Social Networking in Health Care: Towards secure, privacy-preserving systems

James Williams, BA, BSc, JD
Privacy Officer, Ontario Telemedicine Network.
PhD candidate, University of Victoria.

Social Networks in Health Care - Talk at ICSE 2010



Page 2: Goal

This presentation is an introduction to an understudied area in health informatics. We will address the following issues:

1. What are social networking applications for health care?
2. What unique security and privacy issues exist?
3. What techniques can address them?
4. What remains to be done?

Page 3: OUTLINE

Background
•Basics of Social Networking (SN) applications.
•Social Networking for Health Care
•Examples

Security/Privacy Issues
•Issues with SN apps in general.
•Unique features of the healthcare domain.
•Current work.

Future work.

Page 4: Basics of Social Networking: The social web

•The term ‘Web 2.0’ has been used to refer to internet architectures that permit content to be easily generated and published by users.
•Users are enabled to act both as readers and writers, generating content and creating a visible history of their activities.
•Key notions include:
  •interpersonal networking,
  •personalization,
  •individualism,
  •empowerment.

Page 5: Basics of Social Networking: Online networks

•First generation web applications like bulletin boards allowed users to communicate and collaborate.
•Social networking (SN) applications expand upon Web 1.0 apps by:
  •providing a persistent, explicit and publicly visible representation of social networks.
  •providing a variety of mechanisms by which users may organize themselves (e.g. groups).
  •incorporating privacy protection.

Page 6: Basics of Social Networks

A social network involves:

1. A set of users, represented by individual user profiles.
2. A set of mechanisms for exchanging information, such as message boards, email, and wall posts.
3. A set of binary relationship types.
4. A set of search functions, to locate user profiles.
5. A site operator, who controls the site.

•A social network is naturally represented as a dynamic graph in which an edge between two vertices represents a relationship between two users.

Page 7: Basics of Social Networks: Model of an SN

Page 8: Social Networks in Health Care: Rationale

‘Healthcare 2.0’ has been used to denote the use of social software, with an emphasis on its ability to promote collaboration between patients, caregivers and medical professionals.

Patient empowerment may be a critical factor in achieving sustainability of the health care system.

•Traditionally, the physician-patient relationship has exhibited a degree of information asymmetry.
•SNAHC (social networking applications for health care) systems emphasize collaboration and independence.
•User communities are springing up around ailments.
•Active management may make patients more health conscious.

Page 9: Social Networks in Health Care: Differences

In the case of health care, we have more than one type of user:
•Patients
•Providers
•Care givers
•Support staff
•Family members
•Substitute decision makers.

Page 10: Social Networks in Health Care: Examples: PHRs

Basic social networking features are found in personal health record (PHR) systems, including Google Health, Microsoft HealthVault, and Dossia.

Google Health:
•Allows users to store/manage PHI, including medical conditions, allergies and medication histories.
•Users can search for information about medical conditions or adverse drug interactions.
•Information in the health record can be shared. Users invite others to view their profile through email.

Page 11: (slide without text)

Page 12: Social Networks in Health Care: Examples

Microsoft HealthVault:
•Platform that provides basic services for PHR and social networking products.
•Vendors can build customized products on top of it.
•Each individual owns his or her record.
•Others can be granted access to it, if desired.
•The mapping between records and users is many-to-many, allowing for substitute decision makers and other scenarios.

Page 13: (slide without text)

Page 14: Social Networks in Health Care: Examples

Healthy Circles
•Patients can store emergency contacts, insurance plans, medications, immunizations, past procedures, test results, medical conditions, allergies and family histories.
•Users can enter basic health metrics and view reports.
•Programs are interactive applications that typically require users to enter personal information in order to provide diagnoses or recommend treatment regimens or health management strategies.
•Users can purchase consultation or monitoring services from registered health care providers.

Page 15: Social Networks in Health Care: Examples

PatientsLikeMe
•Patients can store a wide array of information.
•The site operator encourages users to share as much information as possible.
•Pharmaceutical companies are partners, using the site as a repository for voluntarily contributed data on outcomes.
•Uses a more advanced social networking model.

Page 16: (slide without text)

Page 17: Security / Privacy Issues in SN

Awareness of Risk:

Empirical studies show that users:
•do value informational privacy.
•typically do not change default settings.
•are inclined to disclose information freely online.
•often restrict their information only after breaches have occurred.

•Users may lack a method for assessing risks in social networks. Social cues are missing.
•They may also be unaware of the mechanisms for reducing risk.

Page 18: Security / Privacy Issues in SN

Ease of Network Formation:
•An individual’s online social network tends to be more expansive (containing more weak ties) than the same individual’s offline network.
•Users often misjudge the extent, activity and accessibility of their online social networks.

Complex Workflows:
•In general, social networking applications offer complex, many-to-many communications mechanisms.
•The workflows are not easy to grasp, which makes the task of risk assessment more difficult.

Page 19: Security / Privacy Issues in SN

Trust:
•Attackers may create fake profiles, and site operators may not follow their privacy policies.
•Trust is a ‘social glue’ in a SN system.

Data Lifecycle:
•Users have little knowledge about retention periods, backups, and the like.
•Information posted on a SN may have ramifications for the user.

Page 20: Security / Privacy Issues in SN

Unauthorized Uses and Disclosures:
•Site operators may use or disclose the data.
•As an example, SN operators report increased demands for bulk data from governments.

Leakage to Applications:
•Applications typically draw data from the system in order to deliver personalized experiences.
•In many early architectures, they could retrieve quite a lot of information, including information about one’s friends.

Page 21: Security / Privacy Issues in SN

Aggregation by Third Parties:
•Third parties (e.g. ad servers) can receive personal information.
•Since 70% of the market is controlled by a small number of firms, these companies are in a position to aggregate data from various sources.
•Users typically are not aware that disclosures on one site may be linked to disclosures on another site.

Page 22: Security / Privacy Issues in SN

Complex Privacy Policies:
•Because of the complex user scenarios, privacy policies for SN systems tend to be complex.
•Studies indicate that some are inaccessible to users.
•Enforcement is more difficult. Unlike ecommerce, a user may see another’s activities.
•The market lacks competition for comprehensible privacy policies.
•There are few methods for negotiating policies on a user’s behalf.

Page 23: Security / Privacy Issues in SN

Sunk Costs:
•In ecommerce, it is fairly easy to switch service providers.
•In SN settings, the costs associated with switching providers are fairly severe.
•Users may stay with an insecure and non-private system.

Shared Content:
•Shared content creates privacy risks for users, since information may be linked to their profile without consent or knowledge.

Page 24: Features of the Health Domain

Sensitivity of Information:
•Tends to be very high, and protected by law.

Motivated Data Recipients:
•Employers, insurers, researchers.

Secondary Damage:
•Since many serious health concerns are genetically based, information about an individual can convey information about a family member.

Page 25: Features of the Health Domain

Community Interests:
•Individuals sharing information on health trends can, if their submissions are aggregated, reveal information about the health issues affecting groups.

Signaling:
•The mere act of making an inquiry about a condition can be a signal that the individual in question has the condition. The same is true of an individual’s connections.

Page 26: Features of the Health Domain

Compensability:
•Difficult to value PHI.
•Indemnification and compensation are much more difficult.

Dynamic Networks:
•Health teams form around episodes.
•They are ephemeral.

Page 27: What can we do (as software engineers, developers and systems architects) to alleviate some of these issues?

Page 28: Current Work: Securing the Framework

Restrict information flowing to apps:
•Privacy by Proxy.
•User-to-application policies.

New Access Models:
•‘Proof’ to access particular resources.
•Social Access Control List.
•Walk through trusted nodes in the network structure.
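The "walk through trusted nodes" access model on this slide, combined with the graph model of slide 6, as an added example that is not code from the talk: the network is a constructed sample, the per-resource policy format (trusted relationship types plus a hop limit) is an assumption of this example, and access is granted only if a breadth-first walk from the resource owner reaches the requester over trusted edges within the hop limit.

```python
from collections import deque

# Constructed sample network (not data from the talk): undirected edges labelled
# with a relationship type, as in the dynamic-graph model of slide 6.
EDGES = [
    ("alice", "dr_lee", "provider"),
    ("alice", "bob", "family"),
    ("bob", "carol", "friend"),
    ("dr_lee", "dr_kim", "colleague"),
    ("dr_kim", "mallory", "friend"),
]

def build_graph(edges):
    graph = {}
    for src, dst, rel in edges:
        graph.setdefault(src, {})[dst] = rel
        graph.setdefault(dst, {})[src] = rel  # relationships are symmetric here
    return graph

GRAPH = build_graph(EDGES)
# Hypothetical social ACL format (an assumption of this example): per resource,
# which relationship types are trusted hops and how far a walk may go.
POLICY = {
    "lab_results": {"trusted": {"provider", "colleague"}, "max_hops": 2},
    "wall": {"trusted": {"family", "friend"}, "max_hops": 2},
}

def trusted_path_exists(graph, owner, requester, trusted, max_hops):
    # Breadth-first walk from the owner that only follows trusted edges.
    if owner == requester:
        return True
    seen, queue = {owner}, deque([(owner, 0)])
    while queue:
        node, hops = queue.popleft()
        if hops == max_hops:
            continue  # policy does not allow walking further
        for nxt, rel in graph.get(node, {}).items():
            if rel not in trusted or nxt in seen:
                continue
            if nxt == requester:
                return True
            seen.add(nxt)
            queue.append((nxt, hops + 1))
    return False

def can_access(owner, requester, resource, graph=GRAPH, policy=POLICY):
    """Deny by default: unknown resources and unreachable requesters get False."""
    rule = policy.get(resource)
    if rule is None:
        return False
    return trusted_path_exists(graph, owner, requester, rule["trusted"], rule["max_hops"])
```

Note that the walk is evaluated per request against the current graph, so a relationship that is removed (an ephemeral care team, slide 26) revokes access without any ACL edit.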

Page 29: Current Work: Securing the Framework

Anonymizing Users
•Use encryption and various key exchange mechanisms.
•FlybyNight: uses client side JavaScript.
•Respondent k-anonymity.
•Fake data.
•NOYB: map operations on fake data back to real data. Avoid ciphertext. Replace values pseudonymously from a dictionary. Keys distributed out of band. Only works for a small number of users.
•FaceCloak: another approach using dictionary techniques.
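The dictionary-substitution idea behind NOYB on this slide, as an added illustration that is not NOYB's own scheme or code: a constructed dictionary of plausible values for one profile field, a keyed per-record offset (HMAC-SHA256 under a key shared out of band) that picks the fake entry the site stores, and the inverse that a key-holding friend applies when viewing the page. The site only ever sees dictionary words, never ciphertext; values outside the dictionary cannot be hidden this way, which is one reason the approach suits small user groups.

```python
import hmac
import hashlib

# Constructed dictionary of plausible values for one profile field (an
# assumption of this example; NOYB builds its dictionaries differently).
CONDITIONS = ["asthma", "diabetes", "hypertension", "migraine",
              "arthritis", "eczema", "anemia", "insomnia"]

def _offset(key, field, record_id, size):
    """Keyed, per-record offset into the dictionary: HMAC-SHA256 reduced mod size.
    Without the key the offset is unpredictable, so the stored entry looks like
    any other plausible value and reveals nothing about the real one."""
    msg = f"{record_id}:{field}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % size

def obfuscate(key, field, record_id, value, dictionary=CONDITIONS):
    """What the client stores at the site: a real dictionary entry, not ciphertext."""
    if value not in dictionary:
        raise ValueError(f"{value!r} is not in the dictionary and cannot be hidden")
    size = len(dictionary)
    idx = dictionary.index(value)
    return dictionary[(idx + _offset(key, field, record_id, size)) % size]

def reveal(key, field, record_id, stored, dictionary=CONDITIONS):
    """What a friend holding the out-of-band key does when viewing the profile."""
    size = len(dictionary)
    idx = dictionary.index(stored)
    return dictionary[(idx - _offset(key, field, record_id, size)) % size]

def decode_view(key, field, profiles, dictionary=CONDITIONS):
    """Map a page of fake values back to the real ones for every record shown."""
    return {rid: reveal(key, field, rid, fake, dictionary)
            for rid, fake in profiles.items()}
```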

Page 30: Current Work: Dealing with Extracts

•Social network data can be extracted for processing or data mining.
•Attacker may have background information, including knowledge of certain properties of the network.
•Most of the techniques are based on anonymization.
•Tabular algorithms don’t work well with network data.
•Need to know the privacy risk model, background knowledge, and intended use of the data.
•Two camps:
  1. Clustering based.
  2. Graph modification.
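The clustering-based camp on this slide, as an added example that is not code from the talk: a constructed edge-list extract is generalized into supernodes of at least k vertices, and only the supernode sizes with intra- and inter-supernode edge counts are released. The background knowledge assumed here is a target's degree; grouping by degree is this example's own choice for keeping the summary useful.

```python
from collections import defaultdict

# Constructed extract of a small network (an edge list), not data from the talk.
EXTRACT = [
    ("u1", "u2"), ("u1", "u3"), ("u2", "u3"), ("u3", "u4"), ("u4", "u5"),
    ("u5", "u6"), ("u6", "u7"), ("u7", "u8"), ("u4", "u8"),
]

def cluster_anonymize(edges, k):
    """Generalize a graph extract into supernodes of at least k members.

    Returns (clusters, intra, inter): clusters lists the members of each
    supernode, intra[c] counts edges inside supernode c, and inter[(a, b)]
    counts edges between supernodes a < b. Only the summary is released, so
    an attacker who knows a target's degree cannot single out a vertex."""
    degree = defaultdict(int)
    for a, b in edges:
        degree[a] += 1
        degree[b] += 1
    nodes = sorted(degree, key=lambda n: (degree[n], n))
    if len(nodes) < k:
        raise ValueError("fewer than k vertices: no k-anonymous release is possible")
    # Grouping vertices of similar degree keeps the summary useful; any grouping
    # in which every cluster has at least k members gives the same guarantee.
    clusters = [nodes[i:i + k] for i in range(0, len(nodes), k)]
    if len(clusters) > 1 and len(clusters[-1]) < k:
        clusters[-2].extend(clusters.pop())  # merge a short tail cluster
    cluster_of = {n: c for c, members in enumerate(clusters) for n in members}
    intra, inter = defaultdict(int), defaultdict(int)
    for a, b in edges:
        ca, cb = cluster_of[a], cluster_of[b]
        if ca == cb:
            intra[ca] += 1
        else:
            inter[(min(ca, cb), max(ca, cb))] += 1
    return clusters, dict(intra), dict(inter)

def is_k_anonymous(clusters, k):
    """Check the release property: every supernode hides at least k vertices."""
    return all(len(c) >= k for c in clusters)
```

The trade-off the slide alludes to is visible in the output: the coarser the supernodes, the less useful the released edge counts are for the data mining the extract was made for.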

Page 31: Future Work

Improved Privacy Controls:
•Current social network applications allow the construction of hierarchies, including groups.
•We need efficient, concise and usable controls for this.
•Taking advantage of automation or group knowledge:
  •Agents
  •Automatically assigning trust to users/resources.
  •Heuristics (weighting), voting, reputation mechanisms.
•Better user interfaces for privacy control management.

Page 32: Future Work

Network Visualization Tools:
•Some of the uncertainty surrounding privacy risks could be dispelled if users were able to visualize their networks.
•To this end, user interfaces for displaying a user’s profile accessibility would be highly useful.
•Increase the utilization of privacy options by clear representations of social networks, friend proximity, and availability of profile features.

Page 33: Future Work

Detecting Attacks:
•Future software architectures for health care could include facilities to discourage or detect common attacks.
•For instance, prototypes could be developed that scan for fake user profiles.
•Also, search functionality can serve as a form of querying that can reveal both user identities and protected user information.
•Find heuristic approaches for limiting queries.

Page 34: Future Work

Security in the Architecture:
•We need to do further work on secure architectures, along the lines of the efforts we have discussed above.
•In particular, we should develop architectures that:
  •Work for all users (not just a subset).
  •Provide anonymity against the platform.
  •Make it easy to exchange keys.

Page 35: Future Work

Shared Content Management:
•We need mechanisms for assigning permissions to shared content.
•This is particularly relevant in the health domain, where secondary disclosures may cause information to be revealed about the health of family members.

Page 36: Future Work

Policy Negotiation and Representation:
•Continue the development of tools and languages for representing policies.
•Many privacy policy tools were developed with a single organization’s behaviour in mind. We also need tools for data exchange.
•Methods for evaluating formal requirements in the context of policies would be highly useful.