Passing or transporting a sterile item to an unsterile person/role/area makes it unsterile.
      P: Moving data means the target and the transport must be as protected and compliant as the source, unless the data can be cleaned.
      S: Potential contamination routes are explicitly known and guarded against.
      P: Storage, transport and processing of data must adhere to the requirements (or better) for the data being handled.
      S: Contamination guards exist inherently in the system through protocol, procedure or physical barrier.
      P: Contamination is prevented by the source ensuring data is cleaned sufficiently, in explicitly stated/mandated manners.
      S: The stronger the disinfectant, the more sterile an item will be.
      P: The more information content removed, the cleaner the dataset will be.
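The classification, inference-rule and maxim slides (27-30 and 34) describe rules a practitioner would rather run than read. The Python below is an added example written for this page; it is not code from the slides or from any tooling of the author's. It encodes a few information classes with ordered granularity levels, a handful of inference rules of the "lat,long implies confidential / take the highest level" kind, a per-class contamination score with the slide-22 bands, and a check of the "moving data" maxim over a slide-15-style flow (device to Here backend to a 3rd party, with and without a cleaning function f). Only the LOC and ID orderings come from the slide legends; the TIM/PER/FIN orderings, the security-class names, the band cut-offs, the rule thresholds and the node clearances are assumptions made for the example.

```python
"""Toy privacy "sterile field" checker: classification, inference rules,
contamination metric and the moving-data maxim as executable rules.
Constructed example; see the comments for which parts are assumptions."""
from dataclasses import dataclass

# Granularity levels per information class, ordered from "sterile" (no data)
# to "contaminated" (most identifying). LOC and ID follow the slide legends
# (country < city < lat,long; randomised < hashed < IMEI); the rest are assumed.
LEVELS = {
    "LOC": ("none", "country", "city", "latlong"),
    "ID":  ("none", "randomised", "hashed", "imei"),
    "TIM": ("none", "day", "hour", "second"),
    "PER": ("none", "name", "email"),
    "FIN": ("none", "receipts", "transaction", "ccnumber"),
}

# Security classes from lowest to highest handling requirement (assumed names).
SEC = ("public", "internal", "confidential", "secret")


def level_index(cls, level):
    """Position of `level` within its class ordering (0 = no data)."""
    return LEVELS[cls].index(level)


def contamination(dataset):
    """Per-class score in [0, 1]: 0 = no data, 1 = most identifying level."""
    return {c: level_index(c, l) / (len(LEVELS[c]) - 1) for c, l in dataset.items()}


def concern(dataset):
    """Map each score onto the slide-22 bands (the cut-offs are assumed)."""
    bands = {}
    for c, s in contamination(dataset).items():
        bands[c] = "unk/no data" if s == 0 else ("serious concern" if s == 1 else "concern")
    return bands


# Inference rules (slide-30 style): predicate over the dataset -> required class.
# Which level triggers which class is an assumption for the example.
RULES = [
    (lambda d: d.get("LOC") == "latlong", "confidential"),
    (lambda d: d.get("ID") == "imei", "confidential"),
    (lambda d: d.get("PER") in ("name", "email"), "confidential"),
    (lambda d: d.get("FIN") == "ccnumber", "secret"),
]


def infer_security_class(dataset):
    """Highest class triggered by any rule ("take the highest level of secrecy");
    a dataset that triggers no rule is treated as public (assumption)."""
    idx = 0
    for pred, sec in RULES:
        if pred(dataset):
            idx = max(idx, SEC.index(sec))
    return SEC[idx]


@dataclass
class Node:
    name: str
    clearance: str   # highest security class this role/system may handle


@dataclass
class Flow:
    src: Node
    dst: Node
    dataset: dict    # class -> level leaving the source
    clean: dict      # f(): class -> level after cleaning at the source


def apply_cleaning(dataset, clean):
    """Cleaning may only lower a level; a 'cleaning' that would add detail is ignored."""
    out = dict(dataset)
    for c, lvl in clean.items():
        if c in out and level_index(c, lvl) < level_index(c, out[c]):
            out[c] = lvl
    return out


def check_flow(flow):
    """Maxim: the target must be as protected as the (cleaned) data requires."""
    data = apply_cleaning(flow.dataset, flow.clean)
    need = infer_security_class(data)
    ok = SEC.index(flow.dst.clearance) >= SEC.index(need)
    return ok, need, data


def demo():
    """Slide-15-style flow: device -> Here backend -> 3rd party, raw and via f()."""
    device = Node("User's device", "secret")
    here = Node("Here backend", "confidential")
    third = Node("3rd party analytics", "internal")
    raw = {"ID": "imei", "LOC": "latlong", "TIM": "second"}   # constructed sample
    flows = [
        ("device->Here", Flow(device, here, raw, {})),
        ("Here->3rd party, raw", Flow(here, third, raw, {})),
        ("Here->3rd party, f()", Flow(here, third, raw, {"ID": "hashed", "LOC": "city"})),
    ]
    return {name: check_flow(f)[:2] for name, f in flows}


if __name__ == "__main__":
    for name, (ok, need) in demo().items():
        print(f"{name:24s} requires {need:12s} {'OK' if ok else 'CONTAMINATION'}")
```

Run stand-alone it prints one line per flow. The raw Here-to-3rd-party flow is flagged because the inferred class (confidential) exceeds the 3rd party's clearance; hashing the device ID and coarsening location to city level is what brings the requirement down, which is the "contamination is prevented by the source cleaning the data" maxim in executable form. The contamination score also drops after cleaning, matching "the more information content removed, the cleaner the dataset".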
  35. Exercise left for the reader. [figure: sterile vs contaminated areas] What materials are being transported? What protocols for controlling the flow are there? Where are the control points? How much contamination could happen? How much risk do we take? Movement of materials from one area to the other must be controlled to prevent contamination of the sterile field with non-sterile items.
  36. fin.
