Download - Primary and Secondary use of EHR systems
![Page 1: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/1.jpg)
Meeting The Technical Security Needs
Primary and Secondary use of EHR systems
Filip De Meyer12-10-2007
![Page 2: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/2.jpg)
2
Custodix: Company Introduction
Concepts & Terminology
From Concept to Technical Solutions
Example: The Custodix Anonimisation Tool (“CAT”) (screen shots)
Content
![Page 3: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/3.jpg)
3
In a few words…– Established in 2000 as a spin-off company of the
University of Ghent, Belgium– Providing Privacy Protection services, mainly in
HealthCare Trusted Third Party Services Customized Privacy EnhancedData Collection Solutions
Secure storage Privacy Consultancy …
“One stop shop” for privacy/data protection Involved in European Research since the start Operating in Europe, Australia and Asia
About Custodix
3
![Page 4: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/4.jpg)
4
Commercial & Research Activities
4
Commercial Research Programs
![Page 5: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/5.jpg)
5
Countries involved (sources of data) in Custodix protected data flows.
Scope of Activities
5
![Page 6: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/6.jpg)
6
Data Protection legislation examples:
Europe:– European Directive 95/46/EC
(accepted as one of the world’s highest privacy standards)
– Member state implementation Other:
– Health Insurance Portability and Accountability Act (H.I.P.A.A.)
– Ontario Freedom of Information and the Protection of Privacy Act in Canada
– …
Background/History of Activities
6
Ethics“What is right?”
Legislation Regulation
Cod
ifica
tion
TechnologyeSecurity & ePrivacy
Business Risk Management
Business EthicsBusiness
Advantage
“Requirement” “Choice”
![Page 7: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/7.jpg)
7
Custodix Services
7
PKI(Public Key
Infrastructure)
TSA(Time Stamping
Authority)
IM(Identity
Management)
AuthN & AuthZ(Authentication &
Authorization)
Data Protection Services
Privacy Enhanced Storage Framework
Data Protection PlatformEncrypted StoragePseudonymisation
Information Flow Management
Patient Consent ManagementAdvanced Access Control
HealthCare ID Management
Spin- off Security Services
Security Services(e.g. eProcurement )
Digital Signature webtoolsTimestamping
Patient Information Location Services
(PILS)
Master Patient Index
![Page 8: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/8.jpg)
8
Trusted Third Party
ResearchData
Repositories
Various EHRSources
(care/diagnostic purposes)
Personal HealthRecords
(e.g. personal diaries)
+ Other Sources
Additionally Collected Data(for researchpurposes)
• link• protect privacy
EHR Sources Research Use
ResearchData
Repositories
![Page 9: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/9.jpg)
9
Reduction of Identifying Information
Risk Analysis
delete identifier
transform date
produce nym personal data
de-identifieddata
Reduce Identifying Information Content
delete data items
… encrypt data items
![Page 10: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/10.jpg)
10
Starting Point: Definition of Personal Data
“'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
(Directive 95/46/EC, the “DPD”)
![Page 11: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/11.jpg)
11
Concept of Identification
A data subject is identified (within a set of data subjects) if it can be singled out among other data subjects.
Some associations between characteristics and data subjects are more persistent in time (e.g. a national security number, date of birth) than others (e.g. an e-mail address).
set of characteristics
abc
d e
f
gh
Set of data subjects
![Page 12: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/12.jpg)
12
The Concept of Anonymisation
set of characteristics
abc
d e
f
ghdata subject
Anonymisation is the process that removes the association between the identifying data set and the data subject. This can be done in two different ways:
-by removing or transforming characteristics in the associated characteristics-data-set so that the association is not unique anymore and relates to more than one data subject.
- by increasing the population in the data subjects set so that the association between the data set and the data subject is not unique anymore.
![Page 13: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/13.jpg)
13
Terminology: Pseudonymisation
set of characteristics
ac
d hPseudonym
Pseudonymisation is a particular type of anonymisation that, after removal of the association with a data subject, adds an association between a particular set of characteristics relating to a data subject and one or more pseudonyms. The pseudonym may be unique in in a domain.
In irreversible pseudonymisation, the conceptual model does not contain a method to derive the association between the data-subject and the set of characteristics from the pseudonym.
? be
f
g
Note that “pseudonymisation” and “anonymisation” terminology is not universal
![Page 14: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/14.jpg)
14
The Conceptual vs. Real Life Model
“To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable; whereas codes of conduct within the meaning of Article 27 may be a useful instrument for providing guidance as to the ways in which data may be rendered anonymous and retained in a form in which identification of the data subject is no longer possible”. (Recital 26 of the DPD) refine the concept of identifiability/anonymity.
take into account “means likely and “any other person” in through re-identification risk analysis
![Page 15: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/15.jpg)
15
Privacy Risk Analysis
![Page 16: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/16.jpg)
16
Levels of De-identification (ISO/IEC DTS25237)
Level 1: removal of clearly identifying data (“rules of thumb”)
Level 2: static, model based re-identification risk analysis
Level 3: continuous re-identification risk analysis of live databases
Targets for de-identification can be set and liabilities better defined in risk analysis and policies.
![Page 17: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/17.jpg)
17
ISO TC215 / WG 4ISO/IEC DTS25237 (Approved T.S.)
