Data Privacy Protection of Medical Data in a National Context

Transcription

1 Data Privacy Protection of in a National Context Dr. Uwe Roth Heiko Zimmermann, Dr. Stefan Benzschawel Friday, 20 April 2012 Version v1.0 r

2 in a National Context Data Privacy and Data Security Medical data must be protected against Unauthorized access Misuse Encryption of medical data ensures confidentiality Additional plaintext metadata is needed to query for documents, e.g. Document type Circumstances of creation Author

3 in a National Context Data Privacy and Data Security Fine-grained queries requires more metadata But: Further metadata opens the risk to disclose sensitive information De-Identification of metadata as a minimal demand Replacing of demographics by pseudonyms Data sets with the same pseudonym belong to the same person (no anonymisation) Demographics must not be calculated out of the pseudonym

4 Storage and Querying of Hospitals Laboratories Doctors Offices Data Source Data Consumer Metadata Query for National ehealth Platform Data Repository Encrypted Data Storage Data Registry Metadata List of Medical Documents Uwe Roth Data Privacy Protection of in a National Context 6

5 Demographic Data and Pseudonyms Demographic Data Pseudonym Hospitals Laboratories Doctors Offices Data Source Data Consumer Metadata Query for National ehealth Platform Data Repository Encrypted Data Storage Data Registry Metadata List of Medical Documents Uwe Roth Data Privacy Protection of in a National Context 7

6 De-Identification Trusted Third Party Demographic Data Trusted Third Party De-Identification Pseudonym Hospitals Laboratories Doctors Offices Data Source Data Consumer Metadata Query for National ehealth Platform Data Repository Encrypted Data Storage Data Registry Metadata List of Medical Documents Uwe Roth Data Privacy Protection of in a National Context 8

7 De-Identification Handshaking Protocol Demo graphic Data Pseudonym Pick-Up-Ticket Demographic Data Pick-Up Ticket Trusted Third Party De-Identification Pseudonym Pick-Up Ticket Hospitals Laboratories Doctors Offices Data Source Data Consumer Query for Pick-Up Ticket National ehealth Platform Data Repository Encrypted Data Storage Data Registry Metadata List of Medical Documents Uwe Roth Data Privacy Protection of in a National Context 9

8 Trusted Third Party Organizational and Legal Only place where demographics and their pseudonyms are known Organizational and legal independent from data sources data users data registry data repositories No pass-through of medical data No de-identification/modification of medical data (integrity of signed documents) Can be put in the Internet, while users of the service stay behind firewalls Uwe Roth Data Privacy Protection of in a National Context 11

9 Trusted Third Party Identification of Patients Identifies persons by given demographics Normalization step of demographics is needed Correction of typographic errors Phonetic reduction or names Align to official addresses Weighting of attributes with respect to entropy Distance calculation to existing identities If distance closer than a certain threshold: identity matches Uwe Roth Data Privacy Protection of in a National Context 12

10 Trusted Third Party Matching and Pseudonym Creation Matching decision: Definite positive match: Take existing pseudonym Definite no match: Create new pseudonym Unclear match: Create new pseudonym for the time being Requires manual intervention to take decision Creation of source-depending pseudonyms allows later correction of matching decisions Trusted Third Party will provide all pseudonyms of the same persons on request Uwe Roth Data Privacy Protection of in a National Context 13

11 Trusted Third Party Authentication and Access Control Allows de-identification requests only for data sources and data users Allows retrieval of pseudonym only for data registry and data repositories Guaranteed by Security Token service Security Token Service provides security tokens after authentication with role information Uwe Roth Data Privacy Protection of in a National Context 15

12 Secondary Use Statistics Demo graphic Data Trusted Third Party 1 st Level De-Identification Pseudonym National ehealth Platform 2 nd Level De-Identification Patient ID Hospitals Laboratories Doctors Offices Data Source Statistical Extract National ehealth Platform Statistical Database Query for Statistics Statistics or Statistical Extract Statistics Office Researcher Data Consumer Uwe Roth Data Privacy Protection of in a National Context 18

13 Conclusion Data sources and data users never get in touch with the pseudonym Data repositories and data storage never get in touch with demographics Enforced by the use of a security token service and role based access Identity vigilance to monitor matching decisions Correction of matching decision possible Trusted third party provides data privacy for unencrypted meta data and statistical extracts Uwe Roth Data Privacy Protection of in a National Context 20

14 Data Privacy Protection of in a National Context Dr. Uwe Roth ([email protected]) Heiko Zimmermann, Dr. Stefan Benzschawel Friday, 20 April 2012 Version v1.0 r