Big Data Meets Privacy:De-identification Maturity Model for Benchmarking and Improving De-identification Practices

Nathalie HolmesKhaled El Emam

Workshop Outline

Big Data: Opportunities and Risks in Healthcare De-identification Myths: Fact or Fiction Overview of Terms Used in Anonymization De-identification Maturity Model (DMM) Case

Studies DMM Uses and Benefits

OPPORTUNITIES AND RISKS WITH BIG DATA

How to Successfully Leverage Data While Protecting Individual Privacy

Big Data Tidal Wave is Creating UnforeseenOpportunities and Risks

Organizations with the Right Tools And a Skilled Team will

Come Out on Top

Big Data Opportunities and Risks

A lot of useful data contains personal information about patients, study participants, or consumers The challenge is getting access to the data – addressing the privacy

requirements:- Do you have authority ?

- Is it mandatory or discretionary ?- Do you patient / participant consent ?- Can you anonymize the data

These are the only ways that you get access to the data

Healthcare Breaches

Best evidence suggests at least 27% of healthcare practices have a breach every year The costs for healthcare are $200 per individual for breach notification

(Ponemon) This applies whether you have obtained consent or authority

De-identification is one piece of an enterprise privacy program that can make privacy work

“Privacy by Design” provides helpful best practices

Proactive, Preventative, Embedded and Continuous

De-Identification Facts or Fiction #1

True or False: - It’s possible to re-identify most, if not all, data.

False:- Using robust methods, evidence suggests risk

can be very small.

De-Identification Facts or Fiction #2

True or False: - Privacy regulations say that there must be zero

chance of re-identification in order for a data set to be used for secondary purposes.

False:- HIPAA states that the risk of re-identification

must be “very small”. The FTC and other regulations use a “reasonableness” standard. All of these standards take context into account

De-Identification Facts or Fiction #3

True or False: - Only covered entities should consider HIPAA as

a standard for de-identification.

False:- HIPAA is a good standard to use regardless of

the applicable regulations.

OVERVIEW OF ANONYMIZATION

How to Successfully Leverage Data While Protecting Individual Privacy

PRIVACYANALYTICS.CA

© 2012-2013, Privacy Analytics. All Rights Reserved13 of 76

Balancing Data Privacy Requires Evaluation of Privacy Protection and Data Utility

Balancing Data Privacy

Direct and In-Direct/Quasi-Identifiers

Examples of direct identifiers: Name, address, telephone number, fax number, MRN, health card number, health plan beneficiary number, license plate number, email address, photograph, biometrics, SSN, SIN, implanted device number

Examples of quasi identifiers: sex, date of birth or age, geographic locations (such as postal codes, census geography, information about proximity to known or unique landmarks), language spoken at home, ethnic origin, total years of schooling, marital status, criminal history, total income, visible minority status, profession, event dates

Terminology

A process that removes the association between the identifying data and the data

subject. (Source ISO/TS 25237:2008)

Reducing the risk of identifying a data subject to a very small level through the

application of a set of data transformation techniques without any concern for the

analytics utility of the data.

Removal of fields from a data set

A particular type of anonymization that both removes the association with a data

subject and adds an association between a particular set of characteristics to the data

subject and one or more pseudonyms (Source: ISO/TS 25237:2008)

Replacing a value in the data with a random

value from a large database of possible

values

Data Masking

Data Masking = No analytics on those fields

Reducing the risk of identifying a data subject to a very small level through the application of a set of data transformation techniques such that the

resulting data retains a very high analytics value.

Reducing the precision of a value

to a more general one

The removal of records or values (cells) in the data

Randomly selecting a subset of records or patients from a data set

The motives and capacity of thedata recipient to

re-identify the data

The security and privacy practices

that the data recipient has in place to manage

the data received.

Statistical De-identification

De-identification =High analytical value

RE-IDENTIFICATION RISKS

Risks from Basic Demographics

DE-IDENTIFICATION MATURITY MODEL

How to Successfully Leverage Data While Protecting Individual Privacy

De-identification Maturity Model (DMM)

Formal framework to evaluate maturity of de-identification services within an organization Gauges level of an organization’s readiness and experience in

relation to people, processes, technologies and consistent measurement practices “DMM” used as a measurement tool; enables the enterprise to

implement a grounded strategy based on facts Improves compliance, facilitates access, and scales support services

Three Dimensions of the DMMA

CB

Practice Dimension

DMM has five maturity levels for the de-identification practicesthat an organization has in place Level 1 is lowest level of maturity and level 5 is the highest

level of maturity

Adhoc Masking HeuristicRisk

BasedGovernance

1 2 3 4 5

A

Case Study 1 – Safe Harbor

Organization A is a disease registry They have lots of databases that they connect to and they do a lot of

data releases to internal and external data analysts Practice Dimension (what you do):

- Their primary way of anonymizing data is through following the Safe Harbor de-identification standard (L3)

Implementation Dimension (how well you do it):- There is a clear process and well defined roles for following SH,

which is well documented- Because its documented, it’s repeatable (L3)

