1 / 40

Privacy and Security Workgroup

Privacy and Security Workgroup. Big Data and Privacy. Deven McGraw, chair Stan Crosley , co-chair. October 27, 2014. Agenda. Background Definition of B ig Data Why are we developing policy recommendations regarding Big Data? Topics in Big Data, Privacy and Health Care

gwenllian-baker
Download Presentation

Privacy and Security Workgroup

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy and Security Workgroup Big Data and Privacy Deven McGraw, chair Stan Crosley, co-chair October 27, 2014

  2. Agenda • Background • Definition of Big Data • Why are we developing policy recommendations regarding Big Data? • Topics in Big Data, Privacy and Health Care • Overview of laws, risks, and mitigation strategies • Policy Questions

  3. Background Background

  4. Definition of Big Data • “There is no rigorous definition of big data” • “. . . Big data refers to things one can do at a large scale that cannot be done at a smaller one, to extract insights or create new forms of value, in ways that change markets, organizations, the relationship between citizens and governments, and more.” • “At its core, big data is about predictions. . . It’s about applying math to huge quantities of data in order to infer probabilities . . . .” Viktor Mayer-Schoenberger and Kenneth Cukier, Big Data: A Revolution that will Transform How we Live, Work, and Think, Houghton Mifflin Harcourt Publishing, 2013.

  5. Definition of Big Data • Gartner (Business): • “High‐volume, high‐velocity and high‐variety information assets that demand cost‐effective, innovative forms of information processing for enhanced insight and decision making.” • Adam Barker and Jonathan Stuart Ward (Technical): • “The storage and analysis of large and/or complex data sets using a series of techniques including, but not limited to, NoSQL, MapReduce, and machine learning.” • Privacy Context: • “. . . the term ‘big data’ typically means data about one or a group of individuals, or [data] that might be analyzed to make inferences about individuals.” President’s Council of Advisors on Science & Technology, Big Data and Privacy: A Technological Perspective, May 2014. http://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy_-_may_2014.pdf

  6. Why are we considering Big Data? - • Big Data: Seizing Opportunities, Preserving Values (May 2014): • “The government should lead a consultative process to assesshow the Health Insurance Portability and Accountability Act (HIPAA) and other relevant federal laws and regulations can best accommodate the advances in medical science and cost reduction in health care delivery enabled by big data.” Big Data: Seizing Opportunities, Preserving Values, http://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf

  7. Why are we considering Big Data? • White House Open Government Partnership • “Use Big Data to Support Greater Openness and Accountability” • Ensure privacy protection for big data analyses in health. • Big data introduces new opportunities to advance medicine and science, improve health care, and support better public health.  • To ensure that individual privacy is protected while capitalizing on new technologies and data, the Administration, led by the Department of Health and Human Services, will: • (1) consult with stakeholders to assess how Federal laws and regulationscan best accommodate big data analyses that promise to advance medical science and reduce health care costs; and • (2) develop recommendations for ways to promote and facilitate research through access to data while safeguarding patient privacy and autonomy. http://www.whitehouse.gov/the-press-office/2014/09/24/fact-sheet-announcing-new-us-open-government-commitments-third-anniversa

  8. White House Big Data Report Observations • Distinction between “big data” and “small data”: Big data is characterized by 3 Vs (Volume, Variety, Velocity) • Other key observations: • De-identification is insufficient to protect privacy in big data analytics • Meta data raises significant privacy issues • Should not necessarily treat as less risky than content • Focus on assuring responsible uses, vs. trying to control collection; role of notice and consent should be re-examined

  9. White House Big Data Recommendations* • Current policy frameworks may work well enough for small data, but they do not meet the challenges of big data, including in health: • “The complexity of complying with numerous laws when data [is] combined from various sources raises the potential need to carve out special data use authorities for the health care industry if it is to realize the potential health gains and cost reductions that could come from big data analytics.” (p. 23) *partial list

