Chiang Yu-Cheng, Hsu Tsan-sheng, Kuo Sun, Liau Churn-Jung, Wang Da-Wei
Department of Information Management, National Taiwan University, Taiwan, ROC.
Int J Med Inform. 2003 Aug;71(1):17-23. doi: 10.1016/s1386-5056(03)00030-3.
We propose a computer system called Cellsecu that maintains the anonymity and the confidentiality of each cell containing sensitive information in medical database. Cellsecu attains this by automatically removing, generalizing, and expanding information. It is designed to enhance data privacy protection so a data warehouse can automatically handle queries. In most cases, health organizations collect medical data with explicit identifiers, such as name, address and phone number. Simply removing all explicit identifiers prior to release of the data is not enough to preserve the data confidentiality. Remaining data can be used to re-identify individuals by linking or matching the data to other database, or by looking at unique characteristics found in the database. A formal model based on Modal logic is the theoretical foundation of Cellsecu. As well, a new confidentiality criteria called "non-uniqueness" is defined and implemented. We believe modeling this problem formally can clarify the issue as well as clearly identify the boundary of current technology. Base on our preliminary performance evaluation, the confidentiality check module and the confidentiality enhancing module only slightly degrade system performance.
我们提出了一种名为Cellsecu的计算机系统,该系统可维护医学数据库中每个包含敏感信息的单元格的匿名性和保密性。Cellsecu通过自动删除、概括和扩展信息来实现这一点。它旨在增强数据隐私保护,以便数据仓库能够自动处理查询。在大多数情况下,卫生组织收集带有明确标识符(如姓名、地址和电话号码)的医疗数据。在发布数据之前简单地删除所有明确标识符不足以保护数据机密性。剩余的数据可通过将数据与其他数据库进行链接或匹配,或者通过查看数据库中发现的独特特征来重新识别个人。基于模态逻辑的形式模型是Cellsecu的理论基础。此外,还定义并实施了一种名为“非唯一性”的新保密标准。我们认为,对这个问题进行形式化建模可以澄清问题,并清楚地确定当前技术的边界。基于我们的初步性能评估,保密检查模块和保密增强模块只会略微降低系统性能。
