
Medical Data Privacy Handbook (eBook)

eBook Download: PDF
2015 | 1st ed. 2015
XLIII, 832 pages
Springer International Publishing (publisher)
978-3-319-23633-9 (ISBN)

Price: EUR 213.99 incl. VAT (CHF 208.95)
eBook sales are handled by Lehmanns Media GmbH (Berlin) at the price in euros incl. VAT.
  • Download available immediately
This handbook covers Electronic Medical Record (EMR) systems, which enable the storage, management, and sharing of massive amounts of demographic, diagnosis, medication, and genomic information. It presents privacy-preserving methods for medical data, ranging from laboratory test results to doctors' comments. The reuse of EMR data can greatly benefit medical science and practice, but must be performed in a privacy-preserving way according to data sharing policies and regulations. Written by world-renowned leaders in this field, each chapter offers a survey of a research direction or a solution to problems in established and emerging research areas. The authors explore scenarios and techniques for facilitating the anonymization of different types of medical data, as well as various data mining tasks. Other chapters present methods for emerging data privacy applications and medical text de-identification, including detailed surveys of deployed systems. A part of the book is devoted to legislative and policy issues, reporting on the US and EU privacy legislation and the cost of privacy breaches in the healthcare domain. This reference is intended for professionals, researchers and advanced-level students interested in safeguarding medical data.

Aris Gkoulalas-Divanis received the BS from the University of Ioannina (2003), the MS from the University of Minnesota (2005) and the PhD from the University of Thessaly (2009), all in Computer Science. His PhD dissertation was awarded the Certificate of Recognition and Honorable Mention in the 2009 ACM SIGKDD Dissertation Award. From 2009 to 2010, he was a postdoctoral research fellow in the Dept. of Biomedical Informatics, Vanderbilt University, working on medical data privacy. In 2010, he joined IBM Research-Zurich as a Research Staff Member. Since 2012, he has been working in the Smarter Cities Technology Center of IBM Research-Ireland, leading research in the area of data privacy and anonymization. Aris is a regular reviewer for several prestigious journals and serves on the program committees of major conferences. He has co-authored/co-edited 4 Springer books in the areas of data anonymization, knowledge hiding, and large-scale data mining.

Grigorios Loukides is an Assistant Professor in the School of Computer Science & Informatics at Cardiff University and a Royal Academy of Engineering Research Fellow. His research interests lie broadly in the field of data management with a focus on privacy. His recent research investigates theoretical and practical aspects of data privacy, including algorithmic design, optimization, and formal modeling, and explores applications in healthcare and business. He has received 4 best paper awards, including an award from the American Medical Informatics Association (AMIA) Annual Symposium, 2009. He obtained a Diploma in Computer Science (2005) from University of Crete, Greece, and a PhD in Computer Science (2009) from Cardiff University, UK.

