Preface  8
Acknowledgements  12
Contents  14
List of Figures  30
List of Tables  40

1 Introduction to Medical Data Privacy  45
1.1 Introduction  45
1.1.1 Privacy in Data Sharing  46
1.1.2 Privacy in Distributed and Dynamic Settings  47
1.1.3 Privacy for Emerging Applications  47
1.1.4 Privacy Through Policy, Data De-identification, and Data Governance  48
1.2 Part I: Privacy in Data Sharing  49
1.3 Part II: Privacy in Distributed and Dynamic Settings  52
1.4 Part III: Privacy for Emerging Applications  53
1.5 Part IV: Privacy Through Policy, Data De-identification, and Data Governance  55
1.6 Conclusion  57
References  57

Part I  Privacy in Data Sharing  59

2 A Survey of Anonymization Algorithms for Electronic Health Records  60
2.1 Introduction  60
2.2 Privacy Threats and Models  62
2.2.1 Privacy Threats  62
2.2.2 Privacy Models  62
2.2.2.1 Models Against Identity Disclosure  63
2.2.2.2 Models Against Attribute Disclosure  63
2.3 Anonymization Algorithms  64
2.3.1 Algorithms Against Identity Disclosure  64
2.3.1.1 Data Transformation  65
2.3.1.2 Utility Objectives  66
2.3.1.3 Heuristic Strategies  67
2.3.1.4 Classification of Algorithms  68
2.3.1.5 Algorithms Against Attribute Disclosure  70
2.4 Directions for Future Research  72
2.5 Conclusion  74
References  74

3 Differentially Private Histogram and Synthetic Data Publication  78
3.1 Introduction  78
3.2 Differential Privacy  79
3.2.1 Concept of Differential Privacy  79
3.2.2 Mechanisms of Achieving Differential Privacy  80
3.2.3 Composition Theorems  82
3.3 Relational Data  82
3.3.1 Problem Setting  82
3.3.2 Parametric Algorithms  85
3.3.3 Semi-parametric Algorithms  85
3.3.4 Non-parametric Algorithms  86
3.4 Transaction Data  91
3.4.1 Problem Setting  92
3.4.2 DiffPart  92
3.4.3 Private FIM Algorithms  93
3.4.4 PrivBasis  93
3.5 Stream Data  94
3.5.1 Problem Setting  94
3.5.2 Discrete Fourier Transform  95
3.5.3 FAST  95
3.5.4 w-Event Privacy  96
3.6 Challenges and Future Directions  97
3.6.1 Variety of Data Types  98
3.6.2 High Dimensionality  98
3.6.3 Correlated Constraints Among Attributes  98
3.6.4 Limitations of Differential Privacy  99
3.7 Conclusion  100
References  100

4 Evaluating the Utility of Differential Privacy: A Use Case Study of a Behavioral Science Dataset  102
4.1 Introduction  102
4.2 Background  105
4.2.1 Syntactic Models: k-Anonymity  105
4.2.2 Differential Privacy: Definition  107
4.2.3 Applications  109
4.3 Methodology  110
4.3.1 Utility Measures  112
4.4 Results  113
4.4.1 Variable Distributions  114
4.4.1.1 Full Set  114
4.4.1.2 Reduced Sets  116
4.4.2 Multivariate Logistic Regression  117
4.4.2.1 Noisy Results  119
4.5 Discussion  122
4.6 Conclusion  123
References  123

5 SECRETA: A Tool for Anonymizing Relational, Transaction and RT-Datasets  126
5.1 Introduction  127
5.2 Related Work  129
5.3 Overview of SECRETA  130
5.3.1 Frontend of SECRETA  130
5.3.2 Backend of SECRETA  136
5.3.2.1 Key Definitions  136
5.3.3 Components  141
5.4 Using SECRETA  144
5.4.1 Preparing the Dataset  145
5.4.2 Using the Dataset Editor  146
5.4.3 The Hierarchy Editor  147
5.4.4 The Queries Workload Editor  147
5.4.5 Evaluating the Desired Method  148
5.4.6 Comparing Different Methods  149
5.5 Conclusion and Future Work  150
References  151

