Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tracking Meeting Khaled El Emam, CHEO RI & uOttawa.

Published byAileen Pawson Modified over 10 years ago

Similar presentations

Presentation on theme: "Tracking Meeting Khaled El Emam, CHEO RI & uOttawa."— Presentation transcript:

1 Tracking Meeting Khaled El Emam, CHEO RI & uOttawa

2 Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca Example of De-identification Simple example to illustrate the key points and terminology The example is for a health care database This is based on a methodology that we have been using and modifying for the last 5 years The objective is risk management – consistent with legislation and regulations across multiple jurisdictions

3 Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca Case for De-identification Often, not practical to obtain consent Disadvantages of consent Custodians reluctant to disclose information even if permitted Limiting principles Data breaches are common Unplanned and unexpected disclosures Public trust Alternatives have disadvantages

4 Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca Methods of Sharing Remote access On-site access Remote execution Remote queries Remote analysis Tabular data release (aggregate data) Individual-level data release (de- identified data) Secure computation

5 Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca Steps Understand adversaries and attacks Select variables that can be used in an attack Set thresholds taking into account the context Measure risk Transform data

6 Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca Universe of Attacks Known data recipient: –Deliberate re-identification –Inadvertent/spontaneous re-identification –Data breach Public data: –Demonstration attack The probabilities for each of these can be estimated in a defensible way

7 Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca Variable Distinctions Directly identifying Variables –Can uniquely identify an individual by itself or in conjunction with other readily available information Quasi-identifiers –Can identify an individual by itself or in conjunction with other information Sensitive variables

8 Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca Examples of Direct Identifiers Name, address, telephone number, fax number, MRN, health card number, health plan beneficiary number, license plate number, email address, photograph, biometrics, SSN, SIN, implanted device number

9 Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca Examples of Quasi-Identifiers sex, date of birth or age, geographic locations (such as postal codes, census geography, information about proximity to known or unique landmarks), language spoken at home, ethnic origin, aboriginal identity, total years of schooling, marital status, criminal history, total income, visible minority status, activity difficulties/reductions, profession, event dates (such as admission, discharge, procedure, death, specimen collection, visit/encounter), codes (such as diagnosis codes, procedure codes, and adverse event codes), country of birth, birth weight, and birth plurality

10 Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca Setting Thresholds

11 Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca Managing Re-identification Risk

12 Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca Risk Metrics There are 8 risk metrics in total characterized along the following dimensions: –Can an adversary know who is in the database or not ? –Would an adversary attempt to re-identify a single individual or everyone in the database (matching records from two databases) ? –Do we need to worry about maximum or average risk ?

13 Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca Does De-identification Work ? Existing evidence shows that data sets that have been properly de-identified have a low probability of being re-identified All publicly known examples of serious re- identification attacks were done on data sets that were not properly de-identified (i.e., it is possible to show that their risk of re- identification was quite high and did not meet HIPAA de-identification standards) As far as we know, proper de-identification works effectively in managing risk

14 Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca http://www.plosone.org/article/info%3Adoi%2F10.1371%2Fjournal.pone.0028071

15 Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca Hashing Hashing without a salt or key can generally be broken with a dictionary attack With salting, you need to figure out who will hold the salt – may want to consider schemes with public keys Even with a salt one can do a frequency attack – may want to consider schemes that are probabilistic Hash values are not the same size/length as the original data – may want to consider format preserving encryption

16 Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca Efficient & Secure Lookups In cases where lookups in a large database need to be performed without the database knowing the value of the query (but knowing the result) We have used techniques based on homomorphic encryption to implement lookups based on health card insurance numbers (or any equivalent unique identifier) This class of approaches may be of interest for addressing some of the tracking problems

17 www.ehealthinformation.ca www.ehealthinformation.ca/knowledgebase kelemam@uottawa.ca

Download ppt "Tracking Meeting Khaled El Emam, CHEO RI & uOttawa."

Similar presentations

Fourth National HIPAA Summit April 26, 2002 Implementation of a HIPAA Data Management Strategy Safeguarding privacy interests while making data available.

Fourth National HIPAA Summit April 26, 2002 Implementation of a HIPAA Data Management Strategy Safeguarding privacy interests while making data available.
Statistical disclosure limitation: Balancing data confidentiality and data access.

Statistical disclosure limitation: Balancing data confidentiality and data access.
HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *http://www.hhs.gov/ocr/combinedregtext.pdf.

HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164* *
Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
HIPAA and Public Health 2007 Epi Rapid Response Team Conference.

HIPAA and Public Health 2007 Epi Rapid Response Team Conference.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.

COBB/DOUGLAS COMMUNITY SERVICES BOARD Confidentiality and Privacy of Consumer Information.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
National Cancer Institute Cancer Therapy Evaluation Program (CTEP) presents: How to Obtain Protected Health Information (PHI) from an Outside Healthcare.

National Cancer Institute Cancer Therapy Evaluation Program (CTEP) presents: How to Obtain Protected Health Information (PHI) from an Outside Healthcare.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
Informed Consent.

Informed Consent.
Health Insurance Portability & Accountability Act “HIPAA” To every patient, every time, we will provide the care that we would want for our own loved ones.

Health Insurance Portability & Accountability Act “HIPAA” To every patient, every time, we will provide the care that we would want for our own loved ones.
Professional Nursing Services.  Privacy and Security Training explains:  The requirements of the federal HIPAA/HITEC regulations, state privacy laws.

Professional Nursing Services.  Privacy and Security Training explains:  The requirements of the federal HIPAA/HITEC regulations, state privacy laws.
 Federal Trade Commission (FTC)  Final Regulations issued November, 2007 › Effective 1/1/08 › Compliance and Enforcement Date 11/1/08  Enforcement.

 Federal Trade Commission (FTC)  Final Regulations issued November, 2007 › Effective 1/1/08 › Compliance and Enforcement Date 11/1/08  Enforcement.
Christian Vargas. Also known as Data Privacy or Data Protection Is the relationship between collection and spreading or exposing data and information.

Christian Vargas. Also known as Data Privacy or Data Protection Is the relationship between collection and spreading or exposing data and information.
UTEPComputer Science Dept.1 University of Texas at El Paso Privacy in Statistical Databases Dr. Luc Longpré Computer Science Department Spring 2006.

UTEPComputer Science Dept.1 University of Texas at El Paso Privacy in Statistical Databases Dr. Luc Longpré Computer Science Department Spring 2006.
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.

 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
1 HIPAA, Researchers and the IRB: Part Two Alan Homans, IRB Chair and Nancy Stalnaker, IRB Administrator.

1 HIPAA, Researchers and the IRB: Part Two Alan Homans, IRB Chair and Nancy Stalnaker, IRB Administrator.
SPECIAL DIABETES PROGRAM FOR INDIANS Competitive Grant Program Special Diabetes Program for Indians Competitive Grant Program SPECIAL DIABETES PROGRAM.

SPECIAL DIABETES PROGRAM FOR INDIANS Competitive Grant Program Special Diabetes Program for Indians Competitive Grant Program SPECIAL DIABETES PROGRAM.

Similar presentations

Ads by Google