Privacy and security for medical applications
Published on: presentation at the SURF Research and Innovation Event 2013, February 28, The Hague University of Applied Sciences.
Guido van 't Noordende is Postdoc in the System and Network Engineering group of the Informatics Institute at the Faculty of Science of the University of Amsterdam.
  1. Privacy and Security for Medical Applications. Or: taking responsibility for privacy protection. Guido van 't Noordende, System and Network Engineering, University of Amsterdam, guido@science.uva.nl
  2. Our future: Dutch Data Hub
  3. Buzzwords / trends. Big Data: extraction of medical data and anonymized data processing for medical / policy research - examples: Mondriaan / IT-pharma, Dutch medical registration, ... Open data - NWO Open Data. Using the Grid and clouds for external data processing - job/VM submissions from AMC to LifeScience Grid, SARA HPC clusters, Amazon EC2, HPC clouds, ... Combining external data storage with data processing - example: Dutch Health Hub. Distributed infrastructures for clinical health exchange - example: Dutch electronic patient record.
  4. Our past? Hippocratic oath (~400 BC): "All that comes to my knowledge in the exercise of my profession or in daily dealings with people, and that ought not to be spread around, I shall keep secret and reveal to no one." Obsolete?
  5. Maybe medical privacy is not so obsolete. - HHS study, US, 2001: 8% of patients avoid care in (early stages of) disease for fear of privacy breaches or stigma. - 2005 National Consumer Health Privacy Survey: "One out of eight consumers has put their health at risk by engaging in such behaviors as: avoiding their regular doctor, asking their doctor to fudge a diagnosis, paying for a test because they didn't want to submit a claim, or avoiding a test altogether. Chronically ill, younger, and racial and ethnic minority respondents are more likely than average to practice one or more of these risky behaviors." (Note: medical data processing is forbidden, unless...)
  6. Medical data processing – possible information flows (diagram). Elements: doctor's DOSSIER (treatment team); external (hosted) storage; "the fence"; medical confidentiality: direct communication with doctors is allowed, for wider access explicit permission is needed; consent or anonymization; secondary use / research (medical or policy / statistical); other health professionals (health information exchange systems). Medical data is considered specially sensitive data under EU data protection legislation. Processing is forbidden by default – security / protection is critical.
  7. (Outsourced) storage of medical data (doctor's dossier). GP / pharmacy systems: PharmaPartners (approx. 8 million records), CGM - EuroNED / Microbais, OmniHIS, Scipio, Microhis / Tetra / ... Records centrally stored by IT provider / encryption of back-end storage system? Hospital systems: PACS for radiological scans, etc. Outsourcing / "the cloud"? Who is responsible for keeping patient data secure?
  8. Medical data processing – possible information flows (diagram repeated from slide 6).
  9. Medical data processing – possible information flows (diagram repeated from slide 6, without the EU legislation note).
  10. GP data registrations for research
  11. Anonymous data? An IT vendor with a sense of responsibility, in this case. In fact only a few records were used here; the goal was to check the implementation of an automated check on the quality of data registration. But the message is: the data can hardly be called anonymous. We're talking about nearly the whole patient record – sometimes with, sometimes without free text. Proportionality / minimality?
  12. Data collection for policy research
  13. LINH dataset: "For clarity it should be noted that the Network's data collection contains no data traceable to individual persons and therefore falls outside the scope of the draft Personal Data Registration Act. In the automation of the patient files, only a limited number of data items are included in the data collection. These are, besides an anonymous code number, data on age, gender and type of insurance. The categories of data recorded during contact between patient and GP / practice assistant / GP trainee are: 1. patient data (date of birth, gender, insurance type); 2. contact data (evening/weekend service, type of contact, initiative for contact, nature of contact, etc.); 3. data on complaints and diagnosis / working hypotheses; 4. data on diagnostic procedures (clinical diagnostics, blood tests, urine, reason for diagnostics, blood chemistry, etc.); 5. treatment data (type and nature of treatment, vaccination); 6. prescription data (drug, quantity, dose per day); 7. referral data (including admission): (medical specialty, paramedics, initiative for referral); 8. data on any consultation following the contact: (with whom and for what purpose);"
  14. LINH dataset + DIS/Vectis, linked via date of birth, treatment, treatment date: PC4 + date of birth + gender: 80.8% uniquely identifiable. Figure: M. Koot et al., HotPETs, 2010.
  15. Anonymity? Approximately 99.4% of a sample of the Dutch population is unambiguously identifiable using PC6 postal code, gender and date of birth, and 67.0% by PC4 and date of birth alone. ... and we haven't even discussed including other identifying data yet. [ref. Matthijs Koot et al., 2010] Latanya Sweeney got similar results in the US around 2000 when linking medical data with the Massachusetts voter list: ZIP/sex/DoB = pseudo-ID allowing recombination.
  16. Privacy barometer: PhD thesis work by Matthijs Koot on microdataset anonymity and re-identifiability – UvA 2012. Theoretical assessment of the uniqueness of subjects in to-be-combined datasets, based on (known or estimated) distributions (e.g., age, height, ...) within columns. Likely, even with a relatively small number of columns, the re-identification probability will be high. We must think about risk mitigation: encrypt columns, distribute keys with strict key management protocols, etc. You legally really can't (re)combine disparately collected microdata without consent if (re)combination crosses some re-identification threshold.
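The uniqueness check behind slides 15 and 16, as an added example (not code from the presentation or from Koot's thesis): it counts how many records of a constructed microdataset are unique on a chosen set of quasi-identifier columns, reports the resulting k-anonymity, and estimates the expected unique fraction from per-column distributions under an assumed independence model. The column names, the sample records and the district/sex model are constructed for illustration.

```python
"""Quasi-identifier uniqueness check (added example, not from the slides).
Shows the re-identification risk Koot et al. quantify for PC4/PC6 +
date of birth + gender: records unique on a column set (k = 1) can be
linked across separately pseudonymised datasets (recombination loophole).
"""
from collections import Counter
from itertools import product
from typing import Dict, Sequence

Record = Dict[str, str]

# Constructed sample microdataset (not real data): PC4 area, date of birth, sex.
SAMPLE = [
    {"pc4": "1012", "dob": "1970-03-04", "sex": "M"},
    {"pc4": "1012", "dob": "1970-03-04", "sex": "M"},
    {"pc4": "1012", "dob": "1970-03-04", "sex": "F"},
    {"pc4": "1098", "dob": "1985-11-30", "sex": "F"},
    {"pc4": "1098", "dob": "1985-11-30", "sex": "F"},
    {"pc4": "2511", "dob": "1962-07-19", "sex": "M"},
]

def uniqueness(records: Sequence[Record], columns: Sequence[str]) -> float:
    """Fraction of records whose combination of `columns` occurs exactly once."""
    keys = [tuple(r[c] for c in columns) for r in records]
    counts = Counter(keys)
    return sum(1 for k in keys if counts[k] == 1) / len(keys) if keys else 0.0

def min_k(records: Sequence[Record], columns: Sequence[str]) -> int:
    """Smallest equivalence class on `columns`, i.e. the dataset's k-anonymity."""
    counts = Counter(tuple(r[c] for c in columns) for r in records)
    return min(counts.values()) if counts else 0

def expected_uniqueness(distributions: Sequence[Dict[str, float]], population: int) -> float:
    """Expected unique fraction among `population` people, columns independent.
    A person whose value combination has probability p is unique with
    probability (1 - p) ** (population - 1); weight by p and sum over all
    combinations to get the expected fraction of unique people.
    """
    total = 0.0
    for combo in product(*(d.values() for d in distributions)):
        p = 1.0
        for prob in combo:
            p *= prob
        total += p * (1.0 - p) ** (population - 1)
    return total

if __name__ == "__main__":
    for cols in (["pc4"], ["pc4", "dob"], ["pc4", "dob", "sex"]):
        print(cols, f"unique={uniqueness(SAMPLE, cols):.2f}", f"k={min_k(SAMPLE, cols)}")
    # Coarse independent model (constructed): 100 districts x 2 sexes, population of 500.
    model = [{str(i): 0.01 for i in range(100)}, {"M": 0.5, "F": 0.5}]
    print(f"expected unique on district+sex: {expected_uniqueness(model, 500):.3f}")
```

Adding a column can only lower k and raise the unique fraction, which is why the slide warns that even a handful of columns pushes re-identification probability high.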
  17. Trusted Third Parties – consent and anonymization and the Recombination Loophole (diagram). Elements: Source A and Source B feed a TTP (recombine with 1 key / pseudonym) producing a recombined data-set; open questions: risk assessment? terms of contract? The recombination loophole.
  18. Tracking data and assessing risk / who takes responsibility? (diagram). Elements: Source A and Source B, TTP (recombine with 1 key / pseudonym), recombined data-set, (possible other data); open questions at each step: ? audit? audit?
  19. Is the responsible party in control – or even aware?
  20. Mondriaan – third party recombination loophole. "In the Netherlands we have various good databases with information about healthcare. But these databases are separate from each other. The data are dispersed, hard to access and not always complete. As a result, research into the use of medicines and their effects in daily practice is also costly and time-consuming. In the Mondriaan project, databases of healthcare institutions, health insurers and GP networks are linked to each other via a 'Trusted Third Party'. This means that the medical and research data are separated from the personal data, such as name and address. These data are not recorded in the databases linked by Mondriaan and thus also do not become known to the researchers. As a result, patients' privacy is optimally protected."
  21. At a minimum: tracking and Transparency Enhancing Tools (TETs) (diagram). Elements: data subject, Source A, Source B, TTP (recombine with 1 key / pseudonym), recombined data-set, (possible other data).
  22. Data-owner centric tools
  23. Medical data processing – possible information flows (diagram repeated from slide 6).
  24. Hospitals and the cloud: combining external storage with data processing? Dutch Data Hub
  25. Legal loopholes – new EU data protection regulation?
  26. Medical data processing – possible information flows (diagram repeated from slide 6, with "medical researcher" added as a party).
  27. BioMedical research data – MRI scans – DNA data – Grids and clouds? (censored image) Can analysis be done externally?
  28. Data processing policies for distributed systems. Controller is the medical researcher in the hospital. In control, but.. how much control? Control where data goes. Assess trustworthiness of Grid nodes / Cloud VMs. "Declarative" descriptions / host property definitions. Microcontracts. Provenance / auditing. N.D. Jebessa PhD work @ UvA
  29. Medical data processing – possible information flows (diagram repeated from slide 6).
  30. Clinical health information exchange systems. Dutch electronic patient record. Pull model where doctors can retrieve information from other doctors' systems. Protection: smartcard(s) and logging. Where is control? Access control policies?
  31. Can the data controller still take responsibility over and control data flow – particularly for sensitive medical data? Where can the data subject go when things go wrong? How about transparency? Big Data: anonymized data (or identifiable data with consent) are no longer controlled by the data subject or the party who collected it; we need transparency and pro-active risk assessments and risk mitigation. Open data - NWO Open Data: NWO manages and owns the data – not the researcher who collected it. Using the Grid and clouds for external data processing - the data owner (controller) is in control – but where does the data go? Combining external data storage with data processing - how easily may data be extracted in the future (EU Regulation changes)? Distributed infrastructures for clinical health exchange - Dutch EPD: who controls policies and access to clinical health data? How much control does a doctor have?
  32. Core question: can we take responsibility, or do we need to throw data over the fence? (Is "trust" what we need – because we can't control things?) We need to take responsibility and take control. Do we outsource this, or will we get control back? Legal obligation to audit, assess, safeguard, and manage transparency and consent for data flows? - Examples: data lifetime, data transfer auditing / lifecycle provenance, active risk assessments before disclosing data, transparency. - Need to ask consent again when changing goals or when re-identifiability increases. - Transparency enhancing or data subject centric tools place control with the data subject. Ensure designs and architecture allow control by the person(s) who is (are) responsible; medical data: data controller = doctor, medical researcher. (And don't forget the patient – if possible.)
  33. How to move forward? Construct transparency enhancing tools and consent management tools to ensure tractability of data flows – and to increase control and have the data subject assess and prevent recombination loopholes. Don't throw data over the fence: audit, and control – throughout the data's lifetime. Enable active privacy risk assessments or security risk assessments at the source - before releasing or processing data. Ensure access control can be managed by the person who is responsible (controller, e.g., the doctor) in a fine-grained manner. We need much more critical thinking in the systems design phase; avoid jumping on the bandwagon with naive or disruptive design or policy decisions that cut responsible parties out of the loop ....