genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... ·...

‐1:KeyChallenges• DataintheCloud,• mobilesolutions,thetrendtowardssoftware‐as‐a‐service,and• themassiveincreaseintheamountofdata……inthemedicalarearequirealotoffutureeffortinPrivacy,DataProtection,SecurityandSafety.Thechallengesofdataintegration,datafusionandtheincreaseduseofdataforsecondaryuseputtheseissuesfroma“nice‐to‐have”intothekeyinterest.Example:InJanuary2013,theUSDepartmentofHealthandHumanServicesreleasedtheOmnibusFinalRule,whichsignificantlymodifiedtheprivacyandsecuritystandardsundertheHealthInsurancePortabilityandAccountabilityAct(HIPAA).Thesenewregulationsweredrivenbyaneedtoensuretheconfidentiality,integrity,andsecurityofpatients’protectedhealthinformation(PHI)inelectronichealthrecords(EHRs)andaddressestheseconcernsbyexpandingthescopeofregulationsandincreasingpenaltiesforPHIviolations(Wang&Huang,2013).

8

According toaclassicsurveybyAmalberti etal.(2005)wecandeterminebetweenveryriskyenterprises,typicallyHimalayamountaineeringandrelativelysaveenterpriseswithlowrisk,typicallycommerciallarge‐jetaviation.Themedicalareaisinbetween,withatendencytotheHimalayadependingonthehealtharea.

9

These arethestudyresultspresentedbyAmalberti (2005),rangingfromveryunsave toultrasave.Inmanyclinicaldomains,suchastraumasurgery,therateofseriouscomplicationsisrelativelyhigh,butnotallcomplicationsarerelatedtomedicalerrors.Incontrast,somehealthcaresectors,e.g.gastroenterologic endoscopy,areverysafe.

Thesizeoftheboxrepresentstherangeofriskinwhichagivenbarrierisactive.Reductionofriskbeyondthemaximumrangeofabarrierpresupposescrossingthisbarrier.Shadedboxesrepresentthe5systembarriers.ASAAmericanSocietyofAnesthesiologists.

10

‐4Definitions:Privacy,Security‐ SafetyPrivacy=includetheindividualrightsofpeopletoprotecttheirpersonallifeandmattersfromtheoutsideworld;Safety=anyprotectionfromharm,injury,ordamage;aweightingprocessreflectshowcomfortableanorganizationdealswithitsriskexposure.Accidentratesinhealthcarecurrentlyrangefrom10‐1to10‐7eventsperexposure(Amalberti,Auroy,Berwick&Barach,2005).Security=(intermsofcomputer,data,informationsecurity)meansprotectingfromunauthorizedaccess,use,modification,disruptionordestructionetc.;Agoodexamplefortheseissuesistheelectronichealthrecordin→Slide11‐26:Thepatientdatamustbeconfidential,secureandsafe,whilstatthesametimeitmustbeusable,useful,accurate,up‐to‐dateandaccessible.

11

12

Aswehavealreadyheardinlecture7,theInstituteofMedicine(IOM)releasedareportin1999entitled‘‘ToErrisHuman:BuildingaSaferHealthSystem’’.TheIOMreportcalledfora50%reductioninmedicalerrorsover5years.Itsgoalwastobreakthecycleofinactionregardingmedicalerrorsbyadvocatingacomprehensiveapproachtoimprovepatientsafety.Thehealthcareindustryrespondedwithawiderangeofpatientsafetyeffortsandsafetywasatopicforresearchers(Figure11‐3).Hospitalinformationsystemsvendorsadoptedsaferpracticesandemphasizedthatsafetywasalsonowapriorityforthem(Stelfox etal.,2006).However,sofarnocomprehensivenationwidemonitoringsystemexistsforpatientsafety,andarecenteffortbytheAgencyforHealthcareResearchandQuality(AHRQ)togetanationalestimatebyusingexistingmeasuresshowedlittleimprovement(Leape &Berwick,2005).KohnL.T.,Corrigan,J.M.,Donaldson,M.S.(1999):ToErrisHuman:BuildingaSaferHealthSystem,NationalAcademyPress,Washington(DC)

FiveyearsaftertheIOMreport

ChangesinpatientsafetypublicationsAlargeshiftinthenumberofpatientsafetypublicationsfollowedthereleaseoftheIOMreport(fig1).Anaverageof59patientsafetyarticleswerepublishedper100000MEDLINEpublicationsinthe5yearsbeforetheIOMreport;thisincreasedto164articlesper100000MEDLINEpublicationsinthe5yearsafterpublicationofthereport(p,0.001).Evenaftercontrollingforanexisting3%perquarterupwardtrend(p,0.001),therateofpatientsafetypublicationsincreasedimmediatelyafterthereleaseoftheIOMreportby64%(p,0.001).Significantlyincreasedratesofpublicationwereobservedforalltypesofpatientsafetyarticles(table1).RatesofpatientsafetypublicationsinthetopgeneralmedicaljournalsmirroredthoseinMEDLINEindexedjournals,averagingfourarticlesper100000MEDLINEpublicationsbeforetheIOMreportand13articlesper100000MEDLINEpublicationsaftertheIOMreport(p,0.001).

13

Herewesethat thereportstimulatedresearchtoacertainextent.

14

http://www.scientificamerican.com/blog/post.cfm?id=deaths‐from‐avoidable‐medical‐error‐2009‐08‐10

15

Ötzi theIceman(Similaun Man)istheoldestpreservednaturalmummyofamanwholivedaround3300BC

16

Asyoucanstillreadinthenewspaperswrong‐sitesurgeryisstillabigissue,oras{Manjunath,2010#4665}putitforwarditisaclearandconstantfear.

17

TheECMmedicalversionconsistsof20codes,dividedintofourcategories(Fig.1),frequentlyusedinamedicalenvironmenttoclassifytheunderlyingcausesoftheadverseevents[11].

