Johannes Heurix

A methodology for the pseudonymization of medical data

PURPOSEnE-health enables the sharing of patient-related data whenever and wherever necessary. Electronic health records (EHRs) promise to improve communication between health care providers, thus leading to better quality of patients treatment and reduced costs. However, as highly sensitive patient information provides a promising goal for attackers and is also frequently demanded by insurance companies and employers, there is increasing social and political pressure regarding the prevention of health data misuse. This work addresses this problem and introduces a methodology that protects health records from unauthorized access and lets the patient as data owner decide who the authorized persons are, i.e., who the patient discloses her health information to. Therefore, the methodology prevents data disclosure that negatively influences the patients life (e.g., by being denied health insurance or employment).nnnMETHODSnThis research uses a combination of conceptual-analytical, artifact-building and artifact-evaluating research approaches. The article starts with a detailed exploration of existing privacy protection mechanisms, such as encryption, anonymization and pseudonymization, by comparing and analyzing related work (conceptual-analytical approach). Based on these results and the identified shortcomings, a pseudonymization methodology is defined and evaluated by means of a threat analysis. Finally, the research results are validated with the design and implementation of a prototype (artifact building and artifact evaluation).nnnRESULTSnThis paper presents a new methodology for the pseudonymization of medical data that stores health data decoupled from the corresponding patient-identifying information, allowing privacy-preserving secondary use of the health records in clinical studies without additional anonymization steps. In contrast to clinical studies, where it is not necessary to identify the individual participants, insurance companies and employers are interested in the health status of individuals such as potential insurance or job applicants. In this case, pseudonymized records are practically useless for these parties as the patient controls who is able to reestablish the link between health records and patient for primary use - usually only trusted health care providers.nnnCONCLUSIONSnThe framework provides health care providers with a unique solution that guarantees data privacy (e.g., according to HIPAA) and allows primary and secondary use of the data at the same time. The security analysis showed that the methodology is secure and protected against common intruder scenarios.

Current challenges in information security risk management

Purpose – The purpose of this paper is to give an overview of current risk management approaches and outline their commonalities and differences, evaluate current risk management approaches regarding their capability of supporting cost-efficient decisions without unnecessary security trade-offs, outline current fundamental problems in risk management based on industrial feedback and academic literature and provide potential solutions and research directions to address the identified problems. Despite decades of research, the information security risk management domain still faces numerous challenges which hinder risk managers to come up with sound risk management results. Design/methodology/approach – To identify the challenges in information security risk management, existing approaches are compared against each other, and as a result, an abstracted methodology is derived to align the problem and solution identification to its generic phases. The challenges have been identified based on literature survey...

Defining Secure Business Processes with Respect to Multiple Objectives

Business processes are of major importance in todays business environments, and their unimpeded execution is crucial for a companys success. Since business processes are permanently exposed to a variety of threats, organizations are forced to pay attention to security issues. Although the security of business activities is widely recognized as important, business processes and security aspects are often developed separately and without considering different objectives. This paper proposes a methodology that supports corporate decision makers with the elicitation of security requirements based on business processes, for the analysis of threats and vulnerabilities, and for the selection of appropriate security measures.

Model-Driven Development Meets Security: An Evaluation of Current Approaches

Although our society is critically dependent on software systems, these systems are mainly secured by protection mechanisms during operation instead of considering security issues during software design. Deficiencies in software design are the main reasons for security incidents, resulting in severe economic consequences for (i) the organizations using the software and (ii) the development companies. Lately, model-driven development has been proposed in order to increase the quality and thereby the security of software systems. This paper evaluates current efforts that position security as a fundamental element in model-driven development, highlights their deficiencies and identifies current research challenges. The evaluation shows that applying special-purpose methods to particular aspects of the problem is more suitable than applying generic ones, since (i) the problem can be represented on the proper abstraction level, (ii) the user can build on the knowledge of experts, and (iii) the available tools are more efficient and powerful.