Preface
Acknowledgements
Contents
List of Figures
List of Tables
1 Introduction to Medical Data Privacy
1.1 Introduction
1.1.1 Privacy in Data Sharing
1.1.2 Privacy in Distributed and Dynamic Settings
1.1.3 Privacy for Emerging Applications
1.1.4 Privacy Through Policy, Data De-identification, and Data Governance
1.2 Part I: Privacy in Data Sharing
1.3 Part II: Privacy in Distributed and Dynamic Settings
1.4 Part III: Privacy for Emerging Applications
1.5 Part IV: Privacy Through Policy, Data De-identification, and Data Governance
1.6 Conclusion
References
Part I Privacy in Data Sharing
2 A Survey of Anonymization Algorithms for Electronic Health Records
2.1 Introduction
2.2 Privacy Threats and Models
2.2.1 Privacy Threats
2.2.2 Privacy Models
2.2.2.1 Models Against Identity Disclosure
2.2.2.2 Models Against Attribute Disclosure
2.3 Anonymization Algorithms
2.3.1 Algorithms Against Identity Disclosure
2.3.1.1 Data Transformation
2.3.1.2 Utility Objectives
2.3.1.3 Heuristic Strategies
2.3.1.4 Classification of Algorithms
2.3.1.5 Algorithms Against Attribute Disclosure
2.4 Directions for Future Research
2.5 Conclusion
References
3 Differentially Private Histogram and Synthetic Data Publication
3.1 Introduction
3.2 Differential Privacy
3.2.1 Concept of Differential Privacy
3.2.2 Mechanisms of Achieving Differential Privacy
3.2.3 Composition Theorems
3.3 Relational Data
3.3.1 Problem Setting
3.3.2 Parametric Algorithms
3.3.3 Semi-parametric Algorithms
3.3.4 Non-parametric Algorithms
3.4 Transaction Data
3.4.1 Problem Setting
3.4.2 DiffPart
3.4.3 Private FIM Algorithms
3.4.4 PrivBasis
3.5 Stream Data
3.5.1 Problem Setting
3.5.2 Discrete Fourier Transform
3.5.3 FAST
3.5.4 w-Event Privacy
3.6 Challenges and Future Directions
3.6.1 Variety of Data Types
3.6.2 High Dimensionality
3.6.3 Correlated Constraints Among Attributes
3.6.4 Limitations of Differential Privacy
3.7 Conclusion
References
4 Evaluating the Utility of Differential Privacy: A Use Case Study of a Behavioral Science Dataset
4.1 Introduction
4.2 Background
4.2.1 Syntactic Models: k-Anonymity
4.2.2 Differential Privacy: Definition
4.2.3 Applications
4.3 Methodology
4.3.1 Utility Measures
4.4 Results
4.4.1 Variable Distributions
4.4.1.1 Full Set
4.4.1.2 Reduced Sets
4.4.2 Multivariate Logistic Regression
4.4.2.1 Noisy Results
4.5 Discussion
4.6 Conclusion
References
5 SECRETA: A Tool for Anonymizing Relational, Transaction and RT-Datasets
5.1 Introduction
5.2 Related Work
5.3 Overview of SECRETA
5.3.1 Frontend of SECRETA
5.3.2 Backend of SECRETA
5.3.2.1 Key Definitions
5.3.3 Components
5.4 Using SECRETA
5.4.1 Preparing the Dataset
5.4.2 Using the Dataset Editor
5.4.3 The Hierarchy Editor
5.4.4 The Queries Workload Editor
5.4.5 Evaluating the Desired Method
5.4.6 Comparing Different Methods
5.5 Conclusion and Future Work
References
6 Putting Statistical Disclosure Control into Practice: The ARX Data Anonymization Tool
6.1 Introduction
6.1.1 Background
6.1.2 Objectives and Outline
6.2 The ARX Data Anonymization Tool
6.2.1 Background
6.2.2 Overview
6.2.2.1 Privacy Models
