Pseudonymization of Information for Privacy in E-Health (PIPE)

Similar documents
What is GDPR? Editorial: The Guardian: August 7th, EU Charter of Fundamental Rights, 2000

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

SHS Annual Information Privacy and Security Training

HIPAA UPDATE. Michael L. Brody, DPM

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

Data Compromise Notice Procedure Summary and Guide

A Homeopath Registered Homeopath

Creative Funding Solutions Limited Data Protection Policy

Element Finance Solutions Ltd Data Protection Policy

mhealth: Privacy Challenges in Smartphone-based Personal Health Records and a Conceptual Model for Privacy Management

Cybersecurity and Hospitals: A Board Perspective

GDPR & FOSS. Marc Jones CIPP/US, CISSP Compliance Engineer & In-House Counsel

Data Protection Policy

General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions

In order to mine data. P. Pearl O Rourke, MD Partners HealthCare Boston, MA

General Data Protection Regulation (GDPR) Key Facts & FAQ s

Information Technology Standards

DATA PROTECTION ISACA MALTA CHAPTER BIENNIAL CONFERENCE Saviour Cachia Commissioner for Information and Data Protection

First aid toolkit for the management of data breaches. Mary Deligianni Senior Associate 15 February 2018

Cardiff University Security & Portering Services (SECTY) CCTV Code of Practice

Executive Insights. Protecting data, securing systems

PRINCIPLES OF PROTECTION OF PERSONAL DATA (GDPR) WITH EFFICIENCY FROM

Keeping It Under Wraps: Personally Identifiable Information (PII)

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

Cyberspace : Privacy and Security Issues

The Australian Privacy Act An overview of the Australian Privacy Principles (APPs) Author: Paul Green

A pill box with biometric access control and web connection (work in progress)

CC withinthe Context of the EU Privacy Seal - EuroPriSe

PRIVACY POLICY OF THE WEB SITE

NIS Platform Working Group 3 Individuals Digital Rights and Capabilities. Dr. Gisela Meister April

the processing of personal data relating to him or her.

How the GDPR will impact your software delivery processes

Preserving Data Privacy in the IoT World

Compliance of Panda Products with General Data Protection Regulation (GDPR) Panda Security

Document No.: VCSATSP Restricted Data Protection Policy Revision: 4.0. VCSATS Policy Number: VCSATSP Restricted Data Protection Policy

2016 Data Protection & Breach Readiness Webinar Will Start Shortly. please download the guide at

SECURING DEVICES IN THE INTERNET OF THINGS

SECURING DEVICES IN THE INTERNET OF THINGS

This article will explain how your club can lawfully process personal data and show steps you can take to ensure that your club is GDPR compliant.

PRIVACY POLICY. 3.1 This policy does not apply to the collection, holding, use or disclosure of personal information that is an employee record.

The MovingLife Project

Cloud Communications for Healthcare

Site Builder Privacy and Data Protection Policy

Rights of Individuals under the General Data Protection Regulation

PORTICO PRIVACY NOTICE

University of Mississippi Medical Center Data Use Agreement Protected Health Information

Employee Security Awareness Training Program

COMPUTER NETWORK SECURITY

Contract Services Europe

HIPAA and HIPAA Compliance with PHI/PII in Research

Data Protection in Switzerland Update Following the Safe Harbor Decision. 21 October 2015 / 6 February 2016 Christian Wyss

Economic and Social Council

PRIVACY POLICY POLICY KEY DEFINITIONS: PROCESSING OF YOUR PERSONAL DATA

ARBOR DDoS PRODUCTS IN A GDPR COMPLIANT ENVIRONMENT. Guidelines and Frequently Asked Questions

Data Encryption Policy

Cyber fraud and its impact on the NHS: How organisations can manage the risk

Data Protection Policy

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

Privacy Policy GENERAL

Symmetric Key Services Markup Language Use Cases

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

Dealing with Security and Security Breaches

Technical Requirements of the GDPR

Complete document security

Bringing cyber to the Board of Directors & C-level and keeping it there. Dirk Lybaert, Proximus September 9 th 2016

ngenius Products in a GDPR Compliant Environment

Smile IT Ltd Privacy Policy. Hello, we re Smile IT Ltd. We offer computer and network support to businesses and home computer users.

A comprehensive approach on personal data protection in the European Union

Legal basis of processing. Place MODE AND PLACE OF PROCESSING THE DATA

Case Study Vitality Justin Skinner Group Chief Risk Officer

Privacy Policy. Data Controller - the entity that determines the purposes, conditions and means of the processing of personal data

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

PTLGateway Data Breach Policy

Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.

mhealth and Integreation of Promise

Can eid card make life easier and more secure? Michal Ševčík Industry Solution Consultant Hewlett-Packard, Slovakia ITAPA, November 9 th, 2010

Lecture Embedded System Security Introduction to Trusted Computing

CHASE GRAMMAR SCHOOL PRIVACY STATEMENT General Data Protection Regulations (GDPR)

Securing Devices in the Internet of Things

Digital Healthcare. Yordan Iliev Director R&D Healthcare. Regional Cybersecurity Forum, November 2016, Grand Hotel Sofia, Bulgaria

Access Rights and Responsibilities. A guide for Individuals and Organisations

Privacy Policy CARGOWAYS Logistik & Transport GmbH

Information Governance, the Next Evolution of Privacy and Security

HIPAA Privacy & Security Training. HIPAA The Health Insurance Portability and Accountability Act of 1996

Regulatory Aspects of Digital Healthcare Solutions

Compliance A primer. Surveys indicate that 80% of the spend on IT security technology is driven by the need to comply with regulatory legislation.

