WMA-HDB-Seoul_KIM

Data Confidentiality
and Gene Privacy
Ju Han Kim, M.D., Ph.D.
Professor and Founding Chair, Div. of Biomedical
Informatics, Seoul Nat’l Univ. College of Medicine
juhan@snu.ac.kr
No one wants to expose…
• credit card numbers
• bank account numbers
• passwords
• sensitive data (patient data)
Protecting…
• What?
• Security
• Privacy
• Confidentiality
• Against what?
• Evil hackers
• Malicious insiders
• Stupidity
Privacy
• Right to be let alone; e.g.:
• applies mostly to known individuals
• Correlation among pervasive databases
• census
• marketing
• health
Confidentiality
• Use and sharing of information by multiple users at many institutions
• Should be controlled by a coherent policy
• Enforced by appropriate technology
• E.g., who may use your results (say, for life insurance), and for what purposes?
Privacy / Confidentiality / Security
• Privacy: managing your own information to suit your needs (the right to remain unknown)
• Confidentiality: managing someone else’s information to protect their privacy
• Security: physical security
Privacy & Intruders
Freedom from
1. intrusion
2. surveillance
3. right to self-control → patient control
  ✓ Giving patients control of the use of their data
  ✓ To be informed and to control who, when, how, and why their health information is accessed/used
  ✓ Broader concept than the right to inspect/read
Privacy as the right to life
• Competition
  ✓ Competition on equal terms
• Autonomy and free will
  ✓ Right to choose one’s religion, and between good and evil
  ✓ Right to belief
• Right to have one’s attributes forgotten or go unrecognized, so as to escape discrimination
  ✓ Race, gender, regional sentiment
* Privacy case: Nydia Velázquez (1982). Three weeks after Nydia Velázquez won the New York Democratic Party’s nomination to serve in the U.S. House of Representatives, somebody at St. Claire Hospital in New York faxed Velázquez’s medical records to the New York Post. The records detailed the care that Velázquez had received at the hospital after a suicide attempt, an attempt that had happened several years before the election.
Source: Simson Garfinkel, Database Nation: The Death of Privacy in the 21st Century, Jan 2000, ISBN 1-56592-653-6
The intruders
• Big Brother
• The Little Sisters
• Intrusive technologies
• Stupidity
• Internal breaches
• Ever-increasing stakeholders
• Data integration
• Re-identification of the de-identified
The Intruders – Big Brother
Big Brother is watching you!
• Governmental DBs
• National surveillance
• International collaborations
The Sisters are nearer than the Bros
• Flaming
• Flame war
• Cyberbullying
• Internet Trolling
• Smack Talk
The Intruders – Little Sisters
The Intruders – Technologies
The Intruders – Stupidity
• frigidity
• ignorance
• divide
Source: JoongAng Ilbo, 23 June 2005
Internal breaches
The dark side
• Doctors
• Nurses
• Therapists
• Laboratory
• Radiology
• Pharmacy
• Admissions
• Administration
… more than 70
• Managers
• Patients
• Payers
• Reviewers
• Government institutions
• Insurance companies, pharma
• Hackers
• and more and more people…
The Intruders – ever-increasing stakeholders
The Intruders – Data Integration
Former Governor William F. Weld
Group Insurance Commission record decoded: the Massachusetts Group Insurance Commission released medical records of government officers (de-identified); the voter list was available for $20.
Source: Sherman E. It doesn’t take much to make you stand out. Cambridge, Mass.: Harvard University Extension School Bulletin, Fall 2001
De-identification & Re-identification
Names of 35% of the victims were re-identified (using public data only)
Re-identification (rare diseases)
Malin and Sweeney at Carnegie Mellon University integrated (1) Illinois’ publicly available de-identified discharge summary data (1990–1997) with (2) census data and (3) the voter list, and, surprisingly, re-identified the real names of rare-disease patients using publicly available data only:
Cystic fibrosis: 33%
Huntington disease: 50%
Fanconi anemia: 70%
Refsum disease: 100%
New England Journal of Medicine (2005)
British Medical Journal (2001)
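To make the linkage risk behind the Weld and Malin/Sweeney cases concrete from the releasing side, here is an added Python example (my own illustration, not code from the slides or from Sweeney's work). It measures the k-anonymity of a constructed de-identified discharge table over the quasi-identifiers those cases joined on (ZIP code, date of birth, sex) and shows how coarsening them changes the number of records that could be singled out. The RECORDS, the column names, the 3-digit ZIP / birth-year generalisation and the k threshold of 5 are all assumptions made for the example.

```python
# Added example, not from the slides: a pre-release check for the linkage risk behind the
# Weld and Sweeney cases. The columns an outsider could join to a voter list or census
# extract (ZIP code, date of birth, sex) are the quasi-identifiers; a record whose
# quasi-identifier combination is unique in the release (k = 1) can be singled out.
# The records below are constructed, not real discharge data.
from collections import Counter

# Constructed de-identified discharge records: no names, but full ZIP and birth date.
RECORDS = [
    {"zip": "02138", "dob": "1945-07-31", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": "1945-07-31", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1961-02-14", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1961-11-02", "sex": "F", "diagnosis": "cystic fibrosis"},
    {"zip": "02140", "dob": "1978-09-09", "sex": "M", "diagnosis": "fracture"},
    {"zip": "02141", "dob": "1978-03-21", "sex": "M", "diagnosis": "fracture"},
]


def quasi_identifier(record, generalize=False):
    """The tuple an outside data set would be joined on.

    With generalize=True the ZIP is coarsened to its 3-digit prefix and the date of
    birth to the birth year, the usual generalisation applied to raise k before release
    (an assumed policy, not one the deck prescribes).
    """
    zip_code = record["zip"][:3] if generalize else record["zip"]
    dob = record["dob"][:4] if generalize else record["dob"]
    return (zip_code, dob, record["sex"])


def equivalence_classes(records, generalize=False):
    """Map each quasi-identifier value to the number of records sharing it."""
    return Counter(quasi_identifier(r, generalize) for r in records)


def k_anonymity(records, generalize=False):
    """Smallest equivalence class: the k in k-anonymity for this release."""
    return min(equivalence_classes(records, generalize).values())


def singled_out(records, generalize=False):
    """Records alone in their equivalence class (k = 1), i.e. exposed to linkage."""
    classes = equivalence_classes(records, generalize)
    return [r for r in records if classes[quasi_identifier(r, generalize)] == 1]


def release_report(records, k_required=5):
    """Summarise the risk of the raw and generalised versions of the same release.

    k_required=5 mirrors the 'fewer than five' threshold the deck cites for tabular
    data; it is a policy choice assumed here, not a property of the data.
    """
    report = {}
    for label, generalize in (("raw", False), ("generalized", True)):
        k = k_anonymity(records, generalize)
        unique = len(singled_out(records, generalize))
        report[label] = {
            "k": k,
            "unique_records": unique,
            "share_unique": round(unique / len(records), 2),
            "releasable": k >= k_required,
        }
    return report


if __name__ == "__main__":
    for label, stats in release_report(RECORDS).items():
        print(label, stats)
```

On the constructed data four of six raw records are unique on (ZIP, DOB, sex); generalising to ZIP prefix and birth year removes the singletons but only reaches k = 2, so with the assumed threshold of 5 neither version would pass a release check. The point is that de-identification (dropping names) and re-identifiability are measured on different columns.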
Efforts: regional and international
Legislative efforts in Korea
• Constitution
  ✓ Article 17: “The privacy of no citizen shall be infringed.”
• Criminal Laws:
  ✓ Article 316: punishment for violation of secrecy;
  ✓ Article 317: punishment of physicians, doctors of Korean medicine, dentists, pharmacists, midwives and others who disclose another person’s secrets learned in the course of their work
• Privacy Act
• Acts on Information and Communication:
  ✓ Act on Promotion of Information and Communications Network Utilization and Information Protection, etc., Article 21 (restriction on disclosure of electronic documents, etc.) and Article 49 (protection of secrets, etc.)
  ✓ Digital Signature Act, Article 24 (protection of personal information)
  ✓ Act on the Protection of Personal Information Maintained by Public Institutions, Article 13 (restriction on access to processed information)
• Medicine-related Acts
  ✓ Framework Act on Health and Medical Services, Article 12 (guarantee of confidentiality)
  ✓ Medical Service Act, Article 19 (prohibition of disclosure of secrets)
  ✓ Infectious Disease Prevention Act, Article 54-6
  ✓ Prevention of Acquired Immunodeficiency Syndrome Act, Article 7
  ✓ Act on Organ Transplantation, etc., Article 27
HIPAA
Health Insurance Portability and Accountability Act
• Enacted by the U.S. Congress in 1996
• data interchange standards
• data security
• patient privacy
• HIPAA Security and Electronic Signature Standards, 1998
• HIPAA Standards for Privacy of Individually Identifiable Health Information, 2000
• HIPAA regulation takes effect in 2003
Research
Multi-center studies – the challenges
• Registries and large databases
  ✓ Cancer
  ✓ Childhood immunizations
  ✓ Cardiovascular surgery
  ✓ Mammography screening
• Quality improvement and assurance
• Technological advancement, large-scale data sharing
• Federal, state laws & institutional policies
• Collection, storage, utilization and sharing
Categories of Information
Member sites
• Research endeavor vs. confidentiality protection
• Protect from unauthorized access
• Usage only in sanctioned and approved ways
• Prompt report of, and corrective measures against, breaches of the policy
• Prompt response to inquiries from concerned participants
Categories of Information
UK Association of Cancer Registries
• Regulation 2 of the Statutory Instrument (SI) on confidentiality – No. 1438, The Health Service (Control of Patient Information) Regulations 2002 – permits cancer registries to receive patient-identifiable data without the need for informed consent.
• However, there remains uncertainty about the circumstances in which cancer registries are allowed to disclose patient-identifiable data held by them to third parties.
• PIAG has requested UKACR to develop explicit guidance for cancer registries advising them that they must comply with requests from patients to delete identifiable data about themselves from their databases.
• The basic idea for protecting patient privacy has been de-identification.
• However, a clean dichotomy between identifiable and non-identifiable data cannot be drawn.
• In reality, most health data are ‘potentially identifiable’:
  ✓ Individual records
  ✓ Tabular data, based on small geographic areas, with cell counts of fewer than five cases/events (or where counts of less than five can be inferred by simple arithmetic)
  ✓ Tabular data containing cells that have underlying population denominators of less than approximately 1000
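The two tabular criteria above (cells under five, including cells recoverable "by simple arithmetic", and denominators under about 1000) translate directly into a release filter. The following Python is an added example of my own, not UKACR code or guidance text: it blanks small cells, then blanks a partner cell wherever a row or column would otherwise be left with a single blank that the published marginal total could expose, and it flags areas whose population denominator is too small. The TABLE, the area names and the POPULATION figures are constructed; the rectangle-preferring choice of partner cell is my design choice, not a rule from the slides.

```python
# Added example, not from the slides: applying the UKACR 'potentially identifiable' thresholds
# to a count table before release. Cells under five are suppressed (primary suppression);
# because row and column totals are published, a line with a single blank could be recovered
# by subtraction, so a partner cell is blanked as well (complementary suppression); small-area
# denominators below ~1000 are flagged. Table, areas and populations are constructed.
from copy import deepcopy

SMALL_CELL = 5          # UKACR: cell counts of fewer than five cases/events
MIN_DENOMINATOR = 1000  # UKACR: underlying population denominators of less than ~1000

# Constructed counts of an event by small area (rows) and age band (columns).
TABLE = {
    "area A": {"0-19": 12, "20-64": 3, "65+": 9},
    "area B": {"0-19": 7, "20-64": 8, "65+": 2},
    "area C": {"0-19": 15, "20-64": 11, "65+": 6},
}
# Constructed population denominators for the same areas.
POPULATION = {"area A": 4200, "area B": 850, "area C": 6100}


def suppress_small_cells(table, threshold=SMALL_CELL):
    """Return a copy of `table` with suppressed cells set to None.

    Primary suppression blanks every count below `threshold`. Complementary suppression
    then repeats: while some row or column contains exactly one blank, blank one more
    cell in that line, preferring a partner whose own column/row already has a blank so
    that suppressions form rectangles instead of spreading across the table.
    """
    out = deepcopy(table)
    rows = list(out)
    cols = list(next(iter(out.values())))

    for r in rows:
        for c in cols:
            if out[r][c] < threshold:
                out[r][c] = None

    def is_blank(rc):
        return out[rc[0]][rc[1]] is None

    def crossing_line_has_blank(rc, kind):
        # For a cell chosen within a row, look down its column, and vice versa.
        if kind == "row":
            return any(out[r][rc[1]] is None for r in rows)
        return any(out[rc[0]][c] is None for c in cols)

    changed = True
    while changed:
        changed = False
        lines = [([(r, c) for c in cols], "row") for r in rows]
        lines += [([(r, c) for r in rows], "col") for c in cols]
        for cells, kind in lines:
            if sum(map(is_blank, cells)) != 1:
                continue
            visible = [rc for rc in cells if not is_blank(rc)]
            partners = [rc for rc in visible if crossing_line_has_blank(rc, kind)]
            r, c = min(partners or visible, key=lambda rc: out[rc[0]][rc[1]])
            out[r][c] = None
            changed = True
    return out


def no_line_has_single_blank(table):
    """True when every row and column has zero or at least two blanks, so no cell can be
    recovered from a published marginal total by a single subtraction."""
    rows = list(table)
    cols = list(next(iter(table.values())))
    row_ok = all(sum(table[r][c] is None for c in cols) != 1 for r in rows)
    col_ok = all(sum(table[r][c] is None for r in rows) != 1 for c in cols)
    return row_ok and col_ok


def count_blanks(table):
    return sum(v is None for row in table.values() for v in row.values())


def small_denominators(population, minimum=MIN_DENOMINATOR):
    """Areas whose population is below the threshold; their rows need a wider area."""
    return [area for area, n in population.items() if n < minimum]


if __name__ == "__main__":
    released = suppress_small_cells(TABLE)
    for area, counts in released.items():
        print(area, {band: ("*" if v is None else v) for band, v in counts.items()})
    print("no single blank per line:", no_line_has_single_blank(released))
    print("areas with small denominator:", small_denominators(POPULATION))
```

On the constructed table the two small cells (area A / 20-64 and area B / 65+) pull in two partner cells, leaving a 2×2 block of blanks; the four marginal totals then give only three independent equations for four unknowns, so no single cell is recoverable by subtraction. Area B is additionally flagged because its denominator of 850 is below the ~1000 threshold. Complementary suppression only defends against the "simple arithmetic" case; range bounds from the totals still leak, which is why the registry guidance also limits detail to what the stated purpose needs.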
UK Association of Cancer Registries
Potentially identifiable data
• the intended use(s) of the data should be stated clearly
• the use(s) of the data should be justified and the data should not be used for any other purposes
• the registry should not release data that are more detailed than necessary to fulfill the stated purpose
• the data should not be passed on to other third parties or released into the public domain
• the data should be kept securely for the period of time that can be justified by the stated purpose, and then destroyed
• no attempt should be made to identify information pertaining to particular individuals or to contact individuals
• no attempt should be made to link the data to other data sets, unless agreed with the data providers
• any public domain reports or papers resulting from analyses of the provided data should be shared prior to publication with the cancer registry (or registries) supplying the information.
American College of Epidemiology
Policy Statements
• Routine anonymization of archived medical data:
  ✓ difficulty in tracing back to individuals
  ✓ unable to predict what linkage might be useful in future investigations
• Individual informed consent:
  ✓ untenable administrative, financial, and logistical burdens
  ✓ non-participation and selection bias
ACE with bigger challenges
New Challenges
Life Logs & Genomes
New Challenges
• Personal genomes
  ✓ Fundamentally identifiable in themselves
  ✓ Non-editable
  ✓ Beyond the person: shared by family members
• Life logging
• Bio-banks and biomedical research
• Taxonomy for secondary uses
[Figure: Impact on Family – you and your relatives’ stances on sequencing: Mom the worrier; Crazy Uncle Bill; skeptical brother; early-adopter sister; Dad already signed up to get sequenced; Grandpa says no way!; Aunt Erma worried about losing her insurance because of her son’s DNA sequence; Cousin Betty wants to donate her sequence to science and make it totally public; Grandma is gone, but a sample of her DNA still exists…; your kids; your potential kid?]
Source: HSLS, U.Pitt personal genetics education project (link)
Ethical and Technological
Thank you!
http://www.snubi.org/