  10. PCAST Recommendations Regarding Big Data and Privacy • Policy attention should focus more on the actual uses of big data and less on its collection and analysis. • Policies and regulation, at all levels of government, should not embed particular technological solutions, but rather should be stated in terms of intended outcomes.  • With coordination and encouragement from Office of Science and Technology Policy (OSTP), Networking and Information Technology Research and Development program (NITRD) agencies should strengthen U.S. research in privacy‐related technologies and in the relevant areas of social science that inform the successful application of those technologies. • OSTP, together with the appropriate educational institutions and professional societies, should encourage increased education and training opportunities concerning privacy protection, including professional career paths. • The US should take the lead both in the international arena and at home by adopting policies that stimulate the use of practical privacy‐protecting technologies that exist today.  This country can exhibit leadership both by its convening power (for instance, by promoting the creation and adoption of standards) and also by its own procurement practices (such as its own use of privacy‐preserving cloud services). • [E]nsureboth patient privacy and patient benefit from medical research, in a world where medical data are increasingly in electronic form and where there is a growing need for real­time or near ­real­time aggregated data to improve healthcare. PCAST, Big Data and Privacy: A Technological Perspective, May 2014. http://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy_-_may_2014.pdf

  11. Big Data in Healthcare Big Data in Healthcare

  12. Changing Healthcare Landscape is Driving Demand for Big Data Analytics • Escalating costs, shifts in therapeutic and provider reimbursement trends • Movement from fee-for-service model to risk-sharing model focused on patient outcomes – “real world evidence” • Narrowing of approved therapies on formularies drives need to demonstrate effectiveness • The data-driven “closed loop”: illness – symptoms – therapy – outcomes • The rise of actual HCP performance ratings and metrics The big-data revolution in US health care: Accelerating value and innovation http://www.mckinsey.com/insights/health_systems_and_services/the_big-data_revolution_in_us_health_care.

  13. Changing Healthcare Landscape is Driving Demand for Big Data Analytics • Shifts in clinical landscape • Clinicians begin embracing evidence-based medicine • Increased demand for “Translational Medicine” as means of more efficiently translating research/discovery into treatment protocols • Patient demand for data: self-help trend that started with early internet sites like WebMD, rapidly creating entire “patient-empowered” ecosystem that is data-driven • Following other industries: banking, financial services from provider-centric to customer-centric, all data-driven The big-data revolution in US health care: Accelerating value and innovation http://www.mckinsey.com/insights/health_systems_and_services/the_big-data_revolution_in_us_health_care.

  14. High Volume Data from Varied Sources • Supply at scale: more data and sources • Clinical data (electronic medical records) • Claims and cost data • Pharmaceutical R&D data • Socioeconomic, demographic, behavior data of patients, consumers and HCPs (data brokers) • Government data • Patient/consumer generated data • Observational and Sensor-based data The big-data revolution in US health care: Accelerating value and innovation http://www.mckinsey.com/insights/health_systems_and_services/the_big-data_revolution_in_us_health_care.

  15. Primary Data Pools The big-data revolution in US health care: Accelerating value and innovation http://www.mckinsey.com/insights/health_systems_and_services/the_big-data_revolution_in_us_health_care.

  16. Topics in Big Data, Privacy, and Health Care • Research • Personalized medicine • Pharmacogenetics • Precision and predictive medicine • Telehealth • Consumer-generated and stored data • Other topics? President’s Council of Advisors on Science & Technology, Big Data and Privacy: A Technological Perspective, May 2014. http://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy_-_may_2014.pdf

  17. Research Research

  18. Research Needs Relevant to Big Data One view of research in a Learning Health System: The future of health research and healthcare is in data • Granular data about all aspects of individuals’ health, genetic make-up, behaviors, families, environment, etc. • Data that will be collected from sensors and interactions, including EHRs, PHRs, home healthcare devices, smart phones, browsing behavior, social media interactions, embedded sensors, and a variety of other sources and analyzed as a whole system — what Lee Hood, President of the Institute for Systems Biology, describes as a “virtual cloud of billions of data points.” • This approach will facilitate the movement not only to increasingly “personalized medicine,” but to medicine that is “predictive, preventive, personalized, and participatory.” Lee Hood Group, Institute for Systems Biology, www.systemsbiology.org/hood-group

  19. Research Needs Relevant to Big Data • Access to Data • Aggregation of data from clinical trials for disease/therapeutic areas • Clinical data within and across EHRs • Genetic/biomarker, epidemiological and environmental data • Patient-level data without having direct patient identifiers • Dates are typically important • Access to analytics • Closed loop cycle: research to treatment to research