II.EXTENDEDEINDHOVENCLASSIFICATIONMODELAlargenumberofdifferentsystemshavebeenusedtoclassifyeventsregardingtopatientsafety[10].Manyofthemethodsusedtoanalyzepatientsafetywereadaptedfromrisk‐managementtechniquesinindustries,especiallyinhigh‐riskindustriessuchasthechemical,nuclearpowerandaviationindustry[5].TheEindhovenClassificationModel(ECM)wasoriginallydevelopedtomanagehumanerrorinthechemicalprocessindustryandwasthenappliedtovariousotherindustries,suchassteelindustry,energyproductionandinhealthcare.TheECMmedicalversionconsistsof20codes,dividedintofourcategories(Fig.1),frequentlyusedinamedicalenvironmenttoclassifytheunderlyingcausesoftheadverseevents[11].

18

‐11AdverseeventreportingandlearningsystemHereweseetheAEMI(AdverseEventsinMedicalImaging)systemdevelopedby(Rodriguesetal.,2010),whichintendstoreducetheamountoftimeandmanuallaborrequiredforanalyis.TheAEMIarchitectureincludestreemodules:1)AdverseEventsReportingFormsinMedicalImaging(AERFMI),2)AdverseEventsManagerReportsinMedicalImaging(AERMMI)and3)KnowledgeManagerAdverseEventsinMedicalImaging(AEKMMI).AERFMIprovidestheWebinterfaceforadverseeventsregistration.Theeffortonthisinterfacewasfocusedinitsusability.AERMMIisalsoWebbasedandaimstoenabletheindividualanalysisofeachadverseeventrecordedbyAERFMIandprovidessomerelevantstatisticsrelatedtothevariouseventsregistered.AEKMMIisaJavaapplication.ThismoduleusesthedatafromthesystemdatabasetocreateaKnowledgeBase(KB)basedontheEECMusingthelogicprogramminglanguageProlog(Rodriguesetal.,2010).

19

‐12Review:FrameworkforunderstandinghumanerrorInlecture7wediscussedaframeworkfordemonstratinghowhumanerror–resultinginadverseevents– arise.Remember,theframeworkconsistsofthreecomponents:1)Humanfallibilityaddressesthefundamentalsensory,cognitive,andmotorlimitationsofhumansthatpredisposethemtoerror;2)Contextreferstosituationalvariablesthatcanaffectthewayinwhichhumanfallibilitybecomesmanifest;and3)BarriersconcerningthevariouswaysInwhichhumanerrorscanbecontained;Wewillnowfocusononeparticularissueinthethirdcomponent:Thenextslideshowsthefamous“Swisscheese”modelofaccidentcausation.

20

‐13Reason(1997)SwissCheeseModelThe“Swisscheese”modelofaccidentcausationemphasizesthatadverseeventsoccurwhenactivefailuresalignwithgapsorweaknessesinthesystemspermittinganerrortogountrapped anduncompensated(Sundt,Brown&Uhlig,2005).Themodelwasoriginallydevelopedby(Reason,1997),andagoodreadingis(Reason,2000).

21

‐14Riskmanagement‐ FAASystemSafetyWewilltalkaboutriskmanagementalsointhelastlecture,butweneedthedefinitionsnowforacommonunderstanding,andlookattheimagetoprightintheslide:Totalrisk=identified+unidentifiedrisks.Identifiedrisk=determinedthroughvariousanalysistechniques.Thefirsttaskofsystemsafetyistoidentify,withinpracticallimitations,allpossiblerisks.Thisstepprecedesdeterminethesignificanceoftherisk(severity)andthelikelihoodofitsoccurrence(hazardprobability).Thetimeandcostsofanalysisefforts,thequalityofthesafetyprogram,andthestateoftechnologyimpactthenumberofrisksidentified.Unidentifiedriskistherisknotyetidentified.Someunidentifiedrisksaresubsequentlyidentifiedwhenamishapoccurs.Someriskisneverknown.Unacceptableriskisthatriskwhichcannotbetoleratedbythemanagingactivity.Itisasubsetofidentifiedriskthatmustbeeliminatedorcontrolled.Acceptableriskisthepartofidentifiedriskthatisallowedtopersistwithoutfurtherengineeringormanagementaction.Makingthisdecisionisadifficultyetnecessaryresponsibilityofthemanagingactivity.Thisdecisionismadewithfullknowledgethatitistheuserwhoisexposedtothisrisk.Residualriskistheriskleftoveraftersystemsafetyeffortshavebeenfullyemployed.Itisnotnecessarilythesameasacceptablerisk.Residualriskisthesumofacceptableriskandunidentifiedrisk.Thisisthetotalriskpassedontotheuser.

22

‐15ImprovingSafetywithIT– ExampleMobilePatientsafetyinhealthcareistheequivalentofsystemssafetyinindustry,whichisusuallybuiltinfoursteps:(1)measuringriskandplanningtheidealdefensemodel,(2)assessingthemodelagainsttherealbehaviorofprofessionals,andmodifyingthemodelorinducingachangeinbehaviorwhentherearegaps,(3)adoptingabettermicro‐ andmacro‐organization,(4)graduallyre‐introducingwithintheratherrigid,prescriptivesystembuiltinsteps1–3somelevelofresilienceenablingittoadapttocrisesandexceptionalsituations.Inthisslideweseeanexampleofamobilesystemscreeningforlaboratoryabnormalities,forexample,hypokalemiaandadecreasinghaematocrit,wouldrequireurgentactionbutoccurrelativelyinfrequently,oftenwhenaclinicianisnotathand,andsuchresultscanbeburiedamidlesscriticaldata.Suchmobilesystemscanidentifyandrapidlycommunicatetheseproblemstocliniciansautomatically(Bates&Gawande,2003).

