Post on 25-Feb-2016
Privacy Challenges and Solutions for Health Information Systems
John C Mitchell, Stanford University
Themes
Privacy. Two approaches:
• Policy-based systems: provide information only if the privacy policy allows it
• Anonymization: perturb publicly released data to preserve privacy
Healthcare provides a practical example. Some background information on US healthcare trends; HIPAA regulation (also HITECH, additional hospital policies). Balance: we want good medical care, and privacy from insurers.
Formalization of privacy policy: add policy-based reasoning to information systems; also enables educational tools and other applications.
Many unsolved problems: combine related policies; integrate individual and aggregate privacy.
US Healthcare Crisis Ahead
• Aging population
• Not enough care facilities
• Increasing costs
• Cannot afford care if current trends continue
What can we do?
• Keep patients out of the hospital: 5% of population incurs 30% of total cost, ~10% incurs 60% [NPR]
• Help people stay in their homes longer
Information systems: better bidirectional communication with patients; better information means better diagnosis and fewer errors; telemedicine and home monitoring can serve outpatients.
Some terminology
• Electronic Health Record (EHR): hospitals starting to store information electronically
• Personal Health Record (PHR): allows patients to interact with physicians
• Health Information Exchange (HIE): regional networking between hospitals, clinics
• Telemedicine (Tel): remote monitoring, other applications
Privacy in Organizational Processes
[Diagram: flows of patient information and patient medical bills among the Patient, the Hospital, the Insurance Company, the Drug Company and Advertising.]
GOAL: Respect privacy expectations in the transfer and use of personal information within and across organizational boundaries.
What is privacy?
Contextual integrity: a normative framework for evaluating the flow of information between agents. Agents act in roles within social contexts. Principles of transmission: confidentiality, reciprocity, desert, etc.
Differential privacy [Adam Smith]: [Figure: a sanitizer San applied to a database DB and to a neighbouring DB' (differing in one record) yields output distributions whose distance is bounded.]
Contextual Integrity
A philosophical account of privacy concerned with the transfer of personal information; it describes what people care about.
• Flow governed by norms: agents act in roles in social contexts
• Information categorized by type, e.g. personal health information, psychiatric records, …
• Rejects the public/private dichotomy
• Principles of transmission: confidentiality, reciprocity, desert, etc.
[Nissenbaum 2004, BarthDMN '06]
Example: accessing patient health info
[Diagram: agents in roles (Patient, Surrogate, Doctor, Specialist, Nurse, Secretary) interacting through the Electronic Health Record and the Patient Portal, with HIPAA compliance governing the flows.]
Workflow example
[Diagram: the Patient sends a Health Question or an Appointment Request to the Doctor, and the Doctor returns a Health Answer.]
Privacy: HIPAA compliance+ (humans + electronic system)
Utility: schedule appointments, obtain health answers
Goals
• Express policy precisely: enterprise privacy policies, privacy provisions from legislation
• Analyze, enforce privacy policies: Does an action comply with policy? Does the policy enforce the law?
• Support audit: a privacy breach may occur; find out how it happened
Privacy Model: "Contextual Integrity"
Example: Alice sends Bob Charlie's SSN, 078-05-1120.
Four identifiers of an action: 1) Sender, 2) Receiver, 3) Person this is about (subject), 4) Type of information.
A norm names a sender role, a recipient role, a subject role, an attribute, and a transmission principle.
Gramm-Leach-Bliley Example: Financial institutions must notify consumers if they share their non-public personal information with non-affiliated companies, but the notification may occur either before or after the information sharing occurs.
CI Norms and Policies
A policy consists of norms. Each norm, positive (+) or negative (−), states the sender role (inrole(p1, r1)), the recipient role (inrole(p2, r2)), the subject role (inrole(q, r)) and a relation between the information type t of the message and the norm's type t', together with an agent constraint and a temporal condition.
Norms are assembled into a policy formula: for all agents p1, p2, q : P, messages m : M and types t : T, if incontext(p1, c) ∧ send(p1, p2, m) ∧ contains(m, q, t), then at least one positive norm in norms+(c) holds and every negative norm in norms−(c) holds.
One technical slide for fun: organizational process and compliance
[Architecture diagram. Contextual Integrity supplies norms and purposes to the Organizational Objectives and the Information Policy. Organizational Process Design is checked against them by a Privacy Checker (LTL) and a Utility Checker (ATL*), yielding a Compliance Evaluation and a Utility Evaluation. Business Process Execution is observed by a Run-time Monitor against the Privacy Policies and Utility Goals and produces Audit Logs; Auditing runs Audit Algorithms over the logs and reports a Policy Violation together with the Accountable Agent.]
HITECH Act and other extensions
• Extends HIPAA to business associates; closes a HIPAA loophole
• Tracking of information used in Payment, Treatment, Operations (PTO)
• Regulatory environment evolving
• Additional provisions, e.g. minimum necessary information: "a covered entity shall be treated as being in compliance … only if … limits such protected health information … to the minimum necessary to accomplish the intended purpose …"
HITECH Excerpt…
(b) Disclosures Required to Be Limited to the Limited Data Set or the Minimum Necessary.—
(1) In general.—
(A) In general.— Subject to subparagraph (B), a covered entity shall be treated as being in compliance with section 164.502(b)(1) of title 45, Code of Federal Regulations, with respect to the use, disclosure, or request of protected health information described in such section, only if the covered entity limits such protected health information, to the extent practicable, to the limited data set (as defined in section 164.514(e)(2) of such title) or, if needed by such entity, to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request, respectively.
(B) Guidance.— Not later than 18 months after the date of the enactment of this section, the Secretary shall issue guidance on what constitutes "minimum necessary" for purposes of subpart E of part 164 of title 45, Code of Federal Regulation. In issuing such guidance the Secretary shall take into consideration the guidance under section 13424(c) and the information necessary to improve patient outcomes and to detect, prevent, and manage chronic disease.
(C) Sunset.— Subparagraph (A) shall not apply on and after the effective date on which the Secretary issues the guidance under subparagraph (B).
(2) Determination of minimum necessary.— For purposes of paragraph (1), in the case of the disclosure of protected health information, the covered entity or business associate disclosing such information shall determine what constitutes the minimum necessary to accomplish the intended purpose of such disclosure.
(3) Application of exceptions.— The exceptions described in section 164.502(b)(2) of title 45, Code of Federal Regulations, shall apply to the requirement under paragraph (1) as of the effective date described in section 13423 in the same manner that such exceptions apply to section 164.502(b)(1) of such title before such date.
(4) Rule of construction.— Nothing in this subsection shall be construed as affecting the use, disclosure, or request of protected health information that has been de-identified.
Our Translation…
(b) Disclosures Required to be Limited to the Limited Data Set or the Minimum Necessary.—
(1) In General.—
(A) In General.— A covered entity shall be treated as being in compliance with HIPAA's use, disclosure, or request of protected health information only if the covered entity limits such protected health information to the limited data set (164.514(e)(2)) or to the minimum necessary (note 1) to accomplish the intended purpose.
(B) Guidance.— Within 18 months, the Secretary should decide what is "minimum necessary", taking into account the guidance under section 13424(c) and the information necessary to improve patient outcomes and to detect, prevent, and manage chronic disease.
(C) Sunset.— Listen to (A) until (B) takes effect.
Prolog Code
File hitech_13405_b.pl:
  % Action A is permitted by HITECH 13405(b) when the disclosing party holds the
  % belief that the disclosure is the minimum necessary for its purpose. The direct
  % test is_minimum_necessary(A) is left commented out in favour of the belief check.
  permitted_by_13405_b(A) :-
      % is_minimum_necessary(A).
      is_belief_from_minimum(A),
      writeln('HITECH rule 13405.b;').

File basic_message_wrapper.pl:
  % X is the sender of message A, and A carries X's belief that the disclosure
  % is the minimum necessary to its purpose.
  is_belief_from_minimum(A) :-
      msg_from(A, X),
      has_msg_belief(A, _, minimum_necessary_to_purpose, X).
What is the logical structure of HIPAA?
Allow an action if there is a clause that explicitly permits it, and no clause explicitly forbids it.
In more detail, an action has the fields to, from, about, type, purpose, consents, beliefs; e.g. Dr., lab, patient, PHI, treatment, -, -.
Example: §164.502(a) Standard: (1) Permitted uses and disclosures. (ii) For treatment, payment, or health care operations, as permitted by and in compliance with §164.506;
HIPAA Translation
HIPAA Law §164.508(a)(2): Covered entity must obtain an authorization for any use or disclosure of a psychotherapy note, except if it is to be used by the originator of the psychotherapy notes for treatment.
• Category (cat), when the rule applies: From (usrc): covered entity; Type (mtyp): psychotherapy note
• Exception (exc), when the rule does not apply: For (mpur): treatment; From (usrc): originator
• Requirement (req), the necessary condition for the rule to permit: Consented_by (c): originator
Rule as a table (columns: Category usrc, mtyp | Exception mpur, usrc | Requirement c):
  covered entity, psychotherapy note | treatment, originator | <originator, - >
Permitted_by_R :- cat ∧ ¬ exc ∧ req
Forbidden_by_R :- cat ∧ ¬ exc ∧ ¬ req
R_not_applicable :- ¬ cat ∨ exc
Outcomes for the same rule as marked on the slide (+ permitted, − forbidden, X not applicable):
  + covered entity, psychotherapy note | treatment, originator | <originator, S>
  − covered entity, psychotherapy note | treatment, originator | <originator, S>
  X covered entity, psychotherapy note | treatment, originator | (none)
Combining Different Clauses
Rule 1:
Permitted_by_R1 :- cat1 ∧ ¬ exc1 ∧ req1
Forbidden_by_R1 :- cat1 ∧ ¬ exc1 ∧ ¬ req1
R1_not_applicable :- ¬ cat1 ∨ exc1
Rule 2:
Permitted_by_R2 :- cat2 ∧ ¬ exc2 ∧ req2
Forbidden_by_R2 :- cat2 ∧ ¬ exc2 ∧ ¬ req2
R2_not_applicable :- ¬ cat2 ∨ exc2
Compliant_with_R :- Permitted_by_R1 ∧ Permitted_by_R2 ∧ … ∧ Permitted_by_Rn ∧ ¬ Forbidden_by_R1 ∧ ¬ Forbidden_by_R2 ∧ … ∧ ¬ Forbidden_by_Rn
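The cat/exc/req structure and the combination of clauses, as an added example in Python rather than the talk's Prolog (not the project's code): each rule is three predicates over an action, a rule yields permitted, forbidden or not applicable, and an action is compliant when some clause permits it and none forbids it, as stated above. The two rule bodies are simplified readings of §164.502(a)(1)(ii) and §164.508(a)(2), and the role names are constructed.

```python
# Added example (not from the talk): a HIPAA clause as cat/exc/req predicates,
# evaluated and combined as described above. Rule contents are simplified.
from dataclasses import dataclass
from typing import Callable, FrozenSet
@dataclass(frozen=True)
class Action:
    sender: str       # "from": the party using or disclosing
    recipient: str    # "to"
    about: str        # subject of the information
    mtype: str        # type of information
    purpose: str
    consents: FrozenSet[str] = frozenset()  # parties who consented

@dataclass(frozen=True)
class Rule:
    name: str
    cat: Callable[[Action], bool]  # category: when the rule applies
    exc: Callable[[Action], bool]  # exception: when it does not apply after all
    req: Callable[[Action], bool]  # requirement: condition under which it permits

def evaluate(rule: Rule, a: Action) -> str:
    # Permitted_by_R :- cat ∧ ¬exc ∧ req;  Forbidden_by_R :- cat ∧ ¬exc ∧ ¬req;
    # R_not_applicable :- ¬cat ∨ exc
    if not rule.cat(a) or rule.exc(a):
        return "not_applicable"
    return "permitted" if rule.req(a) else "forbidden"

def compliant(rules, a: Action) -> bool:
    # Allow iff some clause explicitly permits and no clause explicitly forbids.
    verdicts = [evaluate(r, a) for r in rules]
    return "permitted" in verdicts and "forbidden" not in verdicts
COVERED = {"hospital", "originator"}  # constructed set of covered-entity senders
# 164.502(a)(1)(ii): a covered entity may use/disclose for treatment, payment, operations.
R_502 = Rule("164.502(a)(1)(ii)", cat=lambda a: a.sender in COVERED, exc=lambda a: False,
             req=lambda a: a.purpose in {"treatment", "payment", "operations"})
# 164.508(a)(2): a psychotherapy note needs the originator's authorization,
# unless the originator itself uses it for treatment.
R_508 = Rule("164.508(a)(2)",
             cat=lambda a: a.sender in COVERED and a.mtype == "psychotherapy_note",
             exc=lambda a: a.sender == "originator" and a.purpose == "treatment",
             req=lambda a: "originator" in a.consents)
HIPAA = [R_502, R_508]
def example_verdicts():
    # Three constructed actions on one psychotherapy note; returns compliance bools.
    note = dict(about="patient", mtype="psychotherapy_note")
    no_consent = Action("hospital", "insurer", purpose="payment", **note)
    consented = Action("hospital", "insurer", purpose="payment",
                       consents=frozenset({"originator"}), **note)
    own_treatment = Action("originator", "originator", purpose="treatment", **note)
    return tuple(compliant(HIPAA, a) for a in (no_consent, consented, own_treatment))
```

The first action is forbidden by §164.508(a)(2) even though §164.502 permits it, which is exactly the "no clause explicitly forbids" half of the combination rule at work.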
Conflict Resolution (at translation time)
Conflict: one rule R1 allows an action while the other rule R2 forbids it.
• Disjoint rules: there exists no action such that R1 and R2 are both applicable, i.e. (cat1 ∧ ¬ exc1) ∧ (cat2 ∧ ¬ exc2) is unsatisfiable.
• Overlapping rules: there exists some action such that R1 and R2 are both applicable, i.e. (cat1 ∧ ¬ exc1) ∧ (cat2 ∧ ¬ exc2) is satisfiable.
• Subset rules: whenever R2 is applicable, so is R1, i.e. (cat1 ∧ ¬ exc1) ∧ (cat2 ∧ ¬ exc2) = cat2 ∧ ¬ exc2.
Resolution: R1 is applicable when (cat1 ∧ ¬ exc1) ∧ ¬ (cat2 ∧ ¬ exc2).
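The three relations between two rules, and the resolution that carves R2's applicability out of R1, as an added example (not the project's code): over a constructed finite action space each rule's applicability set cat ∧ ¬exc is enumerated and the pair is classified as disjoint, overlapping or subset. The attribute domains and the three rules are constructed for the demonstration.

```python
# Added example (not from the talk): translation-time conflict classification
# of two rules over a constructed finite action space, following the
# disjoint / overlapping / subset definitions and the resolution above.
from itertools import product

# Constructed attribute domains; a real translation ranges over all action
# fields (to, from, about, type, purpose, consents, beliefs).
DOMAIN = {
    "sender": ["hospital", "originator", "lab"],
    "mtype": ["psychotherapy_note", "lab_result"],
    "purpose": ["treatment", "payment", "marketing"],
}

def actions():
    keys = list(DOMAIN)
    for values in product(*(DOMAIN[k] for k in keys)):
        yield dict(zip(keys, values))

def applicable_set(rule):
    # The actions on which cat ∧ ¬exc holds, as hashable tuples.
    cat, exc = rule
    return {tuple(sorted(a.items())) for a in actions() if cat(a) and not exc(a)}

def classify(r1, r2):
    s1, s2 = applicable_set(r1), applicable_set(r2)
    both = s1 & s2
    if not both:
        return "disjoint"       # (cat1 ∧ ¬exc1) ∧ (cat2 ∧ ¬exc2) unsatisfiable
    if both == s2:
        return "subset"         # whenever R2 is applicable, so is R1
    return "overlapping"

def resolved_r1(r1, r2):
    # Resolution: R1 applies only where (cat1 ∧ ¬exc1) ∧ ¬(cat2 ∧ ¬exc2).
    return applicable_set(r1) - applicable_set(r2)

COVERED = {"hospital", "originator"}
# R1: a covered entity uses any record (general clause, no exception).
R1 = (lambda a: a["sender"] in COVERED, lambda a: False)
# R2: a covered entity uses a psychotherapy note, except the originator
# using it for treatment (the stricter 164.508(a)(2) category).
R2 = (lambda a: a["sender"] in COVERED and a["mtype"] == "psychotherapy_note",
      lambda a: a["sender"] == "originator" and a["purpose"] == "treatment")
# R3: a lab sends a record; never applicable together with R1.
R3 = (lambda a: a["sender"] == "lab", lambda a: False)
```

With these domains R1 applies to 12 actions and R2 to 5, so the resolved R1 covers the 7 actions the stricter rule does not claim.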
Logic Structure
• Declarative: allows automatic logical combination of the policies
• Non-recursive first-order logic: HIPAA policy is a set of logic rules with an acyclic dependency graph
• Structured negation: uses a subset of stratified negation
• No function parameters: decidable in polynomial time
• Complete: terminates with bounded search
Refinement and Combination
Policy refinement is the basic policy relation: Does hospital policy enforce HIPAA?
P1 refines P2 if P1 entails P2; this requires careful handling of attribute inheritance.
Combination becomes logical conjunction, defined in terms of refinement.
Medical data in the cloud?
[Architecture diagram: a Query passes through the Policy Engine to the Database, which holds Encrypted Medical Data; Attribute-based Encryption protects the data and Attribute-based Decryption releases Data to holders of matching Credentials. Applications: affiliated clinics, medical research.]
Attribute-Based Encryption
[Diagram: a public key PK; users holding attribute sets such as "Doctor", "Neurology" and "Nurse", "Phys Therapy"; data encrypted under an access policy tree, Doctor OR (Nurse AND ICU); a secret key SK decrypts only if its attributes satisfy the policy.]
Extracting ABE data policy
HIPAA and hospital policy define a mapping Policy from an Action to {allow, deny}, where an Action is (to, from, about, type, purpose, consents, beliefs).
An action is characterized by attributes of the data (from, about, type, consents) and attributes of the recipient (to, purpose, beliefs).
Data policy: data with attributes from, about, type, consents has the associated access policy
  { to, purpose, beliefs | Policy(to, from, about, type, purpose, consents, beliefs) = Allow }
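The set-builder above turned into code, as an added example (not the project's code): for one data item the recipient attributes (to, purpose, beliefs) are enumerated over constructed domains, the allowed combinations become an OR-of-ANDs access policy of the kind attached to an ABE ciphertext, and a credential set is checked against it. The policy function itself is a constructed hospital policy, not HIPAA text.

```python
# Added example (not from the talk): deriving the ABE access policy for one data
# item from a whole-action policy, as in the set-builder above, then checking a
# credential set against it (ciphertext-policy semantics). Policy is constructed.
from itertools import product

# Constructed domains for the recipient-side attributes (to, purpose, beliefs).
ROLES = ["doctor", "nurse", "researcher", "insurer"]
PURPOSES = ["treatment", "research", "payment"]
BELIEFS = [frozenset(), frozenset({"minimum_necessary"})]

def policy(to, frm, about, mtype, purpose, consents, beliefs):
    # Constructed hospital policy (not HIPAA text): clinicians get data for
    # treatment; researchers only de-identified data the patient consented to;
    # insurers only for payment and only with the minimum-necessary belief.
    if to in ("doctor", "nurse") and purpose == "treatment":
        return "allow"
    if (to == "researcher" and purpose == "research"
            and mtype == "deidentified" and "patient" in consents):
        return "allow"
    if to == "insurer" and purpose == "payment" and "minimum_necessary" in beliefs:
        return "allow"
    return "deny"

def data_policy(frm, about, mtype, consents):
    # {to, purpose, beliefs | Policy(to, from, about, type, purpose, consents,
    #  beliefs) = allow}, each member rendered as a set of ABE attributes.
    clauses = []
    for to, purpose, beliefs in product(ROLES, PURPOSES, BELIEFS):
        if policy(to, frm, about, mtype, purpose, consents, beliefs) == "allow":
            attrs = {f"role:{to}", f"purpose:{purpose}"} | {f"belief:{b}" for b in beliefs}
            clauses.append(frozenset(attrs))
    # Drop clauses that strictly contain another: they add nothing to the OR.
    return [c for c in clauses if not any(o < c for o in clauses)]

def to_formula(clauses):
    # Disjunction of conjunctions, the shape of an ABE access policy tree.
    return " OR ".join("(" + " AND ".join(sorted(c)) + ")" for c in clauses)

def satisfies(credentials, clauses):
    # A key whose attributes cover some clause can decrypt.
    return any(c <= set(credentials) for c in clauses)

def lab_result_policy():
    # The access policy for a constructed lab result with no patient consents.
    return data_policy("hospital", "patient", "lab_result", frozenset())
```

For the lab result the derived policy is (purpose:treatment AND role:doctor) OR (purpose:treatment AND role:nurse) OR (belief:minimum_necessary AND purpose:payment AND role:insurer); a researcher credential only satisfies the policy of de-identified data the patient consented to.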
Encrypted medical data in the cloud
[Deployment diagram: the same components (Query, Policy Engine, Database, Attribute-based Encryption and Decryption, Encrypted Medical Data, Credentials), with the Hospital keeping its encrypted medical data in the cloud and a Remote user accessing it with credentials. Applications: affiliated clinics, medical research.]
Ongoing efforts
• Hospital policy: surrogate, delegate
• Education tools: allow medical staff to pose questions, learn regulations. Theory: is there a canonical example hospital?
• Combine with attribute-based encryption: deductive access control within the enterprise, cryptographic enforcement when data is exported
• Model workflow and evaluate "least disclosure", etc.
• Audit. Medical environment: "break the glass"
Sponsoring Research Projects
Looking for students, postdoc
Conclusion
Privacy: policy-based systems provide information only if the privacy policy allows; anonymization perturbs publicly released data.
Healthcare provides a practical test case: formalization of the HIPAA privacy policy; add policy-based reasoning to information systems.
Future work: extend to hospital policies and other examples; educational tools and other applications; theory: is there a canonical example hospital?; integrate individual and aggregate privacy.