6 Putting Statistical Disclosure Control into Practice: The ARX Data Anonymization Tool  153
6.1 Introduction  153
6.1.1 Background  154
6.1.2 Objectives and Outline  155
6.2 The ARX Data Anonymization Tool  156
6.2.1 Background  157
6.2.2 Overview  159
6.2.2.1 Privacy Models  159
6.2.2.2 Risk Analysis and Risk-Based Anonymization  160
6.2.2.3 Utility Evaluation  161
6.2.2.4 Additional Features  161
6.2.3 System Architecture  162
6.2.4 Application Programming Interface  165
6.2.5 Graphical User Interface  168
6.2.5.1 Anonymization Process  168
6.2.5.2 Overview  169
6.2.5.3 Configuring the Anonymization Process  170
6.2.5.4 Exploring the Solution Space  172
6.2.5.5 Evaluating Data Utility  173
6.2.5.6 Analyzing Re-identification Risks  174
6.3 Implementation Details  175
6.3.1 Data Management  176
6.3.2 Pruning Strategies  178
6.3.3 Risk Analysis and Risk-Based Anonymization  180
6.4 Experimental Evaluation  181
6.5 Discussion  184
6.5.1 Comparison with Prior Work  184
6.5.2 Limitations and Future Work  186
6.5.3 Concluding Remarks  187
References  187

7 Utility-Constrained Electronic Health Record Data Publishing Through Generalization and Disassociation  191
7.1 Introduction  192
7.1.1 Identity Disclosure  192
7.1.2 Utility-Constrained Approach  194
7.1.3 Chapter Organization  196
7.2 Preliminaries  197
7.3 Generalization and Disassociation  198
7.4 Specification of Utility Constraints  201
7.4.1 Defining and Satisfying Utility Constraints  201
7.4.2 Types of Utility Constraints for ICD Codes  204
7.5 Utility-Constrained Anonymization Algorithms  205
7.5.1 Clustering-Based Anonymizer (CBA)  206
7.5.2 DISassociation Algorithm (DIS)  207
7.5.3 Comparing the CBA and DIS Algorithms  211
7.6 Future Directions  216
7.6.1 Different Forms of Utility Constraints  216
7.6.2 Different Approaches to Guaranteeing Data Utility  217
7.7 Conclusion  218
References  218

8 Methods to Mitigate Risk of Composition Attack in Independent Data Publications  220
8.1 Introduction  221
8.2 Composition Attack and Multiple Data Publications  222
8.2.1 Composition Attack  222
8.2.2 Multiple Coordinated Data Publications  224
8.2.3 Multiple Independent Data Publications  224
8.3 Risk Mitigation Through Randomization  226
8.4 Risk Mitigation Through Generalization  228
8.5 An Experimental Comparison  230
8.5.1 Data and Setting  231
8.5.2 Reduction of Risk of Composition Attacks  231
8.5.3 Comparison of Utility of the Two Methods  233
8.6 Risk Mitigation Through Mixed Publications  234
8.7 Conclusion  237
Appendix  237
A. Metrics  237
B. Differential Privacy  238
References  239

9 Statistical Disclosure Limitation for Health Data: A Statistical Agency Perspective  242
9.1 Introduction  242
9.2 Statistical Disclosure Limitation for Microdata from Social Surveys  244
9.2.1 Disclosure Risk Assessment  245
9.2.2 Statistical Disclosure Limitation Methods  248
9.2.2.1 PRAM for Categorical Key Variables  249
9.2.2.2 Additive Noise for Continuous Variables  251
9.2.3 Information Loss Measures  252
9.2.3.1 Distance Metrics  252
9.2.3.2 Impact on Measures of Association  253
9.2.3.3 Impact on Regression Analysis  253
9.3 Statistical Disclosure Limitation for Frequency Tables  254
9.3.1 Disclosure Risk in Whole Population Tabular Outputs  254
9.3.2 Disclosure Risk and Information Loss Measures Based on Information Theory  255
9.3.3 Statistical Disclosure Limitation Methods  258
9.3.3.1 Record Swapping  258
9.3.3.2 Semi-Controlled Random Rounding  259
9.3.3.3 Stochastic Perturbation  259
9.4 Differential Privacy in Survey Sampling and Perturbation  260
9.5 Future Outlook for Releasing Statistical Data  263
9.5.1 Safe Data Enclaves and Remote Access  264
9.5.2 Web-Based Applications  265
9.5.2.1 Flexible Table Generating Servers  265
9.5.2.2 Remote Analysis Servers  266
9.5.3 Synthetic Data  267
9.6 Conclusion  269
References  269

