Social Networking in Health Care Towards secure, privacy-preserving systems James Williams, BA, BSc, JD, Privacy Officer, Ontario Telemedicine Network

Social Networking in Health Care Towards secure, privacy-preserving systems

James Williams,BA, BSc, JD,Privacy Officer, Ontario Telemedicine Network.PhD candidate, University of Victoria.

Goal

This presentation is an introduction to an understudied area in health informatics. We will address the following issues:

1. What are social networking applications for health care?

2. What unique security and privacy issues exist?

3. What techniques can address them?4. What remains to be done?

OUTLINE

Background• Basics of Social Networking (SN)

applications.• Social Networking for Health Care • Examples

Security/Privacy Issues• Issues with SN apps in general.• Unique features of the healthcare domain.• Current work.

Future work.

Basics of Social NetworkingThe social web

•The term ‘Web 2.0’ has been used to refer to internet architectures that permit content to be easily generated and published by users•Users are enabled to act both as readers and writers, generating content and creating a visible history of their activities.•Key notions include:• interpersonal networking, • personalization• individualism• empowerment

Basics of Social NetworkingOnline networks

•First generation web applications like bulletin boards allowed users to communicate and collaborate.

•Social networking (SN) applications expand upon Web 1.0 apps by:• providing a persistent, explicit and

publically visible representation of social networks.

• providing a variety of mechanisms by which users may organize themselves. (ie: groups)

• incorporating privacy protection.

Basics of Social Networks

A social network involves:1. A set of users, represented by individual

user profiles.2. A set of mechanisms for exchanging

information, such as message boards, email, and wall posts.

3. A set of binary relationship types. 4. A set of search functions, to locate

user profiles.5. A site operator, who controls the site.

•A social network is naturally represented as a dynamic graph in which an edge between two vertices represents a relationship between two user profiles.

Basics of Social Networks Model of an SN

.

Social Networks in Health CareRationale

‘Healthcare 2.0’ has been used to denote the use of social software, with an emphasis on its ability to promote collaboration between patients, caregivers and medical professionals.Patient empowerment may be a critical factor in achieving sustainability of the health care system.•Traditionally, the physician-patient relationship has exhibited a degree of information asymmetry. •SNAHC systems emphasize collaboration and independence.•User communities are springing up around ailments.•Active management may make patients more health conscious.

Social Networks in Health CareDifferences

In the case of health care, we have more than one type of user:

•Patients•Providers•Care givers•Support staff•Family members•Substitute decision makers.

Social Networks in Health Care Examples: PHRs.

Basic social networking features are found in personal health record (PHR) systems, including Google Health, Microsoft HealthVault, and Dossia.

Google Health:•Allows users to store/manage PHI, including medical conditions, allergies and medication histories.•Users can search for information about medical conditions or adverse drug interactions. •Information in the health record can be shared. Users invite others to view their profile through email.

Social Networks in Health Care Examples

Microsoft Healthvault:•Platform that provides basic services for PHR and social networking products.•Vendors can build customized products on top of it.•Each individual owns his or her record. •Others can be granted access to it, if desired. •The mapping between records to users is many-many, allowing for substitute decision makers and other scenarios.


Healthy Circles•Patients can store emergency contacts, insurance plans, medications, immunizations, past procedures, test results, medical conditions, allergies and family histories•Users can enter basic health metrics and view reports.•Programs are interactive applications that typically require users to enter personal information in order to provide diagnoses or recommend treatment regimens or health management strategies. •users can purchase consultation or monitoring services from registered health care providers


Patients Like Me•Patients can store a wide array of information.•The site operator encourages users to share as much information as possible.•Pharmaceutical companies are partners, using the site as a repository for voluntarily contributed data on outcomes. •Uses a more advanced social networking model.

Security / Privacy Issues in SN

Awareness of Risk:Empirical studies show that users:• do value informational privacy.• typically do not change default settings.• are inclined to disclose information freely

online.• often restrict their information only after

breaches have occurred.

•Users may lack a method for assessing risks in social networks. Social cues are missing. •They may also be unaware of the mechanisms for reducing risk.


Ease of Network Formation:•An individual’s online social network tends to be more expansive, (containing more weak ties), than the same individual’s offline network•users often misjudge the extent, activity and accessibility of their online social networks

Complex Workflows:•In general, social networking applications offer complex, many-to-many communications mechanisms.•The workflows are not easy to grasp, which makes the task of risk assessment more difficult.


Trust:•Attackers may create fake profiles, and site operators may not follow their privacy policies.•Trust is a ‘social glue’ in a SN system.

Data Lifecycle:•Users have little knowledge about retention periods, backups, and the like. •Information posted on a SN may have ramifications for the user.


