
EUropean Best Information through Regional Outcomes in Diabetes

Privacy and Disease Registries: Technical Aspects

Peter Beck, JOANNEUM RESEARCH, Austria

2nd EUBIROD Meeting, Brussels, 22-23 January 2011

www.eubirod.eu

Factors = Key Elements of Data Protection

The key elements of data protection (FACTORS) identified in the management of diabetes registries are as follows:

A1. Accountability of personal information

A2. Collection of Personal Information

A3. Consent

A4. Use of Personal Information

A5. Disclosure and Disposition of Personal Information

A6. Accuracy of Personal Information

A7. Safeguarding Personal Information

A8. Openness

A9. Individual Access to Personal Information

A10. Challenging Compliance

A11. Anonymization Process for Secondary Uses of Health Data

Introduction to Cryptography: Conventional Cryptography

Introduction to Cryptography: Public Key Cryptography

Introduction to Cryptography: Digital Signatures

Introduction to Cryptography: Hash Functions and Digital Signatures

Introduction to Cryptography: Digital Certificates

= a public key + owner identity information signed together

= facilitate establishing whether a public key truly belongs to the purported owner

Public Key Infrastructure

• Certification Authority
  – Issue certificates
    • Verify identity
  – Keep a list of (valid) certificates
  – Certificate revocation

• Web of Trust (PGP)
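Worked example, added here and not part of the original slides: a hypothetical registry CA in Go (standard library only) that issues a certificate binding a centre's name to its public key, publishes a CRL, and a Verify function that makes the decision the certificate slide describes (does this key really belong to the claimed owner?) by checking the chain to the CA, the name, the CRL's signature and freshness, and only then the serial. The Registry type, the CA name "EUBIROD Registry CA" and the centre name "Centre Graz" are assumed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewKey generates a P-256 key pair, used for the CA and for each centre.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func parse(der []byte, err error) (*x509.Certificate, error) {
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Registry is a hypothetical registry CA (assumed for this example): it checks a
// centre's identity out of band, issues its certificate and publishes a CRL.
type Registry struct {
	caKey   *ecdsa.PrivateKey
	CACert  *x509.Certificate
	revoked []pkix.RevokedCertificate
	crlNum  int64
}

func NewRegistry() (*Registry, error) {
	key, err := NewKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "EUBIROD Registry CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Self-signed: the template is its own parent.
	cert, err := parse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &Registry{caKey: key, CACert: cert}, err
}

// Issue is the slide's "public key + owner identity information signed together":
// the CA signs the centre's name and public key with the CA key.
func (r *Registry) Issue(name string, serial int64, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	return parse(x509.CreateCertificate(rand.Reader, tmpl, r.CACert, pub, r.caKey))
}

// CRL signs the current list of revoked serials; relying parties fetch it regularly.
func (r *Registry) CRL() ([]byte, error) {
	r.crlNum++
	tmpl := &x509.RevocationList{
		RevokedCertificates: r.revoked, Number: big.NewInt(r.crlNum),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, r.CACert, r.caKey)
}

// Revoke adds a serial to the list and publishes a new CRL.
func (r *Registry) Revoke(serial *big.Int) ([]byte, error) {
	r.revoked = append(r.revoked, pkix.RevokedCertificate{SerialNumber: serial, RevocationTime: time.Now()})
	return r.CRL()
}

// Verify answers the slide's question, does this public key really belong to
// the named owner: chain to the CA, then the name, then a fresh CA-signed CRL.
func Verify(leaf, ca *x509.Certificate, crlDER []byte, name string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if leaf.Subject.CommonName != name {
		return fmt.Errorf("certificate is for %q, not %q", leaf.Subject.CommonName, name)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("crl: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("crl stale since %s; refusing to decide on it", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("serial %s revoked", leaf.SerialNumber)
		}
	}
	return nil
}
```

Note the order of the checks: an unsigned or expired revocation list is treated as a failure, not as "nothing revoked"; a verifier that silently skips a CRL it cannot validate is the usual way revocation stops working in practice.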

Security Key Concepts

Communication Security Services

• Authenticity
• Authorization / Access Control
• Integrity
• Confidentiality
• Non-Repudiation

Security Key Concepts

Authenticity

= verifying a claim of identity

e.g. Airport: "I am John Doe, I want to fly to Brussels" – the claim is verified with a passport

Factors:

• something you know (e.g. username + password)
• something you have (e.g. a (cryptographic) key, a challenge-response token, a TAN)
• or something you are (biometrics)

Protection mechanisms: username, password, (cryptographic) key, challenge-response, TAN, biometrics
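Added example, not from the original slides: the challenge-response mechanism from the list above, in Go, with both sides of the exchange. The server sends a fresh random nonce, the client proves possession of its token key by returning HMAC-SHA256(key, user || nonce), and the server accepts each nonce exactly once so a recorded response cannot be replayed. The user name "jdoe" and the token secret are constructed; transport protection (TLS) and rate limiting are left out.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server holds, per user, the key that was provisioned on the user's token
// (something you have) and the challenge currently outstanding, if any.
type Server struct {
	keys    map[string][]byte
	pending map[string][]byte
}

func NewServer() *Server {
	return &Server{keys: map[string][]byte{}, pending: map[string][]byte{}}
}

// Enrol stores the shared key; in practice this happens once, out of band.
func (s *Server) Enrol(user string, key []byte) { s.keys[user] = key }

// Challenge issues a fresh random nonce. It is valid for exactly one response,
// so an eavesdropper who records a response cannot use it later.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// response is what both sides compute: HMAC-SHA256(key, user || nonce).
// Including the user name stops a response for one account being offered for another.
func response(key []byte, user string, nonce []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(user))
	m.Write(nonce)
	return m.Sum(nil)
}

// ClientRespond runs on the token: the key itself never leaves it.
func ClientRespond(key []byte, user string, nonce []byte) []byte {
	return response(key, user, nonce)
}

// Verify accepts a response only against the outstanding challenge and
// discards that challenge first, so a replay of the same bytes fails.
// hmac.Equal compares in constant time.
func (s *Server) Verify(user string, resp []byte) bool {
	nonce, ok := s.pending[user]
	if !ok {
		return false
	}
	delete(s.pending, user)
	return hmac.Equal(resp, response(s.keys[user], user, nonce))
}

func main() {
	srv := NewServer()
	key := []byte("constructed token secret for jdoe")
	srv.Enrol("jdoe", key)

	nonce, _ := srv.Challenge("jdoe") // server -> client
	fmt.Println("challenge:", hex.EncodeToString(nonce))
	resp := ClientRespond(key, "jdoe", nonce) // client -> server
	fmt.Println("response: ", hex.EncodeToString(resp))
	fmt.Println("accepted: ", srv.Verify("jdoe", resp))
	fmt.Println("replayed: ", srv.Verify("jdoe", resp))
}
```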

Security Key Concepts

Authorization / Access Control

= Apply and configure mechanisms to enforce administrative policies

Protection Mechanisms

• Access Control List
• + Role based access control (e.g. file system, DBs, Web-Apps)
• Capabilities

[Screenshot of a registry web application, flattened: roles Data input, Physician, Local Administrator, Global Administrator; functions Login, Enter Data Sheets, Administer Patients, Create Reports, Execute Analyses, Import Data, Administer Staff, Administer Centers.]
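Added example, not the registry's own code: deny-by-default role-based access control over the roles and functions visible in the screenshot, in Go. The role-to-function mapping and the idea that most functions are scoped to the user's own centre unless the role is global are assumptions for illustration; the slide lists the roles and functions but not which role holds which.

```go
package main

import "fmt"

type Role string
type Permission string

// Roles and functions as they appear in the screenshot on the slide.
const (
	DataInput   Role = "Data input"
	Physician   Role = "Physician"
	LocalAdmin  Role = "Local Administrator"
	GlobalAdmin Role = "Global Administrator"

	Login              Permission = "Login"
	EnterDataSheets    Permission = "Enter Data Sheets"
	AdministerPatients Permission = "Administer Patients"
	CreateReports      Permission = "Create Reports"
	ExecuteAnalyses    Permission = "Execute Analyses"
	ImportData         Permission = "Import Data"
	AdministerStaff    Permission = "Administer Staff"
	AdministerCenters  Permission = "Administer Centers"
)

// rolePermissions is an ASSUMED policy for illustration; the slide shows the
// roles and the functions, but this mapping is not taken from it.
var rolePermissions = map[Role][]Permission{
	DataInput:   {Login, EnterDataSheets},
	Physician:   {Login, EnterDataSheets, AdministerPatients, CreateReports},
	LocalAdmin:  {Login, AdministerPatients, AdministerStaff, ImportData, CreateReports, ExecuteAnalyses},
	GlobalAdmin: {Login, EnterDataSheets, AdministerPatients, CreateReports, ExecuteAnalyses, ImportData, AdministerStaff, AdministerCenters},
}

// centreScoped lists functions that may only be used on the user's own centre
// unless the granting role is Global Administrator (also assumed).
var centreScoped = map[Permission]bool{
	EnterDataSheets: true, AdministerPatients: true, ImportData: true,
	AdministerStaff: true, CreateReports: true, ExecuteAnalyses: true,
}

type User struct {
	Name   string
	Centre string
	Roles  []Role
}

// Authorize is deny-by-default: a request is allowed only if some role of the
// user grants the function, and a centre-scoped function additionally requires
// the request to target the user's own centre unless the role is global.
func Authorize(u User, p Permission, centre string) bool {
	for _, role := range u.Roles {
		for _, granted := range rolePermissions[role] {
			if granted != p {
				continue
			}
			if !centreScoped[p] || role == GlobalAdmin || centre == u.Centre {
				return true
			}
		}
	}
	return false
}

func main() {
	users := []User{
		{Name: "dataentry-graz", Centre: "Graz", Roles: []Role{DataInput}},
		{Name: "admin-graz", Centre: "Graz", Roles: []Role{LocalAdmin}},
		{Name: "root", Centre: "", Roles: []Role{GlobalAdmin}},
	}
	for _, u := range users {
		for _, p := range []Permission{EnterDataSheets, AdministerStaff, AdministerCenters} {
			fmt.Printf("%-15s %-19s on Wien: %v\n", u.Name, p, Authorize(u, p, "Wien"))
		}
	}
}
```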

Security Key Concepts

Integrity

= Avoid undetected modification of data

Protection mechanism – message integrity

Message Digests (Hashing); note that an unkeyed digest only detects accidental modification, since whoever alters the message can recompute it. Against an active attacker the digest must be keyed (a MAC such as HMAC) or signed.

Protection mechanism – communication stream integrity

Sequence Numbers

Time Stamps
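Added example, not from the original slides: message integrity with a keyed digest (HMAC-SHA256) and stream integrity with sequence numbers and timestamps, in Go. The receiver rejects tampering, replay, reordering and stale messages, and the unkeyed digest is included to show why it is not enough on its own. The shared key, the payloads and the freshness window are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Message is one unit of a protected stream. The MAC covers sequence number,
// timestamp and payload together, so none of them can be changed alone.
type Message struct {
	Seq       uint64
	Timestamp int64 // Unix seconds
	Payload   []byte
	MAC       []byte
}

// tag computes HMAC-SHA256 over an unambiguous encoding: fixed-width fields
// first, then the payload, so no two (seq, ts, payload) triples collide.
func tag(key []byte, seq uint64, ts int64, payload []byte) []byte {
	buf := make([]byte, 16, 16+len(payload))
	binary.BigEndian.PutUint64(buf[0:8], seq)
	binary.BigEndian.PutUint64(buf[8:16], uint64(ts))
	m := hmac.New(sha256.New, key)
	m.Write(append(buf, payload...))
	return m.Sum(nil)
}

// Sender numbers its messages consecutively and stamps them.
type Sender struct {
	Key  []byte
	next uint64
}

func (s *Sender) Send(payload []byte, now time.Time) Message {
	m := Message{Seq: s.next, Timestamp: now.Unix(), Payload: payload}
	m.MAC = tag(s.Key, m.Seq, m.Timestamp, payload)
	s.next++
	return m
}

// Receiver tracks the next expected sequence number and a freshness window.
type Receiver struct {
	Key    []byte
	Window time.Duration
	next   uint64
}

// Accept rejects tampering (MAC), replay and reordering (sequence number) and
// late delivery of old traffic (timestamp). The MAC is checked first so that
// unauthenticated traffic cannot drive the receiver's state.
func (r *Receiver) Accept(m Message, now time.Time) error {
	if !hmac.Equal(m.MAC, tag(r.Key, m.Seq, m.Timestamp, m.Payload)) {
		return errors.New("integrity check failed")
	}
	if m.Seq != r.next {
		return fmt.Errorf("sequence %d, expected %d: replay, loss or reordering", m.Seq, r.next)
	}
	if age := now.Sub(time.Unix(m.Timestamp, 0)); age > r.Window || age < -r.Window {
		return fmt.Errorf("timestamp off by %s, outside the %s window", age, r.Window)
	}
	r.next++
	return nil
}

// UnkeyedDigest is the weak variant the slide lists as "hashing": whoever can
// change the payload can recompute it, so it catches accidental corruption only.
func UnkeyedDigest(payload []byte) []byte {
	d := sha256.Sum256(payload)
	return d[:]
}

func main() {
	key := []byte("constructed shared key, 32 bytes")
	s := &Sender{Key: key}
	r := &Receiver{Key: key, Window: 2 * time.Minute}
	now := time.Now()
	m := s.Send([]byte("patient=P-001;HbA1c=7.4"), now)
	fmt.Println("first delivery:", r.Accept(m, now))
	fmt.Println("replay:        ", r.Accept(m, now))
	forged := m
	forged.Payload = []byte("patient=P-001;HbA1c=5.4")
	fmt.Println("tampered:      ", r.Accept(forged, now))
	// With an unkeyed digest the attacker simply recomputes it for the forged payload:
	fmt.Printf("forged digest recomputed: %x\n", UnkeyedDigest(forged.Payload)[:8])
}
```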

Security Key Concepts

Confidentiality

= Prevent the disclosure of information to unauthorized individuals or systems

Protection mechanism

symmetric or asymmetric encryption


Security Key Concepts

Non-Repudiation

= one party to a transaction cannot deny having received it, nor can the other party deny having sent it

Protection mechanism

digital signatures

time stamp, notarization

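Added example that is not part of the original slides, covering the Confidentiality and Non-Repudiation slides together: the sign-then-encrypt pattern that the DMP data flow later in the deck applies to clinical data ("Clinical Data: Sign+Encrypt"). In Go with the standard library: an Ed25519 signature over the plaintext is appended to it, the pair is encrypted with AES-256-GCM under a fresh per-message key, and that key is wrapped with the receiver's RSA-2048 public key (RSA-OAEP). The receiver's directory of sender keys, the sender IDs and the key sizes are assumptions; in a deployment the sender keys would come from certificates as on the PKI slide.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is what travels over the network. Nothing in it reveals the data,
// and the signature inside lets the receiver prove who sent it.
type Envelope struct {
	SenderID   string // looked up in the receiver's directory of known senders
	WrappedKey []byte // per-message AES key, RSA-OAEP encrypted to the receiver
	Nonce      []byte
	Ciphertext []byte // AES-GCM over (plaintext || Ed25519 signature)
}

// Directory is the receiver's trusted list of sender signing keys (assumed).
type Directory map[string]ed25519.PublicKey

// GenKeys makes a sender signing key pair and a receiver RSA key pair.
func GenKeys() (ed25519.PublicKey, ed25519.PrivateKey, *rsa.PrivateKey, error) {
	sPub, sPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	rPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	return sPub, sPriv, rPriv, err
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal signs first, so the signature covers the real content and is itself
// hidden, then encrypts under a fresh key that only the receiver can unwrap.
func Seal(senderID string, senderKey ed25519.PrivateKey, receiver *rsa.PublicKey, plaintext []byte) (Envelope, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Envelope{}, err
	}
	cek, nonce := buf[:32], buf[32:]
	aead, err := gcm(cek)
	if err != nil {
		return Envelope{}, err
	}
	inner := append(append([]byte{}, plaintext...), ed25519.Sign(senderKey, plaintext)...)
	// The sender ID is bound as associated data: it travels in clear, but
	// changing it makes the ciphertext fail to open.
	ct := aead.Seal(nil, nonce, inner, []byte(senderID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiver, cek, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{SenderID: senderID, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open reverses Seal: unwrap the key, decrypt, then check the signature
// against the key the directory holds for the claimed sender.
func Open(env Envelope, receiver *rsa.PrivateKey, senders Directory) ([]byte, error) {
	pub, ok := senders[env.SenderID]
	if !ok {
		return nil, errors.New("unknown sender")
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiver, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap key: not addressed to this receiver")
	}
	aead, err := gcm(cek)
	if err != nil {
		return nil, err
	}
	inner, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.SenderID))
	if err != nil {
		return nil, errors.New("ciphertext or sender ID tampered")
	}
	if len(inner) < ed25519.SignatureSize {
		return nil, errors.New("message too short to carry a signature")
	}
	cut := len(inner) - ed25519.SignatureSize
	plaintext, sig := inner[:cut], inner[cut:]
	if !ed25519.Verify(pub, plaintext, sig) {
		return nil, errors.New("signature invalid: the sender cannot be held to this message")
	}
	return plaintext, nil
}
```

Signing the plaintext rather than the ciphertext is what gives non-repudiation of the content: the signature stays valid evidence even after the message has been re-encrypted or archived in clear, and it cannot be stripped and re-attached to someone else's ciphertext because it is inside the encrypted part.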

Safeguarding Data

How can you protect your data and software?

• Use and maintain anti-virus software and a firewall
• Regularly scan your computer (viruses, spyware…)
• Keep software up to date
• Evaluate your software's settings
• Avoid unused software programs
• Create separate user accounts
• Establish guidelines for computer use
• Use passwords and encrypt sensitive files
• Set up and follow corporate policies for handling and storing data
• Dispose of sensitive information properly
• Follow good security habits

Anonymisation I

= Make it impossible to establish or indicate who or what (someone or something) is

• remove any direct identifiers (SSN, name, DOB…)

• replace direct identifiers by indirect patient IDs (Pseudonymisation) – requires a trusted third party

  – reversible pseudonymisation (encryption with a key)

  – irreversible pseudonymisation (hash, …); the hash must be keyed with a secret held by the trusted third party, since a plain hash over a small identifier space such as SSNs can be reversed by hashing every candidate

Anonymisation II

• ensure that any combination of data cannot identify an individual – not easy, especially for sparse data

  – k-anonymity: every combination of quasi-identifiers (age, sex, postcode, …) that appears in the released data is shared by at least k records

• use aggregated data only (no individual data sets) – all analyses have to be done at the data source

  – further calculations are not possible
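Added example, not from the original slides: a small k-anonymity check in Go over constructed records. It computes the k actually achieved for a given generalisation of the quasi-identifiers (age band, postcode prefix), searches a ladder of generalisations for the finest one that reaches a target k, reports failure when no rung does (the sparse-data problem above), and emits aggregated cells with small groups suppressed, which is the shape of the aggregated "statistical objects" in the BIRO architecture later in the deck. The sample rows, the ladder order and the suppression rule are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Row is one patient record: three quasi-identifiers and one clinical value.
type Row struct {
	Age      int
	Sex      string
	Postcode string
	HbA1c    float64
}

// Generalisation says how coarsely the quasi-identifiers are reported; 0 suppresses the attribute.
type Generalisation struct {
	AgeBand        int // width of the age band, e.g. 10 gives "30-39"
	PostcodeDigits int // leading digits kept, e.g. 2 gives "80"
}

func (g Generalisation) key(r Row) string {
	age, pc := "*", "*"
	if g.AgeBand > 0 {
		lo := r.Age / g.AgeBand * g.AgeBand
		age = fmt.Sprintf("%d-%d", lo, lo+g.AgeBand-1)
	}
	if n := g.PostcodeDigits; n > 0 {
		if n > len(r.Postcode) {
			n = len(r.Postcode)
		}
		pc = r.Postcode[:n]
	}
	return age + "|" + r.Sex + "|" + pc
}

func classes(rows []Row, g Generalisation) map[string][]Row {
	out := map[string][]Row{}
	for _, r := range rows {
		out[g.key(r)] = append(out[g.key(r)], r)
	}
	return out
}

// K is the anonymity actually achieved: the size of the smallest class.
func K(rows []Row, g Generalisation) int {
	k := 0
	for _, c := range classes(rows, g) {
		if k == 0 || len(c) < k {
			k = len(c)
		}
	}
	return k
}

// ladder orders generalisations from finest to coarsest (an assumed order).
var ladder = []Generalisation{{1, 4}, {5, 4}, {10, 4}, {5, 3}, {10, 3}, {5, 2}, {10, 2}, {20, 2}, {10, 1}, {20, 1}, {20, 0}, {0, 0}}

// Generalise returns the finest rung that reaches k. false is the failure mode
// the slide warns about: sparse data may not reach k without losing its value.
func Generalise(rows []Row, k int) (Generalisation, bool) {
	for _, g := range ladder {
		if K(rows, g) >= k {
			return g, true
		}
	}
	return Generalisation{}, false
}

// Cell is one line of an aggregated "statistical object"; groups below k are suppressed.
type Cell struct {
	Group      string
	Count      int
	MeanHbA1c  float64
	Suppressed bool
}

func Aggregate(rows []Row, g Generalisation, k int) []Cell {
	var cells []Cell
	for key, c := range classes(rows, g) {
		cell := Cell{Group: key, Count: len(c), Suppressed: len(c) < k}
		for _, r := range c {
			if !cell.Suppressed { // a mean over a tiny group would itself leak values
				cell.MeanHbA1c += r.HbA1c / float64(len(c))
			}
		}
		cells = append(cells, cell)
	}
	sort.Slice(cells, func(i, j int) bool { return cells[i].Group < cells[j].Group })
	return cells
}

// Sample is constructed for this example; it is not registry data.
var Sample = []Row{
	{34, "F", "8010", 7.1}, {37, "F", "8020", 6.8}, {39, "F", "8010", 8.2},
	{52, "M", "8010", 7.9}, {55, "M", "8041", 6.5}, {58, "M", "8020", 7.4},
	{61, "F", "1010", 7.0}, {64, "F", "1030", 8.8}, {67, "F", "1010", 6.9},
	{42, "M", "1010", 7.7}, {45, "M", "1020", 6.6}, {48, "M", "1030", 8.0},
}
```

On the constructed sample the raw data are only 1-anonymous, a 10-year age band with a two-digit postcode prefix reaches k = 3, and no rung of the ladder reaches k = 7 short of suppressing everything but sex; the Count of a suppressed cell is still returned so the caller can decide whether to merge or drop it.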

Data flow through Trusted Third Party (the case of the Disease Management Program in Austria)

[Diagram, flattened. Components, left to right: Physician office (Physician Software, Browser, Terminal, Stand-alone Client); Health Information Network (GINA e-card Central System); Internet; Social Insurance Data Centre (Social Insurance online Portal, Pseudonymisation centre, DMP Administration Software, DMP Medical Data Repository).]

Steps shown in the diagram:

• Documentation
• Prepare Data: Check, Split
  – Administrative and Risk Data
  – Clinical Data: Sign+Encrypt
• Data Transmission: Administrative + Risk Data travel with the SSN; Clinical Data travel with the SSN to the Pseudonymisation centre, where the SSN is replaced by a Pseudonym before the Clinical Data go on to the repository
• Sign+Submit (Risk Data, Clinical Data)
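Added example, not from the original slides, covering the pseudonymisation bullets of Anonymisation I and the data flow above: in Go, a record is split at the practice into the administrative/risk half (which keeps the SSN) and the sealed clinical half, and a trusted third party replaces the SSN in the clinical half by a keyed pseudonym (HMAC-SHA256 under a secret only it holds). The same code shows why the hash must be keyed: Reidentify recovers the SSN from an unkeyed SHA-256 pseudonym by enumerating candidates, but not from the keyed one. The SSN values, the secret and the candidate list are constructed; reversible pseudonymisation (encryption under a TTP key) is not shown.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is what the physician software holds before the split.
type Record struct {
	SSN            string
	Risk           string // administrative and risk data
	SealedClinical []byte // clinical data, already signed and encrypted at the practice
}

// AdminRisk goes to DMP administration and keeps the SSN.
type AdminRisk struct{ SSN, Risk string }

// Clinical goes to the medical data repository under a pseudonym only.
type Clinical struct {
	Pseudonym      string
	SealedClinical []byte
}

// TTP is the pseudonymisation centre. It alone holds the secret, and because
// the clinical part arrives sealed it sees only the SSN it replaces.
type TTP struct{ secret []byte }

// Pseudonym is keyed and deterministic: one SSN always maps to one pseudonym,
// so a patient's records stay linkable, but without the secret the SSN cannot
// be recovered from it. This is the slide's "irreversible pseudonymisation
// (hash)", done with a key.
func (t TTP) Pseudonym(ssn string) string {
	m := hmac.New(sha256.New, t.secret)
	m.Write([]byte(ssn))
	return hex.EncodeToString(m.Sum(nil)[:16])
}

// Route models the diagram: split at the practice, SSN replaced at the TTP.
func Route(t TTP, r Record) (AdminRisk, Clinical) {
	admin := AdminRisk{SSN: r.SSN, Risk: r.Risk}
	clinical := Clinical{Pseudonym: t.Pseudonym(r.SSN), SealedClinical: r.SealedClinical}
	return admin, clinical
}

// UnkeyedPseudonym is the tempting shortcut: a plain SHA-256 of the SSN.
func UnkeyedPseudonym(ssn string) string {
	d := sha256.Sum256([]byte(ssn))
	return hex.EncodeToString(d[:16])
}

// Reidentify is the attacker: hash every candidate identifier the way the
// pseudonym was (supposedly) made and look for a match. SSNs are a small,
// structured space, so enumerating them all is cheap.
func Reidentify(pseudonym string, candidates []string, scheme func(string) string) (string, bool) {
	for _, c := range candidates {
		if scheme(c) == pseudonym {
			return c, true
		}
	}
	return "", false
}

func main() {
	ttp := TTP{secret: []byte("constructed secret held only by the TTP")}
	rec := Record{SSN: "1234010180", Risk: "smoker, BMI 31", SealedClinical: []byte("<sealed blob>")}
	admin, clin := Route(ttp, rec)
	fmt.Printf("administration gets SSN %s; repository gets pseudonym %s\n", admin.SSN, clin.Pseudonym)

	// Constructed candidate set; a real attacker enumerates every valid number.
	candidates := []string{"1111010180", "1234010180", "9999311299"}
	hit, ok := Reidentify(UnkeyedPseudonym(rec.SSN), candidates, UnkeyedPseudonym)
	fmt.Println("unkeyed hash reversed:", ok, hit)
	_, ok = Reidentify(clin.Pseudonym, candidates, UnkeyedPseudonym)
	fmt.Println("keyed pseudonym reversed without the key:", ok)
}
```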

Local Aggregation of Data (the case of the BIRO Reporting Architecture)

[Diagram, flattened.]

Partner Work (local): Source Dataset → Conversion → Local BIRO Database Engine → Statistical Analysis → Aggregated Data ("Statistical Objects", e.g. |A|12|1|5| |B|18|2|6| |C|16|1|4|) → Sender

Transport: Authenticated, Signed & Encrypted Communication

Central BIRO System: Receiver → Regional Data Processing (Regional Register) → BIRO Database → BIRO Central Engine → Report

Thanks for your attention!