Similar literature
1.
Whenever personal data is processed, privacy is a serious issue. Especially in the document-centric e-health area, the patients’ privacy must be preserved in order to prevent any negative repercussions for the patient. Clinical research, for example, demands structured health records to carry out efficient clinical trials, whereas legislation (e.g. HIPAA) regulates that only de-identified health records may be used for research. However, unstructured and often paper-based data dominates information technology, especially in the healthcare sector. Existing approaches are geared towards data in English-language documents only and have not been designed to handle the recognition of erroneous personal data which is the result of the OCR-based digitization of paper-based health records.

2.
The increasing integration of patient-specific genomic data into clinical practice and research raises serious privacy concerns. Various systems have been proposed that protect privacy by removing or encrypting explicitly identifying information, such as name or social security number, into pseudonyms. Though these systems claim to protect identity from being disclosed, they lack formal proofs. In this paper, we study the erosion of privacy when genomic data, either pseudonymous or data believed to be anonymous, are released into a distributed healthcare environment. Several algorithms are introduced, collectively called RE-Identification of Data In Trails (REIDIT), which link genomic data to named individuals in publicly available records by leveraging unique features in patient-location visit patterns. Algorithmic proofs of re-identification are developed and we demonstrate, with experiments on real-world data, that susceptibility to re-identification is neither trivial nor the result of bizarre isolated occurrences. We propose that such techniques can be applied as system tests of privacy protection capabilities.

3.
OBJECTIVE: We present an integrated set of technologies, known as the Hippocratic Database, that enable healthcare enterprises to comply with privacy and security laws without impeding the legitimate management, sharing, and analysis of personal health information. APPROACH: The Hippocratic Database approach to securing electronic health records involves (1) active enforcement of fine-grained data disclosure policies using query modification techniques, (2) efficient auditing of past database access to verify compliance with policies and track security breaches, (3) data mining algorithms that preserve privacy by randomizing information at the individual level, (4) de-identification of personal health data using an optimal method of k-anonymization, and (5) information sharing across autonomous data sources using cryptographic protocols. CONCLUSIONS: Our research confirms that policies concerning the disclosure of electronic health records can be reliably and efficiently enforced and audited at the database level. We further demonstrate that advanced data mining and anonymization techniques can be employed to analyze aggregate health records without revealing individual patient identities. Finally, we show that web services and commutative encryption can be used to share sensitive information selectively among autonomous entities without compromising security or privacy.

4.
PURPOSE: From the Hippocratic Oath to the World Medical Association's Declaration of Geneva, physicians have sworn to protect patients' privacy. However, as systems move to more integrated architectures, protecting this medical data becomes more of a challenge. The increase in complexity of IT environments, the aggregation of data, and the desire of other entities to access this data, often 24 h/day x 7 day/week x 365 day/year, is putting serious strains on our ability to maintain its security. This problem cuts across all electronic record sources from patient care records to academic medical research records. APPROACH: In order to address this issue, we are rethinking the way we store, transmit, process, access, and federate patient data from clinical and research applications. Our groups at the University of Michigan are developing a system called the "Honest Broker" to help manage this problem. The Honest Broker will offload the burden of housing identifiable data elements of protected health information (PHI) (e.g., name and address) as well as manage data transfer between clinical and research systems. Lab results and other non-identifiable data will be stored in separate systems with either a research study ID or clinical ID number. This two-component architecture increases the burden on attackers, who now need to compromise two systems, one of which is seriously hardened, in order to match health data with a patient's actual identity. CONCLUSIONS: While no security system is truly intrusion-proof, this architecture provides a high-security choke point reducing the likelihood of a breach. By redesigning the method of integrating clinical care and research, we have enabled projects that would be cost prohibitive to conduct otherwise. The scalability of this mechanism is dependent on the heterogeneous nature of the clinical systems serving patients.

5.

Background

Medical data are gold mines for deriving the knowledge that could change the course of a single patient’s life or even the health of the entire population. A data analyst needs to have full access to relevant data, but full access may be denied by legal regulations on the privacy and confidentiality of medical data, especially when the data analyst is not affiliated with the data owner.

Objective

Our first objective was to analyze the privacy and confidentiality issues and the associated regulations pertaining to medical data, and to identify technologies to properly address these issues. Our second objective was to develop a procedure to protect medical data in such a way that the outsourced analyst would be capable of doing analyses on protected data and the results would be comparable, if not the same, as if they had been done on the original data. Specifically, our hypothesis was that there would not be a difference between the outsourced decision trees built on encrypted data and the ones built on original data.

Methods

Using formal definitions, we developed an algorithm to protect medical data for outsourced analyses. The algorithm was applied to publicly available datasets (N=30) from the medical and life sciences fields. The analyses were performed on the original and the protected datasets and the results of the analyses were compared. Bootstrapped paired t tests for 2 dependent samples were used to test whether the mean differences in size, number of leaves, and the accuracy of the original and the encrypted decision trees were significantly different.

