Deploying Secure Computation in Healthcare

Deploying SMC in Practice
Khaled El Emam
Electronic Health Information Laboratory & uOttawa
EXAMPLES IN HEALTHCARE SETTINGS

Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca
Researchers’ Need for Data
• Digitization, performance-based funding, greater
inter-operability and fiscal pressures make more
data available for research
• Linked data allows analyses to span more of the
continuum of care and look at social
determinants of health
• Severe competition for research funding means
there is an urgency to providing access to data
to support proposals, funding, and delivery of
results

Benefits of Sharing Research Data
• Confirmation of published results
• Availability for meta-analyses
• Feedback to improve data quality
• Cost savings from not collecting the data
again
• Minimize need for participants to provide
data repeatedly
• Data for instruction and education
1

Benefits of Sharing Data: Commercial
• Software testing
• Targeted marketing campaigns
• Post marketing surveillance
• Monetization of data
• Information product development
• Internal analytics (models for decision
support)
• Device diagnostics
1

Regulatory Framework
• Legislation and regulations cover personally-
identifiable health data
• When not mandated or permitted, use and
disclosure of health data for secondary
purposes requires either consent or
anonymization in accordance with
regulations
1

Secondary Purposes
• Secondary purposes means non-
direct care uses of personal health
information including:
– Research
– Public health
– Quality/safety measurement
– Payment
– Provider certification or accreditation
– Marketing
– Other commercial activities
1
Safran C, Bloomrosen M, Hammond E, Labkoff S, S K-F, Tang P, Detmer D. Toward a national framework for the secondary use of
health data: An American Medical Informatics Association white paper. Journal of the American Medical Informatics Association,
2007; 14:1-9.

Types of Data Flows
1

Data Flows
• Uses by an agent/affiliate for secondary
purposes (e.g., financial analysis, human
resources planning)
• Mandatory disclosures (e.g., communicable
diseases, gunshot wounds)
• Permitted discretionary disclosures for
secondary purposes (e.g., public health and
research)
• Other disclosures for secondary purposes
(e.g., marketing)
1

Facilitating Disclosure
• Privacy and confidentiality concerns have
made many health organizations very
reluctant to share data and to take
advantage of large scale analytics on the
cloud. Three factors contribute:
• Regulations that limit disclosure of
personal information
• Legitimate concerns
about potential data leaks
• Compelled disclosures

Methods to Facilitate Disclosure
• Two options now exist for disclosing
personal information for complex analytics to
avoid being the “creepy guy in the room”
– Anonymization
– Secure multi-party
computation

ANONYMIZATION

De-identification

PARAT
Providing organizations with a scalable solution to automate
the anonymization of structured & unstructured data
• Measure risk of re-identification under different
attacks
• Transform data to ensure that the risk is below
a given threshold
• Configure re-identification risk threshold
settings directly from Privacy Analytics’ online
Risk Assessment application
• Determine enterprise policies for data
sharing to ensure that administrative controls
are in place to manage risk
• Automate data sharing agreements and
certifications that confirm risks are “very small”
for re-identification

PARAT Software

SECURE COMPUTATION
What is secure computation?

Secure Computation
• A set of techniques (protocols) developed to
allow computations to be performed on
encrypted data – do analytics without
knowing or exposing the raw data
• Example computations:
 Public health surveillance: rates, categorical data analysis
 Rare adverse drug event detection using regression models
(GLM and GEE) for distributed data
 Secure matching: record lookup without revealing the
record details, matching databases without revealing
matching keys

SECURE COMPUTATION
How does secure computation work?

Public key
Encryption
9

Randomized Public key
Encryption
10

Encryption
1 2 1 2 ,If r r then c c but 
   1 2sk skDec c Dec c m 
11

Encryption
Notation denoting
an encrypted
plaintext

Additively Homomorphic
Encryption

SECURE SURVEILLANCE

ARO Surveillance from Long
Term Care Homes in Ontario
Disclosure of Colonization /
Infection Rates
Not Currently Legally Required
From LTCHs in Ontario
Objective:
 Compute colonization rates without
knowing the values for any single LTCH

DISEASE SURVEILLANCE
Data Aggregator
Key holder[count1] x [count2] x
[count3] x [count4] =
[count1 + count2 +
count3 + count4]
[count1]
[count2]
[count3]
[count4]
(count1 + count2 +
count3 + count4) / 4

High Response Rate = 82%

Region 0-60 61-120 121-180 180 + Facilities
participating /
total (%)
North 15 / 18 19 / 25 10 / 15 5 / 5 49 / 63 (77.7)
East 23 / 23 34 / 34 25 / 25 13 /15 95 / 97 (97.9)
Central East 16 / 16 35 / 41 43 / 49 30 / 34 124 / 140 (88.6)
Toronto 3 / 6 5 /7 10 / 12 12 / 13 27 / 38 (71.1)
Central West 12 / 13 40 / 46 51 / 56 19 / 22 122 / 137 (89.1)
West 23 / 34 42 / 68 23 / 34 7 /10 95 / 146 (65.1)
Total
(%)
89 / 110
(80.9)
175 / 221
(79.2)
162 / 191
(84.8)
86 / 99
(86.7)
512 / 621 (82.4)

DISEASE SURVEILLANCE (MRSA)
Regions
Facility
number of
beds
Central
West
North East Toronto West Central
East
Bed group
prevalence
0-60 3.31 1.57 3.17 -- 8.38 0.72 3.87
61-120 2.73 1.07 2.04 -- 7.88 1.8 3.34
121-180 3.15 0.56 2.54 0.91 7.83 1.08 2.94
180 + 2.91 -- 2.37 2.58 8.63 1.68 2.61
Regional
prevalence
3.00 0.79 2.42 1.86 8.04 1.44

ANONYMOUS LINKING

Anonymous Linking
• Typical use cases:
– The best fields to link databases on are quite
sensitive: health insurance number, social
security/insurance number, medical record
number
– Organizations do not have the authority to
exchange data, but need to de-duplicate
databases or do lookups
• Anonymous linking allows the linking of
records in remote databases without sharing
any sensitive or personal information or
sharing any secrets

Generation and
distribution of keys

Encryption of OHIP#
using a
public key

Encryption of local
OHIP# using the same
public key

Perform homomorphic
equality test
on the two
encrypted values

Decrypt the results of the
equality tests using the
private key

Results of matches can be
used to de-duplicate, link, or
return a lookup outcome

ONLINE & OFFLINE PURCHASES

Chlamidya Screening
 Objective: compute screening rates and evaluate impact
of interventions to improve them
 Pulling data out of EMRs (family doctors) about females
14-24 eligible for Chlamidya screening and match that
with lab data to determine how many have been
screened (match rates)
 Matching on OHIP#, name, DoB
 No release of personal information in the process

Critical Success Factors / Risks
• Embedding within a healthcare environment
• Large multi-disciplinary teams
• Supporting software after the initial prototype
• Academic evaluation criteria
• Publishing outside the traditional computer
science community
• Managing and protecting IP

Contact
kelemam@ehealthinformation.ca
@kelemam
www.ehealthinformation.ca

Deploying Secure Computation in Healthcare

Recommended

Recommended

More Related Content

What's hot

What's hot (12)

Viewers also liked

Viewers also liked (7)

Similar to Deploying Secure Computation in Healthcare

Similar to Deploying Secure Computation in Healthcare (20)

More from Khaled El Emam

More from Khaled El Emam (6)

Recently uploaded

Recently uploaded (20)

Deploying Secure Computation in Healthcare