June 23, 2014
Playing Hide & Seek with Metadata:
How to Find & Protect Unseen ePHI
NCHICA AMC 2014
Shelly Clark Epps, MS
Information Security Office
Duke Medicine

Jeremy Maxwell, PhD
Application Security Architect
Allscripts

Copyright © 2013 Allscripts Healthcare Solutions, Inc.
Introductions & Talk Overview
• Jeremy Maxwell, PhD – Application Security Architect, Allscripts
  – Deidentification basics
  – Deidentification lessons learned and pitfalls
• Shelly Clark Epps, MS – Information Security Analyst, Duke Medicine
  – Duke Medicine approach to metadata ePHI
Deidentification and What it Means to You
• Deidentification is a key tool to enable novel data uses while maintaining
individual privacy
• When done incorrectly, results can be disastrous
  – Netflix challenge dataset – movie ratings from 480k users
  – AOL data set – search queries from 650k users
  – 87% of individuals can be uniquely identified through zip code, sex, & birthdate
  – Geocoding in social media images
• Reidentification most often occurs through combining multiple datasets
  – Data aggregation threat
Deidentification Requires Tradeoffs
(Figure: utility vs. privacy slider)
• Deidentification under HIPAA is binary: data either is PHI or it is not
• HIPAA minimum necessary standard
• Utility vs. privacy not always zero sum
• Finding the right balance
HIPAA Deidentification
• HIPAA allows PHI to be deidentified
• When properly deidentified, data ceases to be considered PHI
• Two methods in HIPAA:
– Statistical certification/Expert determination
– Safe Harbor standard
Source: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html
Expert Determination Method
• Statistical expert examines a specific dataset to determine if the risk of
reidentification is sufficiently small
– Multiple methods/strategies permissible
– Need to consider data available to data recipient as well
• Statistical certification is valid for one data set—even changing one record
invalidates the certification
– Typically costly to use more than a few times
• Useful when data set is static and recipient is known
Safe Harbor Method
• A list of 18 data elements that must be removed to create a deidentified data set
• Must be removed for the patient, the patient's relatives, the patient's employers, and household members
• The covered entity must have no actual knowledge that the remaining data could be used, alone or in combination with other data, to reidentify the individual; any reidentification key must not be disclosed to the recipient
• Useful when deidentification must be done regularly or when recipients are not known at the time of deidentification
18 Identifiers
(2)(i) The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:
• (A) Names;
• (B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
• (C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
• (D) Telephone numbers;
• (E) Fax numbers;
• (F) Electronic mail addresses;
• (G) Social security numbers;
• (H) Medical record numbers;
• (I) Health plan beneficiary numbers;
• (J) Account numbers;
• (K) Certificate/license numbers;
• (L) Vehicle identifiers and serial numbers, including license plate numbers;
• (M) Device identifiers and serial numbers;
• (N) Web Universal Resource Locators (URLs);
• (O) Internet Protocol (IP) address numbers;
• (P) Biometric identifiers, including finger and voice prints;
• (Q) Full face photographic images and any comparable images; and
• (R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section; and
(ii) The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
Source: http://www.nchica.org/HIPAAResources/Samples/safeharbor.pdf
Safe Harbor Deidentification Overview
• Start with the 17 direct identifiers, (A) through (Q), listed in HIPAA
  – Patient names, addresses, SSN, phone numbers, health plan numbers, MRNs, etc.
• Deidentification strategies:
  – Redaction
  – Replacement with static data
  – Replacement with generated data
  – Replacement with manipulated data (use at your own risk)
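The zip, date and age rules in (B) and (C) above have concrete edge cases (the 20,000-population cut-off, the year-only rule, the 90-or-older bucket) that deidentification scripts routinely get wrong. The Python below is an added example written for this page, not code from the presenters, Allscripts or Duke. The record field names, the `AS_OF` date and the `LOW_POPULATION_ZIP3` set are constructed assumptions; in particular the real set of restricted three-digit zip prefixes must be taken from current Census data, not from this placeholder.

```python
from datetime import date

# Constructed placeholder set of three-digit ZIP prefixes whose combined
# population is 20,000 or fewer. The authoritative set comes from current
# Census data; never ship this list as if it were that set.
LOW_POPULATION_ZIP3 = {"036", "059", "063"}

# Direct identifiers (A), (D)-(Q) are simply dropped; these are the field
# names used by the constructed sample records below.
DIRECT_IDENTIFIER_FIELDS = {"name", "ssn", "mrn", "phone", "email", "street"}


def safe_harbor_zip(zip_code, low_pop=LOW_POPULATION_ZIP3):
    """Rule (B): keep only the first three digits, and only when that ZIP3
    area holds more than 20,000 people; otherwise emit '000'."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) < 3:
        return None                     # unusable value: remove it entirely
    zip3 = digits[:3]
    return "000" if zip3 in low_pop else zip3


def age_on(birth, as_of):
    """Completed years between two dates (birthday not yet reached counts down)."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def safe_harbor_age(birth, as_of):
    """Rule (C): ages over 89 collapse into one '90+' bucket, and the birth
    year (which would reveal such an age) is dropped with them."""
    age = age_on(birth, as_of)
    if age > 89:
        return "90+", None
    return age, birth.year


def deidentify_record(rec, as_of):
    """Apply Safe Harbor to one flat patient record (constructed schema)."""
    birth = date.fromisoformat(rec["birth_date"])
    age, birth_year = safe_harbor_age(birth, as_of)
    handled = {"zip", "birth_date", "admission_date", "discharge_date"}
    out = {k: v for k, v in rec.items()
           if k not in DIRECT_IDENTIFIER_FIELDS and k not in handled}
    out["zip3"] = safe_harbor_zip(rec["zip"])
    out["age"] = age
    out["birth_year"] = birth_year
    # Rule (C): dates directly related to the individual keep only the year.
    for field in ("admission_date", "discharge_date"):
        if rec.get(field):
            out[field.replace("_date", "_year")] = date.fromisoformat(rec[field]).year
    return out


# Constructed sample records (not real patients).
AS_OF = date(2014, 6, 23)
SAMPLE_RECORDS = [
    {"name": "Jane Roe", "ssn": "000-00-0000", "mrn": "MRN123", "zip": "27710",
     "birth_date": "1990-07-01", "admission_date": "2014-03-02",
     "discharge_date": "2014-03-05", "diagnosis": "J18.9"},
    {"name": "John Roe", "ssn": "000-00-0001", "mrn": "MRN124", "zip": "03601",
     "birth_date": "1920-01-15", "admission_date": "2014-05-20",
     "discharge_date": "", "diagnosis": "I10"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(deidentify_record(rec, AS_OF))
```

The `None` for an unusable zip and the `"90+"` string for age are deliberate: a downstream consumer that expects a number fails loudly instead of silently carrying a raw value through. Nothing in this block can implement the "actual knowledge" clause (ii); that remains a human judgement about what else the recipient holds.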
Deidentification Gotchas
• The 18th “data element” is a catch-all, not a fixed field:
  – (R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section; and
  – (ii) The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
• Provider information
• Communicable diseases
  – CDC National Notifiable Infectious Conditions
• File metadata
Duke Medicine Approach to Metadata ePHI
Shelly Epps, MS
Duke Medicine
Information Security Officer
ePHI in Metadata
• Engage SMEs and key stakeholders to understand
challenges
Overview of DICOM
• DICOM: Digital Imaging and Communications in Medicine standard
• Medical images carry PHI in three places:
  – pixel data: potential for 'burned in' PHI (text rendered into the image itself)
  – metadata: over 3500 DICOM tags with interspersed PHI
  – accompanying documentation: may contain the very identifiers you're stripping from the image
ePHI & Imaging Data: Lessons Learned from Image SMEs
• Imaging data presents unique challenges
• HIPAA does not provide a list of relevant DICOM tags (there are over 3500 DICOM tags)
• Various unique identifiers (UIDs) for image, study, series, etc.
• Burned-in PHI
• Private DICOM tags
• Must modify data while maintaining DICOM compliance and serial reference integrity
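The last three bullets (UIDs, private tags, reference integrity) are where a naive tag-scrubbing script usually fails. The Python below is an added example written for this page, not Duke's or Allscripts' tooling and not a substitute for a DICOM library: it treats a header as a `{(group, element): value}` dict (real files need a parser such as pydicom), the tag constants are a constructed excerpt of the public data dictionary, and the HMAC key and `SAMPLE_STUDY` are assumptions. It shows three things: private tags, recognisable by their odd group number, are dropped outright; direct identifiers are removed or replaced with static values; and UIDs are replaced with keyed pseudonyms, so the two instances of one study still share the same Study and Frame-of-Reference UIDs after deidentification.

```python
import hashlib
import hmac

# (group, element) tags from the public DICOM data dictionary. This is a
# constructed excerpt for the example, not the full 3500-tag dictionary.
PATIENT_NAME        = (0x0010, 0x0010)
PATIENT_ID          = (0x0010, 0x0020)
PATIENT_BIRTH_DATE  = (0x0010, 0x0030)
PATIENT_ADDRESS     = (0x0010, 0x1040)
PATIENT_PHONE       = (0x0010, 0x2154)
STUDY_DATE          = (0x0008, 0x0020)
ACCESSION_NUMBER    = (0x0008, 0x0050)
INSTITUTION_NAME    = (0x0008, 0x0080)
REFERRING_PHYSICIAN = (0x0008, 0x0090)
MODALITY            = (0x0008, 0x0060)
SOP_INSTANCE_UID    = (0x0008, 0x0018)
STUDY_INSTANCE_UID  = (0x0020, 0x000D)
SERIES_INSTANCE_UID = (0x0020, 0x000E)
FRAME_OF_REF_UID    = (0x0020, 0x0052)
IDENTITY_REMOVED    = (0x0012, 0x0062)

REMOVE    = {PATIENT_ADDRESS, PATIENT_PHONE, ACCESSION_NUMBER,
             INSTITUTION_NAME, REFERRING_PHYSICIAN}
BLANK     = {PATIENT_NAME}                      # type 2: element stays, value may be empty
DATE_TAGS = {STUDY_DATE, PATIENT_BIRTH_DATE}    # DA values, YYYYMMDD
UID_TAGS  = {SOP_INSTANCE_UID, STUDY_INSTANCE_UID, SERIES_INSTANCE_UID, FRAME_OF_REF_UID}


class SafeHarborDicom:
    """Safe Harbor pass over a DICOM header held as {(group, element): str}."""

    def __init__(self, key: bytes):
        # The HMAC key is the reidentification key: it stays with the covered
        # entity and never ships with the images.
        self.key = key

    def _mac(self, value: str) -> bytes:
        return hmac.new(self.key, value.encode("utf-8"), hashlib.sha256).digest()

    def pseudonym_uid(self, uid: str) -> str:
        # Deterministic under one key, so every file from the same study maps
        # its Study/Series/Frame-of-Reference UIDs to the same new values and
        # cross-references survive. "2.25." + a 128-bit integer is a valid
        # UID of at most 44 characters, inside the 64-character limit.
        return "2.25." + str(int.from_bytes(self._mac(uid)[:16], "big"))

    def pseudonym_patient_id(self, patient_id: str) -> str:
        return self._mac(patient_id).hex()[:16].upper()

    def deidentify(self, ds: dict) -> dict:
        out = {}
        for tag, value in ds.items():
            group, _ = tag
            if group % 2 == 1 or tag in REMOVE:
                continue            # private tags (odd group) can hold anything: drop them
            if tag in BLANK:
                out[tag] = ""
            elif tag in UID_TAGS:
                out[tag] = self.pseudonym_uid(value)
            elif tag == PATIENT_ID:
                out[tag] = self.pseudonym_patient_id(value)
            elif tag in DATE_TAGS:
                out[tag] = value[:4] + "0101"   # year only, still a valid DA string
            else:
                out[tag] = value
        out[IDENTITY_REMOVED] = "YES"           # PatientIdentityRemoved
        return out


# Constructed sample: two instances from one study (not real data).
SAMPLE_STUDY = [
    {PATIENT_NAME: "ROE^JANE", PATIENT_ID: "MRN123", PATIENT_BIRTH_DATE: "19900701",
     STUDY_DATE: "20140302", ACCESSION_NUMBER: "ACC-1", MODALITY: "CT",
     INSTITUTION_NAME: "Example Hospital", REFERRING_PHYSICIAN: "DOE^JOHN",
     STUDY_INSTANCE_UID: "1.2.840.1.1", SERIES_INSTANCE_UID: "1.2.840.1.1.1",
     SOP_INSTANCE_UID: "1.2.840.1.1.1.1", FRAME_OF_REF_UID: "1.2.840.1.9",
     (0x0009, 0x0010): "VENDOR PRIVATE BLOCK: ROE^JANE"},
    {PATIENT_NAME: "ROE^JANE", PATIENT_ID: "MRN123", PATIENT_BIRTH_DATE: "19900701",
     STUDY_DATE: "20140302", ACCESSION_NUMBER: "ACC-1", MODALITY: "CT",
     STUDY_INSTANCE_UID: "1.2.840.1.1", SERIES_INSTANCE_UID: "1.2.840.1.1.2",
     SOP_INSTANCE_UID: "1.2.840.1.1.2.1", FRAME_OF_REF_UID: "1.2.840.1.9"},
]


def deidentify_study(key: bytes, study=SAMPLE_STUDY):
    d = SafeHarborDicom(key)
    return [d.deidentify(ds) for ds in study]
```

Keeping the year of PatientBirthDate is only correct while the age rule in (C) is satisfied; anything over 89 still needs the 90-or-older treatment. Nothing here inspects PixelData, so burned-in text needs a separate pass, and the output should go through a DICOM validator to confirm the header still conforms.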
Identify relevant policies/standards
Relevant Duke Policies/Standards
• De-identification of Protected Health Information Policy
  – Description of HIPAA elements
  – Process of Safe Harbor Method of De-identification
• Mobile Computing and Device Standard
  – Categories of mobile devices (laptops, CDs, DVDs, portable hard drives, USBs, etc.), all commonly used to store medical test data
  – Requirements for encryption and secure disposal
• System Secure Use Memo
  – Research data collected from Duke Medicine clinical activities under an IRB-approved protocol must be stored on Duke Medicine managed servers, not other third party servers, unless (a) it has been fully de-identified or anonymized, (b) outlined in an informed consent, or (c) a Data Transfer Agreement has been put in place to allow the third party to receive that data.
Populate your toolbox
• For DICOM, we chose to use centralized deidentification resources and standardized ICF (informed consent form) language as our primary tools.
SOPs
Development of a standard operating procedure for use with departmentally provisioned image de-identification software to ensure awareness of and adherence to intended use.
• Limited to research
• Multiple software programs exist to edit DICOM images, both in the visual image and in the metadata tags. Understanding both HIPAA requirements and DICOM architecture is necessary to configure the software to make sure that we achieve compliance. Below is a suggested list of steps to follow. It is strongly recommended that those unfamiliar with image management seek the support and advice of image subject matter experts at Duke rather than attempting image management themselves.
• Use of software should be approved by department. Individuals should not search for and download free or purchased software (for de-identification, viewing, or transmitting images or other purposes) onto their computers without getting departmental approval and ensuring that the software is vetted, compliant, appropriately licensed, fit for purpose, and free of malware.
Service Based or Departmental Use
“...seek the support and advice of image subject matter experts at Duke”
• Service based
  – Multi-Dimensional Image Processing Lab (MultiD)
  – Brain Imaging and Analysis Center (BIAC)
• Departmentally managed
  – Radiology
  – Heart Center
Informed Consent Use
WILL MY INFORMATION BE KEPT CONFIDENTIAL?
Study records that identify you will be kept confidential as required by law.
Federal Privacy Regulations provide safeguards for privacy, security, and
authorized access. Except when required by law or as outlined in this
consent, you will not be identified by name, social security number,
address, telephone number, or any other direct personal identifier in study
records disclosed outside of Duke University Health System (DUHS). For
records disclosed outside of DUHS, you will be assigned a unique code
number. The key to the code will be kept in a locked file in Dr. [PI]'s office.
As part of this study, you will have [image tests]. For the tests to be
useful, limited identifiers like test dates [include other identifiers as
necessary, e.g. date of birth, initials] are necessary. By signing this
consent form, you authorize Dr. [PI] to send these specific identifiers in the
images to [Sponsor Name] and their designated affiliates.
http://irb.duhs.duke.edu/modules/irb_stdlng/index.php?id=5 (Standard Language)
Awareness and Training
• Discussions with Duke Image SMEs
  – Targeted focus with those that provide de-identification as a service or manage departmental tools
• Meetings with Compliance, Contracts and IRB offices
• Open presentation to Duke Research Community
• Information further disseminated via:
  – Research Practice Managers who provide training oversight to coordinators
  – Research newsletter by email blast
  – Postings on Duke Office of Clinical Research website
  – Monthly offering of Research Data Integrity & Security course
• Training Research Data Security Plan reviewers
• Positive reinforcement for early adopters and “champions”
Assess & Refine
Venues for Assessment
• Research Data Security Plan reviews
• Study internal audits
  – Use of appropriate ICF language
• Invited feedback from service based and departmental units on centralized uptake
• Decreased requests for image software download
ePHI in Metadata: Summary of the Approach
• Engage SMEs and key stakeholders to understand challenges
• Identify relevant policies/standards
• Populate your toolbox
• Awareness and Training
• Assess & Refine
• Recycle
ePHI in 'smart' Metadata
Hypothetical medical scenario: a hospice worker uses a cell phone to take an image of a wound to show to the attending MD upon return to the hospital, unintentionally leaving GPS enabled. The coordinates the phone writes into the photo's Exif metadata are a geocode (identifier (B), and for a home-care patient effectively a street address) and travel with the file to every inbox and server it is forwarded to.
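What the scenario leaves implicit is where the GPS fix lives: in the JPEG's Exif APP1 segment, as a GPS sub-IFD pointed to by tag 0x8825. The Python below is an added example written for this page, not code from the presenters: it walks the JPEG marker segments to detect an Exif block that contains a GPS IFD and writes a copy with the Exif segment removed. `SAMPLE_JPEG` is a constructed minimal file with a hand-built TIFF/Exif block, not a real photo, and the helpers handle only baseline JPEG segment structure.

```python
import struct

SOI, EOI, SOS, APP1 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825      # Exif tag whose value is the offset of the GPS sub-IFD


def jpeg_segments(data: bytes):
    """Yield (marker, start, end) for each marker segment up to and including
    SOS. The SOS segment is returned together with the entropy-coded data and
    EOI that follow it, because nothing after SOS is metadata we touch."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = (data[pos] << 8) | data[pos + 1]
        if marker == SOS:
            yield marker, pos, len(data)
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])   # length includes itself
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def exif_has_gps(data: bytes) -> bool:
    """True if an APP1/Exif segment's IFD0 carries a GPS IFD pointer."""
    for marker, start, end in jpeg_segments(data):
        if marker != APP1 or data[start + 4:start + 10] != EXIF_HEADER:
            continue
        tiff = data[start + 10:end]
        order = {b"II": "<", b"MM": ">"}.get(tiff[:2])      # TIFF byte order
        if order is None or struct.unpack(order + "H", tiff[2:4])[0] != 42:
            continue                                          # malformed header: ignore
        (ifd0,) = struct.unpack(order + "I", tiff[4:8])
        (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
        for i in range(count):                                # 12-byte IFD entries
            entry = ifd0 + 2 + 12 * i
            (tag,) = struct.unpack(order + "H", tiff[entry:entry + 2])
            if tag == GPS_IFD_POINTER:
                return True
    return False


def strip_exif(data: bytes) -> bytes:
    """Return a copy of the JPEG with every APP1/Exif segment removed.
    Pixel data is copied untouched, so burned-in text is NOT addressed."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in jpeg_segments(data):
        if marker == APP1 and data[start + 4:start + 10] == EXIF_HEADER:
            continue
        out += data[start:end]
    return bytes(out)


# --- constructed sample file (not a real photo) ------------------------------
def _segment(marker: int, payload: bytes) -> bytes:
    return struct.pack(">HH", marker, len(payload) + 2) + payload


def _tiff_with_gps() -> bytes:
    """Little-endian TIFF: IFD0 holding a single GPS-IFD pointer to offset 26,
    then a GPS IFD holding GPSLatitudeRef = 'N'."""
    tiff = b"II*\x00" + struct.pack("<I", 8)                       # header, IFD0 at 8
    tiff += struct.pack("<H", 1)                                   # one entry
    tiff += struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, 26)        # LONG, count 1, value 26
    tiff += struct.pack("<I", 0)                                   # no next IFD
    tiff += struct.pack("<H", 1) + struct.pack("<HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"
    tiff += struct.pack("<I", 0)
    return tiff


SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xFFE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")   # APP0
    + _segment(APP1, EXIF_HEADER + _tiff_with_gps())                      # Exif with GPS
    + _segment(0xFFDB, b"\x00" + bytes(64))                               # DQT placeholder
    + b"\xff\xda" + struct.pack(">H", 2) + b"\x12\x34\x56" + b"\xff\xd9"  # SOS ... EOI
)
```

`strip_exif` drops the whole Exif block rather than editing the GPS IFD in place, since rewriting TIFF offsets is where hand-rolled scrubbers tend to break the file. It does not touch XMP (a different APP1 payload) or IPTC (APP13) blocks, which can also carry location and names, nor the pixel data, so an image that shows a face or a wristband still needs review under identifier (Q).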
June 23, 2014
Thank you!
Shelly Clark Epps, MS
Information Security Office
Duke Medicine
Jeremy Maxwell, PhD
Application Security Architect
Allscripts