  20. Personalized Medicine Personalized Medicine

  21. Personalized Medicine • Personalized medicine: • “providing ‘the right patient with the right drug at the right dose at the right time.’” • “the tailoring of medical treatment to the individual characteristics, needs, and preferences of a patient during all stages of care, including prevention, diagnosis, treatment, and follow-up.” http://www.fda.gov/scienceresearch/specialtopics/personalizedmedicine/default.htm

  22. Pharmacogenetics • Personalized medicine is often based on pharmacogenetics modeling • Pharmacogenetics is the study of genetic differences in metabolic pathways which can affect individual responses to drugs, both in terms of therapeutic effect as well as adverse effects. • Machine learning models are used to guide medical treatments based on a patient’s genotype and background. Pharmacogenetics. http://en.wikipedia.org/wiki/Pharmacogenetics Matthew Fredrikson, Eric Lantz, SomeshJha, Simon Lin†, David Page, Thomas Ristenpart. Privacy in Pharmacogenetics: An End-to-End Case Study of Personalized Warfarin Dosing. University of Wisconsin, Marshfield Clinic Research Foundation. https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/fredrikson_matthew

  23. Precision and Predictive Medicine • Precision medicine is the application of panomic analysis and systems biology to analyze the cause of an individual patient's disease at the molecular level and then to utilize targeted treatments (possibly in combination) to address that individual patient's disease process. • Predictive medicine is a field of medicine that entails predicting the probability of disease and instituting preventive measures in order to either prevent the disease altogether or significantly decrease its impact upon the patient (such as by preventing mortality or limiting morbidity). Precision Medicine. http://en.wikipedia.org/wiki/Precision_medicine Predictive Medicine. http://en.wikipedia.org/wiki/Predictive_medicine

  24. Telehealth Telehealth

  25. Big Data & Telehealth • Telehealthis “the use of electronic information and telecommunications technologies to support long-distance clinical health care, patient and professional health-related education, public health and health administration.” Examples include: • Live interactive video or the use of store and forward transmission of diagnostic images, vital signs and/or video clips along with patient data for later review. • Remote patient monitoring to collect and send data to a home health agency or a remote diagnostic testing facility (RDTF) for interpretation. • Internet and wireless device usage for consumers to obtain specialized health information, education, and on-line discussion groups to provide peer-to-peer support. http://www.hrsa.gov/ruralhealth/about/telehealth/ http://www.americantelemed.org/about-telemedicine/what-is-telemedicine#.VC8UFvldXW8

  26. Consumer Generated and Stored Health Data Consumer Generated and Stored Health Data

  27. Consumer-generated Data • “Wearablescan unobtrusively gather and transmit objective, experiential data in real time, 24 hours a day, seven days a week. With this approach, research can evolve from looking at a very small number of data points and burdensome pencil-and-paper patient diaries collected sporadically to analyzing hundreds of readings per second from thousands of patients and attaining a critical mass of data to detect patterns and make new discoveries.” • Mobile devices might help aging people to detect diseases, such as Alzheimer’s. • Clear trend to aggregate devices on platforms, e.g., Qualcomm 2net and Apple IO HealthKit. Bolluyt, Jess. August 29, 2014. http://wallstcheatsheet.com/technology/what-are-wearable-devices-really-capable-of.html/?a=viewall#ixzz3ESIxMZpX President’s Council of Advisors on Science & Technology, Big Data and Privacy: A Technological Perspective, May 2014. http://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy_-_may_2014.pdf

  28. Consumer Stored Data • Health record banks/Personal Health Records • Secure repositories with internet-based interfaces that store personal health information. • Provides individual accounts that contain copies of medical records and additional information that may be added by the consumer optionally • Administrative functions include authentication, authorization, and certification • May be locally, regionally, or nationally based • Provided by employers, health insurers and independent consumer-facing entities. http://www.healthbanking.org/ http://www.healthbanking.org/docs/HRBA%20Architecture%20White%20Paper%20Jan%202013.pdf