Part II  Privacy in Distributed and Dynamic Settings  272

10 A Review of Privacy Preserving Mechanisms for Record Linkage  273
10.1 Introduction  273
10.2 Overview of Privacy Preserving Record Linkage  276
10.2.1 The PPRL Model  276
10.2.2 Taxonomy of Presented Techniques  278
10.2.2.1 Privacy Guarantee  279
10.2.2.2 Scalability  283
10.2.2.3 Linkage Quality  284
10.3 Secure Transformations  284
10.3.1 Attribute Suppression and Generalization Methods  285
10.3.2 N-Grams Methods  286
10.3.3 Embedding Methods  288
10.3.4 Phonetic Encoding Methods  290
10.4 Secure Multi-Party Computation  291
10.4.1 Commutative Encryption Based Protocols  291
10.4.2 Homomorphic Encryption Based Protocols  292
10.4.3 Secure Scalar Product Protocols  294
10.5 Hybrid Approaches  296
10.5.1 Standard Blocking  297
10.5.2 Sorted Neighborhood Approach  298
10.5.3 Mapping  299
10.5.4 Clustering  299
10.6 Challenges and Future Research Directions  301
10.7 Conclusion  302
References  302

11 Application of Privacy-Preserving Techniques in Operational Record Linkage Centres  306
11.1 Introduction  306
11.1.1 Record Linkage Research Infrastructure  307
11.1.2 Privacy Challenges in Health Record Linkage  309
11.2 Data Governance  310
11.2.1 Legal Obligations  311
11.2.2 Information Governance  311
11.2.3 Separation of Data and Functions  312
11.2.4 Application and Approval Process  312
11.2.5 Information Security  313
11.3 Operational Models and Data Flows  313
11.3.1 Centralized Model  314
11.3.2 Separated Models  315
11.3.2.1 Separated Model, with Centralized Clinical Data Repository  315
11.3.2.2 Separated Model, with No Centralized Data Repository  316
11.3.3 A Technique to Avoid Data Collusion  317
11.4 Privacy Preserving Methods  317
11.4.1 Privacy Preserving Models  318
11.4.2 Techniques for Privacy Preserving Linkage  318
11.4.2.1 Minimum Linkage Information (MLI)  318
11.4.3 Requirements of a Privacy Preserving Linkage Technique for Operational Linkage Centres  321
11.4.3.1 Measuring and Maintaining Linkage Quality  321
11.4.3.2 Efficiency  322
11.4.3.3 Simplicity for Data Providers  323
11.4.3.4 Security  323
11.5 Conclusion  324
References  324

12 Privacy Considerations for Health Information Exchanges  327
12.1 Introduction  327
12.2 Health Information Exchanges  328
12.2.1 HIE Actors and Systems  328
12.2.2 HIE Models  331
12.2.3 HIPAA, HITECH and HIE Privacy Governance  332
12.3 Privacy Issues with HIEs  333
12.3.1 Patient Expectations and Concerns  334
12.3.2 Tension Between Functionality, Security and Privacy  335
12.3.3 Data Stewardship and Ownership  335
12.4 Principles and Practice of Privacy for HIEs  336
12.4.1 Guiding Principles  336
12.4.2 HIE Privacy in Practice  338
12.5 Emerging Issues  343
12.5.1 Big Data  343
12.5.2 m-Health and Telemedicine  344
12.5.3 Medical Devices  345
12.6 Conclusion  346
References  346

