beyond privacy policies assessing inherent privacy risks of consumer health services
Download
Skip this Video
Download Presentation
Beyond Privacy Policies: Assessing Inherent Privacy Risks of Consumer Health Services

Loading in 2 Seconds...

play fullscreen
1 / 27

Beyond Privacy Policies: Assessing Inherent Privacy Risks of Consumer Health Services - PowerPoint PPT Presentation


  • 81 Views
  • Uploaded on

Beyond Privacy Policies: Assessing Inherent Privacy Risks of Consumer Health Services. Jens Weber, PhD, PEng James Williams, JD, Msc, Phd (cand). Work performed for the Privacy Commissioner of Canada. Examining consumer health informatics applications. Contributions: Taxonomy of offerings

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Beyond Privacy Policies: Assessing Inherent Privacy Risks of Consumer Health Services' - nicole-david


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
beyond privacy policies assessing inherent privacy risks of consumer health services
Beyond Privacy Policies:Assessing Inherent Privacy Risks of Consumer Health Services

Jens Weber, PhD, PEng

James Williams, JD, Msc, Phd (cand)

context
Work performed for the Privacy Commissioner of Canada.

Examining consumer health informatics applications.

Contributions:

Taxonomy of offerings

Ratings tools from a consumer perspective

Evaluation of certification regimes.

Context
overview
Overview
  • What are consumer health applications?
  • What schemes exist to rate privacy/security concerns?
  • A new rating methodology.
consumer health applications
Consumer Health Applications
  • prime objective of CHI: “to empower consumers by putting health information into their hands..... such as diagnoses, lab results, personal risk factors, and prescribed drugs.”
  • Not necessarily electronic.
consumer health applications1
Consumer Health Applications
  • Taxonomy:
  • (1) information aids
  • (2) decision aids
  • (3) education aids
  • (4) management aids
  • (5) health sales services
  • (6) meta/ratings services
cha information aids
CHA – Information Aids
  • Information aids provide consumers with services to:
  • (a) access
  • (b) store
  • (c) control
  • (d) distribute their PHI.
cha decision aids
CHA – Decision Aids
  • computer-supported services that take into account PHI in order to aid consumers in making health-related decisions.
  • Eg: telemediated or automated clinics, questionnaires.
cha education aids
CHA – Education Aids
  • Services that promote health literacy.
  • Eg, medical blogs, serious games, story collections, static websites.
cha management aids
CHA- Management Aids
  • Applications that support consumers in the ongoing longterm management of aspects of their health
  • Support group services: forums, chat rooms, etc.
  • Telemonitoring.
cha rating services
CHA- Rating Services
  • Provider rating services: allow consumers to rate care providers.
  • Application rating services.
  • Special case: application certification. ie. HONcode.
rating schemes
Rating Schemes
  • What about rating privacy risks?
  • Most privacy risk assessment methods are designed for organizations that manage PHI. (i.e., IPC Ontario, David Flaherty).
rating schemes1
Rating Schemes
  • Buffet and Kosa:
  • assess consumer privacy risk using assignment of probability and utility values to statements in privacy policies.
  • the probability represents the degree that users agree with a particular policy statement
  • Utility represents the degree that the users endorse a particular policy statement.
rating schemes2
Rating Schemes
  • Patient Privacy Rights (PPR) foundation.
  • Uses 'report card' metaphor to assess how well privacy policies cover criteria from sources like common law, statutory law, etc.
rating schemes3
Rating Schemes
  • Policy-based risk assessment methods are effective tools for assisting consumers to assess the privacy risks that are apparent from privacy policies.
  • Do not address the inherent risks of an entire spectrum of different service types.
  • Do not catch more subtle privacy threats, such as indirect information disclosure due to targeted advertisements and social computing
rating schemes4
Rating Schemes
  • Ourapproach: a complementary tool to aid consumers in gauging the inherent privacy risks associated with consumer health services.
  • The tool was developed based on a systematic review of the types of services and their associated privacy risks.
our approach
Our Approach
  • How did we come up with this?
  • Risk identification based on CSA model code.
  • Systematic literature review.
  • Legal research (case law, admin law)
our approach1
Our Approach
  • Example: Identifying Purposes and OPPs
  • OPPs are often not prominently presented to users of CHI applications.
  • OPPs are often presented as lengthy “fine print”, written in a language and structure that may obscure important aspects.
  • OPPs are often ‘hidden’ as part of even longer legal documents on the general terms of agreement for use of the online service.
our approach2
Our Approach
  • four main risk criteria are determined by:
  • (1) the businessmodel of the CHI application
  • (2) the CHI servicetypes provided within the application
  • (3) the service deliverymodel
  • (4) the company ownership
risks business model
Risks – Business Model
  • Marketingfunded: (high) revenue depends on exploiting PHI. Poss. for leaks, misuse.
  • Researchfunded: (high) possibility for secondary use. (PatientsLikeMe)
  • Employer/insurer: (med) secondary uses, data portability.
  • Consumerfunded: (low) vendor profits from subscription fees.
risks service type
Risks – Service Type
  • App ratings services, education aids: low
  • Provider ratings: moderate
  • Decision/management aids: high, since they use PHI. Telemonitoring, etc.
  • Support service (social networks): highest.
  • Information aids: high. PHRs include comprehensive information.
risks delivery model
Risks – Delivery Model
  • Locally installed: (user's pc) lowest
  • Mobile device: elevated risk due to possibility for theft or loss.
  • Hosted services: high risk. Breaches affect multiple consumers.
  • Cloud-based: highest. Third party service providers in other jurisdictions.
risks company ownership
Risks – Company Ownership
  • Canadian companies: subject to legislation, relatively easy to challenge.
  • Foreign controlled Canadian companies: elevated risk.
  • Entirely foreign: highest risk.
future work
Future Work
  • Implications of CHA: privacy law, law of evidence. Much to be done.
  • Empirical studies: use our model. Focus groups, case studies, or in practice.
  • Risk levels: much more to be done in refining our risk assessment.
ad