23

24

Slide11‐16:EnhancingPatientSafetywithubiquitousdevicesThisisanotherexampleonhow,forexamplewrongsitesurgerycanbeavoided:PatientscheckinattheHospital– inadditiontoanordinarywristbandanRFIDtransponderissupplied.Patientdataisenteredviaourapplicationatthecheck‐in‐point,anypreviouspatientdatacanberetrievedfromtheHIS.Fromthisinformation,uncriticalbutimportantdata(suchasname,bloodtype,allergies,vitalmedicationetc.)istransferredtothewristband’sRFIDtransponder.TheElectronicPatientRecord(EPR)iscreatedandstoredatthecentralserver.Fromthistimethepatientiseasilyandunmistakablyidentifiable.Allinformationcanbereadfromthewristband’stransponderorcanbeeasilyretrievedfromtheEPRbyidentifyingthepatientwithareader.Incontrasttomanualidentification,automaticprocessesarelesserror‐prone.Unlikebarcodes,RFIDtransponderscanbereadwithoutlineofsight,throughthehumanbodyandmostothermaterials.Thisenablesphysiciansandnursestoretrieve,verifyandmodifyinformationintheHospitalaccuratelyandinstantly.Inaddition,thissystemprovidespatientidentificationandpatientdata– evenwhenthenetworkiscrashed(Holzinger,Schwaberger &Weitlaner,2005)

‐17:SecurityProblemsofubiquitouscomputingSecurityrequiresconfidentiality(akasecrecy),integrityandavailability.Allotherrequirementssuchasnon‐repudiationcanbetracedbacktooneofthesethreerequirements.Non‐repudiation,forinstance,canbeseenasaspecialcaseofintegrity,i.e.theintegrityoflogdatarecording.Themostwell‐knownsecurityrequirementisconfidentiality.Itmeansthatusersmayobtainaccessonlytothoseobjectsforwhichtheyhavereceivedauthorization,andwillnotgetaccesstoinformationtheymustnotsee.Theintegrityofthedataandprogramsisjustasimportantasconfidentialitybutindailylifeitisfrequentlyneglected.Integritymeansthatonlyauthorizedpeoplearepermittedtomodifydata(orprograms).Secrecyofdataiscloselyconnectedtotheintegrityofprogramsofoperatingsystems.Iftheintegrityoftheoperatingsystemiscompromised,thentheintegrityofthedatacannolongerbeguaranteed.Thereasonisthatapartoftheoperatingsystem(i.e.thereferencemonitor)checksforeachaccesstoaresourcewhetherthesubjectisauthorizedtoperformtherequestedoperation.Sincetheoperatingsystemiscompromisedthereferencemonitorisnolongertrustworthy.Itisthenobviousthatsecrecyofinformationcannotbeguaranteedanylongerifthismechanismisnotworking.Forthisreasonitisimportanttoprotecttheintegrityofoperatingsystemsjustasproperlyasthesecrecyofinformation.ItisthroughtheInternetthatmanyusershavebecomeawarethatavailabilityisoneofthemajorsecurityrequirementsforcomputersystems.Availabilityisdefinedasthereadinessofasystemforcorrectservice.Withgrowingubiquitouscomputinginhealthcaresecurityproblemsareincreasing(Weippl,Holzinger&Tjoa,2006):1)Protectionprecautions:vulnerabilitytoeavesdropping,trafficanalysis,spoofinganddenialofservice.Securityobjectives,suchasconfidentiality,integrity,availability,authentication,authorization,nonrepudiationandanonymityarenotachievedunlessspecialsecuritymechanismsareintegratedintothesystem.2)Confidentiality:thecommunicationbetweenreaderandtagisunprotected,exceptofhigh‐endsystems(ISO14443).Consequently,eavesdropperscanlisteniniftheyareinimmediatevicinity.3)Integrity:Withtheexceptionofhigh‐endsystemswhichusemessageauthenticationcodes(MACs),theintegrityoftransmittedinformationcannotbeassured.Checksums(cyclicredundancychecks,CRCs)areused,butprotectonlyagainstrandomfailures.Thewritabletagmemorycanbemanipulatedifaccesscontrolisnotimplemented.

25

‐18ClinicalExample:Context‐awarepatientsafety1/2(Bardram &Norskov,2008)developedacontextawarepatientsafetyandinformationsystem(CAPSIS)designedforuseduringsurgery,designedtomonitorwhatisgoingonintheoperatingroom(OR).Thisinformationisusedtodisplaymedicaldatatothecliniciansattheappropriatetime,andtoissuewarningsifanysafetyissuesaredetected.CAPSISwasimplementedusingtheJavaContext‐AwarenessFramework(JCAF)andmonitorssuchinformationasthestatusoftheoperation;thestatusandlocationofthepatient;thelocationofthecliniciansintheoperatingteam;andequipment,medication,andbloodbagsusedintheoperatingroom.ThisinformationisacquiredandhandledbytheJCAFcontextawarenessinfrastructure,andaspecialsafetyservice,implementedbymeansoftheJavaExpertSystemShell(Jess),isusedforoverallreasoningonwhatactionsshouldbetakenorwhatwarningsshouldbeissued.CAPSISdiffersfromotherpatientsafetysystemsinbeingdesignedtomonitoreverything(orasmanythingsaspossible)intheOR,andthereforetobecapableofreasoningacrosstheentiregamutoffactspertainingtothesituationintheOR.Itthussupplementshumanvigilanceonsafetybyprovidingamachinecounterpartthatiscapableofdrawinginferences(Bardram &Norskov,2008).

26

‐19ClinicalExample:Contextawarepatientsafety2/2ThisslideshowstheuserinterfaceoftheCAPSISsystem,whichconsistsof4windows:(A)isthemainpatientsafetywindow,whichprovidesanoverviewofthepatient’ssafetystatusfortheoperationinquestion;(B)showsthepatient’smedicalrecord;(C)showsthepatient’smedicalimages;and(D)showstherelevantchecklistforthegivensurgicalprocedure.Thepatientsafetywindow(A)iscomposedofthreepanels:thepatientpanel,thestaffpanelandthepatientsafetypanel.Thepatientpanelaggregatesimportantinformationaboutthecurrentpatientandsurgery,includingthepatient’sname,socialsecuritynumber(SSN),allergies(CAVE),picture,scheduledsurgery,andcurrentstatusandlocation.Themainpurposeofthisframeistohelpthesurgicalstaffavoidthethreebigwrongs:wrongpatient,wrongprocedureandwrongsurgicalsite,aswellaspresentingvitalinformationonthesafetyofthepatientsuchastheCAVElistandpatientstatus(Bardram &Norskov,2008).