6.2.2.2 Risk Analysis and Risk-Based Anonymization
6.2.2.3 Utility Evaluation
6.2.2.4 Additional Features
6.2.3 System Architecture
6.2.4 Application Programming Interface
6.2.5 Graphical User Interface
6.2.5.1 Anonymization Process
6.2.5.2 Overview
6.2.5.3 Configuring the Anonymization Process
6.2.5.4 Exploring the Solution Space
6.2.5.5 Evaluating Data Utility
6.2.5.6 Analyzing Re-identification Risks
6.3 Implementation Details
6.3.1 Data Management
6.3.2 Pruning Strategies
6.3.3 Risk Analysis and Risk-Based Anonymization
6.4 Experimental Evaluation
6.5 Discussion
6.5.1 Comparison with Prior Work
6.5.2 Limitations and Future Work
6.5.3 Concluding Remarks
References
7 Utility-Constrained Electronic Health Record Data Publishing Through Generalization and Disassociation
7.1 Introduction
7.1.1 Identity Disclosure
7.1.2 Utility-Constrained Approach
7.1.3 Chapter Organization
7.2 Preliminaries
7.3 Generalization and Disassociation
7.4 Specification of Utility Constraints
7.4.1 Defining and Satisfying Utility Constraints
7.4.2 Types of Utility Constraints for ICD Codes
7.5 Utility-Constrained Anonymization Algorithms
7.5.1 Clustering-Based Anonymizer (CBA)
7.5.2 DISassociation Algorithm (DIS)
7.5.3 Comparing the CBA and DIS Algorithms
7.6 Future Directions
7.6.1 Different Forms of Utility Constraints
7.6.2 Different Approaches to Guaranteeing Data Utility
7.7 Conclusion
References
8 Methods to Mitigate Risk of Composition Attack in Independent Data Publications
8.1 Introduction
8.2 Composition Attack and Multiple Data Publications
8.2.1 Composition Attack
8.2.2 Multiple Coordinated Data Publications
8.2.3 Multiple Independent Data Publications
8.3 Risk Mitigation Through Randomization
8.4 Risk Mitigation Through Generalization
8.5 An Experimental Comparison
8.5.1 Data and Setting
8.5.2 Reduction of Risk of Composition Attacks
8.5.3 Comparison of Utility of the Two Methods
8.6 Risk Mitigation Through Mixed Publications
8.7 Conclusion
Appendix
A. Metrics
B. Differential Privacy
References
9 Statistical Disclosure Limitation for Health Data: A Statistical Agency Perspective
9.1 Introduction
9.2 Statistical Disclosure Limitation for Microdata from Social Surveys
9.2.1 Disclosure Risk Assessment
9.2.2 Statistical Disclosure Limitation Methods
9.2.2.1 PRAM for Categorical Key Variables
9.2.2.2 Additive Noise for Continuous Variables
9.2.3 Information Loss Measures
9.2.3.1 Distance Metrics
9.2.3.2 Impact on Measures of Association
9.2.3.3 Impact on Regression Analysis
9.3 Statistical Disclosure Limitation for Frequency Tables
9.3.1 Disclosure Risk in Whole Population Tabular Outputs
9.3.2 Disclosure Risk and Information Loss Measures Based on Information Theory
9.3.3 Statistical Disclosure Limitation Methods
9.3.3.1 Record Swapping
9.3.3.2 Semi-Controlled Random Rounding
9.3.3.3 Stochastic Perturbation
9.4 Differential Privacy in Survey Sampling and Perturbation
9.5 Future Outlook for Releasing Statistical Data
9.5.1 Safe Data Enclaves and Remote Access
9.5.2 Web-Based Applications
9.5.2.1 Flexible Table Generating Servers
9.5.2.2 Remote Analysis Servers
9.5.3 Synthetic Data
