1 / 9

Identity Protection and Pseudonymisation

Identity Protection and Pseudonymisation. White Paper Proposal for 2008/09 A. Estelrich (GIP-DMP) S. Bittins (Fraunhofer ISST). Motivation. Primary Use scenarios: Pseudonymisation as a potential security mechanism

lanza
Download Presentation

Identity Protection and Pseudonymisation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Identity Protection and Pseudonymisation White Paper Proposal for 2008/09 A. Estelrich (GIP-DMP) S. Bittins (Fraunhofer ISST)

  2. Motivation • Primary Use scenarios: • Pseudonymisation as a potential security mechanism • reducing the actual protection requirement by decoupling the concrete patient’s identity from the health information • Secondary use scenarios (clinical research, public health): • data leaves the context of the physician where they are protected by professional discretion • the concrete identity of the patient is often of no interest • the utilisation of anonymisation/pseudonymisation means is mandatory for secondary use scenarios

  3. Pseudonymisation Models • Model 0: Identity Protection for Primary Use • Incorporates encryption & pseudonymisation for identity protection • Model 1: Identity Removal • For one-time secondry use • Identity is completely anonymised (e. g. for research purposes) • Model 2: Multiple data sources, one-time socondary use • Aims at linking multiple sources (e. g. XDS registries, repositories) • Incorporates one-way pseudonyms, generated by a TPP • the data source encrypts all medical data with the secondary users key • the encrypted data and the PID is send to a TPP building pseudonyms • the PSN and the encrypted data is forwarded to the secondary user • = the TPP cannot read data, the secondary user cannot tell the identity

  4. Flow-of-Data (Model 2) • one-way pseudonyms (no de-identification) due to one-way function • typically featuring asymmetric encryption in order to prevent the TPP from being able to actually read any medical data

  5. Pseudonymisation Models • Model 3: One-Time secondary use with re-identification • Incorporates two TPP, one for substituting the concrete identity, one for the actual pseudonymisation • the PID service knows the identity of the patient but contains no data • the PSEUD service can recover the PID by decrypt the PSN but does not know the concrete identity • Model 4:Pseudonymous Research Data Pool • is based on Model 3 but incorporates a data pool for research • pseudonym and medical data are permanently stored in the data pool • Model 5: Central DB with many secondary uses • Potential for research involving a central (clinical) database • the clinical database contains medical data but no identities • the concrete reference to the pseudonymised medical data is established over a TPP being able to assign a PID that is connected to the data

  6. The 5 Models 5 models proposed are quite flexible and they are entirely dependent on the local, national, and regional policies. The following documents are proposed for examination (some have been started already) as to investigate further which model could be applied where, but the local policies must be taken into consideration: ISO TS 25237 - Health informatics – Pseudonymisation HITSP Anonymize Component-C25 HITSP Pseudonymize Transaction-T24 HITSP Quality Interoperability Specification-IS06 HITSP Biosurveillance Interoperability Specification-IS02 HITSP Public Health Case Reporting Interoperability Specification-IS11

  7. Expected Acceptance • data protection and extended liability issues are gradually moving into the focus • cooperative health care networks have a extremely strong demand for compliant solutions • this profile provides essential building-blocks for designing those solutions • The eCR Initiative is currently providing and using various of the components presented here for full compliance • Significant potential for cross-border usability • May serve as a foundation for a pan-European identity protection framework

  8. Done • definition of pseudonymisation models • exemplary implementations for some of the models • introduction of model extensions: • provider pseudonymisation / transparency • integration into policy-based security architectures

  9. To-Do • Application of Pseudonymisation onto content profiles from PCC and QRPH • developing and definition of a set of “building-blocks” • implementation and deployment (policy-driven) • compose an „umbrella model“ to fully integrate Europe‘s special demands in safe-guarding and data protection while keeping compatibility and feasibility with the other participants needs and limiting implementation efforts

More Related