How To Organize Patient Information To Protect Data Privacy. Identity And Access Management In Healthcare. Seminar 24.01.2013 Zurich EPI-Park. Bangalore Campus. Dr. rer. nat. Hellmuth Broda, Principal Technology Architect, Retail, Consumer Goods, Life Sciences, Infosys Limited

How to Organize Patient Information to Protect Patients' Data

DESCRIPTION

This presentation describes what organizational steps can be taken to separate personally identifiable information from the necessary administrative information. When such procedures are applied, patient data can be secured and privacy rules followed.

Page 1: How to Organize Patient Information to Protect Patients' Data

How To Organize Patient Information To Protect Data Privacy

Identity And Access Management In Healthcare. Seminar 24.01.2013 Zurich EPI-Park

Bangalore Campus

Dr. rer. nat. Hellmuth Broda, Principal Technology Architect
Retail, Consumer Goods, Life Sciences, Infosys Limited

Page 2

Agenda

● About Infosys
● Privacy—An Obsolete Model?
● Challenges with Identities
● An Architecture for Trust
● How to Organize Information

Pune Campus

Page 3

Over 150,000 employees from 89 nationalities

Operations in 77 cities across 32 countries

Page 4

WE FUELLED OUR GROWTH

[Growth chart, 2000 vs. 2012: 5389 to 153,761+ employees; 200 M to 7.12 Billion revenue. Chart labels: 1500 EMPLOYEES, $50 MILLION REVENUE]

4 out of top 5 Global Aerospace & Defense
4 out of top 5 US Banks
6 out of top 10 Global Telecommunication Giants
3 out of top 5 Health Plans
8 out of top 10 US Retailers

Page 5

POWERFUL FORCES ARE DRIVING OPPORTUNITIES

Emerging Economies
Smarter Organizations
Digital Consumers
New Commerce
Pervasive Computing
Sustainable Tomorrow
Healthcare Economy

Page 6

WE PARTNER WITH CLIENTS TO BUILD TOMORROW'S ENTERPRISE

ACCELERATE INNOVATION
BUSINESS TRANSFORMATION
OPTIMIZE OPERATIONS

Page 7

THE WORLD'S MOST INNOVATIVE COMPANIES 2012

Page 8

8-TIME WINNER OF THE GLOBAL MOST ADMIRED KNOWLEDGE ENTERPRISES AWARD

2004 2005 2006 2007 2008 2009 2010 2011

Page 9

IT HAS COST US THE EQUIVALENT OF A SPACE SHUTTLE LAUNCH TO BUILD OUR TRAINING CENTER

Page 10

The World's Largest Corporate University

Page 11

Training 16'000 Students per Year

Page 12

Upcoming Challenges In Security, Governance, Compliance

Perimeter security cannot serve the collaborative external ecosystems. It will be augmented (and eventually replaced) by application security and secure tunnels.

We will move from secure castles to secured tunnels

Page 13

Multiple Defence Rings Will Become Standard

Perimeter security
Network security
NW intrusion detection
Node/zone based security
Laptop encryption
Mobile device security
Application security
Data leakage prevention
Compliance framework

Page 14

Privacy—An Obsolete Model?

● "You already have zero privacy anyway—get over it!" (Scott McNealy, CEO Sun Microsystems, 1999)
● Mobile phones track your location
● Navigation systems track you and OnStar even records your preferred gas stations
● 200 CHF quadrocopter drones turn your neighbour into a spy
● Google traces your behaviour to offer "better services"
● "Bundestrojaner" scans German (only?) computers

Page 15

Invasion By Authorities But Also Crooks

● Are our basic privacy rights at stake?
● Is everything allowed that is technically feasible?
● Is there no limit?
● Who will control the controllers?
● Are we making it easy to become prey?

Image at datonel.deviantart.com

Page 16

Fallacy Of Poorly Organized Information

● We are following a long tradition of "male chauvinism" by building information pyramids
● The first thing we do is look for a (global) identifier
● Then we attach all attributes to this identifier
● And then we try to sprinkle some security on top
● This model does not work and is a blanket invitation to data security breaches

Page 17

How Do We Do It In Real Life?

● We don't use global identifiers in real life
● My passport number is different from my Swiss ID card number
● My driver's licence has a different number
● My bank account has another number
● We sometimes even put information into the key (which is a cardinal sin) – cf. our old AHV number in Switzerland

Page 18

But Connecting Identities Became Easy

● Proven models for federated identity connect a person's frequent flyer number to his car rental loyalty card
● Following the traces on the web became a real business for market research firms
● We are becoming more and more transparent
● While on the move to Personalized Medicine—will my insurer hold a copy of my DNA and "adjust" my premium according to the predicted disease probabilities?

Image by alancleaver_2000 via Flickr

Page 19

What Can We Do About This?

● Many global organizations have been working on privacy protection and the organizational mechanisms to conceal personally identifiable information (PII): Liberty Alliance, Kantara Initiative, Internet Society, W3C, . . .
● Mechanisms for secure identity assertions allow combination/translation of identifiers to combine services as well as to keep identifiers and the corresponding information separate (federated identity)

Page 20

So—Here Is The Trick

● Keep separate what does not need to be in one domain
● Use masking and pseudonymization wherever possible
● Protect the connection table that equates identities really well (it is a small table—much easier to protect than an entire system)
● Selectively enable access to this table on a strict need basis

Page 21

Confused? Let Me Explain . . .

● What exactly is privacy anyway?
● What are Identity Management, Authentication, Authorization, Policies
● How can we organize such a system
● "I still did not get it—can you explain more?"
● "Glad you asked"

Page 22

What Is So Special About Privacy And Trust?

● The biggest concern (after health) of the patient is privacy
● Privacy does not mean that "nobody knows nothing about me" *)
● It is about managing the faith of the patient by adhering to the agreed scope and holding the information in trust
● Consumers and patients are afraid of "Purpose Creep"
● What could an architecture for privacy and trust management look like?

*) The Sopranos

[Diagram: Original Agreement vs. Purpose Creep]

Page 23

Architecture for Trust Management: Definitions

Policy/Governance: A combination of business and technology practices which define how a relationship is conducted and services are performed

Authorization: A set of rules governing decisions about what the user can do: access to information, services or resources

Authentication: Assertion of validity of a set of credentials. Credentials express a person's identity. "A Yes/No answer"

Identity: Basic set of information that creates a "unique" entity (a name with a corresponding set of attributes)

Page 24

Architecture for Trust Management: Real World Example: Driver's License

1. Identity: Name, address, picture identify the driver and provide, together with the document, the credentials expressing that the carrier is identical to the person that passed the driving tests
2. Authentication: Assertion of validity: The policeman compares the document with you. Result: "A Yes/No answer"
3. Authorization: The policeman will then see which kind of vehicle you are authorized to drive and if you are allowed to drive the one you are operating now
4. Policy/Governance: The fact that we do have police; the rules that allow me to drive with my national license in other countries

Page 25

Architecture for Trust Management: Digitally Speaking . . .

1. Identity: User, customer, device "facts", e.g., name, address, ID, token, keys; credentials, certificates that were issued by a Certification Authority (CA)
2. Authentication: Log on with a UID/PW, token, certificate, biometrics etc. A process that demands proof that the person presenting the credentials is indeed the person to whom they were originally issued. Result: accept or reject
3. Authorization: Determination of access rights to systems, applications and information: match credentials against profiles, ACLs, policy
4. Policy/Governance: Business practices to manage risk, enforce security/privacy, provide auditability

User, customer preferences, history, personalized services,

Page 26

How People Will Trust Policies

Policy and its audit have to be guaranteed and certified by an approved public or private independent organization, e.g.:
● Federal or state data protection agency
● TÜV (private institution)
● Audit firm
● Chamber of Commerce
● Postal Service or other basic service provider, . . .

This can be achieved with defined processes and responsibilities similar to ISO 9000

Trust is based on policies and the audit of those -- not just on security

Page 27

Where to Safeguard User's Information

[Diagram contrasting two models. Left: separate service providers (Health & Travel Insurance, Loyalty Program, Retail Bank, Car Rental, Hotel Chain, Airline, Travel Agent), each holding only its own data (Insurance Records, Travel History, Meal Preferences, Credit History, Health History, Car Type Preferences). Right: a Single Identity Operator holding Credit History, Health History, Travel History, Insurance Records and Meal Preferences in one place.]

Page 28

A Federated Structure Promotes Privacy and Security

● Federated structure means no single centralized data storage that would be vulnerable to attack
● End user has more control of data because permissions travel with data, guiding its use

No global identifier -- this model protects against unauthorized data sharing

Page 29

How it Happens

[Diagram: Circle of Trust, healthcare example. Identity Provider (Authentication, Federation, Discovery Service, Personal Profile); Service Providers, e.g. Pharmacy, Physician, Hospital; Identity-Based Web Service Provider, e.g. ePrescriptions.com; Principals, e.g. Patient, Physician.]

Circle of Trust – organizations and individuals (example healthcare)

● Business relationships based on Liberty architecture & operational agreements
● Enables patients, physicians and healthcare organizations to safely share information in a secure and apparently seamless environment without violating privacy

Page 30

The Example: Information Management In The Practitioner's Office

● Today your GP (house doctor) keeps a folder for each patient with administrative and medical information in one place
● Due to the sensitivity of patient data this cabinet should always be locked
● But every secretary, nurse (and visitor?) has (to have) access

Page 31

Enters The Smart Doctor

● He keeps patients' information in two separate file cabinets
● Cabinet One holds the administrative data of patients (name, birth date, address, phone, insurance information etc.)
● Cabinet Two holds the folders with cases: a knee operation, a liver exam, an x-ray, blood exam results . . .
● But the identifiers do not point to each other, but to entries in a little black book, which the doctor keeps in a safe place.
● Only with this booklet can the connection between individuals and cases be made

Image at: uniforms-4all.com

Page 32

Advantage Of This Data Masking

● Cabinet One holds only administrative information (phone book) and can be left open
● Cabinet Two holds only cases and can be used e.g. for Public Health research and can be left open
● Pointers are only resolved in the "Little Black Book" which is secured

Little Black Book entry shown on the slide: 23F147: H23KF23XL M4DB9

Page 33

What About the Electronic Patient Records?

● Patient owns his medical record in the cloud
● Records should be compartmentalised ("cases")
● No patient information (PII) is needed in the records
● Patient holds the "little black book" locked
● Override for emergency services (with audit trail) can be established
● Electronic records open for public health studies
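As an added illustration that is not part of the deck, the following Python sketch puts the "trick" of pages 20 and 31 to 33 into code: two cabinets keyed by independent, meaning-free pseudonyms, a small connection table kept apart from both, resolution only for permitted roles, and an emergency override that always leaves an audit record. The store names, roles and sample records are assumptions made for the example.

```python
import secrets

# Constructed sample stores. Cabinet One: administrative data only (the
# "phone book"), keyed by a patient pseudonym. Cabinet Two: medical cases
# only, keyed by unrelated case pseudonyms. LINK is the Little Black Book:
# the only place where the two key spaces meet, so it is the part to lock.
ADMIN = {}   # patient pseudonym -> administrative record (contains PII)
CASES = {}   # case pseudonym -> case record (no PII)
LINK = {}    # patient pseudonym -> list of case pseudonyms
AUDIT = []   # every attempt to resolve the link table is recorded here

ALLOWED_ROLES = {"doctor", "emergency"}   # assumed roles for the example


def new_id(nbytes=6):
    """Random identifier: no information is put into the key (cf. page 17)."""
    return secrets.token_hex(nbytes).upper()


def admit_patient(name, birth_date, insurance):
    """Create the administrative entry in Cabinet One and an empty link entry."""
    pid = new_id()
    ADMIN[pid] = {"name": name, "birth_date": birth_date, "insurance": insurance}
    LINK[pid] = []
    return pid


def add_case(pid, case):
    """File a case in Cabinet Two under its own pseudonym; only LINK ties it to pid."""
    cid = new_id()
    CASES[cid] = dict(case)        # the case record never carries pid or a name
    LINK[pid].append(cid)
    return cid


def resolve(pid, actor, role, reason=""):
    """Open the Little Black Book on a strict need basis. Emergency access is
    permitted but must state a reason, and every outcome is audited."""
    if role not in ALLOWED_ROLES or (role == "emergency" and not reason):
        AUDIT.append(("DENIED", actor, role, pid, reason))
        raise PermissionError(f"{actor} ({role}) may not resolve the link table")
    AUDIT.append(("RESOLVED", actor, role, pid, reason))
    return [CASES[cid] for cid in LINK[pid]]


def research_export():
    """Cabinet Two on its own: usable for public health studies, no PII inside."""
    return list(CASES.values())
```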

Page 34

What Can We Learn From This Example?

● By building information systems without global identifiers we can compartmentalize information so that information security and privacy become an integral property of such an architecture
● Such systems can be secured, and compliance with data privacy laws can be achieved much more easily
● The client/patient/consumer will acknowledge this and build trust in such systems

quickbase.intuit.com

Page 35

Bangalore Campus

Page 36

THANK YOU

[email protected]

www.infosys.com

The contents of this document are proprietary and confidential to Infosys Limited and may not be disclosed in whole or in part at any time, to any third party without the prior written consent of Infosys Limited.

© 2013 Infosys Limited. All rights reserved. Copyright in the whole and any part of this document belongs to Infosys Limited. This work may not be used, sold, transferred, adapted, abridged, copied or reproduced in whole or in part, in any manner or form, or in any media, without the prior written consent of Infosys Limited.