9.6 Conclusion
References
Part II Privacy in Distributed and Dynamic Settings
10 A Review of Privacy Preserving Mechanisms for Record Linkage
10.1 Introduction
10.2 Overview of Privacy Preserving Record Linkage
10.2.1 The PPRL Model
10.2.2 Taxonomy of Presented Techniques
10.2.2.1 Privacy Guarantee
10.2.2.2 Scalability
10.2.2.3 Linkage Quality
10.3 Secure Transformations
10.3.1 Attribute Suppression and Generalization Methods
10.3.2 N-Grams Methods
10.3.3 Embedding Methods
10.3.4 Phonetic Encoding Methods
10.4 Secure Multi-Party Computation
10.4.1 Commutative Encryption Based Protocols
10.4.2 Homomorphic Encryption Based Protocols
10.4.3 Secure Scalar Product Protocols
10.5 Hybrid Approaches
10.5.1 Standard Blocking
10.5.2 Sorted Neighborhood Approach
10.5.3 Mapping
10.5.4 Clustering
10.6 Challenges and Future Research Directions
10.7 Conclusion
References
11 Application of Privacy-Preserving Techniques in Operational Record Linkage Centres
11.1 Introduction
11.1.1 Record Linkage Research Infrastructure
11.1.2 Privacy Challenges in Health Record Linkage
11.2 Data Governance
11.2.1 Legal Obligations
11.2.2 Information Governance
11.2.3 Separation of Data and Functions
11.2.4 Application and Approval Process
11.2.5 Information Security
11.3 Operational Models and Data Flows
11.3.1 Centralized Model
11.3.2 Separated Models
11.3.2.1 Separated Model, with Centralized Clinical Data Repository
11.3.2.2 Separated Model, with No Centralized Data Repository
11.3.3 A Technique to Avoid Data Collusion
11.4 Privacy Preserving Methods
11.4.1 Privacy Preserving Models
11.4.2 Techniques for Privacy Preserving Linkage
11.4.2.1 Minimum Linkage Information (MLI)
11.4.3 Requirements of a Privacy Preserving Linkage Technique for Operational Linkage Centres
11.4.3.1 Measuring and Maintaining Linkage Quality
11.4.3.2 Efficiency
11.4.3.3 Simplicity for Data Providers
11.4.3.4 Security
11.5 Conclusion
References
12 Privacy Considerations for Health Information Exchanges
12.1 Introduction
12.2 Health Information Exchanges
12.2.1 HIE Actors and Systems
12.2.2 HIE Models
12.2.3 HIPAA, HITECH and HIE Privacy Governance
12.3 Privacy Issues with HIEs
12.3.1 Patient Expectations and Concerns
12.3.2 Tension Between Functionality, Security and Privacy
12.3.3 Data Stewardship and Ownership
12.4 Principles and Practice of Privacy for HIEs
12.4.1 Guiding Principles
12.4.2 HIE Privacy in Practice
12.5 Emerging Issues
12.5.1 Big Data
12.5.2 m-Health and Telemedicine
12.5.3 Medical Devices
12.6 Conclusion
References
13 Managing Access Control in Collaborative Processes for Healthcare Applications
13.1 Introduction
13.2 Related Works
13.3 An Illustrative Example: New York State HIV Clinical Education Initiative
13.4 Development of the Enhanced RBAC Model
13.4.1 Overview of the Enhanced RBAC Model
13.4.2 Support Team Collaboration: Bridging Entities and Contributing Attributes
13.4.3 Extending Access Permissions to Include Workflow Contexts
13.4.4 Role-Based Access Delegation Targeting on Specific Objects: Providing Flexibility for Access Control in Collaborative Processes
