2010-09-21 - (ISC)2 - Protecting patient privacy while enabling medical re…



Presentation about maintaining the privacy of patients while harvesting aggregated data for improvement of patient treatment and scientific medical research.

Speaker notes:
  • These are the images we all get imprinted in our brain from pathology. This is in fact only a tiny portion of their work; the rest is dedicated to keeping people off their table. They are fighting a fight against the most deadly diseases in the world, including cancer. In most cases a quicker and correct diagnosis greatly improves the chances of survival (unlike House M.D.).
  • Non-identification makes opt-out more difficult
  • Unfortunately, diagnosis is extremely complex. This raises questions that are crucial for a quick and correct diagnosis: for both prevention and correct diagnosis, statistics have to be collected over the population.
  • “Upgrading” from a regular hospital to a university hospital or even a specialised hospital like the Antoni van Leeuwenhoek means people move about 3 times....
  • Solution: reduce the resolution of data in order to protect patient privacy
  • Although we do have documented cases of opt-out, the level of information dumped on a patient does make you wonder... Some tumors are so rare that asking for them will result in 3 cases in the last 3 decades.
  • Although technical administrators can make themselves part of the application administrators, the technical implementation is such that this will be detected in the user management systems of the hosting party, and it will be logged.
  • Use two encrypted versions of the same text to break the cipher (please note that it really is a one-way hash...).
  • Use XML SEC (both AUTH and ENC). Chosen not to expose ZorgTTP to medical data....
  • Hash + Encryption
  • Please note that in the research database, the original pseudonyms are replaced by a number
  • When discussing design with developers, this role is unclear to many people.....
  • We need high availability for some systems, and just survivability for others. Please note the location of the backups: it is at the remote location (i.e. not close to the primary location)
  • Backups are challenging: they tend to cross the line unless you encrypt the database and its dumps

    1. Privacy and scientific research
       Enabling the battle against cancer while maintaining patient privacy
       Jaap van Ekris
       21 September 2010
    2. Jaap van Ekris
    3. Agenda
       • What is pathology
       • Who is PALGA
       • The privacy challenge
       • A case of rebuilding central infrastructure
       • Open ends...
    4. Pathology as seen on TV...
    5. Stichting PALGA
       • Foundation founded in 1971
       • An official medical registration, as described in Dutch privacy laws
       • Helps pathologists connect to colleagues on a case-by-case basis, since medical relevancy for diagnosis is measured in decades
       • Enabler for statistical medical research by universities that can be observed through pathology reports
       • Supports national policy development through: Dutch Cancer Registration, Cervical and Breast Cancer Screening Programs, Health Care Evaluation and Epidemiological Research Survey
       • National coverage since 1990
       • Patients can opt out through the responsible pathology lab
    6. Example scientific questions
       • How effective is the cervical cancer screening program?
       • Is there a relation between inoculations and specific types of cancer?
       • Is there a relation between being born in the 1944 hunger winter and the risk of colon cancer?
       • Is there a relation between living in specific geographic locations or regions and the risk of cancer?
       • What is the chance of a type of cancer recurring after treatment?
       • Is there an increased risk of having another type of cancer after surviving a specific type of cancer?
    7. Our privacy challenge
       • We do not want to know the patient’s identity:
         - Directly (name, address, etc.)
         - Indirectly (by combining information)
       • We do want to correlate medical diagnoses across the lifetime of a subject:
         - Patients change hospital when an illness escalates
         - Current “health waiting list mediation” increases patient mobility
         - People move
         - Medical relevancy is about 20 years
    8. Indirect identification is challenging
       • Correlating information to real people by combining seemingly innocent information
       • Researchers in the US have been able to correlate real people with “innocent” information found on the internet using US public survey data
       • In the Netherlands we have fewer people per postal code than US citizens per zip code
       • Some illnesses or combinations of illnesses are extremely rare
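One way to put the speaker note "reduce the resolution of data" into practice against the small-group problem on this slide, as an added example that is not part of the original deck: counts per (birth cohort, postcode area) are coarsened step by step until every cell holds at least K subjects, and refused when even the coarsest cut leaves a rare-diagnosis cell of a few people. The records, the threshold K and the three coarsening levels are all constructed assumptions.

```python
from collections import Counter

K = 5  # assumed minimum number of subjects per released cell (not on the page)

# Constructed records after pseudonymisation: (research number, diagnosis,
# birth year, postcode). No name or address is present any more.
RECORDS = [
    (1, "cervix carcinoma", 1960, "1234AB"),
    (2, "cervix carcinoma", 1961, "1234AC"),
    (3, "cervix carcinoma", 1962, "1234AD"),
    (4, "cervix carcinoma", 1963, "1234AE"),
    (5, "cervix carcinoma", 1964, "1234AF"),
    (6, "cervix carcinoma", 1960, "1234AG"),
    (7, "rare sarcoma", 1944, "1234AB"),
    (8, "rare sarcoma", 1958, "5678CD"),
    (9, "rare sarcoma", 1979, "9012EF"),
]

def coarsen(birth_year: int, postcode: str, level: int) -> tuple[str, str]:
    """Reduce resolution step by step: exact year and full postcode (level 0),
    five-year band and 4-digit postcode area (1), decade and 2-digit region (2)."""
    if level == 0:
        return str(birth_year), postcode
    if level == 1:
        lo = birth_year // 5 * 5
        return f"{lo}-{lo + 4}", postcode[:4]
    return f"{birth_year // 10 * 10}s", postcode[:2]

def cells(records, diagnosis: str, level: int) -> dict:
    """Count subjects per (birth cohort, postcode area) cell for one diagnosis."""
    return dict(Counter(coarsen(y, pc, level)
                        for _, d, y, pc in records if d == diagnosis))

def release(records, diagnosis: str, k: int = K, max_level: int = 2):
    """Return the finest resolution at which every cell holds at least k subjects,
    or (None, {}) when even the coarsest cut leaves a re-identifiable small cell."""
    for level in range(max_level + 1):
        counts = cells(records, diagnosis, level)
        if counts and min(counts.values()) >= k:
            return level, counts
    return None, {}
```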
    9. Organisational measures
       • Patients can opt out per investigation through the pathology lab
       • An external privacy commission evaluates every request made, judging:
         - legality of a request
         - balance between the medical relevancy and the potential impact on patient privacy
         - privacy of the pathology employees and labs
       • All personnel is screened and under non-disclosure contract (even external ones)
       • Operational guidelines that aim to escalate requests that in hindsight might harm patient privacy
       • Operational guidelines to prevent sharing any information that can be used for indirect identification
       • Processes are audited every year
    10. Why rebuild?
       • Technology used was 12 years old, without means to upgrade
       • Contained End of Life technology on crucial spots (like file processing)
       • Software was tied to dying hardware, reaching technical End of Life
    11. Why completely re-engineer?
       Despite being fully compliant with privacy laws, we thought we could do better:
       • Stronger pseudonymisation through a Trusted Third Party prevents mistakes (key collisions did occur too often)
       • Create a better foundation for potential future requirements
       • Better separation between maintenance personnel and operational users
       • Better separation of concerns
       • Isolate high-availability systems better
       • Easier intermediate step towards national electronic patient files (EPD)
    12. A first sketch
    13. Fundamental design principles
       • Patient-identifying information is pseudonymised at the source
       • All communication is encrypted and authenticated
       • All information is on a need-to-know basis only
       • If you really need to know:
         - You will only have access to the data when absolutely necessary
         - We log every access and every move on the data
       • Only crucial information will be duplicated
    14. Implications of this design
       • Operational users will be granted access only to those databases they really require for their work, through controlled interfaces
       • Application administrators:
         - Will use an administrative interface for day-to-day operations, blocking any data access
         - Will only see data when they need to in order to troubleshoot issues
       • Technical administrators will never see medical data at all
    15. An overview
    16. Separation of goals
       • Needed for a separation of concerns, as well as realising availability demands
       • Needed in order to prevent potential weakening of the pseudonyms
       • We hope to turn off the direct patient care system someday...
    17. Trust and encryption
    18. Technical solution: pseudonymisation
       • Remove patient-identifying information without losing the ability to reconstruct a chain of medical episodes through history
       • One-way hash of all patient-identifying information at the source
         - Is a nearly collision-proof identifier for the foreseeable future
         - Is protected against name enumeration attacks
       • Centralised systems don’t know the underlying algorithm; they just see it as an externally controlled key
       • Use different pseudonymisation algorithms for different goals
    19. Privacy effects
    20. Role of ZorgTTP
       • Second pseudonymisation of patient identifiers used for scientific research
       • Allows for collaboration between medical registrations, provided there is legal clearance and the go-ahead of the privacy commission
       • Provides a trusted route for medical researchers with identifying data, provided there is clearance of the privacy commission
       • ZorgTTP is never exposed to medical data, only to “meaningless” identifiers
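The two-stage chain of slides 18 and 20 and the "Hash + Encryption" and "pseudonyms are replaced by a number" speaker notes, as an added example that is not PALGA's or ZorgTTP's code. The deck does not name the algorithms, so this assumes a keyed hash (HMAC-SHA256) with a lab-held secret at the source, a second HMAC under a goal-specific ZorgTTP secret, and a research database that maps the second pseudonym to a sequence number; the keys and patient fields are constructed.

```python
import hashlib
import hmac
import unicodedata

# Constructed secrets for the illustration; in practice each key sits in its
# owner's key store and neither party ever holds the other's key.
SOURCE_KEY = b"constructed-source-lab-key"
TTP_KEYS = {"research": b"constructed-ttp-key-research",
            "screening": b"constructed-ttp-key-screening"}

def normalise(name: str, dob: str, postcode: str) -> bytes:
    """Canonicalise identifying fields (case, whitespace, Unicode form) so one
    patient hashes identically at every lab."""
    parts = ["".join(unicodedata.normalize("NFKC", f).upper().split())
             for f in (name, dob, postcode)]
    return "|".join(parts).encode("utf-8")

def source_pseudonym(name: str, dob: str, postcode: str) -> str:
    """Stage one, at the lab: keyed one-way hash of identifying data. The
    secret key is what defeats name enumeration; an unkeyed hash would not."""
    return hmac.new(SOURCE_KEY, normalise(name, dob, postcode),
                    hashlib.sha256).hexdigest()

def ttp_pseudonym(p1: str, goal: str) -> str:
    """Stage two, at ZorgTTP: re-hash under a goal-specific key. ZorgTTP sees
    only p1, never medical data, and datasets for different goals cannot be linked."""
    return hmac.new(TTP_KEYS[goal], p1.encode("ascii"),
                    hashlib.sha256).hexdigest()

class ResearchDb:
    """Research database: p2 is swapped for a plain sequence number."""
    def __init__(self) -> None:
        self._numbers: dict[str, int] = {}
        self.episodes: list[tuple[int, str]] = []

    def ingest(self, p2: str, diagnosis: str) -> int:
        number = self._numbers.setdefault(p2, len(self._numbers) + 1)
        self.episodes.append((number, diagnosis))
        return number

    def history(self, number: int) -> list[str]:
        return [d for n, d in self.episodes if n == number]

def submit(db: ResearchDb, name: str, dob: str, postcode: str,
           diagnosis: str, goal: str = "research") -> int:
    """Full chain: lab -> ZorgTTP -> research database."""
    p1 = source_pseudonym(name, dob, postcode)  # leaves the lab with the report
    p2 = ttp_pseudonym(p1, goal)                # ZorgTTP returns p2 only
    return db.ingest(p2, diagnosis)             # stored as an opaque number
```

The same patient reported by two labs with differently formatted identifiers lands on one research number, while the screening and research pseudonyms of that patient do not match each other.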
    21. Aiming for targeted availability
    22. A separation of powers...
       • Application management
         - Access to database (only if required)
         - Monitor application progress
         - Responsible for data quality
       • Technical management
         - Management of the OS
         - System backup management
         - Responsible for user management
         - Responsible for secure logging of application management actions
    23. Most challenging aspects
       • Moving from old to new pseudonymisation without creating a permanent route for attacking the current pseudonymisation
       • Destruction of old data, especially on backups
       • Moving hosting centres and to a new solution, without any disruption in service
    24. Conclusion
       • System is designed to conform to NEN7510
       • Reduced identifying information as much as possible, without making the resulting data useless
       • Minimised exposure of sensitive medical data
    25. Open ends
       • We are there for 99%, still fighting for the last 1%
       • Logging without creating information overload is challenging
       • Decryption of data without being able to eavesdrop is extremely difficult
    26. It is a delicate dynamic balance...
       • Computing power increases, and thus the possibilities of indirect identification
       • People themselves have become less stringent with personal information on the internet (Facebook, Twitter), unintentionally opening doors for indirect identification
       • We all keep learning about new potential attacks on privacy
       • The public debate about what is considered an acceptable level of privacy still rages on
    27. Safeguarding life, property and the environment
       www.dnv.com