Transcript Threats to the Privacy and Security of Health Information

Social Networking in Health Care
Towards secure, privacy-preserving systems
James Williams,
BA, BSc, JD,
Privacy Officer, Ontario Telemedicine Network.
PhD candidate, University of Victoria.
Goal
This presentation is an introduction to an understudied
area in health informatics. We will address the following
issues:
What are social networking applications for health
care?
2. What unique security and privacy issues exist?
3. What techniques can address them?
4. What remains to be done?
1.
OUTLINE
Background
•Basics of Social Networking (SN) applications.
•Social Networking for Health Care
•Examples
Security/Privacy Issues
•Issues with SN apps in general.
•Unique features of the healthcare domain.
•Current work.
Future work.
Basics of Social Networking
The social web
•The
term ‘Web 2.0’ has been used to refer to internet
architectures that permit content to be easily generated
and published by users
•Users are enabled to act both as readers and writers,
generating content and creating a visible history of their
activities.
•Key notions include:
•interpersonal networking,
•personalization
•individualism
•empowerment
Basics of Social Networking
Online networks
•First
generation web applications like bulletin boards
allowed users to communicate and collaborate.
•Social
networking (SN) applications expand upon Web
1.0 apps by:
•providing a persistent, explicit and publically visible
representation of social networks.
•providing a variety of mechanisms by which users
may organize themselves. (ie: groups)
•incorporating privacy protection.
Basics of Social Networks
A social network involves:
1. A set of users, represented by individual user
profiles.
2. A set of mechanisms for exchanging information,
such as message boards, email, and wall posts.
3. A set of binary relationship types.
4. A set of search functions, to locate user profiles.
5. A site operator, who controls the site.
•A
social network is naturally represented as a dynamic
graph in which an edge between two vertices represents
a relationship between two user profiles.
Basics of Social Networks
Model of an SN
.
Social Networks in Health Care
Rationale
‘Healthcare 2.0’ has been used to denote the use of
social software, with an emphasis on its ability to promote
collaboration between patients, caregivers and medical
professionals.
Patient empowerment may be a critical factor in
achieving sustainability of the health care system.
•Traditionally, the physician-patient relationship has
exhibited a degree of information asymmetry.
•SNAHC systems emphasize collaboration and
independence.
•User communities are springing up around ailments.
•Active management may make patients more health
conscious.
Social Networks in Health Care
Differences
In the case of health care, we have more than one type of
user:
•Patients
•Providers
•Care
givers
•Support staff
•Family members
•Substitute decision makers.
Social Networks in Health Care
Examples: PHRs.
Basic social networking features are found in personal
health record (PHR) systems, including Google Health,
Microsoft HealthVault, and Dossia.
Google Health:
•Allows users to store/manage PHI, including medical
conditions, allergies and medication histories.
•Users can search for information about medical
conditions or adverse drug interactions.
•Information in the health record can be shared. Users
invite others to view their profile through email.
Social Networks in Health Care
Examples
Microsoft Healthvault:
•Platform that provides basic services for PHR and social
networking products.
•Vendors can build customized products on top of it.
•Each individual owns his or her record.
•Others can be granted access to it, if desired.
•The mapping between records to users is many-many,
allowing for substitute decision makers and other
scenarios.
Social Networks in Health Care
Examples
Healthy Circles
•Patients can store emergency contacts, insurance plans,
medications, immunizations, past procedures, test results,
medical conditions, allergies and family histories
•Users can enter basic health metrics and view reports.
•Programs are interactive applications that typically
require users to enter personal information in order to
provide diagnoses or recommend treatment regimens or
health management strategies.
•users can purchase consultation or monitoring services
from registered health care providers
Social Networks in Health Care
Examples
Patients Like Me
•Patients can store a wide array of information.
•The site operator encourages users to share as much
information as possible.
•Pharmaceutical companies are partners, using the site as
a repository for voluntarily contributed data on
outcomes.
•Uses a more advanced social networking model.
Security / Privacy Issues in SN
Awareness of Risk:
Empirical studies show that users:
•do value informational privacy.
•typically do not change default settings.
•are inclined to disclose information freely online.
•often restrict their information only after breaches
have occurred.
•Users
may lack a method for assessing risks in social
networks. Social cues are missing.
•They may also be unaware of the mechanisms for
reducing risk.
Security / Privacy Issues in SN
Ease of Network Formation:
•An individual’s online social network tends to be more
expansive, (containing more weak ties), than the same
individual’s offline network
•users often misjudge the extent, activity and accessibility
of their online social networks
Complex Workflows:
•In general, social networking applications offer complex,
many-to-many communications mechanisms.
•The workflows are not easy to grasp, which makes the
task of risk assessment more difficult.
Security / Privacy Issues in SN
Trust:
•Attackers may create fake profiles, and site operators
may not follow their privacy policies.
•Trust is a ‘social glue’ in a SN system.
Data Lifecycle:
•Users have little knowledge about retention periods,
backups, and the like.
•Information posted on a SN may have ramifications for
the user.