13.4.5 Integration of Multiple Representation Elements for Definition of Universal Constraints
13.4.6 Case Studies to Encode Access Policies for CEI
13.4.6.1 User, Roles, Objects, and Access Permissions
13.4.6.2 Collaboration Among CEI Centers
13.4.6.3 Management of Training Workflow
13.4.6.4 Inviting other CEI Centers for Collaboration
13.5 System Framework for Implementation of Enhanced RBAC
13.5.1 System Architecture
13.5.2 Encoding of Access Policies
13.5.3 Interpretation of Access Control Policies
13.5.4 Application Layer
13.5.5 Demonstration Tool
13.6 Evaluation of the Enhanced RBAC Model
13.6.1 Selection of Study Cases
13.6.2 Access Permissions Computed with the Enhanced RBAC Model and the CEIAdmin System
13.6.3 Comparison Between the Enhanced RBAC Model and the CEIAdmin System
13.6.4 Development of the Gold-Standard
13.6.5 Measuring Effectiveness Based on Gold-Standard
13.6.6 Results
13.7 Discussion
13.7.1 Features of the Enhanced RBAC Model
13.7.2 System Framework for Implementation
13.7.3 Evaluation
13.7.3.1 Overall Approach
13.7.3.2 Error Analyses
13.7.3.3 Qualitative Measures
13.7.4 Limitations
13.8 Conclusion
References
14 Automating Consent Management Lifecycle for Electronic Healthcare Systems
14.1 Introduction
14.2 Legal Background
14.2.1 Legal Framework for Consent
14.2.2 Consent in Healthcare Systems
14.2.3 Consent Limitations
14.3 A Case Study
14.4 Overview of Teleo-Reactive Policies
14.4.1 TR Policy Representation
14.4.2 TR Policy Evaluation
14.5 The ACTORS Approach
14.5.1 Authorisation Policies
14.5.2 Policy Templates
14.5.3 TR Policies
14.6 Managing Consent in Healthcare Scenarios
14.7 Related Work
14.8 Conclusion and Future Work
References
15 e-Health Cloud: Privacy Concerns and Mitigation Strategies
15.1 Introduction
15.2 An Overview of the e-Health Cloud
15.2.1 e-Health Cloud Benefits and Opportunities
15.2.1.1 Cost Reduction
15.2.1.2 Easy Infrastructure Management
15.2.1.3 Availability
15.2.1.4 Scalable Healthcare Services
15.2.2 Deployment Models for Cloud Based e-Health Systems
15.2.2.1 Private Cloud
15.2.2.2 Public Cloud
15.2.2.3 Hybrid Cloud
15.2.3 Threats to Health Data Privacy in the Cloud
15.2.3.1 Spoofing Identity
15.2.3.2 Data Tampering
15.2.3.3 Repudiation
15.2.3.4 Denial of Service (DoS)
15.2.3.5 Unlawful Privilege Escalation
15.2.4 Essential Requirements for Privacy Protection
15.2.4.1 Confidentiality
15.2.4.2 Integrity
15.2.4.3 Collusion Resistance
15.2.4.4 Anonymity
15.2.4.5 Authenticity
15.2.4.6 Unlinkability
15.2.5 User/Patient Driven Privacy Protection Requirements
15.2.5.1 Patient-Centric Access Control
15.2.5.2 Access Revocation
15.2.5.3 Auditing
15.2.6 Adversarial Models in the e-Health Cloud
15.3 Privacy Protection Strategies Employed in e-Health Cloud
15.3.1 Approaches to Protect Confidentiality in the e-Health Cloud
15.3.2 Approaches to Maintain Data Integrity in the e-Health Cloud
15.3.3 Approaches to Offer Collusion Resistance in the e-Health Cloud
15.3.4 Approaches to Maintain Anonymity in the e-Health Cloud
15.3.5 Approaches to Offer Authenticity in the e-Health Cloud
15.3.6 Approaches to Maintain Unlinkability in the e-Health Cloud
15.4 Discussion and Open Research Issues
15.5 Conclusion
References
Part III Privacy for Emerging Applications
16 Preserving Genome Privacy in Research Studies
16.1 Introduction
16.2 Policies, Legal Regulation and Ethical Principles of Genome Privacy
16.2.1 NIH Policies for Genomic Data Sharing
16.2.1.1 GWAS Data Sharing Policy
16.2.1.2 Genomic Data Sharing Policy
16.2.2 U.S. Legal Regulations for Genomic Data
16.2.3 Ethical Principles for Genome Privacy
16.2.4 Summary
16.3 Information Technology for Genome Privacy
16.3.1 Genome Privacy Risks