27

‐20PatientSafetyPatientsafetyinhealthcareistheequivalentofsystemssafetyinindustry,whichisusuallybuiltinfoursteps:(1)measuringriskandplanningtheidealdefensemodel,(2)assessingthemodelagainsttherealbehaviorofprofessionals,andmodifyingthemodelorinducingachangeinbehaviorwhentherearegaps,(3)adoptingabettermicro‐ andmacro‐organization,(4)graduallyre‐introducingwithintheratherrigid,prescriptivesystembuiltinsteps1–3somelevelofresilienceenablingittoadapttocrisesandexceptionalsituations.Thedevelopmentofpatientsafetyhasnowherenearreachedstep4exceptinspecificareassuchasbloodtransfusionorlaboratorytesting.Evenstep1hasnotbeencompleted(Amalberti etal.,2011).

28

‐21TypesofadverseeventsinmedicineandcareAnerrormayormaynotcauseanadverseevent.Adverseeventsareinjuriesthatresultfromamedicalinterventionandareresponsibleforharmtothepatient(death,life‐threateningillness,disabilityatthetimeofdischarge,prolongationofthehospitalstay,etc.).Forexample,anearmiss(Number6inthisslide)isanadverseeventthateitherresolvesspontaneouslyorisneutralizedbyvoluntaryactionbeforetheconsequenceshavetimetodevelop.Adverseeventsmaybeduetomedicalerrors,inwhichcasetheyarepreventable,ortofactorsthatarenotpreventable;so,theoccurrenceisalwaysacombinationofhumanfactorsandsystemfactors(Garrouste‐Orgeas etal.,2012).

29

‐22Safety,Security‐>TechnicalDependabilityDependabilityconsistsofthreeparts:thethreatsto,theattributesof,andthemeansbywhichdependabilityisattained,asshowninthisslide.Computingsystemsarecharacterizedbyfivefundamentalproperties:functionality,usability,performance,cost,anddependability.Dependabilityofacomputingsystemistheabilitytodeliverservicethatcanjustifiablybetrusted.Thetrust‐factorisperceivedbytheusers(rememberthePreviousExposuretoTechnology,PET‐Factor(Holzinger,Searle&Wernbacher,2011)),andauserisanothersystem(human)thatinteractswiththeformerattheserviceinterface.Thefunctionofasystemiswhatthesystemisintendedtodo,andisdescribedbythefunctionalspecification.Correctserviceisdeliveredwhentheserviceimplementsthesystemfunction.Asystemfailureisaneventthatoccurswhenthedeliveredservicedeviatesfromcorrectservice.Afailureisthusatransitionfromcorrectservicetoincorrectservice,i.e.,tonotimplementingthesystemfunction.Thedeliveryofincorrectserviceisasystemoutage.Atransitionfromincorrectservicetocorrectserviceisservicerestoration.Basedonthedefinitionoffailure,an3alternatedefinitionofdependability,whichcomplementstheinitialdefinitioninprovidingacriterionforadjudicatingwhetherthedeliveredservicecanbetrustedornot:theabilityofasystemtoavoidfailuresthataremorefrequentormoresevere,andoutagedurationsthatarelonger,thanisacceptabletotheuser(s).Intheoppositecase,thesystemisnolongerdependable:itsuffersfromadependabilityfailure,thatisameta‐failure(Avizienis,Laprie &Randell,2001).

30

‐23Typesoffaults:Design– Physical– InteractionCombiningtheelementaryfaultclassesleadstothetreeinthisslide:Theleavesofthetreeleadintothreemajorfaultclassesforwhichdefensesneedtobedevised:designfaults,physicalfaults,interactionfaults.Theboxesinthisslidepointatgenericillustrativefaultclasses.Non‐maliciousdeliberatefaultscanariseduringeitherdevelopmentoroperation.Duringdevelopment,theyresultgenerallyfromtradeoffs,eithera)aimedatpreservingacceptableperformanceandfacilitatingsystemutilization,orb)inducedbyeconomicconsiderations;suchfaultscanbesourcesofsecuritybreaches,intheformofcovertchannels.Non‐maliciousdeliberateinteractionfaultsmayresultfromtheactionofanoperatoreitheraimedatovercominganunforeseensituation,ordeliberatelyviolatinganoperatingprocedurewithouthavingrealizedthepossiblydamagingconsequencesofhisorheraction.Non‐maliciousdeliberatefaultssharethepropertythatoftenitisrecognizedthattheywerefaultsonlyafteranunacceptablesystembehavior,thusafailure,hasensued;thespecifier(s),designer(s),implementer(s)oroperator(s)didnotrealizethattheconsequenceofsomedecisionoftheirswasafault(Avizienis,Laprie &Randell,2001).

31

‐24ATwo‐TieredSystemofMedicineThistableby(Amalberti,Auroy,Berwick&Barach,2005)showadetailedcomparisonofthese2possibletiersofhealthcare.Physiciantrainingwouldhavetoaccommodatethis2‐tieredapproach,andpatientswouldhavetounderstandthataggressivetreatmentofhigh‐riskdiseasemayrequireacceptanceofgreaterriskandnumberofmedicalerrorsduringclinicaltreatment.

32

‐25TowardastrategicviewonsafetyinhealthcareAnimprovedvisionbyleadershipofthesafetyanddangersofhealthcareisneededtooptimizetherisk–benefitratio.Stratificationcouldleadto2tiersor“speeds”ofmedicalcare,eachwithitsowntypeandlevelofsafetygoals.This2‐tiersystemcoulddistinguishbetweenmedicaldomainsthatarestableenoughtoreachcriteriaforultrasafety andthosethatwillalwaysdealwithunstableconditionsandarethereforeinevitablylesssafe.Formedicine,high‐reliabilityorganizationsmayofferasoundsafetymodelandHigh‐reliabilityorganizationsarethosethathaveconsistentlyreducedthenumberofexpectedor“normal”accidents(accordingtothenormalaccidenttheory)throughsuchmeansaschangetocultureandtechnologicadvances,despiteaninherentlyhigh‐stress,fast‐pacedenvironment(Amalberti,Auroy,Berwick&Barach,2005).

33

34

Slide11‐26RequirementsofanelectronicpatientrecordRemembertherequirementstoapatientrecordfromtheviewpointofensuringprivacy:Thepatientdatamustbeconfidential,secureandsafe,whileatthesametimemustbeusable,useful,accurate,up‐to‐dateandaccessible.