13 Managing Access Control in Collaborative Processes for Healthcare Applications  350
13.1 Introduction  351
13.2 Related Works  351
13.3 An Illustrative Example: New York State HIV Clinical Education Initiative  353
13.4 Development of the Enhanced RBAC Model  355
13.4.1 Overview of the Enhanced RBAC Model  356
13.4.2 Support Team Collaboration: Bridging Entities and Contributing Attributes  357
13.4.3 Extending Access Permissions to Include Workflow Contexts  359
13.4.4 Role-Based Access Delegation Targeting on Specific Objects: Providing Flexibility for Access Control in Collaborative Processes  359
13.4.5 Integration of Multiple Representation Elements for Definition of Universal Constraints  361
13.4.6 Case Studies to Encode Access Policies for CEI  363
13.4.6.1 User, Roles, Objects, and Access Permissions  363
13.4.6.2 Collaboration Among CEI Centers  364
13.4.6.3 Management of Training Workflow  365
13.4.6.4 Inviting Other CEI Centers for Collaboration  365
13.5 System Framework for Implementation of Enhanced RBAC  366
13.5.1 System Architecture  367
13.5.2 Encoding of Access Policies  368
13.5.3 Interpretation of Access Control Policies  370
13.5.4 Application Layer  371
13.5.5 Demonstration Tool  371
13.6 Evaluation of the Enhanced RBAC Model  372
13.6.1 Selection of Study Cases  373
13.6.2 Access Permissions Computed with the Enhanced RBAC Model and the CEIAdmin System  376
13.6.3 Comparison Between the Enhanced RBAC Model and the CEIAdmin System  377
13.6.4 Development of the Gold-Standard  377
13.6.5 Measuring Effectiveness Based on Gold-Standard  379
13.6.6 Results  381
13.7 Discussion  382
13.7.1 Features of the Enhanced RBAC Model  382
13.7.2 System Framework for Implementation  386
13.7.3 Evaluation  387
13.7.3.1 Overall Approach  387
13.7.3.2 Error Analyses  388
13.7.3.3 Qualitative Measures  389
13.7.4 Limitations  390
13.8 Conclusion  391
References  392

14 Automating Consent Management Lifecycle for Electronic Healthcare Systems  397
14.1 Introduction  397
14.2 Legal Background  399
14.2.1 Legal Framework for Consent  399
14.2.2 Consent in Healthcare Systems  401
14.2.3 Consent Limitations  402
14.3 A Case Study  404
14.4 Overview of Teleo-Reactive Policies  405
14.4.1 TR Policy Representation  405
14.4.2 TR Policy Evaluation  406
14.5 The ACTORS Approach  407
14.5.1 Authorisation Policies  409
14.5.2 Policy Templates  410
14.5.3 TR Policies  411
14.6 Managing Consent in Healthcare Scenarios  412
14.7 Related Work  418
14.8 Conclusion and Future Work  420
References  421

15 e-Health Cloud: Privacy Concerns and Mitigation Strategies  424
15.1 Introduction  424
15.2 An Overview of the e-Health Cloud  426
15.2.1 e-Health Cloud Benefits and Opportunities  426
15.2.1.1 Cost Reduction  426
15.2.1.2 Easy Infrastructure Management  427
15.2.1.3 Availability  427
15.2.1.4 Scalable Healthcare Services  427
15.2.2 Deployment Models for Cloud Based e-Health Systems  428
15.2.2.1 Private Cloud  428
15.2.2.2 Public Cloud  428
15.2.2.3 Hybrid Cloud  429
15.2.3 Threats to Health Data Privacy in the Cloud  429
15.2.3.1 Spoofing Identity  431
15.2.3.2 Data Tampering  431
15.2.3.3 Repudiation  431
15.2.3.4 Denial of Service (DoS)  431
15.2.3.5 Unlawful Privilege Escalation  431
15.2.4 Essential Requirements for Privacy Protection  432
15.2.4.1 Confidentiality  432
15.2.4.2 Integrity  433
15.2.4.3 Collusion Resistance  433
15.2.4.4 Anonymity  433
15.2.4.5 Authenticity  433
15.2.4.6 Unlinkability  433
15.2.5 User/Patient Driven Privacy Protection Requirements  434
15.2.5.1 Patient-Centric Access Control  434
15.2.5.2 Access Revocation  434
15.2.5.3 Auditing  434
15.2.6 Adversarial Models in the e-Health Cloud  434
15.3 Privacy Protection Strategies Employed in e-Health Cloud  435
15.3.1 Approaches to Protect Confidentiality in the e-Health Cloud  435
15.3.2 Approaches to Maintain Data Integrity in the e-Health Cloud  437
15.3.3 Approaches to Offer Collusion Resistance in the e-Health Cloud  441
15.3.4 Approaches to Maintain Anonymity in the e-Health Cloud  442
15.3.5 Approaches to Offer Authenticity in the e-Health Cloud  445
15.3.6 Approaches to Maintain Unlinkability in the e-Health Cloud  447
15.4 Discussion and Open Research Issues  451
15.5 Conclusion  452
References  453