16.3.2 Genome Privacy Protection Technologies
16.3.3 Community Efforts on Genome Privacy Protection
16.4 Conclusion
References
17 Private Genome Data Dissemination
17.1 Introduction
17.2 Literature Review
17.2.1 Privacy Attacks and Current Practices
17.2.2 Privacy Preserving Techniques
17.3 Problem Statement
17.3.1 Privacy Protection Model
17.3.2 Privacy Attack Model
17.3.3 Utility Criteria
17.4 Genomic Data Anonymization
17.4.1 Anonymization Algorithm
17.4.2 Privacy Analysis
17.4.3 Computational Complexity
17.5 Experimental Results
17.6 Conclusion
References
18 Threats and Solutions for Genomic Data Privacy
18.1 Threats for Genomic Privacy
18.1.1 Kin Genomic Privacy
18.2 Solutions for Genomic Privacy
18.2.1 Privacy-Preserving Management of Raw Genomic Data
18.2.2 Private Use of Genomic Data in Personalized Medicine
18.2.3 Private Use of Genomic Data in Research
18.2.4 Coping with Weak Passwords for the Protection of Genomic Data
18.2.5 Protecting Kin Genomic Privacy
18.3 Future Research Directions
18.4 Conclusion
References
19 Encryption and Watermarking for Medical Image Protection
19.1 Introduction
19.2 Security Needs for Medical Data
19.2.1 General Framework
19.2.2 Refining Security Needs in an Applicative Context: Telemedicine Applications as Illustrative Example
19.3 Encryption Mechanisms: An A Priori Protection
19.3.1 Symmetric/Asymmetric Cryptosystems & DICOM
19.3.2 Block Cipher/Stream Cipher Algorithms
19.3.2.1 The AES Block Cipher Algorithm
19.3.2.2 The RC4 Stream Cipher Algorithm
19.4 Watermarking: An A Posteriori Protection Mechanism
19.4.1 Principles, Properties and Applications
19.4.1.1 A General Chain of Watermarking
19.4.1.2 Basic Properties of a Watermarking Algorithm
19.4.2 Watermarking Medical Images
19.4.2.1 Basic Lossy Watermarking Modulations
19.4.2.2 Lossless Watermarking
19.5 Combining Encryption with Watermarking
19.5.1 Continuous Protection with Various Security Objectives: A State of the Art
19.5.1.1 Watermarking Followed by Encryption
19.5.1.2 Encryption Followed by Watermarking
19.5.1.3 Commutative Encryption and Watermarking
19.5.1.4 Joint Watermarking-Decryption
19.5.2 A Joint Watermarking-Encryption (JWE) Approach
19.5.2.1 General Principles of the JWE System
19.5.2.2 JWE System for Verifying Image Reliability
19.5.2.3 JWE Implementation Based on QIM
19.5.2.4 JWE Approach Performance and DICOM Interoperability
19.6 Conclusion
References
20 Privacy Considerations and Techniques for Neuroimages
20.1 Introduction
20.2 Neuroimage Data
20.3 Privacy Risks with Medical Images
20.3.1 Neuroimage Privacy Threat Scenarios
20.3.2 Volume Rendering and Facial Recognition
20.3.3 Re-identification Using Structural MRI
20.4 Privacy Preservation Techniques for Medical Images
20.4.1 De-Identification Techniques
20.4.2 Privacy in Neuroimage Archives and Collaboration Initiatives
20.5 Conclusion
References
21 Data Privacy Issues with RFID in Healthcare
21.1 Introduction
21.1.1 RFID as a Technology
21.2 Dimensions of Privacy in Medicine
21.3 RFID in Medicine
21.3.1 Inventory Tracking
21.3.2 Tracking People
21.3.3 Device Management
21.4 Issues and Risks
21.5 Solutions
21.6 Conclusion
References
22 Privacy Preserving Classification of ECG Signals in Mobile e-Health Applications
22.1 Introduction
22.2 Plain Protocol
22.2.1 Classification Results
22.3 Cryptographic Primitives
22.3.1 Homomorphic Encryption
22.3.2 Oblivious Transfer
22.3.3 Garbled Circuits
22.3.4 Hybrid Protocols
22.4 Privacy Preserving Linear Branching Program
22.4.1 Linear Branching Programs (LBP)
22.4.1.1 Full-GC Implementation
22.4.1.2 Hybrid Implementation
22.4.2 ECG Classification Through LBP and Quadratic Discriminant Functions
22.4.2.1 Quantization Error Analysis
