Privacy Challenges and Solutions for Health Information Systems

John C Mitchell, Stanford University

Themes
  • Privacy
    • Two approaches
      • Policy-based systems: provide info only if privacy policy allows
      • Anonymization: perturb publicly released data to preserve privacy
  • Healthcare provides practical example
    • Some background information on US healthcare trends
    • HIPAA regulation (also HITECH, additional hospital policies)
    • Balance: want good medical care, privacy from insurers
  • Formalization of privacy policy
    • Add policy-based reasoning to information systems
    • Also enables educational tools, other applications
  • Many unsolved problems
    • Combine related policies
    • Integrate individual, aggregate privacy
US Healthcare Crisis Ahead
  • Aging population
    • Not enough care facilities
  • Increasing costs
    • Cannot afford care if current trends continue
  • What can we do?
    • Keep patients out of the hospital
      • 5% of population incurs 30% of total cost, ~10% incurs 60% [NPR]
      • Help people stay in their homes longer
  • Information systems
    • Better bidirectional communication with patients
    • Better information → better diagnosis, fewer errors
    • Telemedicine, home monitoring can serve outpatients
Some terminology
  • Electronic Health Record (EHR)
    • Hospitals starting to store information electronically
    • Allow patients to interact with physicians
  • Personal Health Record (PHR)
  • Health Information Exchange (HIE)
    • Regional networking between hospitals, clinics
  • Telemedicine (Tel)
    • Remote monitoring, other applications
Privacy in Organizational Processes

[Diagram: patient information and patient medical bills flowing among the Patient, the Hospital, an Insurance Company, a Drug Company and Advertising]

GOAL: Respect privacy expectations in the transfer and use of personal information within and across organizational boundaries

What is privacy?
  • Contextual integrity
    • Normative framework for evaluating the flow of information between agents
    • Agents act in roles within social contexts
    • Principles of transmission
      • Confidentiality, reciprocity, desert, etc.
  • Differential privacy

[Diagram: a sanitizer San applied to database DB yields output S, and applied to a neighbouring database DB' yields S'; the distance between the two output distributions is bounded. Credit: Adam Smith]

Contextual Integrity
  • Philosophical account of privacy
    • Transfer of personal information
    • Describes what people care about
  • Flow governed by norms
    • Agents act in roles in social contexts
    • Information categorized by type
      • E.g., personal health information, psychiatric records, …
      • Rejects public/private dichotomy
  • Principles of transmission
    • Confidentiality, reciprocity, desert, etc.

[Nissenbaum 2004, BarthDMN ‘06]

Example: accessing patient health info

[Diagram: Doctor, Specialist, Patient and Surrogate interacting with the Electronic Health Record and the Patient Portal, under HIPAA Compliance]

Workflow example

[Diagram: humans plus an electronic system. The Patient sends a Health Question and an Appointment Request; the Secretary, Nurse and Doctor route the Health Question and return a Health Answer]

Utility: schedule appointments, obtain health answers

Privacy: HIPAA compliance+

Goals
  • Express policy precisely
    • Enterprise privacy policies
    • Privacy provisions from legislation
  • Analyze, enforce privacy policies
    • Does action comply with policy?
    • Does policy enforce the law?
  • Support audit
    • Privacy breach may occur. Find out how it happened
Privacy Model: “Contextual Integrity”

[Diagram: Alice sends Bob a message containing Charlie’s SSN, 078-05-1120]

Four identifiers of an action:
  • Sender
  • Receiver
  • Person this is about (subject)
  • Type of information

Gramm-Leach-Bliley Example

[Table columns: Sender role, Attribute, Subject role, Recipient role, Transmission principle]

Financial institutions must notify consumers if they share their non-public personal information with non-affiliated companies, but the notification may occur either before or after the information sharing occurs.

CI Norms and Policies

One technical slide for fun

  • Policy consists of norms
    • (+) inrole(p1, r1) ∧ inrole(p2, r2) ∧ inrole(q, r) ∧ t ∈ t' ∧ φ ∧ ψ
    • (−) inrole(p1, r1) ∧ inrole(p2, r2) ∧ inrole(q, r) ∧ t ∈ t' ∧ φ → ψ
    • φ is an agent constraint
    • ψ is a temporal condition
  • Norms assembled into policy formula
    • ∀p1,p2,q:P. ∀m:M. ∀t:T. incontext(p1, c) ∧ send(p1, p2, m) ∧ contains(m, q, t) →
      ∨{ φ+ | φ+ ∈ norms+(c) } ∧ ∧{ φ− | φ− ∈ norms−(c) }