Results

The decision trees built on encrypted data were virtually the same as those built on original data. Out of 30 datasets, 100% of the trees had identical accuracy. The size of a tree and the number of leaves were different only once (1/30, 3%, P=.19).

Conclusions

The proposed algorithm encrypts a file with plain text medical data into an encrypted file with the data protected in such a way that external data analyses are still possible. The results show that the results of analyses on original and on protected data are identical or closely comparable. The approach addresses the privacy and confidentiality issues that arise with medical data and adheres to strict legal rules in the United States and Europe regarding the processing of medical data.

6.
The identification of similar entities represented by records in different databases has drawn considerable attention in many application areas, including in the health domain. One important type of entity matching application that is vital for quality healthcare analytics is the identification of similar patients, known as similar patient matching. A key component of identifying similar records is the calculation of similarity of the values in attributes (fields) between these records. Due to increasing privacy and confidentiality concerns, using the actual attribute values of patient records to identify similar records across different organizations is becoming non-trivial because the attributes in such records often contain highly sensitive information such as personal and medical details of patients. Therefore, the matching needs to be based on masked (encoded) values while being effective and efficient to allow matching of large databases. Bloom filter encoding has widely been used as an efficient masking technique for privacy-preserving matching of string and categorical values. However, no work on Bloom filter-based masking of numerical data, such as integer (e.g. age), floating point (e.g. body mass index), and modulus (numbers wrap around upon reaching a certain value, e.g. date and time), which are commonly required in the health domain, has been presented in the literature. We propose a framework with novel methods for masking numerical data using Bloom filters, thereby facilitating the calculation of similarities between records. We conduct an empirical study on publicly available real-world datasets which shows that our framework provides efficient masking and achieves similar matching accuracy compared to the matching of actual unencoded patient records.

7.
Objectives

The aim of this study was to discover the public's attitude and views towards privacy in health care. This is a part of a larger project which aims to gain an insight into what kind of privacy is needed and develop technical measures to provide such privacy.

Methods

The study was a two-stage process which combined qualitative and quantitative research. Stage One of the study comprised arranging and facilitating focus groups, while in Stage Two we conducted a social survey.

Measurements

We measured attitudes towards privacy, medical research and consent; privacy concern about sharing one's health information for research; privacy concern about the possibility that some specific information from medical records could be linked to the patient's name in a situation that was not related to medical treatment.

Results

The results of the study revealed both great support for medical research (98%), and concern about privacy of health information (66%). Participants prefer to be asked for their permission before their health information is used for any purpose other than medical treatment (92%), and they would like to know the organisation and details of the research before allowing the use of their health records (83%). Age, level of education, place of birth and employment status are most strongly associated with privacy concerns. The study showed that there are some particularly sensitive issues and there is a concern (42–60%) about any possibility of linking these kinds of data to the patient's name in a situation that is not related to medical treatment. Such issues include sexually transmitted diseases, abortions and infertility, family medical history/genetic disorders, mental illness, drug/alcohol related incidents, lists of previous operations/procedures/dates and current medications.

Conclusions

Participants believe they should be asked for permission before their health information is used for any purpose other than medical treatment. However, consent and privacy concerns are not necessarily related. Assuring individuals that their personal health information is de-identified reduces their concern about the necessity of consent for releasing health information for research purposes, but many people are not aware that removing their names and other direct identifiers from medical records does not guarantee full privacy protection for their health information. Privacy concerns decrease as extra security measures are introduced to protect privacy. Therefore, instead of “tailoring concern” as proposed by Willison [1], we suggest improving privacy protection of personal information by introducing additional security measures in data publishing.

8.
Patients' medical data have originally been generated and maintained by health professionals in several independent electronic health records (EHRs). Centralized electronic health records accumulate medical data of patients to improve their availability and completeness; EHRs are no longer tied to a single medical institution. Nowadays enterprises with the capacity and knowledge to maintain this kind of database offer the services of maintaining EHRs and letting patients add personal health data. These enterprises get access to the patients' medical data and act as a main point for collecting and disclosing personal data to third parties, e.g. doctors, healthcare service providers and drug stores, among others. Existing systems like Microsoft HealthVault and Google Health comply with data protection acts by letting the patients decide on the usage and disclosure of their data. But they fail to satisfy essential privacy requirements. We propose a privacy-protecting information system for controlled disclosure of personal data to third parties. Firstly, patients should be able to express and enforce obligations regarding a disclosure of health data to third parties. Secondly, an organization providing EHRs should neither be able to gain access to these health data nor establish a profile about patients.