22.4.3 ECG Classification Through LBP and Linear Discriminant Functions
22.4.4 Complexity Analysis
22.4.4.1 More Efficient LBP Implementations
22.5 Privacy Preserving Classification by Using Neural Network
22.5.1 Neural Network Design
22.5.2 Quantized Neural Network Classifier
22.5.2.1 Representation vs. Classification Accuracy
22.5.3 Privacy-Preserving GC-Based NN Classifier
22.5.4 Privacy-Preserving Hybrid NN Classifier
22.5.5 Comparison with the LBP Solution
22.6 Privacy Preserving Quality Evaluation
22.6.1 SNR Evaluation in the Encrypted Domain
22.6.1.1 Protocol Complexity
22.6.2 SNR-Based Quality Evaluation
22.6.2.1 Complexity Analysis
22.6.2.2 Classification Performance
22.7 Conclusion
References
23 Strengthening Privacy in Healthcare Social Networks
23.1 Introduction
23.2 Social Networks
23.2.1 On-line Social Networks
23.2.2 Healthcare Social Networks
23.3 Privacy
23.3.1 Background
23.3.2 Personal and Sensitive Data
23.3.3 Privacy Principles
23.3.4 Privacy Threats
23.3.4.1 Digital Dossier Aggregation
23.3.4.2 Difficulty of Complete Account Deletion
23.3.4.3 Secondary Data Collection
23.3.4.4 De-Anonymization Attacks
23.3.4.5 Inference Attacks
23.3.4.6 Identity Theft
23.3.4.7 Phishing
23.3.4.8 Communication Tracking
23.3.4.9 Information Leakage
23.4 Privacy Requirements for HSNs
23.4.1 Privacy as System Requirement
23.5 Enhancing Privacy in OSNs and HSNs
23.6 On-line Social Networks in the Healthcare Domain
23.6.1 Advice Seeking Networks
23.6.2 Patient Communities
23.6.3 Professional Networks
23.7 Conclusion
References
Part IV Privacy Through Policy, Data De-identification, and Data Governance
24 Privacy Law, Data Sharing Policies, and Medical Data: A Comparative Perspective
24.1 Introduction
24.2 Overview of Data Privacy Legal Frameworks
24.3 Data Privacy Laws and Guidelines
24.3.1 The OECD Privacy Guidelines
24.3.2 The Council of Europe Convention 108
24.3.3 The European Union Data Protection Directive 95/46
24.3.4 UK Data Protection Act 1998
24.3.5 Canadian Privacy Legislation
24.3.6 The HIPAA Privacy Rule
24.4 Data Sharing Policies
24.4.1 US National Institutes of Health
24.4.2 Canadian Data Sharing Policies
24.4.3 Wellcome Trust (UK)
24.5 Towards Better Calibration of Biomedical Research, Health Service Delivery, and Privacy Protection
24.6 Conclusion
References
25 HIPAA and Human Error: The Role of Enhanced Situation Awareness in Protecting Health Information
25.1 Introduction
25.2 HIPAA, Privacy Breaches, and Related Costs
25.3 Situation Awareness and Privacy Protection
25.3.1 Definition of Situation Awareness
25.3.2 Linking Situation Awareness to Privacy Breaches
25.3.2.1 Level 1 SA: Failure to Correctly Perceive a Situation
25.3.2.2 Level 2 SA: Failure to Comprehend a Situation
25.3.2.3 Level 3 SA: Failure to Project a Situation into the Future
25.3.3 SA and HIPAA Privacy Breaches
25.3.3.1 Level 1 SA: Failure to Correctly Perceive a Situation
25.3.3.2 Level 2 SA: Failure to Comprehend a Situation
25.3.3.3 Level 3 SA: Failure to Project a Situation into the Future
25.4 Discussion and Conclusion
References
26 De-identification of Unstructured Clinical Data for Patient Privacy Protection
26.1 Introduction
26.2 Origins and Definition of Text De-identification
26.3 Methods Applied for Text De-identification
26.4 Clinical Text De-identification Application Examples
26.4.1 Physionet Deid
26.4.2 MIST (MITRE Identification Scrubber Toolkit)
26.4.3 VHA Best-of-Breed Clinical Text De-identification System
26.5 Why Not Anonymize Clinical Text?
26.6 U.S. Veterans Health Administration Clinical Text De-identification Efforts
26.7 Conclusion
References
27 Challenges in Synthesizing Surrogate PHI in Narrative EMRs
27.1 Introduction