Organizational process and compliance

[Diagram: Contextual Integrity norms and organizational objectives (purpose) feed an Information Policy and an Organizational Process Design; a Privacy Checker (LTL) produces a Compliance Evaluation and a Utility Checker (ATL*) produces a Utility Evaluation]

Auditing

[Diagram: Business Process Execution is observed by a Run-time Monitor that writes Audit Logs; Audit Algorithms check the logs against Privacy Policies and Utility Goals and output a Policy Violation plus the Accountable Agent]

HITECH Act and other extensions
  • Extends HIPAA to business associates
    • Closes HIPAA loophole
  • Tracking of information used in Payment, Treatment Operations (PTO)
    • Regulatory environment evolving
  • Additional provisions, e.g. minimum necessary information
    • a covered entity shall be treated as being in compliance … only if … limits such protected health information … to the minimum necessary to accomplish the intended purpose …
HITECH Excerpt…

(b) Disclosures Required to Be Limited to the Limited Data Set or the Minimum Necessary.—

(1) In general.—

(A) In general.— Subject to subparagraph (B), a covered entity shall be treated as being in compliance with section 164.502(b)(1) of title 45, Code of Federal Regulations, with respect to the use, disclosure, or request of protected health information described in such section, only if the covered entity limits such protected health information, to the extent practicable, to the limited data set (as defined in section 164.514(e)(2) of such title) or, if needed by such entity, to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request, respectively.

(B) Guidance.— Not later than 18 months after the date of the enactment of this section, the Secretary shall issue guidance on what constitutes "minimum necessary" for purposes of subpart E of part 164 of title 45, Code of Federal Regulation. In issuing such guidance the Secretary shall take into consideration the guidance under section 13424(c) and the information necessary to improve patient outcomes and to detect, prevent, and manage chronic disease.

(C) Sunset.— Subparagraph (A) shall not apply on and after the effective date on which the Secretary issues the guidance under subparagraph (B).

(2) Determination of minimum necessary.— For purposes of paragraph (1), in the case of the disclosure of protected health information, the covered entity or business associate disclosing such information shall determine what constitutes the minimum necessary to accomplish the intended purpose of such disclosure.

(3) Application of exceptions.— The exceptions described in section 164.502(b)(2) of title 45, Code of Federal Regulations, shall apply to the requirement under paragraph (1) as of the effective date described in section 13423 in the same manner that such exceptions apply to section 164.502(b)(1) of such title before such date.

(4) Rule of construction.— Nothing in this subsection shall be construed as affecting the use, disclosure, or request of protected health information that has been de-identified.

Prolog Code

File hitech_13405_b.pl:

    % HITECH 13405(b): action A is permitted when its sender believes the
    % disclosure is the minimum necessary for its purpose.
    permitted_by_13405_b(A) :-
        % is_minimum_necessary(A).   (stricter check, left commented out)
        is_belief_from_minimum(A),
        writeln('HITECH rule 13405.b;').

File basic_message_wrapper.pl:

    % A carries a belief, held by its sender X, that the message is the
    % minimum necessary to accomplish its purpose.
    is_belief_from_minimum(A) :-
        msg_from(A, X),
        has_msg_belief(A, _, minimum_necessary_to_purpose, X).

Our Translation…

(b) Disclosures Required to be Limited to the Limited Data Set or the Minimum Necessary.—

(1) In General.—

(A) In General.— A covered entity shall be treated as being in compliance with HIPAA’s use, disclosure, or request of protected health information only if the covered entity limits such protected health information to the limited data set (164.514(e)(2)) or to the minimum necessary (note1) to accomplish the intended purpose.

(B) Guidance.— Within 18 months, the Secretary should decide what is ‘‘minimum necessary’’, taking into account the guidance under section 13424(c) and the information necessary to improve patient outcomes and to detect, prevent, and manage chronic disease.

(C) Sunset.—Listen to (A) until (B) takes effect.

What is the logical structure of HIPAA?
  • Allow action if
    • There is a clause that explicitly permits it, and
    • No clause explicitly forbids it
  • In more detail ...
      • Action: to, from, about, type, purpose, consents, beliefs
      • e.g. Dr., lab, patient, PHI, treatment, -, -
  • Example

164.502 (a) Standard:
(1) Permitted uses and disclosures.
(ii) For treatment, payment, or health care operations, as permitted by and in compliance with 164.506;

HIPAA Translation

HIPAA Law §164.508.a.2

Covered entity must obtain an authorization for any use or disclosure of psychotherapy note, except if it is to be used by the originator of the psychotherapy notes for treatment;