‐27Pseudonymization ofInformationforPrivacy1/8Anexcellentpaperby(Neubauer &Heurix,2011)shallprovideagoodteachingexample,inthefollowingconsistingof8slides.Protectionofthepatients’dataprivacycanbeachievedwithtwodifferenttechniques,anonymization andencryption,whichunfortunatelybothsufferfrommajordrawbacks:Whileanonymization – theremovaloftheidentifierfromthemedicaldata– cannotbereversedandthereforepreventsprimaryuseoftherecordsbyhealthcareproviderswhoobviouslyneedtoknowthecorrespondingpatient(asaminorpoint,patientscannotbenefitfromtheresultsgainedinclinicalstudiesbecausetheycannotbeinformedaboutnewfindingsetc.),encryptionofthemedicalrecordspreventsthemfrombeingusedforclinicalresearch(secondaryuseofclinicaldata).Atleastwithouttheexplicitpermissionofthepatient,whohastodecryptthedataand,indoingso,revealsheridentity.Consideringthatsomemedicalrecordscanbeverylarge,encryptioncanalsobeseenasatime‐consumingoperation.Amethodthatresolvestheseissuesispseudonymization,whereidentificationdataistransformedandthenreplacedbyaspecifier thatcannotbeassociatedwiththeidentificationdatawithoutknowingacertainsecret.Pseudonymization allowsthedatatobeassociatedwithapatientonlyunderspecifiedandcontrolledcircumstances(Neubauer &Heurix,2011).Aimedtoprovideapseudonymization service,PIPE(Pseudonymization ofInformationforPrivacyine‐Health)canbeappliedtodifferentscenarios:Inthelocalscenario,thePIPEserverpseudonymizes onlyrecordsstoredinthelocal(health)datarepositoryandmakesthemavailabletoalocal(healthcareprovider’s)workstationwherebothpatientandhealthcareproviderinteractwiththepseudonymization serveraspartofahealthcareproviderenvironment(e.g.,withahospitalinformationsystem).Inanalternativecentralscenario,thePIPEpseudonymization serverisresponsibleforprovidinglinkinginformationtodifferenthealthrecordsstoredatdistributedlocations.Intheslidetwoseparatehealthcareproviderenvironmentsexistwheretheindividualworkstationshavedirectaccesstotheirlocaldatarepositories.Viathepseudonymization service,thehealthcareprovidersareabletoaccessrecordsofotherdomainsiftheyareexplicitlyauthorizedtodoso.Inthisscenario,thepatientalsohastheopportunitytoretrievetherecordsathome(Neubauer &Heurix,2011).

35

‐28Pseudonymization ofInformationforPrivacy2/8ThePIPEprotocolusesacombinationofsymmetricandasymmetriccryptographickeystorealizealogicalmulti‐tierhullmodelwiththreedifferentlayers,whereeachlayerisresponsibleforonestepinthedataaccessprocess.Theuserhastopassalllayersinordertoretrievetheactualhealthdatarecords.Theouterpublicandouterprivatekeysformtheouterlayer,theauthenticationlayer,whichisresponsibleforunambiguouslyidentifyingthecorrespondinguser.Togetherwiththeuser’sidentifier,theouterprivatekeyrepresentstheauthenticationcredentials,whicharestoredalongwiththeserver’spublickeyontheuser’ssmartcard.IncombinationwiththecorrectPIN,thesmartcardprovidestwo‐factorauthentication,wheretheauthenticationprocedureinvolvesboththeuser’sandthePIPEserver’souterkeypair,theuser’sidentifier,andtworandomlyselectedchallenges.Themiddlelayer,theauthorizationlayer,consistsoftheuser’sinnerasymmetrickeypair andtheinnersymmetrickey.Whiletheuser’souterprivatekeyiscreatedonthesmartcardwhenthecardisissuedtotheuserandneveractuallyleavesthecard,theotherkeysarestoredinthepseudonymizationdatabasewherethesecretkeysarestoredencrypted:theinnersymmetrickeyisencryptedwiththeinnerpublickey,whiletheinnerprivatekeyisencryptedwiththeouterpublickey(Neubauer &Heurix,2011).

36

‐29Pseudonymization ofInformationforPrivacy3/8accessrights.Incontrasttoauthorizedusers,anaffiliateduser,e.g.,acloserelative,isentrustedwiththedataowner’sinnerprivatekeyandisthereforeabletodecryptthedataowner’sinnersymmetrickey,grantingtheaffiliateduserfullaccesstoall1Pseudonymsarestoredincleartext whenmappedtoaparticularrecordwhilethelinkbetweenthemishiddenbystoringthepseudonymsencryptedinasinglerelation.2Byaffiliationsviakey‐sharing,theaffiliateduserisgrantedaccesstotherootpseudonymsaswell.datacorrespondingtothedataowner.Therefore,theaffiliateduserisabletodecryptthelinksbetweenallrootandsharedpseudonymsrelatedtothedataowner.Theconceptualdatamodelisdepictedininthisslide:Theidentificationandhealthpseudonymsalwaysforma1:1relationshipandarereferencedwiththeircorrespondingdocumenttypewherethisreferenceisstoredincleartext (record/pseudonymmapping).Thelinkbetweentheidentificationandhealthpseudonymsisstoredencryptedwiththeuser’sinnersymmetrickey(pseudonym/pseudonymmapping):whiletherootpseudonymsareencryptedwiththedataowner’s(patient’s)innersymmetrickeyonly,thesharedpseudonymsareencryptedwithboththedataowner’sandtheauthorizeduser’s(healthprofessional’s)innersymmetrickeysothatbothusersareabletodecryptthemusingtheircorrespondingciphertexts.Thelinkbetweentheidentificationandhealthrecordishiddenandrepresentedbythelinkbetweenidentificationandhealthpseudonyms.Eachhealthrecordisassignedexactlyoneroothealthpseudonymwhileeachidentificationrecordhasmultiplerootpseudonyms,dependingonthenumberofhealthrecords,duetothe1:1relationship.Thehealthrecordisassignedanumberofsharedhealthpseudonymsaccordingtothenumberofindividualauthorizationsforthatparticularhealthrecord(Neubauer &Heurix,2011).