Part III  Privacy for Emerging Applications  457

16 Preserving Genome Privacy in Research Studies  458
16.1 Introduction  459
16.2 Policies, Legal Regulation and Ethical Principles of Genome Privacy  460
16.2.1 NIH Policies for Genomic Data Sharing  460
16.2.1.1 GWAS Data Sharing Policy  460
16.2.1.2 Genomic Data Sharing Policy  461
16.2.2 U.S. Legal Regulations for Genomic Data  463
16.2.3 Ethical Principles for Genome Privacy  465
16.2.4 Summary  466
16.3 Information Technology for Genome Privacy  466
16.3.1 Genome Privacy Risks  467
16.3.2 Genome Privacy Protection Technologies  467
16.3.3 Community Efforts on Genome Privacy Protection  469
16.4 Conclusion  470
References  471

17 Private Genome Data Dissemination  475
17.1 Introduction  475
17.2 Literature Review  477
17.2.1 Privacy Attacks and Current Practices  477
17.2.2 Privacy Preserving Techniques  478
17.3 Problem Statement  479
17.3.1 Privacy Protection Model  480
17.3.2 Privacy Attack Model  480
17.3.3 Utility Criteria  481
17.4 Genomic Data Anonymization  481
17.4.1 Anonymization Algorithm  481
17.4.2 Privacy Analysis  485
17.4.3 Computational Complexity  485
17.5 Experimental Results  486
17.6 Conclusion  490
References  491

18 Threats and Solutions for Genomic Data Privacy  494
18.1 Threats for Genomic Privacy  494
18.1.1 Kin Genomic Privacy  496
18.2 Solutions for Genomic Privacy  501
18.2.1 Privacy-Preserving Management of Raw Genomic Data  501
18.2.2 Private Use of Genomic Data in Personalized Medicine  503
18.2.3 Private Use of Genomic Data in Research  508
18.2.4 Coping with Weak Passwords for the Protection of Genomic Data  512
18.2.5 Protecting Kin Genomic Privacy  515
18.3 Future Research Directions  518
18.4 Conclusion  521
References  521

19 Encryption and Watermarking for Medical Image Protection  524
19.1 Introduction  524
19.2 Security Needs for Medical Data  526
19.2.1 General Framework  526
19.2.2 Refining Security Needs in an Applicative Context: Telemedicine Applications as Illustrative Example  528
19.3 Encryption Mechanisms: An A Priori Protection  529
19.3.1 Symmetric/Asymmetric Cryptosystems & DICOM  529
19.3.2 Block Cipher/Stream Cipher Algorithms  530
19.3.2.1 The AES Block Cipher Algorithm  531
19.3.2.2 The RC4 Stream Cipher Algorithm  532
19.4 Watermarking: An A Posteriori Protection Mechanism  534
19.4.1 Principles, Properties and Applications  534
19.4.1.1 A General Chain of Watermarking  535
19.4.1.2 Basic Properties of a Watermarking Algorithm  536
19.4.2 Watermarking Medical Images  537
19.4.2.1 Basic Lossy Watermarking Modulations  538
19.4.2.2 Lossless Watermarking  540
19.5 Combining Encryption with Watermarking  543
19.5.1 Continuous Protection with Various Security Objectives: A State of the Art  543
19.5.1.1 Watermarking Followed by Encryption  544
19.5.1.2 Encryption Followed by Watermarking  544
19.5.1.3 Commutative Encryption and Watermarking  545
19.5.1.4 Joint Watermarking-Decryption  546
19.5.2 A Joint Watermarking-Encryption (JWE) Approach  547
19.5.2.1 General Principles of the JWE System  548
19.5.2.2 JWE System for Verifying Image Reliability  548
19.5.2.3 JWE Implementation Based on QIM  549
19.5.2.4 JWE Approach Performance and DICOM Interoperability  550
19.6 Conclusion  552
References  552

20 Privacy Considerations and Techniques for Neuroimages  558
20.1 Introduction  558
20.2 Neuroimage Data  560
20.3 Privacy Risks with Medical Images  561
20.3.1 Neuroimage Privacy Threat Scenarios  561
20.3.2 Volume Rendering and Facial Recognition  563
20.3.3 Re-identification Using Structural MRI  565
20.4 Privacy Preservation Techniques for Medical Images  566
20.4.1 De-Identification Techniques  566
20.4.2 Privacy in Neuroimage Archives and Collaboration Initiatives  574
20.5 Conclusion  575
References  575