Using Blockchain for Consent and Access to Private and Sensitive Data in the GDPR Environment

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services

Little Blue Studio. Data Protection and Security Policy. Updated May 2018


Lecture Embedded System Security Introduction to Trusted Computing

Compliance in 5 Steps

Jeff Wilbur VP Marketing Iconix

Website Privacy Policy

Security Information for SAP Asset Strategy and Performance Management

We respect your privacy and we promise to do the following: Without limitation, any of the following Data may be collected:

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

GDPR Privacy Policy. The data protection policy of AlphaMed Press is based on the terms found in the GDPR.

Encrypting PHI for HIPAA Compliance on IBM i. All trademarks and registered trademarks are the property of their respective owners.

Enhancing Security With SQL Server How to balance the risks and rewards of using big data

Transcription:

Pseudonymization of Information for Privacy in E-Health (PIPE) A Min Tjoa TU Wien & SBA One side of Privacy No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home, or correspondence nor to unlawful attacks on his honor and reputation Everyone has the right to the protection of the law against such interference or attacks (Universal Declaration of Human Rights, 1948) 2

The other side of Privacy Telekom: Data from 17 million customers stolen (Die Zeit, 04.10.08) Soupnazi stole data relating to 170M credit cards, (derstandard, 18.08.09) The National Health Service (GB): The unencrypted medical histories of 2,300 cancer patients were compromised (The Independent, 25.05.09) 3 Motivation A Medical Scenario Symptoms of weakness, fatigue, weakness, severe shortness of breath,congestion and cough Lung X-Ray shows congestion in lung Echocardiogramm rules out chronic obstructive pulmonary disease and congenial heart disease The diagnosis is acute bronchitis Statistical Analayis of echocardiogram reveals right side of heart enlarged, left side reduced only apparent when compared to hundreds of other echocardiograms Statistical Analysis suggests primary pulmonary hypertension (PPH) the only right diagnosis www.wrongdiagnosis.com/p/primary_plumonary_hypertension/intro.htm Cited by Laura Haas, IBM Director Computer Science Research [2009] 4

Motivation - Personalized Medicine Gathering knowledge of impact of lifestyle and genetic factors Application of therapy-planning not in a trial and error way 5 Three Pillars of Privacy Regulation/Legislation, e.g., Health Insurance Portability and Accountability Act (HIPAA) European Directive 95/46/EC Data Protection Act Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedom Self Regulation, e.g., TRUSTe TÜV Privacy Enhancing Technologies (PET) 6

Approaches for protecting patients privacy Identifier is removed Cannot be reversed Identifier retained Link between patient and health data Anonymization Normal Secondary Use Health data fully encrypted Reversible, but only by patient Identifier replaced with pseudonym Reversible under strictly controlled circumstances Privacy Transparency Encryption 7 Pseudonymization The need for pseudonymization Patients and commissioners for data protection have legitimate concerns about privacy and confidentiality of the stored medical (esp. genomic) data. Genomic data clearly identifies a person. 8

The PIPE Approach The PIPE approach is a pseudonymization approach based on cryptographic operations. Data is divided into personal data and pseudonymized medical data. Access is handled with smartcards (e.g., ecard). Patient as data owner may grant data access authorizations to trusted relatives and health care providers. An operator-principle acts as a secure fall-back mechanism for lost or destroyed smartcards. 9 The PIPE Approach Identification Data Patient Pseudonyms? Attacker Trusted Health Care Provider Pseudonyms Trusted Health Care Provider Health Data 10 Secondary User (Research Institution)

FIT-IT Project PIPE 1/2 The aim of this project is (a) to broaden the PIPE approach to support (semi-) structured meta data, we need to ensure that the storage structure does not reveal any association between meta data and patients or health care providers. patients and health care providers should be able to query meta data to efficiently search within medical records. (b) to develop alternative secure storage and retrieval techniques, Exísting approaches have been determined to be insecure or raise performance problems with smart cards. We reduce processing needs at the client by developing dedicated rather than general purpose storage and query techniques. 11 FIT-IT Project PIPE 2/2 The aim of this project is (c) to provide a secure viewer that prevents man-in-the-middle attacks, The authorization mechanism has to guarantee that only trusted person are granted access to the patient s health data. (d) to demonstrate our system in the context of genome analysis, storage, and retrieval. As genomic data per se identifies a person, anonymization is not enough to guarantee privacy. Case studies in the area of genomic data serve a basis for the extension to the application to hospital information systems or electronic health records. 12

Security Issues Principal Idea Minimize (Optimize) the size of the Trusted Computing Base (TCB) to decrease the number of possible attackers Distribute trust amongst multiple parties to enforce collusion (Most intruders act alone) 13 Security Issues E-health systems demand the holistic consideration of security. System level, e.g., Malicious Code Social Engineering Database level, e.g., Logging Attack Database Theft Communication level Replay Attacks Man-in-the Middle Attacks 14

Challenges The public health sector deals with many important but complex issues such as integrating legacy systems, guaranteeing the security of data and robustness of workflow processes as well as political issues with many different parties and interests. Therefore, one of the main challenges currently and in the future is and will be to integrate as many stakeholders as possible into the technical discussions to create commonly accepted approaches and concepts. The consideration of security issues is fundamental precondition for the acceptance and, thus, the success of e-health systems. 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback