Institute of Software Technology and Interactive Systems, Vienna University of Technology, Favoritenstrasse 9-11, 1040 Vienna, Austria.
Int J Med Inform. 2011 Mar;80(3):190-204. doi: 10.1016/j.ijmedinf.2010.10.016. Epub 2010 Nov 13.
E-health enables the sharing of patient-related data whenever and wherever necessary. Electronic health records (EHRs) promise to improve communication between health care providers, thus leading to better quality of patients' treatment and reduced costs. However, because highly sensitive patient information is an attractive target for attackers and is also frequently demanded by insurance companies and employers, there is increasing social and political pressure to prevent the misuse of health data. This work addresses this problem and introduces a methodology that protects health records from unauthorized access and lets the patient, as data owner, decide who the authorized persons are, i.e., to whom the patient discloses her health information. The methodology thereby prevents data disclosure that negatively influences the patient's life (e.g., by being denied health insurance or employment).
This research uses a combination of conceptual-analytical, artifact-building and artifact-evaluating research approaches. The article starts with a detailed exploration of existing privacy protection mechanisms, such as encryption, anonymization and pseudonymization, by comparing and analyzing related work (conceptual-analytical approach). Based on these results and the identified shortcomings, a pseudonymization methodology is defined and evaluated by means of a threat analysis. Finally, the research results are validated with the design and implementation of a prototype (artifact building and artifact evaluation).
This paper presents a new methodology for the pseudonymization of medical data that stores health data decoupled from the corresponding patient-identifying information, allowing privacy-preserving secondary use of the health records in clinical studies without additional anonymization steps. In contrast to clinical studies, where it is not necessary to identify the individual participants, insurance companies and employers are interested in the health status of individuals such as potential insurance or job applicants. In this case, pseudonymized records are practically useless for these parties as the patient controls who is able to reestablish the link between health records and patient for primary use - usually only trusted health care providers.
The framework provides health care providers with a unique solution that guarantees data privacy (e.g., according to HIPAA) and allows primary and secondary use of the data at the same time. The security analysis showed that the methodology is secure and protected against common intruder scenarios.
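The decoupling described above (health data stored under a pseudonym, identity re-established only by parties the patient authorizes, and a research view that needs no further anonymization) can be modelled in a few lines. The following is an added illustration, not the paper's prototype: it assumes a keyed-hash pseudonym derived from a patient-held secret, a denylist of identifying fields, and sample record values that are constructed here.

```python
import hashlib
import hmac
import secrets

# Assumed denylist of identifying fields that must never enter the health store.
IDENTIFYING_FIELDS = {"name", "patient_id", "address", "date_of_birth"}

def derive_pseudonym(secret, patient_id):
    # Keyed hash: without the patient's secret, the pseudonym cannot be linked to patient_id.
    return hmac.new(secret, patient_id.encode(), hashlib.sha256).hexdigest()

class PseudonymizedEHR:
    # Health-data store keyed only by pseudonym; it never holds patient identities.
    def __init__(self):
        self.records = {}  # pseudonym -> list of health records

    def store(self, pseudonym, record):
        # Enforce decoupling at write time: refuse records that carry identifiers.
        leaked = IDENTIFYING_FIELDS & set(record)
        if leaked:
            raise ValueError(f"record carries identifying fields: {sorted(leaked)}")
        self.records.setdefault(pseudonym, []).append(dict(record))

    def research_view(self):
        # Secondary use: per-pseudonym records, analysable without re-identification.
        return {p: list(r) for p, r in self.records.items()}

class Patient:
    # Data owner: holds the only secret from which her pseudonym can be derived.
    def __init__(self, patient_id):
        self.patient_id = patient_id
        self.secret = secrets.token_bytes(32)

    def pseudonym(self):
        return derive_pseudonym(self.secret, self.patient_id)

    def authorize(self, provider):
        # Primary use: the patient hands the relink secret to a provider she trusts.
        provider.relink_secrets[self.patient_id] = self.secret

class Provider:
    def __init__(self):
        self.relink_secrets = {}  # patient_id -> secret, populated only by the patient

    def records_for(self, ehr, patient_id):
        secret = self.relink_secrets.get(patient_id)
        if secret is None:
            raise PermissionError("patient has not authorized this provider")
        return ehr.records.get(derive_pseudonym(secret, patient_id), [])
```

A party that knows the patient identifier but holds no relink secret (an insurer or employer in the paper's scenario) is refused by `records_for`, while the research view remains usable because it never contained identifiers in the first place.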