21 Data Privacy Issues with RFID in Healthcare  579
21.1 Introduction  579
21.1.1 RFID as a Technology  580
21.2 Dimensions of Privacy in Medicine  583
21.3 RFID in Medicine  586
21.3.1 Inventory Tracking  586
21.3.2 Tracking People  586
21.3.3 Device Management  587
21.4 Issues and Risks  588
21.5 Solutions  592
21.6 Conclusion  593
References  594

22 Privacy Preserving Classification of ECG Signals in Mobile e-Health Applications  598
22.1 Introduction  598
22.2 Plain Protocol  601
22.2.1 Classification Results  604
22.3 Cryptographic Primitives  604
22.3.1 Homomorphic Encryption  605
22.3.2 Oblivious Transfer  606
22.3.3 Garbled Circuits  607
22.3.4 Hybrid Protocols  608
22.4 Privacy Preserving Linear Branching Program  609
22.4.1 Linear Branching Programs (LBP)  609
22.4.1.1 Full-GC Implementation  610
22.4.1.2 Hybrid Implementation  611
22.4.2 ECG Classification Through LBP and Quadratic Discriminant Functions  613
22.4.2.1 Quantization Error Analysis  614
22.4.3 ECG Classification Through LBP and Linear Discriminant Functions  615
22.4.4 Complexity Analysis  616
22.4.4.1 More Efficient LBP Implementations  619
22.5 Privacy Preserving Classification by Using Neural Network  619
22.5.1 Neural Network Design  619
22.5.2 Quantized Neural Network Classifier  622
22.5.2.1 Representation vs. Classification Accuracy  623
22.5.3 Privacy-Preserving GC-Based NN Classifier  624
22.5.4 Privacy-Preserving Hybrid NN Classifier  626
22.5.5 Comparison with the LBP Solution  627
22.6 Privacy Preserving Quality Evaluation  628
22.6.1 SNR Evaluation in the Encrypted Domain  628
22.6.1.1 Protocol Complexity  631
22.6.2 SNR-Based Quality Evaluation  632
22.6.2.1 Complexity Analysis  635
22.6.2.2 Classification Performance  635
22.7 Conclusion  637
References  638

23 Strengthening Privacy in Healthcare Social Networks  641
23.1 Introduction  641
23.2 Social Networks  643
23.2.1 On-line Social Networks  643
23.2.2 Healthcare Social Networks  644
23.3 Privacy  646
23.3.1 Background  646
23.3.2 Personal and Sensitive Data  647
23.3.3 Privacy Principles  649
23.3.4 Privacy Threats  650
23.3.4.1 Digital Dossier Aggregation  651
23.3.4.2 Difficulty of Complete Account Deletion  652
23.3.4.3 Secondary Data Collection  652
23.3.4.4 De-Anonymization Attacks  653
23.3.4.5 Inference Attacks  653
23.3.4.6 Identity Theft  654
23.3.4.7 Phishing  654
23.3.4.8 Communication Tracking  654
23.3.4.9 Information Leakage  655
23.4 Privacy Requirements for HSNs  655
23.4.1 Privacy as System Requirement  655
23.5 Enhancing Privacy in OSNs and HSNs  656
23.6 On-line Social Networks in the Healthcare Domain  659
23.6.1 Advice Seeking Networks  660
23.6.2 Patient Communities  660
23.6.3 Professional Networks  661
23.7 Conclusion  661
References  662

Part IV  Privacy Through Policy, Data De-identification, and Data Governance  664

24 Privacy Law, Data Sharing Policies, and Medical Data: A Comparative Perspective  665
24.1 Introduction  665
24.2 Overview of Data Privacy Legal Frameworks  668
24.3 Data Privacy Laws and Guidelines  674
24.3.1 The OECD Privacy Guidelines  674
24.3.2 The Council of Europe Convention 108  676
24.3.3 The European Union Data Protection Directive 95/46  678
24.3.4 UK Data Protection Act 1998  682
24.3.5 Canadian Privacy Legislation  684
24.3.6 The HIPAA Privacy Rule  685
24.4 Data Sharing Policies  690
24.4.1 US National Institutes of Health  691
24.4.2 Canadian Data Sharing Policies  692
24.4.3 Wellcome Trust (UK)  695
24.5 Towards Better Calibration of Biomedical Research, Health Service Delivery, and Privacy Protection  697
24.6 Conclusion  700
References  700

