Methods for the de-identification of electronic health records for genomic research

Emam, Khaled El

doi:10.1186/gm239

Cited by 58 publications

(40 citation statements)

References 44 publications

(62 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Metrics for measuring the extent of de-identification have been summarized elsewhere [69]. It is only then that we will have an evidence-based understanding of the extent to which de-identification protects against real attacks.…”

Section: Discussionmentioning

confidence: 99%

A Systematic Review of Re-Identification Attacks on Health Data

et al. 2011

Self Cite

View full text Add to dashboard Cite

BackgroundPrivacy legislation in most jurisdictions allows the disclosure of health data for secondary purposes without patient consent if it is de-identified. Some recent articles in the medical, legal, and computer science literature have argued that de-identification methods do not provide sufficient protection because they are easy to reverse. Should this be the case, it would have significant and important implications on how health information is disclosed, including: (a) potentially limiting its availability for secondary purposes such as research, and (b) resulting in more identifiable health information being disclosed. Our objectives in this systematic review were to: (a) characterize known re-identification attacks on health data and contrast that to re-identification attacks on other kinds of data, (b) compute the overall proportion of records that have been correctly re-identified in these attacks, and (c) assess whether these demonstrate weaknesses in current de-identification methods.Methods and FindingsSearches were conducted in IEEE Xplore, ACM Digital Library, and PubMed. After screening, fourteen eligible articles representing distinct attacks were identified. On average, approximately a quarter of the records were re-identified across all studies (0.26 with 95% CI 0.046–0.478) and 0.34 for attacks on health data (95% CI 0–0.744). There was considerable uncertainty around the proportions as evidenced by the wide confidence intervals, and the mean proportion of records re-identified was sensitive to unpublished studies. Two of fourteen attacks were performed with data that was de-identified using existing standards. Only one of these attacks was on health data, which resulted in a success rate of 0.00013.ConclusionsThe current evidence shows a high re-identification rate but is dominated by small-scale studies on data that was not de-identified according to existing standards. This evidence is insufficient to draw conclusions about the efficacy of de-identification methods.

show abstract

Section: Discussionmentioning

confidence: 99%

A Systematic Review of Re-Identification Attacks on Health Data

et al. 2011

Self Cite

View full text Add to dashboard Cite

show abstract

“…This is suggested by the fact that "all the publicly known examples of re-identification of personal information have involved identity disclosure" [15] and by the fact that the majority of healthcare data anonymization methods focus on preventing identity disclosure. However, our algorithm can be extended to prevent attribute disclosure [72], when there are sensitive diagnosis codes with which patients are not willing to be associated.…”

Section: Discussionmentioning

confidence: 99%

“…In this section, we discuss anonymization methods that are closer to ours (see [15,52,25] for surveys). For extensive surveys on anonymization principles and methods for healthcare data, the reader is referred to [17,25,27].…”

Section: Related Workmentioning

confidence: 99%

“…In particular, the privacy-preserving sharing of healthcare data beyond authorized recipients (e.g., researchers or employees of the institution that has collected the data) is challenging [15,16,25]. This is partly because it cannot be facilitated based on access control and encryption-based methods [59,65], or by relying solely on policies (e.g., the HIPAA Privacy Rule [57] in the US, the Anonymization Code [56] in the UK, and the Data Protection Directive [58] in the EU).…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Anonymizing datasets with demographics and diagnosis codes in the presence of utility constraints

Poulis

Loukides

Skiadopoulos

et al. 2017

Journal of Biomedical Informatics

View full text Add to dashboard Cite

Publishing data about patients that contain both demographics and diagnosis codes is essential to perform large-scale, low-cost medical studies. However, preserving the privacy and utility of such data is challenging, because it requires: (i) guarding against identity disclosure (re-identification) attacks based on both demographics and diagnosis codes, (ii) ensuring that the anonymized data remain useful in intended analysis tasks, and (iii) minimizing the information loss, incurred by anonymization, to preserve the utility of general analysis tasks that are difficult to determine before data publishing. Existing anonymization approaches are not suitable for being used in this setting, because they cannot satisfy all three requirements. Therefore, in this work, we propose a new approach to deal with this problem. We enforce the requirement (i) by applying (k, k m )-anonymity, a privacy principle that prevents re-identification from attackers who know the demographics of a patient and up to m of their diagnosis codes, where k and m are tunable parameters. To capture the requirement (ii), we propose the concept of utility constraint for both demographics and diagnosis codes. Utility constraints limit the amount of generalization and are specified by data owners (e.g., the healthcare institution that performs anonymization). We also capture requirement (iii), by employing well-established information loss measures for demographics and for diagnosis codes. To realize our approach, we develop an algorithm that enforces (k, k m )-anonymity on a dataset containing both demographics and diagnosis codes, in a way that satisfies the specified utility constraints and with minimal information loss, according to the measures. Our experiments with a large dataset containing more than 200, 000 electronic health records show the effectiveness and efficiency of our algorithm.

show abstract

“…For example, a variation of FHE known as Partial Homomorphic Encryption (PHE) technique like Paillier [20] provides better performance over FHE while maintaining the security and confidentiality of the data. Another recent advancement to ensure data confidentiality is known as data de-identification [21]. This method ensures the privacy of the individuals by removing the identity of individuals to relate the data with them.…”

Section: Introductionmentioning

confidence: 99%

On the use of CryptDB for securing Electronic Health data in the cloud: A performance study

Shahzad¹,

Iqbal

Bokhari

2015

2015 17th International Conference on E-Health Networking, Application &Amp; Services (HealthCom)

View full text Add to dashboard Cite

Electronic Health Records (EHRs) are the very personal data and ensuring its privacy and security is an utmost priority. Various laws require the privacy of this data to be ensured and usually this is achieved using strict access control methods. However, these methods have limitations, specifically in case of a server breach. In this paper, we use CryptDB to ensure data confidentiality in EHR Systems. In particular, we investigate the performance of CryptDB with OpenEMR, on different deployment scenarios and varying workloads over the cloud and a local testbed. We identify that CryptDB successfully provides the data confidentiality on the database server when deployed on the cloud. We also find that for a mix workload, the average performance of the OpenEMR with CryptDB in the cloud remains under two seconds which makes CryptDB a viable option for providing security to EHR systems deployed in the cloud. This is the first study to integrate CryptDB with OpenEMR and to profile performance overhead to ensure the data confidentiality under different deployment and varying workload scenarios in the cloud.

show abstract

Methods for the de-identification of electronic health records for genomic research

Cited by 58 publications

References 44 publications

A Systematic Review of Re-Identification Attacks on Health Data

A Systematic Review of Re-Identification Attacks on Health Data

Anonymizing datasets with demographics and diagnosis codes in the presence of utility constraints

On the use of CryptDB for securing Electronic Health data in the cloud: A performance study

Contact Info

Product

Resources

About