  • Category (cat): When the rule applies
    • From: covered entity, Type: psychotherapy note
  • Exception (exc): When the rule does not apply
    • For: treatment, From: originator
  • Requirement(req): The necessary condition for the rule to permit
    • Consented_by: originator
  • Permitted_by_R :- cat ∧ ¬ exc ∧ req
  • Forbidden_by_R :- cat ∧ ¬ exc ∧ ¬ req
  • R_not_applicable :- ¬ cat ∨ exc
Combining Different Clauses

Rule 1
  • Permitted_by_R1 :- cat1 ∧ ¬ exc1 ∧ req1
  • Forbidden_by_R1 :- cat1 ∧ ¬ exc1 ∧ ¬ req1
  • R1_not_applicable :- ¬ cat1 ∨ exc1

Rule 2
  • Permitted_by_R2 :- cat2 ∧ ¬ exc2 ∧ req2
  • Forbidden_by_R2 :- cat2 ∧ ¬ exc2 ∧ ¬ req2
  • R2_not_applicable :- ¬ cat2 ∨ exc2
Conflict Resolution (at translation time)
  • Conflict
    • One rule R1 allows an action while the other rule R2 forbids it
  • Disjoint Rules
    • There exists no action such that R1 and R2 are both applicable: (cat1 ∧ ¬ exc1) ∩ (cat2 ∧ ¬ exc2) = ∅
  • Overlapping Rules
    • There exists some action such that R1 and R2 are both applicable: (cat1 ∧ ¬ exc1) ∩ (cat2 ∧ ¬ exc2) ≠ ∅
  • Subset Rules
    • Whenever R2 is applicable, so is R1: (cat1 ∧ ¬ exc1) ∩ (cat2 ∧ ¬ exc2) = cat2 ∧ ¬ exc2
  • Resolution
    • R1 is applicable when (cat1 ∧ ¬ exc1) ∧ ¬ (cat2 ∧ ¬ exc2)
Logic Structure
  • Declarative
    • Allows automatic logical combination of the policies
  • Non-recursive first order logic
    • HIPAA policy is a set of logic rules with an acyclic dependency graph
  • Structured negation
    • Uses a subset of stratified negation
  • No function parameters ⇒ decidable in polynomial time
    • Complete. Terminates with bounded search.
Refinement and Combination
  • Policy refinement
    • Basic policy relation
    • Does hospital policy enforce HIPAA?
  • P1 refines P2 if P1 ⇒ P2
    • Requires careful handling of attribute inheritance
  • Combination becomes logical conjunction
    • Defined in terms of refinement
Medical data in the cloud?

[Diagram: a Policy Engine answers Queries from applications (affiliated clinics, medical research); Encrypted Medical Data, produced by Attribute-based Encryption, is held in a cloud Database, and Attribute-based Decryption with matching Credentials recovers the Data]

Attribute-Based Encryption

[Diagram: a secret key SK is built from an access tree of OR and AND gates over the attributes Doctor, Nurse and ICU; data is encrypted under the public key PK and labelled with attributes such as “Doctor”, “Neurology”, “Nurse”, “Phys Therapy”]

Extracting ABE data policy
  • HIPAA, Hospital policy
    • Mapping: Action → {allow, deny}
    • Action: to, from, about, type, purpose, consents, beliefs
  • Action characterized by
    • Attributes of data: from, about, type, consents
    • Attributes of recipient: to, purpose, beliefs
  • Data policy
      • Data with attributes: from, about, type, consents
      • Has associated access policy
        { to, purpose, beliefs | Policy(to, from, about, type, purpose, consents, beliefs) = Allow }

Encrypted medical data in the cloud

[Diagram: the Hospital runs a Policy Engine that answers Queries from applications (affiliated clinics, medical research); Encrypted Medical Data, produced by Attribute-based Encryption, is held in a cloud Database, and a Remote user presenting Credentials performs Attribute-based Decryption to recover the Data]

Ongoing efforts
  • Hospital policy
    • Surrogate
    • Delegate
  • Education tools
    • Allow medical staff to pose questions, learn regulations
    • Theory: is there a canonical example hospital?
  • Combine with attribute-based encryption
    • Deductive access control within the enterprise
    • Cryptographic enforcement when data is exported
  • Model workflow and evaluate “least disclosure”, etc.
  • Audit
    • Medical environment: “break the glass”
Sponsoring Research Projects

Looking for students, postdoc

Conclusion
  • Privacy
    • Policy-based systems: provide info only if privacy policy allows
    • Anonymization: perturb publicly released data
  • Healthcare provides practical test case
  • Formalization of HIPAA privacy policy
    • Add policy-based reasoning to information systems
  • Future work
    • Extend to hospital policies, other examples
    • Educational tools, other applications
    • Theory: is there a canonical example hospital?
    • Integrate individual, aggregate privacy