27.2 Related Work
27.3 PHI Categories
27.4 Data
27.5 Strategies and Difficulties in Surrogate PHI Generation
27.5.1 HIPAA Category 1: Names
27.5.2 HIPAA Category 2: Locations
27.5.3 HIPAA Category 3: Dates and Ages
27.5.4 HIPAA Category 18: Other Potential Identifiers
27.5.4.1 Professions
27.6 Errors Introduced by Surrogate PHI
27.7 Relationship Between De-identification and Surrogate Generation
27.8 Conclusion
References
28 Building on Principles: The Case for Comprehensive, Proportionate Governance of Data Access
28.1 Introduction
28.2 Current Approaches to Data Access Governance
28.2.1 Existing Norms for Data Access Governance
28.2.2 The Preeminence of "Consent or Anonymize" as Approaches to Data Access Governance
28.2.3 Existing Data Access Governance in Practice
28.3 The Evolution of Data and Implications for Data Access Governance
28.3.1 Big Data
28.3.2 Open Data
28.3.3 The Ubiquity of Collection of Personal Information
28.3.4 The Limits of Existing Approaches to Data Access Governance
28.4 A Comprehensive Model for Governance: Proportionate and Principled
28.4.1 Proportionality
28.4.2 Principle-Based Regulation
28.4.3 Case Studies Using Proportionate and Principled Access
28.5 Building on the Present: A Flexible Governance Framework
28.5.1 Science
28.5.2 Approach
28.5.3 Data
28.5.4 People
28.5.5 Environment
28.5.6 Interest
28.5.7 Translating Risk Assessment to Review Requirements
28.5.8 Adjudication Scenarios
28.5.8.1 Scenario 1
28.5.8.2 Scenario 2
28.6 Conclusion
References
29 Epilogue
29.1 Introduction
29.2 Topics and Directions in Privacy Preserving Data Sharing
29.3 Topics and Directions in Privacy Preservation for Distributed and Dynamic Settings
29.4 Topics and Directions in Privacy Preservation for Emerging Applications
29.5 Topics and Directions in Privacy Preservation Through Policy, Data De-identification, and Data Governance
29.6 Conclusion
References
About the Authors
Glossary
Index

Publication date (per publisher): 26 November 2015
Additional info: XLIII, 832 p. 256 illus., 160 illus. in color.
Place of publication: Cham
Language: English
Subject area: Computer Science > Networks > Security / Firewall; Medicine / Pharmacy
Keywords: data anonymization • data privacy • Data sharing policies • Deployed systems • Disclosure risk assessment • Electronic health data streams • Electronic health networks • Genomic privacy • Medical data privacy • Medical image security • Medical IT • Privacy legislation • Text de-identification
ISBN-10 3-319-23633-4 / 3319236334
ISBN-13 978-3-319-23633-9 / 9783319236339
Format: PDF (watermarked)
Size: 17.4 MB

DRM: digital watermark
This eBook contains a digital watermark and is therefore personalized to you. If the eBook is improperly passed on to third parties, it can be traced back to the source.

File format: PDF (Portable Document Format)
With its fixed page layout, PDF is particularly suited to technical books with columns, tables and figures. A PDF can be displayed on almost any device, but is only of limited use on small displays (smartphone, eReader).

System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need a PDF viewer, e.g. Adobe Reader or Adobe Digital Editions.
eReader: This eBook can be read on (almost) all eBook readers. It is not compatible with the Amazon Kindle, however.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need a PDF viewer, e.g. the free Adobe Digital Editions app.

Additional feature: read online
In addition to downloading it, you can also read this eBook online in your web browser.

Buying eBooks from abroad
For tax law reasons we can sell eBooks only within Germany and Switzerland. Regrettably we cannot fulfill eBook orders from other countries.
