O'Reilly Webcast: Anonymizing Health Data

Anonymizing Health DataWebcast

Case Studies and Methods to Get You Started

Khaled El Emam & Luk Arbuckle

Anonymizing Health Data

Part 1 of Webcast: Intro and Methodology

Part 2 of Webcast: A Look at Our Case Studies

Part 3 of Webcast: Questions and Answers



Part 1 of Webcast: Intro and Methodology



To Anonymize or not to Anonymize



Consent needs to be informed.





Not all health care providers are willing to share their patient’s PHI.






Anonymization allows for the sharing of health information.








Compelling financial case. Breach cost ~$200 per patient.







Privacy protective behaviors by patients.

Compelling financial case. Breach cost ~$200 per patient.



Masking Standards



Masking Standards

First name, last name, SSN.



Masking Standards

Distortion of data—no analytics.




Masking Standards

Creating pseudonyms.





Masking Standards

Removing a whole field.






Masking Standards

Removing a whole field.


Replacing actual values with random ones.





De-identification Standards




Age, sex, race, address, income.



Minimal distortion of data—for analytics.








Safe Harbor in HIPAA Privacy Rule.



What’s “Actual Knowledge”?

Privacy Rule

Safe Harbor




Info, alone or in combo, that could identify an individual.





Has to be specific to the data set—not theoretical.





Has to be specific to the data set—not theoretical.

Occupation Mayor of Gotham.



Heuristics, or rules of thumb.







Heuristics, or rules of thumb.

Statistical method in HIPAA Privacy Rule.






Presenter

Presentation Notes

A risk-based methodology is consistent with contemporary standards from regulators and governments, and is the approach we present in our book.


De-identification Myths




Myth: It’s possible to re-identify most, if not all, data.





Using robust methods, evidence suggests risk can be very small.





Myth: Genomic sequences are not identifiable, or are easy to re-identify.






Myth: Genomic sequences are not identifiable, or are easy to re-identify.

In some cases can re-identify, difficult to de-identify using our methods.




A Risk-based De-identification Methodology


Presenter

Presentation Notes

This is where things get heavy. We’ll start with some basic principles.



The risk of re-identification can be quantified.





The Goldilocks principle: balancing privacy with data utility.




Presenter

Presentation Notes

The Goldilocks Principle: the trade-off between perfect data and perfect privacy.





The re-identification risk needs to be very small.






De-identification involves a mix of technical, contractual, and other measures.

The re-identification risk needs to be very small.



Steps in the De-identification Methodology

Step 1: Select Direct and Indirect Identifiers

Step 2: Setting the Threshold

Step 3: Examining Plausible Attacks

Step 4: De-identifying the Data

Step 5: Documenting the Process





Presenter

Presentation Notes

We use masking for direct identifiers, and de-identification for indirect identifiers.


Direct identifiers: name, telephone number, health insurance card number, medical record number.



Presenter

Presentation Notes

Masking


Direct identifiers: name, telephone number, health insurance card number, medical record number.

Indirect identifiers, or quasi-identifiers: sex, date of birth, ethnicity, locations, event dates, medical codes.



Presenter

Presentation Notes

De-identification


Maximum acceptable risk for sharing data.





Needs to be quantitative and defensible.






Is the data in going to be in the public domain?






Is the data in going to be in the public domain?

Extent of invasion-of-privacy when data was shared?




Recipient deliberately attempts to re-identify the data.





Recipient inadvertently re-identifies the data.“Holly Smokes, I know her!”





Recipient inadvertently re-identifies the data.

Data breach at recipient’s site, “data gone wild”.





Data breach at recipient’s site, “data gone wild”.

Adversary launches a demonstration attack on the data.



Recipient inadvertently re-identifies the data.

Presenter

Presentation Notes

Yahoo!



Generalization: reducing the precision of a field.Dates converted to month/year, or year.




Generalization: reducing the precision of a field.

Suppression: replacing a cell with NULL.Unique 55-year old female in birth registry.




Generalization: reducing the precision of a field.

Suppression: replacing a cell with NULL.

Sub-sampling: releasing a simple random sample.50% of data set instead of all data.





Presenter

Presentation Notes

From a regulatory perspective, it’s important to document the process that was used to de-identify the data set, as well as the results of enacting that process.