37

‐30Pseudonymization ofInformationforPrivacy4/8ThisslideshowstheUserauthentication,whichinvolvesthemutualauthenticationoftheuserusingthesmartcardandtheserver,involvingtheirouterkeypair andtwononces (randomlyselectednumbersusedonce)asuser/serverchallenges.Oncebothidentitiesareconfirmed,theuser’sinnerprivatekeyisretrievedfromthepseudonymization databaseandtransferredtotheuser’ssmartcardtobedecryptedwiththeuser’souterprivate3TransportLayerSecurity.key.Withthedecryptedinnerprivatekey,theuser’sinnersymmetrickeycanbedecryptedwithintheHSMatthepseudonymization serverandbecachedforfurtheroperationsalongwiththeuser’sinnerprivatekey.Inaddition,asessionkeyisgeneratedattheHSMandsecurely(viaencryption)transportedtotheuser’ssmartcardsothatthekeyappearsincleartext onlyonthesmartcardandHSM(Neubauer &Heurix,2011).

38

‐31Pseudonymization ofInformationforPrivacy5/8Toretrieveaparticularhealthrecord,theuserfirstneedstoqueryfortheparticularencryptedpseudonymsbycreatingakeywordusingthekeywordtemplates,retrievingthecorrespondingkeywordidentifier,andqueryingfortheencryptedidentifiertofindmatchingencryptedpseudonyms,i.e.,theencryptedpseudonymmappingsassociatedwiththeencryptedkeywordidentifier.Thepseudonympairsarethendecryptedwiththeuser’sinnersymmetrickeyandtheplaintextpseudonymsthenusedtoretrievethecorrespondingidentificationandhealthrecords,whicharetransferredtotheusertobedisplayed(possiblymerged).Optionally,thepseudonymsandkeywordidentifierarealsotransferredtotheuser(rootpseudonymsforauthorizations).Therecordretrievalprocedureisthesameforthepatientasdataowner,healthcareproviderasauthorizeduser,andrelativeasaffiliateduser,withthedifferencethatthepatientandrelativebothqueryforthepatient’srootpseudonyms,whilethehealthcareproviderreliesonthesharedpseudonyms(Neubauer &Heurix,2011).

39

‐32Pseudonymization ofInformationforPrivacy6/8Toprovideatrustedhealthcareproviderwiththeknowledgeofthelinkbetweenthepatient’sidentificationrecordandaparticularhealthrecord,anewsharedpseudonympairiscreatedasauthorizationrelation.Thepatientfirsthastoretrievetherootpseudonympairandkeywordidentifiercorrespondingtothehealthrecordheorsheintendstosharewiththehealthcareprovider.Furthermore,boththepatientasdataownerandthehealthcareproviderasauthorizeduserhavetobeauthenticatedatthesameworkstationsothatbothuseridentifiersareavailableattheclientside,whilebothinnersymmetrickeysarecachedattheHSMofthepseudonymization server.Therootpseudonympairisthentransferredtothepseudonymization serveralongwithbothuseridentifiersandthekeywordidentifier,andthecorrespondingrecordidentifiersretrievedusingthecleartext record/pseudonymmappings.Theserverthenrandomlyselectsanewshared pseudonympair,whichisfirstencryptedwithbothusers’innersymmetrickeys(alongwithbothidentifiersandthekeywordidentifier)andthenstorestheminthedatabaseasauthorizationrelation.Finally,thecleartextpseudonymsarethenreferencedwiththeretrievedrecordidentifierstocreatetwonewrecord/pseudonymmappings(Neubauer &Heurix,2011).

40

‐33Pseudonymization ofInformationforPrivacy7/8Aswithauthorizations,auseraffiliationrequiresthatboththepatientasdataownerandthetrustedrelativeasaffiliateduserareauthenticatedatthesameworkstation.Thenbothuseridentifiersaretransferredtothepseudonymizationserverwheretheyareencryptedwithbothusers’innersymmetrickeys.Inaddition,thepatient’sinnerprivatekeyisalsoencryptedwiththerelative’sinnersymmetrickey,andallelementsarestoredinthepseudonymization metadatastorageasaffiliationrelation(Neubauer &Heurix,2011).

41

‐34Pseudonymization ofInformationforPrivacy8/8Finally,fromtheviewpointofthepatientasdataowner,healthdatastoragefirstrequiresthatan‘old’rootidentificationpseudonymisretrievedasreferencetotheidentificationrecord.Furthermore,thepatientcreatesanewkeywordandentersthenewhealthrecordintotheworkstation.Thenthepseudonym,newkeyword,newhealthrecord,anduseridentifieraretransferredtothepseudonymizationserver,wherethekeywordisstored(anditsidentifierdeterminedbythedatabaseengine)andtheidentificationrecordidentifierretrieved.Thenewrecordisstoredinthehealthrecordsdatabaseanditsrecordidentifierreturnedtotheserver.Then,theservercreatesanewrootpseudonympairandstoresitencryptedwiththekeywordidentifieranduseridentifierasrootaccess,aswellasthecleartextrecord/pseudonymmappings(Neubauer &Heurix,2011).

42

‐35Example:privatepersonalhealthrecordAstheawarenessofpatientsfortheirmedicaldataincreases,thereisatrendofprivatepersonalhealthrecords,sometimescalledhealthvaults.Anexamplecanbeseeninhttp://healthbutler.comInthefollowingfourslideswelookatthetechnologicalconceptofsuchapersonalhealthrecordsystem.Inthisconceptwewillgettoknowaveryinterestingconcept:Mashups.

43

‐36Example:ConceptofaPersonalHealthRecordSystem1/4PHRsthatusecentralizeddatastoresdonotofferstakeholdersachoiceinservices,datastorage,oruserrequirements.However,variousstakeholdershavevaryingskills,requirements,andresponsibilities,whichasingleapplicationcannotsatisfy.Consequently,personalizationisrequiredwheresuchaheterogeneousmixofstakeholdersexists.TheconceptofMashups (Auinger etal.,2009)letuserscreateapplicationstosuittheirindividualrequirements.Enduserscanusemashupmakerstointegratevariousresources.Mashupmakersletuserscreatepersonalizedapplicationswithlowercoststhantraditionalintegrationprojects,inwhichasingleapplicationmustincorporatemanyusers’needs.AstheexplosionofWebmashups availableontheProgrammableWeb(www.programmableweb.com)show,manyusersarefindingnewanddiversewaystosatisfyindividualrequirements.ThisslideshowstheconceptualarchitectureofasystemcalledSqwelch (Fox,Cooley&Hauswirth,2011):Withinthearchitecture,therearethreecomponents:1)Compositionservicesprovidemechanismsformodelingwidgetsandengagingwiththestakeholdercommunityindevelopingmashups.2)Hostingservicesprovidemechanismsformanagingtheenvironment,customizingmashupcontainers,anddeployingmashups.3)Infrastructureservicesformthebasisofthemashupmaker,includingdiscoveryservices,socialnetworkingcapabilities,securityandtrust,widgetinteraction,andmanagement.

