Sensor Systems for Monitoring Congestive Heart Failure: Location-based Privacy Encodings

Edmund Seto, Posu Yan, Ruzena BajcsyUniversity of California, Berkeley

TRUST Autumn 2011 ConferenceNovember 2, 2011

Congestive Heart Failure

Inability for the heart to pump enough blood to the rest of the body. Cardiovascular disease is the #1 killer in the U.S. Approximately 5.7 million Americans have Congestive Heart Failure. Each year 670,000 Americans will be newly diagnosed with CHF. The estimated direct and indirect cost of CHF in the U.S. for 2009 is

$37.2 billion.

Congestive Heart Failure CHF is a chronic disease Treatable

Medications Lifestyle changes (diet, smoking, physical activity, weight, etc.) Frequent monitoring (every 3-6 months w/doctor) Attention to symptoms (cough, fatigue, weight gain, swollen feet)

Telemonitoring Systematic review by Louis, et al., 2003 18 observational studies and 6 randomised controlled trials Findings suggest telemonitoring benefits:

Early detection of deterioration Reduce readmission rates Reduce length of hospital stay Reduce readmissions Reduced mortality

Case Study: Congestive Heart Failure

Mobile deviceGPSAccelerometerBT digital scaleBT blood pressure

Data sent to serverat Vanderbilt

Patient receives regular feedback messages

Privacy Considerations

• Device security (authentication, device loss, etc.)• Wireless security (eavesdropping, DoS, Phishing, etc.)• Data security (encryption, access rights, audit trails, etc.)

• Privacy policies– Patients control their data– Some potential benefits to sharing their data– But, also some potential risks to sharing their data

Secure Communication Framework for Networked Tele-Health ApplicationsAaron Bestick, Posu Yan, Ruzena Bajcsy

Defining Contextual Exposure

For example, doctor may be interested in:• Where is patient getting physical activity?• Where is patient having high blood pressure?• Where is patient having lunch?

Elaboration on contextual exposureProblem: Where is patient getting physical activity?

• “Physical activity” defined by p(t)(e.g., physical activity obtained from accelerometry)

• “Where” defined by x(t) (e.g., location obtained from GPS)

• Hence: x(t) for all t when p(t)>threshold intensity of activity

• Furthermore: g(x(t)) = places (e.g., parks, schools, home, etc.)

• and… Σ g(x(t)) / T (i.e., proportion of monitoring period that exposure occurred)

Privacy of Inferred Context

• Location of home, work, etc.

Introduce random error

Aggregation (1 km)

Aggregation (2 km)

Model of the patient

What might influence a patient’s encoding decisions?

• Risk adversity (cost)– Less data shared, the lower the privacy risk– Factors in various aspects of “trust” (of their physician, the

network, data security, laws, etc.)

• Possible reward– Sharing more data, might lead to better care

• … and obviously, these vary between individuals

Model of the doctor

What might influence a doctor’s perspective on encoded data?• Generally more detailed data is better than less• Up to a point (saturation)

• … and presumably, less variation between doctors (e.g., standard treatment protocols)

Privacy in the Federal Health IT Plan: a Game Theoretic ApproachDaniel Aranki, Ruzena Bajcsy

What is the optimal “move” of the device?

Future work

• Finish implementation of the recipe architecture, including the collaboration server

• User studies to define useful encodings • User studies to define utility functions• Analyze (and optimize) the patients’ decisions by extending

this framework to consider various privacy and security threats.

THANKS!