A practical approach to achieve private medical record linkage in light of public resources

Kuzu, Mehmet; Kantarcıoğlu, Murat; Durham, Elizabeth; Tóth, Csaba D.; Malin, Bradley

doi:10.1136/amiajnl-2012-000917

Cited by 39 publications

(38 citation statements)

References 46 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Restricting the problem further to the set of only the 20 most frequent names, the CSP assigned four of those 20 names correctly. Nevertheless, Kuzu et al (2013) A different and highly successful attack on simple Bloom filters has been published by Niedermeyer et al (2014). Very little computational effort is needed and only publicly available name frequency lists are used for this form of attack.…”

Section: Attacks On Bloom Filtersmentioning

confidence: 99%

“…In their second paper, Kuzu et al (2013) evaluated the practical use of their own attack more critically. Personal identifiers in a given application database such as a medical registry are unlikely to be a random sample of an available population list.…”

Section: Attacks On Bloom Filtersmentioning

confidence: 99%

“…Personal identifiers in a given application database such as a medical registry are unlikely to be a random sample of an available population list. Thus, Kuzu et al (2013) investigated whether voter registration records could be used to identify encrypted personal identifiers from a medical center. In this more realistic scenario, the attacked database is not a random sample of the available population list.…”

Section: Attacks On Bloom Filtersmentioning

confidence: 99%

See 2 more Smart Citations

Privacy‐preserving record linkage

Schnell

2015

Methodological Developments in Data Linkage

View full text Add to dashboard Cite

Section: Attacks On Bloom Filtersmentioning

confidence: 99%

Section: Attacks On Bloom Filtersmentioning

confidence: 99%

Section: Attacks On Bloom Filtersmentioning

confidence: 99%

See 1 more Smart Citation

Privacy‐preserving record linkage

Schnell

2015

Methodological Developments in Data Linkage

View full text Add to dashboard Cite

“…Kuzu et al recently demonstrated an attack that can utilize a global dataset with demographic data (often available publicly) to determine what input strings were used to create the Bloom filter encodings [26]. In a follow up study, the authors demonstrated that the attack is feasible in practice, but the speed and precision of the attack may be worse than theoretical predictions [27]. Methods such as encoding n-grams from multiple identifiers into a single Bloom filter may provide resistance to such attacks, but can adversely impact linkage performance.…”

Section: Related Workmentioning

confidence: 99%

Linking Health Records for Federated Query Processing

Dewri

Ong

Thurimella

2016

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

A federated query portal in an electronic health record infrastructure enables large epidemiology studies by combining data from geographically dispersed medical institutions. However, an individual's health record has been found to be distributed across multiple carrier databases in local settings. Privacy regulations may prohibit a data source from revealing clear text identifiers, thereby making it non-trivial for a query aggregator to determine which records correspond to the same underlying individual. In this paper, we explore this problem of privately detecting and tracking the health records of an individual in a distributed infrastructure. We begin with a secure set intersection protocol based on commutative encryption, and show how to make it practical on comparison spaces as large as 10 10 pairs. Using bigram matching, precomputed tables, and data parallelism, we successfully reduced the execution time to a matter of minutes, while retaining a high degree of accuracy even in records with data entry errors. We also propose techniques to prevent the inference of identifier information when knowledge of underlying data distributions is known to an adversary. Finally, we discuss how records can be tracked utilizing the detection results during query processing.

show abstract

“…Two partially successful attacks on Bloom filters using a Constraint Satisfaction Solver have been reported by [42], [43]. In the more recent study, the authors used combined Bloom filters (a CLK variant).…”

Section: A Security Of Bloom Filter-based Approachesmentioning

confidence: 99%

Building a National Perinatal Data Base without the Use of Unique Personal Identifiers

Schnell

Borgs

2015

2015 IEEE International Conference on Data Mining Workshop (ICDMW)

View full text Add to dashboard Cite

Abstract-To assess the quality of hospital care, national databases of standard medical procedures are common. A widely known example are national databases of births. If unique personal identification numbers are available (as in Scandinavian countries), the construction of such databases is trivial from a computational point of view. However, due to privacy legislation, such identifiers are not available in all countries. Given such constraints, the construction of a national perinatal database has to rely on other patient identifiers, such as names and dates of birth. These kind of identifiers are prone to errors. Furthermore, some jurisdictions require the encryption of personal identifiers. The resulting problem is therefore an example of Privacy Preserving Record Linkage (PPRL). This contribution describes the design considerations for a national perinatal database using data of about 600,000 births in about 1,000 hospitals. Based on simulations, recommendations for parameter settings of Bloom filter based PPRL are given for this real world application. I. BACKGROUNDFor the medical assessment of German hospitals, a federal institution (GBA) 1 is obliged by law to link administrative records of more than 600,000 births yearly. The records are scattered across about 1,000 independent perinatal and neonatal units. The linked data is used for monitoring hospital performance and epidemiological analyses like spatial prevalence of very low birth weights. Due to privacy regulations, patient databases of hospitals are not linked by an electronic network. The hospitals use different electronic medical record systems, but have to use the same data exchange format. All details of the data exchange are part of a mandatory regulation. Because the German health insurance system has no common unique personal identifier number, other patient identifiers have to be used. Since the current regulations do not allow names in any form, encrypted or not, current linkage is based on different combinations of health insurance numbers, birth weight and hospital identifiers. Given the described constraints, only about 80% of the records can be linked [1].From a statistical point of view, non-linked records might cause a missing data problem [2]. If the fact, that a true link is missed, depends on variables of interest, this is referred to as differential linkage error [3], [4]. This might result in biased estimates of causal effects and population parameters [5], [6]. Concerning our field of application, evidence of bias caused by differences between linked and non-linked maternal data sets has been published [7], [8]. The easiest way to 1 For details, see www.english.g-ba.de.reduce differential linkage bias is improving the linkage rate. Therefore, using additional identifiers has been proposed to the regulatory authority [9]. As previous research has shown [10] [30]. In this paper, we will describe the design of a national perinatal database using Bloom filters for PPRL. 2 We are not aware of any published attack against encryp...

show abstract

A practical approach to achieve private medical record linkage in light of public resources

Abstract: Performance of cryptanalysis against BFEs based on patient data is significantly lower than theoretical estimates. The proposed countermeasure makes BFEs resistant to known practical attacks.

Cited by 39 publications

References 46 publications

Privacy‐preserving record linkage

Privacy‐preserving record linkage

Linking Health Records for Federated Query Processing

Building a National Perinatal Data Base without the Use of Unique Personal Identifiers

Contact Info

Product

Resources

About