25 HIPAA and Human Error: The Role of Enhanced Situation Awareness in Protecting Health Information  705
25.1 Introduction  705
25.2 HIPAA, Privacy Breaches, and Related Costs  708
25.3 Situation Awareness and Privacy Protection  711
25.3.1 Definition of Situation Awareness  711
25.3.2 Linking Situation Awareness to Privacy Breaches  712
25.3.2.1 Level 1 SA: Failure to Correctly Perceive a Situation  712
25.3.2.2 Level 2 SA: Failure to Comprehend a Situation  713
25.3.2.3 Level 3 SA: Failure to Project a Situation into the Future  713
25.3.3 SA and HIPAA Privacy Breaches  714
25.3.3.1 Level 1 SA: Failure to Correctly Perceive a Situation  717
25.3.3.2 Level 2 SA: Failure to Comprehend a Situation  718
25.3.3.3 Level 3 SA: Failure to Project a Situation into the Future  718
25.4 Discussion and Conclusion  719
References  721

26 De-identification of Unstructured Clinical Data for Patient Privacy Protection  723
26.1 Introduction  723
26.2 Origins and Definition of Text De-identification  724
26.3 Methods Applied for Text De-identification  727
26.4 Clinical Text De-identification Application Examples  730
26.4.1 PhysioNet Deid  730
26.4.2 MIST (MITRE Identification Scrubber Toolkit)  731
26.4.3 VHA Best-of-Breed Clinical Text De-identification System  732
26.5 Why Not Anonymize Clinical Text?  734
26.6 U.S. Veterans Health Administration Clinical Text De-identification Efforts  735
26.7 Conclusion  739
References  740

27 Challenges in Synthesizing Surrogate PHI in Narrative EMRs  743
27.1 Introduction  743
27.2 Related Work  745
27.3 PHI Categories  748
27.4 Data  750
27.5 Strategies and Difficulties in Surrogate PHI Generation  751
27.5.1 HIPAA Category 1: Names  752
27.5.2 HIPAA Category 2: Locations  754
27.5.3 HIPAA Category 3: Dates and Ages  755
27.5.4 HIPAA Category 18: Other Potential Identifiers  757
27.5.4.1 Professions  757
27.6 Errors Introduced by Surrogate PHI  758
27.7 Relationship Between De-identification and Surrogate Generation  758
27.8 Conclusion  759
References  760

28 Building on Principles: The Case for Comprehensive, Proportionate Governance of Data Access  762
28.1 Introduction  762
28.2 Current Approaches to Data Access Governance  764
28.2.1 Existing Norms for Data Access Governance  764
28.2.2 The Preeminence of "Consent or Anonymize" as Approaches to Data Access Governance  765
28.2.3 Existing Data Access Governance in Practice  768
28.3 The Evolution of Data and Implications for Data Access Governance  769
28.3.1 Big Data  769
28.3.2 Open Data  770
28.3.3 The Ubiquity of Collection of Personal Information  770
28.3.4 The Limits of Existing Approaches to Data Access Governance  771
28.4 A Comprehensive Model for Governance: Proportionate and Principled  772
28.4.1 Proportionality  772
28.4.2 Principle-Based Regulation  773
28.4.3 Case Studies Using Proportionate and Principled Access  774
28.5 Building on the Present: A Flexible Governance Framework  777
28.5.1 Science  779
28.5.2 Approach  779
28.5.3 Data  780
28.5.4 People  780
28.5.5 Environment  780
28.5.6 Interest  781
28.5.7 Translating Risk Assessment to Review Requirements  781
28.5.8 Adjudication Scenarios  782
28.5.8.1 Scenario 1  783
28.5.8.2 Scenario 2  783
28.6 Conclusion  784
References  785

29 Epilogue  790
29.1 Introduction  790
29.2 Topics and Directions in Privacy Preserving Data Sharing  791
29.3 Topics and Directions in Privacy Preservation for Distributed and Dynamic Settings  793
29.4 Topics and Directions in Privacy Preservation for Emerging Applications  794
29.5 Topics and Directions in Privacy Preservation Through Policy, Data De-identification, and Data Governance  796
29.6 Conclusion  797
References  797

About the Authors  799
Glossary  838
Index  849