Pseudonymization with Metadata Encryption for Privacy-Preserving Searchable Documents

The average costs of data leakage are steadily on the rise. As a consequence, several data security and access control mechanisms have been introduced, ranging from data encryption to intrusion detection or role-based access control, doing a great work in protecting sensitive information. However, the majority of these concepts are centrally controlled by administrators, who are one of the major threats to corporate security. This work presents a security protocol for data privacy that is strictly controlled by the data owner. Therefore, we integrate pseudonymization and encryption techniques to create a methodology that uses pseudonyms as access control mechanism, protects secret cryptographic keys by a layer-based security model, and provides privacy-preserving querying.

A HYBRID APPROACH INTEGRATING ENCRYPTION AND PSEUDONYMIZATION FOR PROTECTING ELECTRONIC HEALTH RECORDS

Federated Health Information Systems (FHIS) integrate autonomous information systems of participating health care providers to facilitate the exchange of Electronic Health Records (EHR), which improve the quality and efficiency of patients’ care. However, the main problem with collecting and maintaining the sensitive data in electronic form is the issue of preserving data confidentiality and patients’ privacy. Although multiple technical measures to restrict access to only authorized persons are implemented, they are usually aimed against external attackers. In this work, we propose to integrate pseudonymization and encryption to a hybrid approach which not only protects against external attackers, but also ensures that even potential internal attackers with full data access, like administrators, cannot gain any useful information.

PERiMETER – pseudonymization and personal metadata encryption for privacy-preserving searchable documents

The average costs of data leakage are steadily on the rise. Especially in healthcare, the disclosure of sensitive information may have unfavorable consequences for the patient. As a consequence, several data security and access control mechanisms have been introduced, ranging from data encryption to intrusion detection or role-based access control, doing a great work in protecting sensitive information. However, the majority of these concepts are centrally controlled by administrators who are a major threat to the patients’ privacy. Apart from administrators, other internal persons, such as hospital staff members, may exploit their access rights to snoop around in private health data. This work presents PERiMETER, a security protocol for data privacy that is strictly controlled by the data owner. It integrates pseudonymization and encryption to create a methodology that uses pseudonyms as access control mechanism, protects secret cryptographic keys by a layer-based security model, and provides privacy-preserving querying.

Privacy-preserving storage and access of medical data through pseudonymization and encryption

E-health allows better communication between health care providers and higher availability of medical data. However, the downside of interconnected systems is the increased probability of unauthorized access to highly sensitive records that could result in serious discrimination against the patient. This article provides an overview of actual privacy threats and presents a pseudonymization approach that preserves the patients privacy and data confidentiality. It allows (direct care) primary use of medical records by authorized health care providers and privacypreserving (non-direct care) secondary use by researchers. The solution also addresses the identifying nature of genetic data by extending the basic pseudonymization approach with queryable encryption.

Data Models for the Pseudonymization of DICOM Data

DICOM has become the most widely implemented and supported communications standard for medical imaging. The security of DICOM relies on the encryption of the communication channels. However, for highly sensitive medical data this is often not sufficient. This paper presents a data model for systems using DICOM based on the PIPE pseudonymization approach. A DICOM message intercepting proxy based on three different scenarios from practice was implemented in Java using the established open source PACS DCM4CHE. This system provides health care providers with an efficient architecture to reduce the danger of privacy violation and comply to legal demands, such as HIPAA.

LiDSec- A Lightweight Pseudonymization Approach for Privacy-Preserving Publishing of Textual Personal Information

Sharing personal information benefits both data providers and data consumers in many ways. Recent advances in sensor networks and personal archives enable users to record personal information including emails, social networking activities, or life events (life logging). These information objects are usually privacy sensitive and thus need to be protected adequately when being shared. In this work, we present a lightweight pseudonymization framework which allows users to benefit from sharing their personal information while still preserving their privacy. Furthermore, this approach increases the data owners awareness of what information they are sharing, thus rendering data publishing more transparent.