Securing electronic health records without impeding the flow of information
Introduction
The 1995 European Union Directive on Data Protection (“Directive”) [1] set forth stringent cross-industry standards regarding privacy and security of personal data. Pursuant to these standards, EU member states enacted data protection laws that obligate controllers of health data to provide all data subjects with: (1) notice of the purposes for which they collect and use personal data; (2) choice regarding whether their data may be disclosed to third parties or used for a different purpose than it was originally collected or subsequently authorized; (3) reasonable assurance that the data will be secured and its integrity maintained; (4) access to the data and the opportunity to correct inaccuracies; (5) legal recourse to ensure compliance with data protection requirements. EU states may allow processing of health data without patient consent for purposes of preventative medicine, diagnosis, treatment, management of medical services, or otherwise under professional confidentiality obligations, only if suitable safeguards are provided.
Similar laws in the United States [2], Canada [3], Australia [4], and Japan [5] require healthcare institutions to protect the privacy and security of personal health data. Advisory reports commissioned by the United States government [6], [7] also stress the importance of developing secure, interoperable electronic health records systems that preserve patient privacy. As countries around the world transition from paper-based to electronic health records infrastructures, compliance with these data protection laws will require sophisticated information management technologies. Healthcare organizations must implement privacy and security protections that do not unduly constrain proper use and dissemination of health data or inhibit scientific discovery. Technical and policy challenges concerning the widespread adoption of electronic health records systems have been discussed, for example, in [8] and [9].
The Hippocratic Database (“HDB”) [10] is an integrated set of technologies that manages disclosure of electronic health records in compliance with data protection laws without impeding the legitimate flow of information. HDB's Active Enforcement component limits disclosure of personal health information at a fine-grained level in strict accordance with enterprise policies, legal regulations, and individual patient choices. Its Compliance Auditing component efficiently tracks past disclosures to verify compliance with these policies. Finally, its data mining, de-identification, and information sharing components enable organizations to derive maximum value from sensitive data without compromising privacy or security.
The remainder of this paper is organized as follows. Sections 2 and 3 describe Active Enforcement and Compliance Auditing. Sections 4, 5, and 6 discuss HDB's Privacy-Preserving Data Mining, Optimal k-Anonymization, and Sovereign Information Integration components. In each section, we include example scenarios demonstrating practical applications of these technologies. In Section 7, we suggest a number of opportunities for further research in securely managing electronic health records. We conclude in Section 8.
Section snippets
Active Enforcement
HDB Active Enforcement (“AE”) [11] is a disclosure management component that is transparent to enterprise applications and agnostic to database systems. It resides in a layer above the database, rewriting user queries to conform to the organization's data disclosure policies and individual patient choices. AE enforces disclosure policies down to the cell-level in the database, allowing health organizations to comply with detailed requirements of data protection laws without recoding their
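The cell-level query rewriting described above can be made concrete with a small SQLite program. This is an added example written for this page, not HDB's Active Enforcement code: it assumes a constructed `patients` table, a `policy` table listing which column may be disclosed for which (purpose, recipient) pair, and a `choices` table holding individual patient opt-outs, and it redirects the application's query at a policy-compliant view in which every cell is replaced by NULL unless both the enterprise policy and the patient's own choice permit disclosure.

```python
import re
import sqlite3

# Allowlist of patient columns that disclosure policy may mask. Column names are
# taken only from this tuple, never from the caller, when the view text is built.
MASKABLE_COLUMNS = ("name", "diagnosis", "phone")


def demo_connection():
    """In-memory database with constructed sample data (not real patient data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE patients (patient_id INTEGER PRIMARY KEY, name TEXT,
                               diagnosis TEXT, phone TEXT);
        -- enterprise policy: column disclosable to this recipient for this purpose
        CREATE TABLE policy (purpose TEXT, recipient TEXT, column_name TEXT);
        -- individual choices: allowed = 0 records a patient's opt-out for one cell class
        CREATE TABLE choices (patient_id INTEGER, purpose TEXT, recipient TEXT,
                              column_name TEXT, allowed INTEGER);
    """)
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?, ?)", [
        (1, "Alice Ng", "asthma", "555-0101"),
        (2, "Bob Ruiz", "diabetes", "555-0102"),
        (3, "Cy Park", "hypertension", "555-0103"),
    ])
    conn.executemany("INSERT INTO policy VALUES (?, ?, ?)", [
        ("treatment", "physician", "name"), ("treatment", "physician", "diagnosis"),
        ("treatment", "physician", "phone"),
        ("research", "analyst", "diagnosis"),      # analysts never see name or phone
        ("billing", "clerk", "name"), ("billing", "clerk", "phone"),
    ])
    # Patient 2 opted out of having the diagnosis disclosed for research.
    conn.execute("INSERT INTO choices VALUES (?, ?, ?, ?, ?)",
                 (2, "research", "analyst", "diagnosis", 0))
    return conn


def cell_expression(column):
    """CASE expression yielding the cell only if policy permits it and the patient has not opted out."""
    return f"""
        CASE WHEN EXISTS (SELECT 1 FROM policy
                          WHERE purpose = :purpose AND recipient = :recipient
                            AND column_name = '{column}')
              AND NOT EXISTS (SELECT 1 FROM choices
                              WHERE patient_id = p.patient_id AND purpose = :purpose
                                AND recipient = :recipient AND column_name = '{column}'
                                AND allowed = 0)
             THEN p.{column} ELSE NULL END AS {column}"""


def compliant_view_sql():
    """Policy-compliant view of the patients table for the bound (:purpose, :recipient)."""
    cells = ", ".join(cell_expression(c) for c in MASKABLE_COLUMNS)
    return f"SELECT p.patient_id, {cells} FROM patients p"


def rewrite(user_sql):
    """Redirect the application's references to `patients` at the compliant view."""
    redirected = re.sub(r"\bpatients\b", "patients_disclosable", user_sql)
    return f"WITH patients_disclosable AS ({compliant_view_sql()}) {redirected}"


def run_query(conn, user_sql, purpose, recipient):
    """Execute the rewritten query; purpose and recipient are bound parameters, not interpolated."""
    params = {"purpose": purpose, "recipient": recipient}
    return conn.execute(rewrite(user_sql), params).fetchall()


def disclose(user_sql, purpose, recipient):
    """Run one application query against the constructed sample database."""
    return run_query(demo_connection(), user_sql, purpose, recipient)


if __name__ == "__main__":
    q = "SELECT name, diagnosis FROM patients ORDER BY patient_id"
    for purpose, recipient in [("treatment", "physician"),
                               ("research", "analyst"), ("billing", "clerk")]:
        print(purpose, recipient, disclose(q, purpose, recipient))
```

Because the application's own predicates are evaluated against the masked view, a WHERE clause cannot be used to probe a cell the caller may not see: the research query for a named diagnosis returns no rows even though the row exists. Row-level restrictions compose with this scheme by adding a WHERE clause to the view, and the only text interpolated into the SQL comes from the column allowlist.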
Compliance Auditing
Pursuant to the EU Directive and member state laws enacted thereunder, health organizations must be accountable to patients for all processing of their personal data. Upon request, patients are entitled to a description of the data disclosed, the recipients of the data, and the purposes of the processing. Further, member states must provide patients with a remedy for any breach of their rights under these data protection laws. In the United States, the Health Insurance Portability and
Privacy-Preserving Data Mining
HDB's Privacy-Preserving Data Mining (“PPDM”) [17] allows health organizations to mine aggregate data without revealing individually identifiable information. Thus, it enables analysis of large data sets for epidemiological studies and other medical research without violating patient privacy.
PPDM uses a randomizing function to perturb sensitive values in a patient's record such that they cannot be estimated with reasonable precision. From the randomized data, it reconstructs the original data
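To show what the randomize-then-reconstruct step looks like in practice, here is an added example (a pure-Python illustration written for this page, not HDB's PPDM implementation). It assumes additive uniform noise with a publicly known radius, a constructed sample of two age groups, and the EM-style Bayesian re-estimation used in the privacy-preserving data mining literature: every perturbed value redistributes its unit of mass over the histogram bins in proportion to the noise density times the current estimate, so the aggregate distribution is recovered while no individual original value is ever seen. The bin width, noise radius and sample are assumptions chosen for the illustration.

```python
import functools
import random


def perturb(values, radius, rng):
    """Value distortion: add independent uniform noise in [-radius, radius] to every value."""
    return [v + rng.uniform(-radius, radius) for v in values]


def noise_density(y, radius):
    """Density f_Y of the uniform noise at offset y."""
    return 1.0 / (2.0 * radius) if -radius <= y <= radius else 0.0


def histogram(values, lo, hi, bins):
    """Normalized histogram over equal-width bins on [lo, hi]."""
    width = (hi - lo) / bins
    counts = [0] * bins
    for v in values:
        counts[min(bins - 1, max(0, int((v - lo) / width)))] += 1
    return [c / len(values) for c in counts]


def reconstruct(perturbed, radius, lo, hi, bins, iterations=30):
    """Re-estimate the distribution f_X of the original values from the perturbed ones.

    Each round applies Bayes' rule with the known noise density: perturbed value w
    contributes to bin a in proportion to f_Y(w - a) * f_X(a), normalized over all bins.
    Starting from a flat prior, the estimate sharpens toward the original distribution.
    """
    width = (hi - lo) / bins
    centers = [lo + (i + 0.5) * width for i in range(bins)]
    fx = [1.0 / bins] * bins
    for _ in range(iterations):
        accum = [0.0] * bins
        for w in perturbed:
            weights = [noise_density(w - a, radius) * fx[i] for i, a in enumerate(centers)]
            total = sum(weights)
            if total == 0.0:          # value outside every bin's reach; cannot happen here
                continue
            for i in range(bins):
                accum[i] += weights[i] / total
        fx = [v / len(perturbed) for v in accum]
    return centers, fx


def l1_distance(p, q):
    return sum(abs(a - b) for a, b in zip(p, q))


@functools.lru_cache(maxsize=None)
def demo(n=2000, radius=10.0, seed=7):
    """Constructed sample: two age groups (around 35 and 65). Returns the error of the raw
    perturbed histogram and of the reconstruction, both measured against the true histogram."""
    rng = random.Random(seed)
    ages = [min(100.0, max(0.0, rng.gauss(35 if i % 2 == 0 else 65, 5))) for i in range(n)]
    noisy = perturb(ages, radius, rng)          # this is all the miner ever receives
    bins = 20
    true_hist = histogram(ages, 0, 100, bins)
    noisy_hist = histogram(noisy, 0, 100, bins)
    centers, recon = reconstruct(noisy, radius, 0, 100, bins)
    return {
        "true_mean": sum(ages) / n,
        "recon_mean": sum(a * f for a, f in zip(centers, recon)),
        "reconstructed": recon,
        "error_perturbed": l1_distance(true_hist, noisy_hist),
        "error_reconstructed": l1_distance(true_hist, recon),
    }


if __name__ == "__main__":
    r = demo()
    print("L1 error of perturbed histogram:  %.3f" % r["error_perturbed"])
    print("L1 error after reconstruction:    %.3f" % r["error_reconstructed"])
```

The reconstruction only ever consumes the perturbed values and the noise parameters, which is why the aggregate can be recovered for an epidemiological histogram while each patient's true value stays hidden behind noise of the chosen radius; a larger radius hides individuals better but needs more records before the re-estimate converges.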
Optimal k-Anonymization
The EU Directive generally prohibits the processing of personal health data without patient consent, unless required in connection with the provision of medical care. However, member states may allow exemptions to this prohibition if the data are processed under an obligation of professional secrecy or for reasons of substantial public interest, subject to suitable safeguards. In the US, HIPAA allows healthcare organizations to process personal data without patient consent if they remove all
Sovereign Information Integration
HDB's Sovereign Information Integration (“SII”) [22] component enables two or more autonomous entities to run queries across their databases in such a way that the results of the query are revealed, but no other data is exposed among the databases. SII uses a web services infrastructure to apply a set of commutative encryption functions to uniquely identifiable data in different orders and at different locations. The multiply encrypted values are then compared, and the query results provided,
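The commutative-encryption exchange sketched above, as an added example that is not part of the original paper or the HDB implementation: it assumes modular exponentiation in a prime field as the commutative cipher (exponents chosen coprime to p-1 so each party's encryption is a bijection), a hash to map identifiers into the group, and constructed patient identifiers. The Mersenne prime used as modulus is a toy parameter for the illustration; both parties live in one process so the messages can be read in order.

```python
import hashlib
import math
import random
import secrets

# Toy group modulus for this illustration (constructed parameter): the Mersenne prime 2^127 - 1.
P = 2 ** 127 - 1


def hash_to_group(identifier):
    """Map an identifier such as a patient number to a non-zero residue modulo P."""
    digest = hashlib.sha256(identifier.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1


def generate_key():
    """Secret exponent coprime to P-1, so x -> x^k mod P permutes the group."""
    while True:
        k = secrets.randbelow(P - 2) + 2
        if math.gcd(k, P - 1) == 1:
            return k


def encrypt(x, key):
    # Commutative: encrypt(encrypt(x, a), b) == encrypt(encrypt(x, b), a) == x^(ab) mod P
    return pow(x, key, P)


class Party:
    """One autonomous database; its key never leaves this object."""

    def __init__(self, name, identifiers):
        self.name = name
        self.identifiers = list(identifiers)
        self.key = generate_key()

    def encrypted_set(self):
        """Singly encrypted hashed identifiers, shuffled so order reveals nothing."""
        values = [encrypt(hash_to_group(i), self.key) for i in self.identifiers]
        random.SystemRandom().shuffle(values)
        return values

    def encrypt_batch(self, values):
        """Apply this party's key to values already encrypted by the other party."""
        return [encrypt(v, self.key) for v in values]


def private_intersection(receiver, sender):
    """Receiver learns which of its own identifiers the sender also holds; nothing else crosses."""
    # 1. Receiver encrypts and shuffles its hashed identifiers, keeping the mapping locally.
    r_items = [(i, encrypt(hash_to_group(i), receiver.key)) for i in receiver.identifiers]
    random.SystemRandom().shuffle(r_items)
    msg_to_sender = [e for _, e in r_items]               # h(v)^r
    # 2. Sender applies its key in the same order and returns the doubly encrypted values.
    doubly_from_sender = sender.encrypt_batch(msg_to_sender)   # (h(v)^r)^s
    # 3. Sender also sends its own singly encrypted, shuffled set.
    msg_to_receiver = sender.encrypted_set()              # h(w)^s
    # 4. Receiver applies its key and compares: x^(rs) == x^(sr) exactly when v == w.
    doubly_by_receiver = set(receiver.encrypt_batch(msg_to_receiver))   # (h(w)^s)^r
    return sorted(i for (i, _), d in zip(r_items, doubly_from_sender)
                  if d in doubly_by_receiver)


if __name__ == "__main__":
    hospital = Party("hospital", ["MRN-1001", "MRN-1002", "MRN-1003"])
    registry = Party("registry", ["MRN-1002", "MRN-1003", "MRN-9999"])
    print(private_intersection(hospital, registry))   # ['MRN-1002', 'MRN-1003']
```

Each party sees only values encrypted under the other's secret key, so the receiver learns the intersection and the sizes of the two sets, and the sender learns only the receiver's set size. The query result (the join on identifiers) is the sole thing that crosses the boundary, which is the property the SII component relies on; the paper's deployment carries these messages over web services rather than in-process calls.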
Policy specification
Effective HDB Active Enforcement controls rely on the ability of policies to capture the intent of the policy maker accurately. At the same time, the policy specification should be clear enough that the patient can easily understand the policy and the implications of his choices. While privacy policy specification languages such as P3P offer vast improvement over long legal texts of privacy policies and make policies amenable to symbolic manipulation, they fall short on readability and
Conclusion
We have shown how Hippocratic Database technologies protect the security of personal health records without sacrificing the value of information for diagnosis, treatment, or research purposes. Our example scenarios demonstrate how each of these technologies enables efficient management, sharing, and processing of sensitive data in compliance with the principles of the EU Directive and other data protection laws. We have also identified a number of significant technical challenges that remain in
References
- Towards personal health record: current situation, obstacles and trends in implementation of electronic healthcare record in Europe, Int. J. Med. Inform. (1998)
- Off. J. Eur. Commun. (1995)
- Health Insurance Portability and Accountability Act of 1996, United States Public Law, pp....
- Personal Information Protection and Electronic Documents Act, Second Session, Thirty-sixth Parliament, 48–49 Elizabeth...
- Privacy Act of 1988, Commonwealth of Australia, Act No. 119 of 1988 as...
- Law on the Protection of Personal Information, promulgated by the Diet of Japan on May 30,...
- President's Information Technology Advisory Committee, Revolutionizing Health Care through Information Technology,...
- Commission on Systemic Interoperability, Ending the Document Game: Connecting and Transforming Your Healthcare through...
- Electronic health record meets digital library, J. Am. Med. Inform. Assoc. (2000)
- Hippocratic databases
- Limiting disclosure in hippocratic databases
- Role-based access control models, IEEE Comput.
- Platform for Privacy Preferences 1.0 (P3P1.0) Specification, W3C Recommendation
1. Work done while the author was at IBM Almaden Research Center.