44

‐37Exampleforcomponentrelationships2/4HereweseetheSqwelch componentrelationships:Thecomponentsworkincooperationandfulfillspecificrolestoenableheterogeneouswidgetsanduserstocollaborateinatrustedway:Whenregisteringwidgets,developerscreatemodelreferencesthatarestoredforfutureuseinthediscoveryandmediationcomponents.Duringamashup’s execution,thesocialnetworkingcomponentdeterminesthedestinationsfordataifusersarecollaborating,whichinturnusestrustandimportanceasameansofcontrollingdataaccess.Modelreferencesareusedtotransformdata,andcomponentinteractionisprovidedaspublish–subscribetolooselycoupletheremoteresources(Webwidgets)(Fox,Cooley&Hauswirth,2011).

45

‐38Widgetcollaborationsequence3/4HereweseetheWidgetcollaborationsequence.WidgetscommunicatewiththeSqwelch serverusingHTML5standards.Sqwelch alertsusersifwidgetsaren’ttrusted.Thediagramshowsthecallstobemadebywidgets,theexecutionhost(Sqwelchdefault.html),andtheserver(Sqwelch.com)inenablingtrustedpublish–subscribebetweenheterogeneouswidgets.Inourexample,thepublishingwidgetcouldbethesensorviewerwidgetandthesubscribingwidgetcouldbethesensorfilterwidget.Wemustconsidersomeimportantpoints(Fox,Cooley&Hauswirth,2011):1)TheHTML5postMessage syntaxisusedtopublishdatapayloadsfromwidgetsandfromtheSqwelch mainpage.HTML5eventlistenerfunctionsarerequiredinsubscribingwidgetstolistenforincomingpayloads.2)Thepayloadssempublishpost returnsarethoseexpectedbythesubscribingwidgets(payload),basedontheoriginalpublishedpayload.3)Payloadasreceivedbythesubscribingwidgetwillbeacombinationofdefaultvaluestheuserspecifiesandrealvalues,dependingontheimportanceassociatedwiththerealdataandthetrustspecifiedforthesubscribingwidget.4)Ifthewidgetisn’ttrusted,Sqwelch alertstheuserandprovidesaviewofthedataelementsthesubscribingwidgethasrequested.Thiswillhappenonlyonceforeachwidgetinthecurrentsession.

46

‐39Usercollaborationsequence4/4Finally,heretheUsercollaborationsequenceisdepicted:Pollingisusedbysubscribingmashups deployedbycaregiverstoretrievedatapublishedbythepatient.Sqwelch alertsthecaregiverifthepatientdoesn’ttrusthimorher.Thesequencesinclude(Fox,Cooley&Hauswirth,2011):1)Thepollingcodeisrunonthehostingmashupwebpage,retrievingdataforallsocialwidgetsinthecurrentpageusinggetsocialsubscriptions.2)ThehostingmashupwebpagereturnswiththelatestheartratereadingsforMary.3)IfMarydoesn’ttrusteitherthewidgetorJohn,thepayloadwillcontainstatic,user‐definedinformation,andMarywillbealerted.

47

‐40SecurityandPrivacyofsomePHR’sThisworkby(Carrión,Fernández‐Alemán &Toval,2011)isinterestingfortworeasons:1)itprovidesagoodoverviewofsomepersonalhealthrecordsand2)itshowstowhatextenttheyaddressedsecurityandprivacyissues.Thefigureshowsscoresastwooverlappinghistograms:Ingeneral,quiteagoodlevelcanbeobservedinthecharacteristicsanalyzed.Nevertheless,someimprovementscouldbemadetocurrentPHRprivacypoliciestoenhancespecificcapabilitiessuchas:themanagementofotherusers’data,thenotificationofchangesintheprivacypolicytousersandtheauditofaccessestousers'PHRs.Thecharacteristicsonhowtheyreachedthesescorescanbeinferredfromthefollowingslides.

48

‐419SecurityCharacteristicstoanalyzePHR’s1/2Carrión,Fernández‐Alemán &Toval (2011)definedninecharacteristicstoanalyzethePersonalHealthRecords:Privacypolicy,location,Datasource,Datamanaged,Accessmanagement,Accessaudit,Dataaccessedwithouttheuser'spermission,Securitymeasures,ChangesinprivacypolicyandStandards:PrivacyPolicyLocation.ThischaracteristicisrelatedtothequestionWhereisthePrivacyPolicyonthePHRwebsite?PHRsshouldprovideaPrivacyPolicywhichdescribeshowusers'dataareusedinorderforuserstobeinformed.ThePrivacyPolicyshouldbeeasilyaccessiblebyusers.ThedifficultyofPrivacyPolicyaccessisassessedbycountingthenumberoflinksclicked.Thevaluesthatthischaracteristicmaytakeare:0.ThePrivacyPolicyisnotvisibleornotaccessible.1.ThePrivacyPolicyisaccessedbyclickingonelink.2.ThePrivacyPolicyisaccessedbyclickingtwoormorelinks.DataSource.ThischaracteristicisrelatedtothequestionWheredousers’PHRdataproceedfrom?Generally,theuserishis/herdatasource,buttherearePHRswhichdonotonlyusethissource.Somecontacttheusers'healthcareproviders,othersallowotherusersanddifferentprogramstoenterusers'dataandothersuseself‐monitoringdevicestoobtainusers'data.Thevaluesthatthischaracteristicmaytakeare:0.Notindicated.1.User.2.Userhealthcareprovider.3.Userandhis/herhealthcareproviders.4.User,otherauthorizedusersandotherservices/programs.5.Self‐monitoringdevicesconnectedwiththeuser.DataManaged.ThischaracteristicisrelatedtothequestionWhodothedatamanagedbytheusersbelongto?Theuserscanmanagetheirowndata,buttheycansometimesmanageotherusers'data,suchasthatoftheirfamily.Thevaluesthatthischaracteristicmaytakeare:0.Notindicated.1.Datauser.2.Datauserandhis/herfamilydata.Accessmanagement.ThischaracteristicisrelatedtothequestionWhocanobtainaccessgrantedbytheusers?TheusersdecidewhocanaccesstheirPHRdata.ThePHRsystemsanalyzedallowaccesstobegiventodifferentroles.Thevaluesthatthischaracteristicmaytakeare:0.Notindicated.1.Otherusersandservices/programs.2.Healthcareprofessionals.3.Otherusers.4.Otherusers,healthcareprofessionalsandservices/programs.Tobecontinuedonthenextslide.