  29. Laws and Policies Laws and Policies

  30. Laws and Policies That May Apply to Protecting Privacy in Health Care • Federal laws and regulations • Health Insurance Portability and Accountability Act (HIPAA) • Applies to covered entities • Health care providers, health plans, and health care clearinghouses • Privacy Rule • Security Rule • Health Information Technology for Economic and Clinical Health (HITECH) Act • Extends HIPAA to business associates • Are pharmaceutical providers considered business associates? • The Common Rule, 45 CFR Part 46 • Genetic Information Non-Discrimination Act (GINA) • Federal Trade Commission Act, Section 5 • Deceptiveness • Unfairness • Fair Credit Reporting Act (related to inference of health status) • Various state laws and regulations McEwen, Julie. TelehealthPrivacy Challenges: Reducing the Risk, March 2014. The MITRE Corporation.

  31. Laws and Policies That May Apply to Protecting Privacy in Health Care Laws and Policies Indiana University, Center for Law, Ethics and Applied Research in Health Information

  32. Laws and Policies That May Apply to Protecting Privacy in Health Care Laws and Policies Indiana University, Center for Law, Ethics and Applied Research in Health Information

  33. Policy Questions Policy Questions

  34. Policy Questions (1 of 2) • Research: • Are updates or additional policies needed to address ethical privacy frameworks and research standards? • Personalized Medicine, Pharmacogenetics, Predictive & Precision Medicine: • What policies and technologies exist to protect the privacy of databases? • What policies should be considered (including w/r/t trasnparency, notice/consent) for identifying disease traits, cohort matches, testing recommendations for patients based on data within their EHR? Based on face-face interaction with Clinician?

  35. Policy Questions (2 of 2) • Telehealth/Consumer: • What are individuals’ protections against privacy risks pursuant to telehealth, health apps, sensor-based data generation? • What policies should exist around use of health and non-health data to infer health status of individuals? • Access to and use of data to create inference. • Use of inferred health status – treatment, marketing, research • Disclosure of inferred health status – to HCP, to third party, if app-based to app manufacturer • What if this is a stated condition of use of the app?   • Analytics • What policies can be enacted to encourage the wide-spread implementation of current methods? • Recognizing the limitations of current guidance, what are additional solutions for the de-identification of data? • General Policy Questions • The PCAST notes that “the framework of notice and consent is also becoming unworkable as a useful foundation for policy.” What frameworks should be explored within the healthcare environment? For research, treatment, sharing. • How can we use big data to improve public health and balance collection, use, and retention needs with privacy and security imperatives?

  36. Back-up Back-Up

  37. Risks Risks

  38. Potential Big Data Privacy Risks in Health Care • There is an opportunity to re-define the conversation around risks with respect to privacy and big data in health care • “ . . . the concept of risk needs a broad frame, beyond the typical tangible harms like loss of employment or insurance discrimination and encompassing risks like stereotyping, harms to dignity and harms to trust in the historic confidentiality of the clinician-patient relationship.” Deven McGraw, Policy Frameworks to Enable Big Health Data

  39. Potential Big Data Privacy Risks in Health Care • Notice and Consent • Patients may not understand the privacy notices that are provided with health care services • Patients may feel that they must consent to the privacy policies and practices stated in the privacy notice in order to receive treatment • Big data challenges traditional concepts of notice and consent • Collection and Use Limitation • Medical device transmissions may be collected by the technology manufacturer in addition to the health care provider • Patients may be unaware that their use of technology may provide other types of sensitive information about them besides medical information • Patient information collected by technology may be used in ways that the patient may not have anticipated • Big data value is driven by the opportunity for n = all • Access and Accuracy • Patients may not be provided with access to the information about them that is collected by technology • Security • Adequate security mechanisms may not be in place within technology and the environment in which it is used. McEwen, Julie. TelehealthPrivacy Challenges: Reducing the Risk, March 2014. The MITRE Corporation.

  40. Potential Risks of De-Identification in Big Data • One of the biggest risks around de-identification is that “. . . de-identification does not eliminate risk of re-identification, protections are still needed for the residual re-identification and other privacy risks that remain in the data.” • There are no standards beyond what is set forth in HIPAA • Non-covered entities are not required to follow HIPAA standards Deven McGraw, Policy Frameworks to Enable Big Health Data

More Related