Health Informatics: Pseudonymisation Result of work in ISO/ TC 215/ WG4 Based on conceptual model as explained in
this presentation Lists a number of Healthcare scenarios
– clinical trials– clinical research– public health monitoring– patient safety reporting (adverse drug events)
Current status: Approved Technical Specification
![Page 18: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/18.jpg)
18
Disease Management, Clinical Trials, … requirements – Dynamic data collection of individual line data…
Longitudinal studies Processing data of individual patients
– Protection of data subjects towards data collector Data must be stored in protected form Different from disclosure control
Requires– De-identified individual line data
Pseudonymisation / anonymisation no protection through aggregation, data swapping, …
– A-priory estimation of privacy risks and required data protection measures
Privacy risk based on statistical modelscfr. re-identification theory
– Protection of the “context” in which data is considered anonymous
Common Healthcare Requirements
18
![Page 19: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/19.jpg)
19
Goal:– Protection of identity and privacy of individuals or
organizations– Allowing linkage of data associated with pseudo-IDs
irrespective of the collection time (cf. longitudinal studies) and collection place (cf. multi-center studies)
Simplified:– Translating a given identifier into a pseudo-
identifier by using secure, dynamic and (preferably ir-)reversible cryptographic techniques
Tricky part:– Making sure that data is truly de-identified
(within a predefined context)– Removing “indirectly identifying” content
Pseudonymisation
19
![Page 20: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/20.jpg)
20
Batch Data Collection
20
SourcesData Collection Site
Trusted Third Party
• Build custom solutions using standard components• Integrate security & privacy components into existing and new projects
![Page 21: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/21.jpg)
21
The “interactive pseudonymisation system” Reconciling the concept of a “central anonymous
database” with “nominative access”
Interactive Pseudonymisation
21
Research Community
Collective Records Access}
RegisterPseudonymous Database (at data warehouse)
On-the-fly–Pseudonymisation–Encryption
Pseudonymisationserver at TTP
Nominative Data RealmDoctor(Dealing with nominative patient information)
Pseudonymous Data Realm
Doctor(Dealing with nominative patient information)
PrivacyProtectionGateway
![Page 22: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/22.jpg)
22
Data Protection Service (acting as reverse proxy)Non-intrusive to the application (transparent)Key Management ServiceSecured Search Service Provides Authentication and user management to the application
Web Enabled Implementation of Privacy Enhanced Storage Framework
22
SourcesData Collection Site
PESF Service
available as FLASH or Java/JavaScript
toolkit
Browser API
![Page 23: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/23.jpg)
23
Secure Communication Anonymous Data Collection Secured Repository
Case: Combined Trust Services
23
State-of-the-art Implementation based on innovative security technology
Secure Information eXchange
SIXCustodix Module
Custodix PKI
Export and access according to a strict policy
anonymisation
encryption
communication
EHR
Direct Messaging
Providing- Authentication- Addressing- Directory Services- Account Management
Anonymous Data
Upload + Feedback
Custodix Policy ControlledEnvironment
CustodixData Repository
![Page 24: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/24.jpg)
24
HospitalDatasources
PhysicianPatient
Clinical Trial
ACGTInfrastructure
Core Activities
Integration… of clinical history, medical imaging and genetic data.
Knowledge Grid… distributed mining for knowledge extraction.
Clinical Trials… breast cancer & pediatric nephroblastoma
Developing a Biomedical GRID infrastructure for sharing Clinical and Genomic expertise
![Page 25: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/25.jpg)
25
Pseudonymisation Tool
![Page 26: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/26.jpg)
26
Center for Data Protection
Act as "data controller" or assist "data controllers" in the sense of the European Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
Be a think-tank for everyone professionally involved or interested in practical data protection;
Promote the application of novel technology in the context of data protection (ePrivacy , eSecurity), and act as a dissemination point for practical solutions;
Get involved with the development and promotion of standards and certification related to privacy protection;
Provide assistance in dealing with complex data protection issues on an international level by offering access to a multidisciplinary pool of expertise.
![Page 27: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/27.jpg)
27
Generate privacy protection profiles that can be run on heterogeneous data.
Create (profile) once, run many times....
![Page 28: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/28.jpg)
28
CAT:Overview
![Page 29: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/29.jpg)
29
CAT: Variable Mappings Editor, XML
Variable mappings (dicom, xml, csv, custom) Define a privacy type /variable
– Identifier– Free text– Undefined– ...
![Page 30: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/30.jpg)
30
CAT: Transformation Editor
Operands– named variable (e.g. patientID)– privacy type
Flexible and detailed configuration– simple nym transformation– secure vaults (single or multiple argument)
– random– replace with value– clear– make date relative– ...
![Page 31: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/31.jpg)
31
CAT: Transformation Editor, XML
![Page 32: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/32.jpg)
32
CAT XML Example: Result
“firstname” replaced by calculated nym
“last name” cleared
before after
![Page 33: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/33.jpg)
33
CAT: Key Handling
generate keys store keys import/export ...
![Page 34: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/34.jpg)
34
CAT, DICOM Example
![Page 35: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/35.jpg)
35
CAT: Variable Mappings Editor, DICOM
![Page 36: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/36.jpg)
36
CAT: Transformation Editor, DICOM
![Page 37: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/37.jpg)
37
CAT: DICOM Examples
replaced by nym
cleared
original
examples
![Page 38: Primary and Secondary use of EHR systems](https://reader033.vdocument.in/reader033/viewer/2022061610/568146b9550346895db3e6df/html5/thumbnails/38.jpg)
38
Custodix NVVerlorenbroodstr. 120B-9820 MerelbekeBelgium
http://www.custodix.com/[email protected]
Thank you for your attention!
38
Any Questions?