Process documentation—a methodology text.


Presenter

Presentation Notes




Results documentation—data set, risk thresholds, assumptions, evidence of low risk.


Process documentation—a methodology text.

Presenter

Presentation Notes



Measuring Risk Under Plausible Attacks



T1:Deliberate Attempt


Pr(re-id, attempt) = Pr(attempt) × Pr(re-id | attempt)


Presenter

Presentation Notes

The probability of an attack will depend on the controls in place to manage the data (mitigating controls).





T2: Inadvertent Attempt (“Holly Smokes, I know her!”)Pr(re-id, acquaintance) = Pr(acquaintance) × Pr(re-id | acquaintance)

Presenter

Presentation Notes

On average people tend to have 150 friends. This is called the Dunbar number.





T2: Inadvertent Attempt (“Holly Smokes, I know her!”)

T3: Data Breach (“data gone wild”)Pr(re-id, breach) = Pr(breach) × Pr(re-id | breach)

Presenter

Presentation Notes

Based on recent credible evidence, we know that approximately 27% of providers that are supposed to follow the HIPAA Security Rule have a reportable breach every year.






T3: Data Breach (“data gone wild”)

T4: Public Data (demonstration attack)Pr(re-id), based on data set only

Presenter

Presentation Notes

We assume that there is an adversary who has background information that can be used to launch an attack.


Choosing Thresholds


Presenter

Presentation Notes

So we can measure risk under plausible attacks, but how to we set an overall risk threshold?


Choosing Thresholds


Many precedents going back multiple decades.


Choosing Thresholds


Many precedents going back multiple decades.Recommended by regulators.


Choosing Thresholds


Many precedents going back multiple decades.Recommended by regulators.All based on max risk though.

Presenter

Presentation Notes

Max risk is based on the record that has the highest probability of re-identification; average risk when the adversary is trying to re-identify someone they know or all everyone in data set.


Choosing Thresholds


Many precedents going back multiple decades.Recommended by regulators.All based on max risk though.

Presenter

Presentation Notes

To set the threshold, we can look at the sensitivity of the data and the consent mechanism that was in place (invasion of privacy).


Part 2 of Webcast: A Look at Our Case Studies



Cross Sectional Data: Research Registries





Better Outcomes Registry & Network (BORN)of Ontario





140,000 births per year.






Cross-sectional—mothers not traced over time.






Cross-sectional—mothers not traced over time.

Process of getting de-identified data from a research registry.


Researcher Ronnie wants data!



Researcher Ronnie wants data!


919,710 recordsfrom 2005-2011

Presenter

Presentation Notes

The data he wants...


Choosing Thresholds



Choosing Thresholds


Average risk of 0.1 for Researcher Ronnie(and the data he specifically requested).

Presenter

Presentation Notes

Based on detailed risk assessment.


Choosing Thresholds


0.05 if there were highly sensitive variables(congenital anomalies, mental health problems).

Average risk of 0.1 for Researcher Ronnie





Low motives and capacity





Low motives and capacity; low mitigating controls.





Pr(attempt) = 0.4





T2: Inadvertent Attempt (“Holly Smokes, I know her!”)119,785 births out of a 4,478,500 women ( = 0.027)

Presenter

Presentation Notes

Worse case is 2008, prevalence of 0.027.





T2: Inadvertent Attempt (“Holly Smokes, I know her!”)Pr(aquaintance) = 1- (1-0.027)150/2 = 0.87

Presenter

Presentation Notes

150/2 friends because only women considered.






T3: Data Breach (“data gone wild”)Based on historical data.






T3: Data Breach (“data gone wild”)Pr(breach)=0.27







T4: Public Data (demonstration attack)







Overall riskPr(re-id, T) = Pr(T) x Pr(re-id | T) ≤ 0.1




T2: Inadvertent Attempt (“Holly Smokes, I know her!”)Pr(aquaintance) = 1- (1-0.027)150/2 = 0.87

Overall riskPr(re-id, acquaintance) = 0.87 × Pr(re-id | acquaintance) ≤ 0.1


De-identifying the Data Set



Meeting Thresholds: k-anonymity


k


Meeting Thresholds: k-anonymity





MDOB in 1-yy; BDOB in wk/yy; MPC of 1 char.





