DESCRIPTION
This presentation describes what organizational steps can be taken to separate personally identifiable information from the necessary administrative information. When such procedures are applied patient data can be secured and privacy rules followed.
How To Organize Patient Information To Protect Data Privacy
Identity And Access Management In Healthcare. Seminar 24.01.2013 Zurich EPI-Park
Dr. rer. nat. Hellmuth Broda, Principal Technology Architect
Retail, Consumer Goods, Life Sciences, Infosys Limited
Agenda
● About Infosys
● Privacy—An Obsolete Model?
● Challenges with Identities
● An Architecture for Trust
● How to Organize Information
Over 150,000 employees from 89 nationalities
Operations in 77 cities across 32 countries
[Chart: We fuelled our growth, 2000 to 2012: from 5,389 employees and $200 M revenue to 153,761+ employees and $7.12 billion revenue]
Clients: 4 out of the top 5 global aerospace & defense companies, 4 out of the top 5 US banks, 6 out of the top 10 global telecommunication giants, 3 out of the top 5 health plans, 8 out of the top 10 US retailers
Powerful Forces Are Driving Opportunities
● Emerging Economies
● Smarter Organizations
● Digital Consumers
● New Commerce
● Pervasive Computing
● Sustainable Tomorrow
● Healthcare Economy
We partner with clients to build tomorrow's enterprise: accelerate innovation, business transformation, optimize operations
The World's Most Innovative Companies 2012
8-time winner of the Global Most Admired Knowledge Enterprises award (2004 to 2011)
It has cost us the equivalent of a space shuttle launch to build our training center
The World's Largest Corporate University
Training 16,000 students per year
Upcoming Challenges In Security, Governance, Compliance
Perimeter security cannot serve the collaborative external ecosystems. It will be augmented (and eventually replaced) by application security and secure tunnels.
We will move from secure castles to secured tunnels.
Multiple Defence Rings Will Become Standard
● Perimeter security
● Network security
● Network intrusion detection
● Node/zone based security
● Laptop encryption
● Mobile device security
● Application security
● Data leakage prevention
● Compliance framework
Privacy—An Obsolete Model?
● “You already have zero privacy anyway—get over it!” (Scott McNealy, CEO Sun Microsystems, 1999)
● Mobile phones track your location
● Navigation systems track you and OnStar even records your preferred gas stations
● 200 CHF quadrocopter drones turn your neighbour into a spy
● Google traces your behaviour to offer “better services”
● “Bundestrojaner” scans German (only?) computers
Invasion By Authorities But Also Crooks
● Are our basic privacy rights at stake?
● Is everything allowed that is technically feasible?
● Is there no limit?
● Who will control the controllers?
● Are we making it easy to become prey?
Fallacy Of Poorly Organized Information
● We are following a long tradition of “male chauvinism” by building information pyramids
● The first thing we do is look for a (global) identifier
● Then we attach all attributes to this identifier
● And then we try to sprinkle some security on top
● This model does not work and is an open invitation to data security breaches
How Do We Do It In Real Life?
● We don’t use global identifiers in real life
● My passport number is different from my Swiss ID card number
● My driver’s licence has a different number
● My bank account has another number
● We sometimes even put information into the key (which is a cardinal sin) – cf. our old AHV number in Switzerland
But Connecting Identities Became Easy
● Proven models for federated identity connect a person’s frequent flyer number to his car rental loyalty card
● Following the traces on the web became a real business for market research firms
● We are becoming more and more transparent
● While on the move to Personalized Medicine—will my insurer hold a copy of my DNA and “adjust” my premium according to the predicted disease probabilities?
What Can We Do About This?
● Many global organizations have been working on privacy protection and the organizational mechanisms to conceal personally identifiable information (PII): Liberty Alliance, Kantara Initiative, Internet Society, W3C, . . .
● Mechanisms for secure identity assertions allow the combination/translation of identifiers, both to combine services and to keep identifiers and the corresponding information separate (federated identity)
So—Here Is The Trick
● Keep separate what does not need to be in one domain
● Use masking and pseudonymization wherever possible
● Protect the connection table that equates identities really well (it is a small table—much easier to protect than an entire system)
● Selectively enable access to this table on a strict need basis
Confused? Let Me Explain . . .
● What exactly is privacy anyway?
● What are Identity Management, Authentication, Authorization, Policies?
● How can we organize such a system?
● “I still did not get it—can you explain more?”
● “Glad you asked”
What Is So Special About Privacy And Trust?
● The biggest concern (after health) of the patient is privacy
● Privacy does not mean that “nobody knows nothing about me” *)
● It is about managing the faith of the patient by adhering to the agreed scope and holding the information in trust
● Consumers and patients are afraid of “Purpose Creep”
● What could an architecture for privacy and trust management look like?
*) The Sopranos
[Diagram: Purpose Creep vs. Original Agreement]
Architecture for Trust Management: Definitions
● Identity: Basic set of information that creates a “unique” entity (a name with a corresponding set of attributes)
● Authentication: Assertion of validity of a set of credentials. Credentials express a person’s identity. “A Yes/No answer”
● Authorization: A set of rules governing decisions about what the user can do: access to information, services or resources
● Policy/Governance: A combination of business and technology practices which define how a relationship is conducted and services are performed
Architecture for Trust Management: Real World Example, Driver’s License
1. Identity: Name, address, picture identify the driver and, together with the document, provide the credentials expressing that the carrier is identical to the person that passed the driving tests
2. Authentication: Assertion of validity. The policeman compares the document with you. Result: “A Yes/No answer”
3. Authorization: The policeman will then see which kind of vehicle you are authorized to drive and if you are allowed to drive the one you are operating now
4. Policy/Governance: The fact that we do have police; the rules that allow me to drive with my national license in other countries
Architecture for Trust Management: Digitally Speaking . . .
1. Identity: User, customer, device “facts”, e.g., name, address, ID, token, keys; credentials, certificates that were issued by a Certification Authority (CA)
2. Authentication: Log on with a UID/PW, token, certificate, biometrics etc. A process that demands proof that the person presenting the credentials is indeed the person to whom they were originally issued. Result: accept or reject
3. Authorization: Determination of access rights to systems, applications and information: match credentials against profiles, ACLs, policy
4. Policy/Governance: Business practices to manage risk, enforce security/privacy, provide auditability. User and customer preferences, history, personalized services
How People Will Trust Policies
● Policy and its audit have to be guaranteed and certified by an approved public or private independent organization, e.g.: federal or state data protection agency, TÜV (private institution), audit firm, chamber of commerce, postal service or other basic service provider, . . .
● This can be achieved with defined processes and responsibilities similar to ISO 9000
● Trust is based on policies and the audit of those -- not just on security
Where to Safeguard User's Information
[Diagram: each organization (health & travel insurance, loyalty program, retail bank, car rental, hotel chain, airline, travel agent) holds only the data it needs (insurance records, travel history, meal preferences, credit history, health history, car type preferences), contrasted with a Single Identity Operator holding credit history, health history, travel history, insurance records and meal preferences in one place]
A Federated Structure Promotes Privacy and Security
● Federated structure means no single centralized data storage that would be vulnerable to attack
● End user has more control of data because permissions travel with data, guiding its use
● No global identifier -- this model protects against unauthorized data sharing
How it Happens
[Diagram: Circle of Trust – organizations and individuals (example healthcare). Principals (e.g. patient, physician) authenticate at an Identity Provider (authentication, federation, discovery service, personal profile) and use Service Providers (e.g. pharmacy, physician, hospital) and Identity-Based Web Service Providers (e.g. ePrescriptions.com)]
● Business relationships based on Liberty architecture & operational agreements
● Enables patients, physicians and healthcare organizations to safely share information in a secure and apparently seamless environment, without violating privacy
The Example: Information Management In The Practitioner’s Office
● Today your GP (house doctor) keeps a folder for each patient with administrative and medical information in one place
● Due to the sensitivity of patient data this cabinet should always be locked
● But every secretary, nurse (and visitor?) has (to have) access
Enters The Smart Doctor
● He keeps the patient’s information in two separate file cabinets
● Cabinet One holds the administrative data of patients (name, birth date, address, phone, insurance information etc.)
● Cabinet Two holds the folders with cases: a knee operation, a liver exam, an x-ray, blood exam results . . .
● But the identifiers do not point to each other; they point to entries in a little black book, which the doctor keeps in a safe place
● Only with this booklet can the connection between individuals and cases be made
Advantage Of This Data Masking
● Cabinet One holds only administrative information (phone book) and can be left open
● Cabinet Two holds only cases and can be used e.g. for Public Health research and can be left open
● Pointers are only resolved in the “Little Black Book” which is secured
[Illustration: a black-book entry such as 23F147: H23KF23XL M4DB9, linking one administrative identifier to case identifiers]
What About the Electronic Patient Records?
● Patient owns his medical record in the cloud
● Records should be compartmentalised (“cases”)
● No patient information (PII) is needed in the records
● Patient holds the “little black book” locked
● Override for emergency services (with audit trail) can be established
● Electronic records open for public health studies
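The two-cabinet scheme with a protected link table, as an added example (not code from the presentation): both stores use random identifiers that carry no information and do not point at each other; only the link table ties them together, resolution is limited to a treating physician or an emergency override, and every resolution attempt is written to the audit trail. Roles, field names and the hex identifiers are assumptions made for the illustration.

```python
import secrets
from collections import defaultdict


class PseudonymisedPractice:
    """Cabinet One (admin data), Cabinet Two (cases) and the 'little black book'."""

    def __init__(self):
        self.admin = {}                   # Cabinet One: admin_id -> administrative data, no case data
        self.cases = {}                   # Cabinet Two: case_id -> clinical data, no PII
        self._links = defaultdict(list)   # black book: admin_id -> [case_id]; the only connection
        self.audit = []                   # every resolution attempt (granted or not) lands here

    def register_patient(self, name, birth_date, insurer):
        admin_id = secrets.token_hex(4)   # random key: no information in the key
        self.admin[admin_id] = {"name": name, "birth_date": birth_date, "insurer": insurer}
        return admin_id

    def add_case(self, admin_id, diagnosis, findings):
        if admin_id not in self.admin:
            raise KeyError("unknown patient")
        case_id = secrets.token_hex(6)    # independent of admin_id; the case never points back
        self.cases[case_id] = {"diagnosis": diagnosis, "findings": findings}
        self._links[admin_id].append(case_id)
        return case_id

    def resolve(self, admin_id, actor, role, emergency=False):
        """Return a patient's cases. Only the treating physician may resolve the link
        table; emergency services may override, and every attempt is audited."""
        allowed = role == "physician" or (role == "emergency" and emergency)
        self.audit.append({"actor": actor, "role": role, "admin_id": admin_id,
                           "emergency": emergency, "granted": allowed})
        if not allowed:
            raise PermissionError(f"role {role!r} may not resolve the link table")
        return [self.cases[c] for c in self._links[admin_id]]

    def research_export(self):
        """Cabinet Two on its own: usable for public-health studies, contains no PII."""
        return [dict(case) for case in self.cases.values()]
```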
What Can We Learn From This Example?
● By building information systems without global identifiers we can compartmentalize information so that information security and privacy become an integral property of such an architecture
● Such systems can be secured, and compliance with data privacy laws becomes much easier to achieve
● The client/patient/consumer will acknowledge this and build trust in such systems
Thank you
Hellmuth_Broda@infosys.com
www.infosys.com
The contents of this document are proprietary and confidential to Infosys Limited and may not be disclosed in whole or in part at any time, to any third party without the prior written consent of Infosys Limited.
© 2013 Infosys Limited. All rights reserved. Copyright in the whole and any part of this document belongs to Infosys Limited. This work may not be used, sold, transferred, adapted, abridged, copied or reproduced in whole or in part, in any manner or form, or in any media, without the prior written consent of Infosys Limited.