Safe HarborSafe Harbor Direct Identifiers and Quasi-identifiers

1. Names2. ZIP Codes (except first

three)3. All elements of dates

(except year)4. Telephone numbers5. Fax numbers6. Electronic mail

addresses7. Social security

numbers8. Medical record

numbers9. Health plan beneficiary

numbers10.Account numbers11.Certificate/license

numbers

12.Vehicle identifiers and serial numbers, including license plate numbers

13.Device identifiers and serial numbers

14.Web Universal Resource Locators (URLs)

15.Internet Protocol (IP) address numbers

16.Biometric identifiers, including finger and voice prints

17.Full face photographic images and any comparable images;

18. Any other unique identifying number, characteristic, or code

Actual Knowledge

Case Study 1 – Safe Harbor

Automation dimension (is it automated)- They use a home grown scripts for implementing SH- The scripts do not have any external validation that they work or are

sufficient (L1) Challenges

- Despite these efforts, they have missed some key items- There have been pressures by analysts to provide more granular

data

Case Study 1 – Safe Harbor

- They have interpreted the SH regulation for dates such that they have only dealt with dates of birth rather than all dates

- They have not brought all zip down to 3, and for regions where there are fewer than 20K people replace with 000 per SH

- Some identifiers were missed (such as clinical trial participant numbers)

- Did not consider the Actual Knowledge requirement in SH

Case Study 2 – Masking

Company B is a claims processor They have a need for realistic data for software testing Practice Dimension (what you do):

- Their primary way of anonymizing is through data masking - This means they deal only with the direct identifiers (L2) Implementation Dimension (how well you do it):

- There is a clear process for doing masking and how they implement heuristics, which is well documented

- Because its documented, it’s repeatable (L3)

Case Study 2 – Masking

Automation dimension (is it automated)- They use a commercial product for masking- This product produces consistent results (L2) Challenges

- Despite these efforts, they have missed some key items – the quasi-identifiers

- Some dates and ZIP codes were not addressed- There is no evidence that the risk of re-identification was “very small”- The tool vendor architect provided assurance that this was OK

Case Study 3 – Governance

Company C is an EMR vendor They have a need to provide reports to their clients on trends and

benchmarks to help clients to improve their businesses Practice Dimension (what you do):

- They have a risk-based approach which includes anonymizing both direct identifiers (masking) and in-direct identifiers (de-identification)

Implementation Dimension (how well you do it):- There is a clear process for anonymizing the data which is well

documented- Because its documented, it’s repeatable

Case Study 3 – Governance

- They have on-going training of staff on how to do the anonymization

- They are able to quickly produce reports and metrics documenting what they did to the data before they released it

- They have automated data sharing agreements which specifies the controls that need to be in place by data users

- They have a full audit trail to demonstrate that the risk of re-identification is “very small” per HIPAA

- They track when there is overlap between the various data sets- Audits are conducted on data users to confirm compliance with

conditions

Case Study 3 – Governance

Automation Dimension (is it automated)- They use commercial software to do masking and de-

identification- The product produces consistent results- They are able to get defensible anonymization more quickly than

by doing it manually- The product has been scrutinized by other users & peers and is

upgraded on a regular basis- They are able to release more data sets, more quickly

Benefits of DMM

Determine whether an organization can defensibly ensure risk of re-identification is “very small” Provides a road map to meet regulatory and legal requirements Automation and governance allow organizations to share more data for

secondary purposes with fewer resources A higher the level of maturity results in higher quality data and greater

consistency in de-identification Significant improvement in ability to estimate resources and time

required to de-identify data sets

PRIVACYANALYTICS.CA© 2012-2013, Privacy Analytics. All Rights Reserved51 of 92

Key Learnings

Data Anonymization Resources

Book Signing: Sept 26,10:35 am Booth # 107

Khaled El Emam & Luk Arbuckle

Other Conference Activities

Session: Facilitating Analytics While Protecting Individual Privacy Using Data De-identification - Khaled El Emam- Thursday , September 26 @ 4:00pm, Salon F Office hours in the Sponsor Pavilion:

- Nathalie Holmes - Thursday, September 26 @ 3:10pm, Table D- Khaled El Emam - Thursday, September 26 @ 6:30pm, Table D

Contact

Nathalie Holmes:nholmes@privacyanalytics.ca613.369.4313 ext 122

Khaled El Emam:kelemam@ehealthinformation.ca613.738.4181

@PrivacyAnalytic

2012 Start-Up Showcase Winner

Review Quiz

What does anonymization mean? What is the difference between data masking and de-identification? Why is it important to strive for balance between privacy and data utility? How many levels of maturity (Practice Dimension) are there in the DMM? Is it possible to be at Practice Dimension 1 (Ad hoc) and score well in the

Implementation Dimension? Ex. Have a repeatable, defined and measurable process? What are some advantages of having Standard Automation (software)? What is the main difference between Practice Dimension 4 (Risk Based) and

Dimension 5 (Governance)?