MDOB in 10-yy; BDOB in qtr/yy; MPC of 3 chars.





MDOB in 10-yy; BDOB in qtr/yy; MPC of 3 chars.

MDOB in 10-yy; BDOB in mm/yy; MPC of 3 chars.


Year on Year: Re-using Risk Analyses





In 2006 Researcher Ronnie asks for 2005.




In 2006 Researcher Ronnie asks for 2005—deleted.In 2007 Researcher Ronnie asks for 2006.




In 2006 Researcher Ronnie asks for 2005.In 2007 Researcher Ronnie asks for 2006—deleted.In 2008 Researcher Ronnie asks for 2007.




In 2006 Researcher Ronnie asks for 2005.In 2007 Researcher Ronnie asks for 2006.In 2008 Researcher Ronnie asks for 2007—deleted.In 2009 Researcher Ronnie asks for 2008.




In 2006 Researcher Ronnie asks for 2005.In 2007 Researcher Ronnie asks for 2006.In 2008 Researcher Ronnie asks for 2007.In 2009 Researcher Ronnie asks for 2008—deleted.In 2010 Researcher Ronnie asks for 2009.




In 2006 Researcher Ronnie asks for 2005.In 2007 Researcher Ronnie asks for 2006.In 2008 Researcher Ronnie asks for 2007.In 2009 Researcher Ronnie asks for 2008—deleted.In 2010 Researcher Ronnie asks for 2009.

Can we use the same de-identification scheme every year?




BORN data pertains to very stable populations.





No dramatic changes in the number or characteristics ofbirths from 2005-2010.






Revisit de-identification scheme every 18 to 24 months.






Revisit de-identification scheme every 18 to 24 months.

Revisit if any new quasi-identifiers are added or changed.


Longitudinal Discharge Abstract Data:State Inpatient Databases





Linking a patient’s records over time.




Linking a patient’s records over time.

Need to be de-identified differently.


Meeting Thresholds: k-anonymity?


k?


Meeting Thresholds: k-anonymity?



De-identifying Under Complete Knowledge



State Inpatient Database (SID) of California





Researcher Ronnie wants public data!







T4: Public Data (demonstration attack)Pr(re-id) ≤ 0.09 (maximum risk)

Presenter

Presentation Notes

K=11




BirthYear in 5-yy (cut at 1910-);AdmissionYear unchanged;DaysSinceLastService in 28-dd (cut at 7-, 182+);LengthOfStay same as DaysSinceLastService.




BirthYear in 5-yy (cut at 1910-);AdmissionYear unchanged;DaysSinceLastService in 28-dd (cut at 7-, 182+);LengthOfStay same as DaysSinceLastService.

Presenter

Presentation Notes

Approximate complete knowledge


Connected Variables



Connected Variables


QI to QI


Connected Variables


QI to QISimilar QI? Same generalization and suppression.


Connected Variables



QI to non-QI


Connected Variables



QI to non-QINon-QI is revealing?Same suppression so both are removed.


Other Issues Regarding Longitudinal Data


Presenter

Presentation Notes





Date shifting—maintaining order of records.

Presenter

Presentation Notes






Long tails—truncation of records.

Presenter

Presentation Notes






Long tails—truncation of records.

Adversary power—assumption of knowledge.

Presenter

Presentation Notes



Other Concerns to Think About


Presenter

Presentation Notes





Free-form text—anonymization.

Presenter

Presentation Notes






Geospatial information—aggregation and geoproxy risk.

Presenter

Presentation Notes







Medical codes—generalization, suppression, shuffling (yes, as in cards).

Presenter

Presentation Notes







Medical codes—generalization, suppression, shuffling (yes, as in cards).

Secure linking—linking data through encryption before anonymization.

Presenter

Presentation Notes



Part 3 of Webcast: Questions and Answers




More Comments or Questions: Contact us!



Khaled El Emam: [email protected]

Luk Arbuckle: [email protected]

More Comments or Questions: Contact us!

O'Reilly Webcast: Anonymizing Health Data

Education

Transcript of O'Reilly Webcast: Anonymizing Health Data