Unauthorized Uses and Disclosures:•Site operators may use or disclose the data. •As an example, SN operators report increased demands for bulk data from governments.

Leakage to Applications:•Applications typically draw data from the system in order to deliver personalized experiences.•In many early architectures, they could retrieve quite a lot of information, including information about one’s friends.


Aggregation by Third Parties:•Third parties (ie: ad servers) can receive personal information. •Since 70% of the market is controlled by a small number of firms, these companies are in a position to aggregate data from various sources. •Users typically are not aware that disclosures on one site may be linked to disclosures on another site.


Complex Privacy Policies:•Because of the complex user scenarios, privacy policies for SN systems tend to be complex. •Studies indicate that some are inaccessible to users.•Enforcement is more difficult. Unlike ecommerce, a user may see another’s activities.•Market lacks competition for comprehensible privacy policies. •There are few methods for negotiating policies on a user’s behalf.


Sunken Costs:•In Ecommerce, it is fairly easy to switch service providers.•In SN settings, the costs associated with switching providers are fairly severe. •Users may stay with an insecure and non-private system.

Shared Content:•Shared content creates privacy risks for users, since information may be linked to their profile without consent or knowledge

Features of the Heath Domain

Sensitivity of Information:•Tends to be very high, and protected by law.

Motivated Data Recipients:•Employers, insurers, researchers.

Secondary Damage:•Since many serious health concerns are genetically based, information about an individual can convey information about a family member.


Community Interests:•Individuals sharing information on health trends can, if their submissions are aggregated, reveal information about the health issues affecting groups.

Motivated Data Recipients:•Employers, insurers, researchers.

Signaling:•The mere act of making an inquiry about a condition can be a signal that the individual in question has the condition. The same is true of an individual’s connections.


Compensability:•Difficult to value PHI.•Indemnification and compensation is much more difficult.

Dynamic Networks:•Health teams form around episodes. •They are ephemeral.

What can we do (as software engineers, developers and systems architects) to alleviate some of these issues?

Current Work Securing the Framework

Restrict information flowing to apps:•Privacy by Proxy.•User-to-application policies.

New Access Models:•‘proof’ to access particular resources.•Social Access Control List.• Walk through trusted nodes in the network structure.

Current Work Securing the Framework

Anonymizing Users•Use encryption and various key exchange mechanisms.•FlybyNight: uses client side javascript. •Respondent k-anonymity.•Fake data. • NOYB: map operations on fake data back

to real data. Avoid ciphertext. Replace values pseudonoymously from a dictionary. Keys distributed out of band. Only works for small # of users.

• FaceCloak: another approach using dictionary techniques.

Current WorkDealing with Extracts

•Social network data can be extracted for processing or data mining. •Attacker may have background information, including knowledge of certain properties of the network. •Most of the techniques are based on anonymization. •Tabular algorithms don’t work well with network data.•Need to know privacy risk model, background knowledge, and intended use of data.•Two camps:

1. Clustering based. 2. Graph modification

Future Work

Improved Privacy Controls:•Current social network applications allow the construction of hierarchies, including groups. •We need efficient, concise and usable controls for this.•Taking advantage of automation or group knowledge:• Agents• Automatically assigning trust to

users/resources.• Heuristics (weighting), voting, reputation

mechanisms.•Better user interfaces for privacy control management.• Show the effects of privacy control

decisions.• Show what other users tend to do.

Future Work

Network Visualization Tools:•Some of the uncertainty surrounding privacy risks could be dispelled if users were able to visualize their networks. • To this end, user interfaces for displaying a user’s profile accessibility would be highly useful•increase the utilization of privacy options by clear representations of social networks, friend proximity, and availability of profile features.

Future Work

Detecting Attacks:•Future software architectures for health care could include facilities to discourage or detect common attacks. •For instance, prototypes could be developed that scan for fake user profiles•Also, search functionality can serve as a form of querying that can reveal both user identities and protected user information.•Find heuristic approaches for limiting queries.

Future Work

Security in the Architecture:•We need to do further work on secure architectures, along the lines of the efforts we have discussed above.

•In particular, we should develop architectures that:• Work for all users (not just a subset)• Provide anonymity against the platform.• Make it easy to exchange keys.

Future Work

Shared Content Management:•We need mechanisms for assigning permissions to shared content.•This is particularly relevant in the health domain, where secondary disclosures may cause information to be revealed about the health of family members.

Future Work

Policy Negotiation and Representation:•Continue the development of tools and languages for representing policies. •Many privacy policy tools were developed with a single organization’s behaviour in mind. We also need tools for data exchange.•Methods for evaluating formal requirements in the context of policies would be highly useful.

Documents

Social Networking in Health Care Towards secure, privacy-preserving systems James Williams, BA, BSc, JD, Privacy Officer, Ontario Telemedicine Network