Security / Privacy Issues in SN
Unauthorized Uses and Disclosures:
•Site operators may use or disclose the data.
•As an example, SN operators report increased demands
for bulk data from governments.
Leakage to Applications:
•Applications typically draw data from the system in order
to deliver personalized experiences.
•In many early architectures, they could retrieve quite a
lot of information, including information about one’s
friends.
Security / Privacy Issues in SN
Aggregation by Third Parties:
•Third parties (ie: ad servers) can receive personal
information.
•Since 70% of the market is controlled by a small number
of firms, these companies are in a position to aggregate
data from various sources.
•Users typically are not aware that disclosures on one site
may be linked to disclosures on another site.
Security / Privacy Issues in SN
Complex Privacy Policies:
•Because of the complex user scenarios, privacy policies
for SN systems tend to be complex.
•Studies indicate that some are inaccessible to users.
•Enforcement is more difficult. Unlike ecommerce, a user
may see another’s activities.
•Market lacks competition for comprehensible privacy
policies.
•There are few methods for negotiating policies on a
user’s behalf.
Security / Privacy Issues in SN
Sunken Costs:
•In Ecommerce, it is fairly easy to switch service
providers.
•In SN settings, the costs associated with switching
providers are fairly severe.
•Users may stay with an insecure and non-private system.
Shared Content:
•Shared content creates privacy risks for users, since
information may be linked to their profile without
consent or knowledge
Features of the Heath Domain
Sensitivity of Information:
•Tends to be very high, and protected by law.
Motivated Data Recipients:
•Employers, insurers, researchers.
Secondary Damage:
•Since many serious health concerns are genetically based,
information about an individual can convey information
about a family member.
Features of the Heath Domain
Community Interests:
•Individuals sharing information on health trends can, if
their submissions are aggregated, reveal information about
the health issues affecting groups.
Motivated Data Recipients:
•Employers, insurers, researchers.
Signaling:
•The mere act of making an inquiry about a condition can
be a signal that the individual in question has the
condition. The same is true of an individual’s connections.
Features of the Heath Domain
Compensability:
•Difficult to value PHI.
•Indemnification and compensation is much more difficult.
Dynamic Networks:
•Health teams form around episodes.
•They are ephemeral.
What can we do (as software engineers,
developers and systems architects) to
alleviate some of these issues?
Current Work
Securing the Framework
Restrict information flowing to apps:
•Privacy by Proxy.
•User-to-application policies.
New Access Models:
•‘proof’ to access particular resources.
•Social Access Control List.
• Walk through trusted nodes in the network structure.
Current Work
Securing the Framework
Anonymizing Users
•Use encryption and various key exchange mechanisms.
•FlybyNight: uses client side javascript.
•Respondent k-anonymity.
•Fake data.
•NOYB: map operations on fake data back to real
data. Avoid ciphertext. Replace values
pseudonoymously from a dictionary. Keys distributed
out of band. Only works for small # of users.
•FaceCloak: another approach using dictionary
techniques.
Current Work
Dealing with Extracts
•Social
network data can be extracted for processing or
data mining.
•Attacker may have background information, including
knowledge of certain properties of the network.
•Most of the techniques are based on anonymization.
•Tabular algorithms don’t work well with network data.
•Need to know privacy risk model, background
knowledge, and intended use of data.
•Two camps:
1. Clustering based.
2. Graph modification
Future Work
Improved Privacy Controls:
•Current social network applications allow the
construction of hierarchies, including groups.
•We need efficient, concise and usable controls for this.
•Taking advantage of automation or group knowledge:
•Agents
•Automatically assigning trust to users/resources.
•Heuristics (weighting), voting, reputation mechanisms.
•Better user interfaces for privacy control management.
•Show the effects of privacy control decisions.
•Show what other users tend to do.
Future Work
Network Visualization Tools:
•Some of the uncertainty surrounding privacy risks could
be dispelled if users were able to visualize their networks.
• To this end, user interfaces for displaying a user’s profile
accessibility would be highly useful
•increase the utilization of privacy options by clear
representations of social networks, friend proximity, and
availability of profile features.
Future Work
Detecting Attacks:
•Future software architectures for health care could
include facilities to discourage or detect common attacks.
•For instance, prototypes could be developed that scan
for fake user profiles
•Also, search functionality can serve as a form of querying
that can reveal both user identities and protected user
information.
•Find heuristic approaches for limiting queries.
Future Work
Security in the Architecture:
•We need to do further work on secure architectures,
along the lines of the efforts we have discussed above.
•In
particular, we should develop architectures that:
•Work for all users (not just a subset)
•Provide anonymity against the platform.
•Make it easy to exchange keys.
Future Work
Shared Content Management:
•We need mechanisms for assigning permissions to shared
content.
•This is particularly relevant in the health domain, where
secondary disclosures may cause information to be
revealed about the health of family members.
Future Work
Policy Negotiation and Representation:
•Continue the development of tools and languages for
representing policies.
•Many privacy policy tools were developed with a single
organization’s behaviour in mind. We also need tools for
data exchange.
•Methods for evaluating formal requirements in the
context of policies would be highly useful.