Beyond privacy policies assessing inherent privacy risks of consumer health services
This presentation is the property of its rightful owner.
Sponsored Links
1 / 27

Beyond Privacy Policies: Assessing Inherent Privacy Risks of Consumer Health Services PowerPoint PPT Presentation


  • 38 Views
  • Uploaded on
  • Presentation posted in: General

Beyond Privacy Policies: Assessing Inherent Privacy Risks of Consumer Health Services. Jens Weber, PhD, PEng James Williams, JD, Msc, Phd (cand). Work performed for the Privacy Commissioner of Canada. Examining consumer health informatics applications. Contributions: Taxonomy of offerings

Download Presentation

Beyond Privacy Policies: Assessing Inherent Privacy Risks of Consumer Health Services

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Beyond privacy policies assessing inherent privacy risks of consumer health services

Beyond Privacy Policies:Assessing Inherent Privacy Risks of Consumer Health Services

Jens Weber, PhD, PEng

James Williams, JD, Msc, Phd (cand)


Context

Work performed for the Privacy Commissioner of Canada.

Examining consumer health informatics applications.

Contributions:

Taxonomy of offerings

Ratings tools from a consumer perspective

Evaluation of certification regimes.

Context


Overview

Overview

  • What are consumer health applications?

  • What schemes exist to rate privacy/security concerns?

  • A new rating methodology.


Consumer health applications

Consumer Health Applications

  • prime objective of CHI: “to empower consumers by putting health information into their hands..... such as diagnoses, lab results, personal risk factors, and prescribed drugs.”

  • Not necessarily electronic.


Consumer health applications1

Consumer Health Applications

  • Taxonomy:

  • (1) information aids

  • (2) decision aids

  • (3) education aids

  • (4) management aids

  • (5) health sales services

  • (6) meta/ratings services


Cha information aids

CHA – Information Aids

  • Information aids provide consumers with services to:

  • (a) access

  • (b) store

  • (c) control

  • (d) distribute their PHI.


Cha information aids1

CHA – Information Aids


Cha decision aids

CHA – Decision Aids

  • computer-supported services that take into account PHI in order to aid consumers in making health-related decisions.

  • Eg: telemediated or automated clinics, questionnaires.


Cha education aids

CHA – Education Aids

  • Services that promote health literacy.

  • Eg, medical blogs, serious games, story collections, static websites.


Cha management aids

CHA- Management Aids

  • Applications that support consumers in the ongoing longterm management of aspects of their health

  • Support group services: forums, chat rooms, etc.

  • Telemonitoring.


Cha rating services

CHA- Rating Services

  • Provider rating services: allow consumers to rate care providers.

  • Application rating services.

  • Special case: application certification. ie. HONcode.


Rating schemes

Rating Schemes

  • What about rating privacy risks?

  • Most privacy risk assessment methods are designed for organizations that manage PHI. (i.e., IPC Ontario, David Flaherty).


Rating schemes1

Rating Schemes

  • Buffet and Kosa:

  • assess consumer privacy risk using assignment of probability and utility values to statements in privacy policies.

  • the probability represents the degree that users agree with a particular policy statement

  • Utility represents the degree that the users endorse a particular policy statement.


Rating schemes2

Rating Schemes

  • Patient Privacy Rights (PPR) foundation.

  • Uses 'report card' metaphor to assess how well privacy policies cover criteria from sources like common law, statutory law, etc.


Rating schemes3

Rating Schemes

  • Policy-based risk assessment methods are effective tools for assisting consumers to assess the privacy risks that are apparent from privacy policies.

  • Do not address the inherent risks of an entire spectrum of different service types.

  • Do not catch more subtle privacy threats, such as indirect information disclosure due to targeted advertisements and social computing


Rating schemes4

Rating Schemes

  • Ourapproach: a complementary tool to aid consumers in gauging the inherent privacy risks associated with consumer health services.

  • The tool was developed based on a systematic review of the types of services and their associated privacy risks.


Our approach

Our Approach

  • How did we come up with this?

  • Risk identification based on CSA model code.

  • Systematic literature review.

  • Legal research (case law, admin law)


Our approach1

Our Approach

  • Example: Identifying Purposes and OPPs

  • OPPs are often not prominently presented to users of CHI applications.

  • OPPs are often presented as lengthy “fine print”, written in a language and structure that may obscure important aspects.

  • OPPs are often ‘hidden’ as part of even longer legal documents on the general terms of agreement for use of the online service.


Our approach2

Our Approach

  • four main risk criteria are determined by:

  • (1) the businessmodel of the CHI application

  • (2) the CHI servicetypes provided within the application

  • (3) the service deliverymodel

  • (4) the company ownership


Risks business model

Risks – Business Model

  • Marketingfunded: (high) revenue depends on exploiting PHI. Poss. for leaks, misuse.

  • Researchfunded: (high) possibility for secondary use. (PatientsLikeMe)

  • Employer/insurer: (med) secondary uses, data portability.

  • Consumerfunded: (low) vendor profits from subscription fees.


Risks service type

Risks – Service Type

  • App ratings services, education aids: low

  • Provider ratings: moderate

  • Decision/management aids: high, since they use PHI. Telemonitoring, etc.

  • Support service (social networks): highest.

  • Information aids: high. PHRs include comprehensive information.


Risks delivery model

Risks – Delivery Model

  • Locally installed: (user's pc) lowest

  • Mobile device: elevated risk due to possibility for theft or loss.

  • Hosted services: high risk. Breaches affect multiple consumers.

  • Cloud-based: highest. Third party service providers in other jurisdictions.


Risks company ownership

Risks – Company Ownership

  • Canadian companies: subject to legislation, relatively easy to challenge.

  • Foreign controlled Canadian companies: elevated risk.

  • Entirely foreign: highest risk.


Future work

Future Work

  • Implications of CHA: privacy law, law of evidence. Much to be done.

  • Empirical studies: use our model. Focus groups, case studies, or in practice.

  • Risk levels: much more to be done in refining our risk assessment.


  • Login