49

‐429SecurityCharacteristicstoanalyzePHR’s2/2Accessaudit.ThischaracteristicisrelatedtothequestionCanusersseeanauditofaccessestotheirPHRs?Thevaluesthatthischaracteristicmaytakeare:0.No.1.Yes.Dataaccessedwithouttheuser'spermission.ThischaracteristicisrelatedtothequestionWhatdataareaccessedwithouttheuser'sexplicitconsent?ThePHRsystemstypicallyaccesscertaindatarelatedtotheusersinordertoverifythateverythingiscorrect.Thevaluesthatthischaracteristicmaytakeare:0.Notindicated.1.Informationrelatedtotheaccesses.2.De‐identifieduserinformation.3.Informationrelatedtotheaccessesandde‐identifieduserinformation.4.Informationrelatedtotheaccessesandidentifieduserinformation.Securitymeasures.ThischaracteristicisrelatedtothequestionWhatsecuritymeasuresareusedinPHRsystems?Therearetwotypesofsecuritymeasures:physicalmeasuresandelectronicmeasures.Thephysicalsecuritymeasuresarerelatedtotheprotectionoftheserversinwhichthedataarestored.Theelectronicsecuritymeasuresarerelatedtohowstoredandtransmitteddataareprotected,forexample,byusingaSecureSocketsLayer(SSL)scheme.Thevaluesthatthischaracteristicmaytakeare:0.Notindicated.1.Physicalsecuritymeasures.2.Electronicsecuritymeasures.3.Physicalsecuritymeasuresandelectronicsecuritymeasures.ChangesinPrivacyPolicy.ThischaracteristicisrelatedtothequestionArechangesinprivacypolicynotifiedtousers?ChangesinPrivacyPolicyshouldbenotifiedtousersinordertomakethemawareofhowtheirdataaremanagedbythePHRsystem.Thevaluesthatthischaracteristicmaytakeare:0.Notindicated.1.Changesarenotifiedtousers.2.Changesareannouncedonhomepage.3.Changesarenotifiedtousersandchangesareannouncedonhomepage.4.Changesmaynotbenotified.Standards.ThischaracteristicisrelatedtothequestionArePHRsystemsbasedonprivacyandsecuritystandards?ThePHRsystemsanalyzeduseorarebasedontwostandards:theHealthInsurancePortabilityandAccountabilityAct(HIPAA)andtheHealthOntheNetCodeofConduct(HONcode).Thevaluesthatthischaracteristicmaytakeare:UsablePrivacyandSecurityinPersonalHealthRecords410.Notindicated.1.HIPAAismentioned.2.SystemiscoveredbyHONcode.3.HIPAAismentionedandsystemiscoveredbyHONcode (Carrión,Fernández‐Alemán&Toval,2011).

50

‐43OverviewPersonalHealthRecords(PHR)Thelastslideshowsthesummaryoftheresearchedpersonalhealthrecords(Carrión,Fernández‐Alemán &Toval,2011).Note:By2013theGoogleHealthrecordisnotlongerinoperation:GoogleHealthhasbeenpermanentlydiscontinued.AlldataremaininginGoogleHealthuseraccountsasofJanuary2,2013hasbeensystematicallydestroyed,andGoogleisnolongerabletorecoveranyGoogleHealthdataforanyuser,see:http://www.google.com/intl/en_us/health/aboutSeealsothisblog:http://googleblog.blogspot.co.at/2011/06/update‐on‐google‐health‐and‐google.html

51

‐44EthicalIssues‐ duringQualityImprovementHereasummaryofethicalissuesbyaworkof(Tapp etal.,2009):TheyidentifiedtheexperiencesofprofessionalsinvolvedinplanningandperformingQIprogrammes inEuropeanfamilymedicineontheethicalimplicationsinvolvedinthoseprocesses.Forthispurposetheusedfourfocusgroupswith29generalpractitioners(GPs)andadministratorsofgeneralpracticequalityworkinEurope.TwofocusgroupscomprisedEQuiP membersandtwofocusgroupscomprisedattendeestoaninvitationalconferenceonQIinfamilymedicineheldbyEQuiP inBarcelona.Fouroverarchingthemeswereidentified,includingimplicationsofusingpatientdata,prioritizingQIprojects,issuessurroundingtheethicalapprovaldilemmaandtheimpactofQI.Eachthemewasaccompaniedbyanidentifiedsolution.Practicalimplications– Prioritising isnecessaryandindoingthatGPsshouldensurethatavarietyofworkisconductedsothatsomepatientgroupsarenotneglected.TransparencyandflexibilityonvariouslevelsisnecessarytoavoidharmfulconsequencesofQIintermsofbureaucratisation,increasedworkloadandburnoutonpartoftheGPandharmfuleffectsonthedoctor‐patientrelationship.ThereisaneedtoaddressthesystemofapprovalfornationalQIprogrammes andQIprojectsutilising moresophisticatedmethodologies(Tapp etal.,2009).

52

54

My DEDICATION is to make data valuable … Thank you!

test

63

64

MyDEDICATIONistomakedatavaluable …Thankyou!

genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... ·...

Documents

Transcript of genome.tugraz.atgenome.tugraz.at/MedicalInformatics/WinterSemester2013Holzinger/11_LV... ·...