9.
Virtual patient records provide a means for integrated access to patient information that may be scattered around different healthcare settings. Within the boundaries of a health district providing all levels of care, this concept can be implemented in an Intranet environment to support longitudinal patient care activities across the participating healthcare providers. Since medical information is stored on multiple Intranet sites in various forms (e.g. codified data, transcribed documents, and images), a suite of appropriate tools is needed to enable access to such information in combined form. In most cases, however, access to medical information should be restricted to authorized users. To serve this purpose, a prototype search engine incorporating authorization and access control functionality has been developed and is presented in this paper. The system is based on the signature file access method, and an experimental implementation written in Java is also described.

10.
Cloud computing (CC) is a service-based delivery model with enormous computer processing power and data storage across connected communications channels. It has given an overwhelming technological impetus to the internet (web) mediated IT industry, where users can easily share private data for further analysis and mining. Furthermore, user-friendly CC services make it possible to deploy a variety of applications economically. Meanwhile, simple data sharing has enabled various phishing attacks and malware-assisted security threats. Some privacy-sensitive applications like health services on the cloud, which are built with several economic and operational benefits, necessitate enhanced security. Thus, thorough cyberspace security and mitigation against phishing attacks have become mandatory to protect overall data privacy. Typically, diverse application datasets are anonymized to give better privacy to owners, without providing all secrecy requirements to newly added records. Some proposed techniques have addressed this issue by re-anonymizing the datasets from scratch. The utmost privacy protection over incremental datasets on CC is far from being achieved. Certainly, the distribution of huge dataset volumes across multiple storage nodes limits privacy preservation. In this view, we propose a new anonymization technique to attain better privacy protection with high data utility over distributed and incremental datasets on CC. The proficiency of data privacy preservation and improved confidentiality requirements is demonstrated through performance evaluation.

11.
The dissemination of Electronic Health Record (EHR) data, beyond the originating healthcare institutions, can enable large-scale, low-cost medical studies that have the potential to improve public health. Thus, funding bodies, such as the National Institutes of Health (NIH) in the U.S., encourage or require the dissemination of EHR data, and a growing number of innovative medical investigations are being performed using such data. However, simply disseminating EHR data, after removing identifying information, may risk privacy, as patients can still be linked with their record, based on diagnosis codes. This paper proposes the first approach that prevents this type of data linkage using disassociation, an operation that transforms records by splitting them into carefully selected subsets. Our approach preserves privacy with significantly lower data utility loss than existing methods and does not require data owners to specify diagnosis codes that may lead to identity disclosure, as these methods do. Consequently, it can be employed when data need to be shared broadly and be used in studies, beyond the intended ones. Through extensive experiments using EHR data, we demonstrate that our method can construct data that are highly useful for supporting various types of clinical case count studies and general medical analysis tasks.

12.
Access control is a central problem in privacy management. A common practice in controlling access to sensitive data, such as electronic health records (EHRs), is Role-Based Access Control (RBAC). RBAC is limited as it does not account for the circumstances under which access to sensitive data is requested. Following a qualitative study that elicited access scenarios, we used Object-Process Methodology to structure the scenarios and conceive a Situation-Based Access Control (SitBAC) model. SitBAC is a conceptual model which defines scenarios where access to a patient’s data is permitted or denied. The main concept underlying this model is the Situation Schema, which is a pattern consisting of the entities Data-Requestor, Patient, EHR, Access Task, Legal-Authorization, and Response, along with their properties and relations. The various data access scenarios are expressed via Situation Instances. While we focus on the medical domain, the model is generic and can be adapted to other domains.

13.
Privacy and integrity of medical records is expected by patients. This privacy and integrity is often mandated by regulations. Traditionally, the security of medical records has been based on physical lock and key. As the storage of patient record information shifts from paper to digital, new security concerns arise. Digital cryptographic methods provide solutions to many of these new concerns. In this article we give an overview of new security concerns, new legislation mandating secure medical records and solutions providing security.

14.
Advanced sequencing techniques make large genome data available at an unprecedented speed and reduced cost. Genome data sharing has the potential to facilitate significant medical breakthroughs. However, privacy concerns have impeded efficient genome data sharing. In this paper, we present a novel approach for disseminating genomic data while satisfying differential privacy. The proposed algorithm splits raw genome sequences into blocks, subdivides the blocks in a top-down fashion, and finally adds noise to counts to preserve privacy. The experimental results suggest that the proposed algorithm can retain certain data utility in terms of a high sensitivity.

15.
Patient record data are potentially highly sensitive and their secondary use raises both ethical and data protection issues. Disclosure of patient data could cause serious difficulties for the medical profession and be potentially damaging for individual patients and clinicians. Yet at the same time patient records are a hugely valuable resource in terms of clinical research and patient treatment. A secure, remote access system for such data would therefore provide numerous benefits. In this paper we outline the statistical disclosure risks posed by patient record data in the context of establishing a grid-based medical data repository. We review good practice in existing patient databases, outline a scenario model for assessing risk and suggest a new model for statistical disclosure control of patient data. The architecture and the research method we have described have general relevance for any remote data access system where maximizing both data utility and security is a priority, and have specific relevance to medical data and bioinformatics. They can straightforwardly be integrated into data access and analysis tools.

