Big Data Meets Privacy: De-identification Maturity Model for Benchmarking and Improving De-identification Practices
Nathalie Holmes, Khaled El Emam
May 22, 2015
Workshop Outline
- Big Data: Opportunities and Risks in Healthcare
- De-identification Myths: Fact or Fiction
- Overview of Terms Used in Anonymization
- De-identification Maturity Model (DMM)
- Case Studies
- DMM Uses and Benefits
OPPORTUNITIES AND RISKS WITH BIG DATA
How to Successfully Leverage Data While Protecting Individual Privacy
Big Data Tidal Wave is Creating Unforeseen Opportunities and Risks
Organizations with the Right Tools and a Skilled Team will Come Out on Top
Big Data Opportunities and Risks
- A lot of useful data contains personal information about patients, study participants, or consumers
- The challenge is getting access to the data, which means addressing the privacy requirements:
  - Do you have authority?
  - Is it mandatory or discretionary?
  - Do you have patient / participant consent?
  - Can you anonymize the data?
- These are the only ways that you get access to the data
Healthcare Breaches
- Best evidence suggests at least 27% of healthcare practices have a breach every year
- The costs for healthcare are $200 per individual for breach notification (Ponemon)
- This applies whether you have obtained consent or authority
De-identification is one piece of an enterprise privacy program that can make privacy work
“Privacy by Design” provides helpful best practices
Proactive, Preventative, Embedded and Continuous
De-Identification Facts or Fiction #1
True or False:
- It’s possible to re-identify most, if not all, data.
False:
- Using robust methods, evidence suggests risk can be very small.
De-Identification Facts or Fiction #2
True or False:
- Privacy regulations say that there must be zero chance of re-identification in order for a data set to be used for secondary purposes.
False:
- HIPAA states that the risk of re-identification must be “very small”. The FTC and other regulations use a “reasonableness” standard. All of these standards take context into account.
De-Identification Facts or Fiction #3
True or False:
- Only covered entities should consider HIPAA as a standard for de-identification.
False:
- HIPAA is a good standard to use regardless of the applicable regulations.
OVERVIEW OF ANONYMIZATION
How to Successfully Leverage Data While Protecting Individual Privacy
PRIVACYANALYTICS.CA © 2012-2013, Privacy Analytics. All Rights Reserved
Balancing Data Privacy Requires Evaluation of Privacy Protection and Data Utility
Balancing Data Privacy
Direct and In-Direct/Quasi-Identifiers
Examples of direct identifiers: Name, address, telephone number, fax number, MRN, health card number, health plan beneficiary number, license plate number, email address, photograph, biometrics, SSN, SIN, implanted device number
Examples of quasi identifiers: sex, date of birth or age, geographic locations (such as postal codes, census geography, information about proximity to known or unique landmarks), language spoken at home, ethnic origin, total years of schooling, marital status, criminal history, total income, visible minority status, profession, event dates
Terminology
- Anonymization: A process that removes the association between the identifying data and the data subject. (Source: ISO/TS 25237:2008)
- Masking: Reducing the risk of identifying a data subject to a very small level through the application of a set of data transformation techniques without any concern for the analytics utility of the data.
- Removal of fields from a data set.
- Pseudonymization: A particular type of anonymization that both removes the association with a data subject and adds an association between a particular set of characteristics of the data subject and one or more pseudonyms. (Source: ISO/TS 25237:2008)
- Replacing a value in the data with a random value from a large database of possible values.
Data Masking
Data Masking = No analytics on those fields
- De-identification: Reducing the risk of identifying a data subject to a very small level through the application of a set of data transformation techniques such that the resulting data retains a very high analytics value.
- Generalization: Reducing the precision of a value to a more general one.
- Suppression: The removal of records or values (cells) in the data.
- Subsampling: Randomly selecting a subset of records or patients from a data set.
- The motives and capacity of the data recipient to re-identify the data.
- The security and privacy practices that the data recipient has in place to manage the data received.
Statistical De-identification
De-identification = High analytical value
RE-IDENTIFICATION RISKS
Risks from Basic Demographics
DE-IDENTIFICATION MATURITY MODEL
How to Successfully Leverage Data While Protecting Individual Privacy
De-identification Maturity Model (DMM)
- Formal framework to evaluate maturity of de-identification services within an organization
- Gauges level of an organization’s readiness and experience in relation to people, processes, technologies and consistent measurement practices
- “DMM” used as a measurement tool; enables the enterprise to implement a grounded strategy based on facts
- Improves compliance, facilitates access, and scales support services
Three Dimensions of the DMM
Practice Dimension
DMM has five maturity levels for the de-identification practices that an organization has in place. Level 1 is the lowest level of maturity and level 5 is the highest level of maturity.
1. Ad hoc
2. Masking
3. Heuristic
4. Risk Based
5. Governance
Case Study 1 – Safe Harbor
Organization A is a disease registry. They have lots of databases that they connect to and they do a lot of data releases to internal and external data analysts.
Practice Dimension (what you do):
- Their primary way of anonymizing data is through following the Safe Harbor de-identification standard (L3)
Implementation Dimension (how well you do it):
- There is a clear process and well defined roles for following SH, which is well documented
- Because it’s documented, it’s repeatable (L3)
Safe Harbor: Direct Identifiers and Quasi-identifiers
1. Names
2. ZIP Codes (except first three)
3. All elements of dates (except year)
4. Telephone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code
Actual Knowledge
Case Study 1 – Safe Harbor
Automation dimension (is it automated):
- They use home-grown scripts for implementing SH
- The scripts do not have any external validation that they work or are sufficient (L1)
Challenges:
- Despite these efforts, they have missed some key items
- There have been pressures by analysts to provide more granular data
Case Study 1 – Safe Harbor
- They have interpreted the SH regulation for dates such that they have only dealt with dates of birth rather than all dates
- They have not brought all ZIP codes down to the first 3 digits, nor replaced those digits with 000 for regions where there are fewer than 20K people, as SH requires
- Some identifiers were missed (such as clinical trial participant numbers)
- Did not consider the Actual Knowledge requirement in SH
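As an added example (not from the slides or from Privacy Analytics), the Safe Harbor transformations named in the Terminology section and in this case study, applied in Python: every date generalized to its year, ZIP codes truncated with the 000 rule, direct identifiers removed, plus the external validation check that the registry's home-grown scripts lacked. The field names, the sample record and the small-population ZIP prefix set are constructed placeholders.

```python
import re
from datetime import date

# Constructed placeholder: 3-digit ZIP prefixes whose population is under
# 20,000. A real deployment derives this set from census data.
SMALL_POP_ZIP3 = {"036", "059", "102"}

# Field names are constructed for this example.
DIRECT_IDS = {"name", "mrn", "ssn", "email", "phone", "trial_participant_id"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}  # all dates, not only DOB

ZIP5_RE = re.compile(r"^\d{5}(-\d{4})?$")
CODE_RE = re.compile(r"^[A-Z]{2,}-\d{3,}$")  # account/participant-style codes


def safe_harbor_zip(zip5):
    """Keep the first three digits; use 000 if the prefix covers < 20,000 people."""
    prefix = zip5[:3]
    return "000" if prefix in SMALL_POP_ZIP3 else prefix


def apply_safe_harbor(record):
    """Drop direct identifiers, reduce every date (a date object) to its year, truncate ZIP."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDS:
            continue
        if field in DATE_FIELDS:
            out[field + "_year"] = value.year
        elif field == "zip":
            out["zip3"] = safe_harbor_zip(value)
        else:
            out[field] = value
    return out


def residual_identifiers(record):
    """Flag full dates, 5-digit ZIPs and code-like values that survived.
    This is the kind of independent check Organization A's scripts lacked."""
    flagged = []
    for field, value in record.items():
        if isinstance(value, date):
            flagged.append(field)
        elif isinstance(value, str) and (ZIP5_RE.match(value) or CODE_RE.match(value)):
            flagged.append(field)
    return flagged


# Constructed sample record.
RECORD = {"name": "Constructed Person", "mrn": "MRN-0001",
          "trial_participant_id": "CT-4471", "dob": date(1961, 3, 14),
          "admit_date": date(2013, 7, 2), "zip": "03601",
          "diagnosis": "I10", "sex": "F"}
```

Running `residual_identifiers` over a record where only the date of birth was handled, as in the registry's case, flags the admission date, the full ZIP and the trial participant number.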
Case Study 2 – Masking
Company B is a claims processor. They have a need for realistic data for software testing.
Practice Dimension (what you do):
- Their primary way of anonymizing is through data masking
- This means they deal only with the direct identifiers (L2)
Implementation Dimension (how well you do it):
- There is a clear process for doing masking and how they implement heuristics, which is well documented
- Because it’s documented, it’s repeatable (L3)
Case Study 2 – Masking
Automation dimension (is it automated):
- They use a commercial product for masking
- This product produces consistent results (L2)
Challenges:
- Despite these efforts, they have missed some key items – the quasi-identifiers
- Some dates and ZIP codes were not addressed
- There is no evidence that the risk of re-identification was “very small”
- The tool vendor architect provided assurance that this was OK
Case Study 3 – Governance
Company C is an EMR vendor. They have a need to provide reports to their clients on trends and benchmarks to help clients improve their businesses.
Practice Dimension (what you do):
- They have a risk-based approach which includes anonymizing both direct identifiers (masking) and in-direct identifiers (de-identification)
Implementation Dimension (how well you do it):
- There is a clear process for anonymizing the data which is well documented
- Because it’s documented, it’s repeatable
Case Study 3 – Governance
- They have on-going training of staff on how to do the anonymization
- They are able to quickly produce reports and metrics documenting what they did to the data before they released it
- They have automated data sharing agreements which specify the controls that need to be in place by data users
- They have a full audit trail to demonstrate that the risk of re-identification is “very small” per HIPAA
- They track when there is overlap between the various data sets
- Audits are conducted on data users to confirm compliance with conditions
Case Study 3 – Governance
Automation Dimension (is it automated):
- They use commercial software to do masking and de-identification
- The product produces consistent results
- They are able to get defensible anonymization more quickly than by doing it manually
- The product has been scrutinized by other users & peers and is upgraded on a regular basis
- They are able to release more data sets, more quickly
Benefits of DMM
- Determine whether an organization can defensibly ensure the risk of re-identification is “very small”
- Provides a road map to meet regulatory and legal requirements
- Automation and governance allow organizations to share more data for secondary purposes with fewer resources
- A higher level of maturity results in higher quality data and greater consistency in de-identification
- Significant improvement in ability to estimate resources and time required to de-identify data sets
Key Learnings
Data Anonymization Resources
Book Signing: Sept 26,10:35 am Booth # 107
Khaled El Emam & Luk Arbuckle
Other Conference Activities
Session: Facilitating Analytics While Protecting Individual Privacy Using Data De-identification - Khaled El Emam - Thursday, September 26 @ 4:00pm, Salon F
Office hours in the Sponsor Pavilion:
- Nathalie Holmes - Thursday, September 26 @ 3:10pm, Table D
- Khaled El Emam - Thursday, September 26 @ 6:30pm, Table D
Contact
Nathalie Holmes:[email protected] ext 122
Khaled El Emam:[email protected]
@PrivacyAnalytic
2012 Start-Up Showcase Winner
Review Quiz
- What does anonymization mean?
- What is the difference between data masking and de-identification?
- Why is it important to strive for balance between privacy and data utility?
- How many levels of maturity (Practice Dimension) are there in the DMM?
- Is it possible to be at Practice Dimension 1 (Ad hoc) and score well in the Implementation Dimension? E.g. have a repeatable, defined and measurable process?
- What are some advantages of having Standard Automation (software)?
- What is the main difference between Practice Dimension 4 (Risk Based) and Dimension 5 (Governance)?