16.
The anonymization of health data streams is important to protect these data against potential privacy breaches. A large number of research studies aiming at offering privacy in the context of data streams have recently been conducted. However, the techniques that have been proposed in these studies generate a significant delay during the anonymization process, since they concentrate on applying existing privacy models (e.g., k-anonymity and l-diversity) to batches of data extracted from data streams over a period of time. In this paper, we present delay-free anonymization, a framework for preserving the privacy of electronic health data streams. Unlike existing works, our method does not generate an accumulation delay, since input streams are anonymized immediately with counterfeit values. We further devise late validation for increasing the data utility of the anonymization results and managing the counterfeit values. Through experiments, we show the efficiency and effectiveness of the proposed method for the real-time release of data streams.

17.
BioGrid Australia is a federated data linkage and integration infrastructure that uses the Internet to enable patient-specific information to be utilized for research in a privacy-protected manner, from multiple databases of various data types (e.g. clinical, treatment, genomic, image, histopathology and outcome), from a range of diseases (oncological, neurological, endocrine and respiratory) and across more than 20 health services, universities and medical research institutes. BioGrid has demonstrated an ability to facilitate powerful research into the causation of human disease and the prediction of disease and treatment outcomes. BioGrid has successfully implemented technology and processes that allow researchers to efficiently extract data from multiple sources, without compromising data security and privacy. This article reviews BioGrid's first seven years and how it has overcome 9 of its top 10 challenges.

18.
The era of cooperative action among medical information systems is coming. Standardization of clinical laboratory information systems is one of the most difficult but important problems for the clinical laboratory community and technicians. Electronic data exchange requires agreement on the data element format by which healthcare institutions can exchange data. Computerization of health care services raises the problem of security because the risk of violation of medical privacy is dramatically increasing. Unauthorized users can access, copy, alter, delete or distort hundreds or thousands of medical records within minutes. Information can be corrupted by individuals or by system failure. It is necessary to discuss and make a final decision on joining a common standard for the purpose of integration.

19.
This article analyzes wireless communication protocols that could be used in healthcare environments (e.g., hospitals and small clinics) to transfer real-time medical information obtained from noninvasive sensors. For this purpose the features of the three currently most widely used protocols, namely Bluetooth (IEEE 802.15.1), ZigBee (IEEE 802.15.4), and Wi-Fi (IEEE 802.11), are evaluated and compared. The important features under consideration include data bandwidth, frequency band, maximum transmission distance, encryption and authentication methods, power consumption, and current applications. In addition, an overview of network requirements with respect to medical sensor features, patient safety and patient data privacy, quality of service, and interoperability with other sensors is briefly presented. Sensor power consumption is also discussed because it is considered one of the main obstacles to wider adoption of wireless networks in medical applications. The outcome of this assessment will be a useful tool in the hands of biomedical engineering researchers. It will provide parameters to select the most effective combination of protocols to implement a specific wireless network of noninvasive medical sensors to monitor patients remotely in the hospital or at home.

20.

Background

Hospitals have increasingly realized that wholesale adoption of electronic medical records (EMR) may bring them a range of tangible and intangible benefits, including improved quality of care, reduced medical errors, reduced costs, and instant access to relevant patient information by healthcare professionals without the limitations of time or space. However, an increased reliance on EMR has also led to a corresponding increase in the negative impact exerted via EMR breaches, possibly leading to unexpected damage for both hospitals and patients. This study investigated the possible antecedents that influence hospital employees’ continued compliance with the privacy policy of Electronic Medical Records (EMR). This is done from both motivational and habitual perspectives; specifically, we investigated the mediating role of habit between motivation and the intention to continue complying with the EMR privacy policy.

Methods

Data were collected from a large Taiwanese medical center by means of survey methodology. A total of 312 responses, comprising various groups of healthcare professionals, were collected and analyzed via structural equation modeling.

Results

The results demonstrated that self-efficacy, perceived usefulness, and facilitating conditions may significantly predict hospital employees’ compliance habit formation, whereas habit may significantly predict hospital employees’ intention to continue adhering to the EMR privacy policy. Further, habit partially mediates the relationships between self-efficacy, perceived usefulness, facilitating conditions and the intention to continue adhering.

Conclusions

Based on our findings, the study suggests that healthcare facilities should take measures to promote their employees’ habit formation through continuous efforts to protect EMR privacy. Plausible strategies include improving employees’ levels of self-efficacy, publicizing the effectiveness of the ongoing privacy policy, and creating a positive habit-conducive environment leading to continued compliance behaviors.
