A U.S. coalition called HITRUST has created a De-Identification Framework for the healthcare industry, setting standards and controls for improving cybersecurity relating to patient health records.
A Canadian company that specializes in data anonymization for the health industry, Ottawa’s Privacy Analytics, played a role in the framework’s development.
De-Identification, in a nutshell, provides a way for health data to be anonymized in a way that it can’t be traced back to the identity of a patient, additionally revealing personal details that, if made publicly available, might affect that person’s life in negative ways.
Given the incidences of privacy breaches and identity reverse-engineering by hackers in recent years, the health industry needs to move on de-identification and the HITRUST initiative would seem to indicate that it is doing so.
The HITRUST De-Identification Network will be tied to the HITRUST Common Security Framework (CSF), which hospitals, insurance companys, sellers of health plans and various healthcare organizations regard as the most widely adopted and useful information security framework yet available to them.
“With this comprehensive De-ID framework tied to the CSF, we can increase the adoption of best practices for de-identification, and allow more responsible protection and sharing of health information,” said Khaled El Emam, CEO, Privacy Analytics. “The framework is based on methods that are currently used in the field and have been shown to be robust and ensure high data quality.”
Khaled El Emam, in a recent interview with Cantech Letter, memorably described the practice of most companies who handle data as “Mickey Mouse anonymization”, suggesting that a properly executed de-identification process is the only way to effectively make use of data while protecting the privacy of consumers.
The HITRUST De-Identification initiative arrives in the wake of a high-profile data security breach involving the second biggest health insurance company in the U.S., Anthem Inc., which saw the exposure of 78.8 million patient records compromised by a hacker attack.
The Anthem hack has drawn the scrutiny of Congress, which will be likely recommending an overall strengthening of patient health information.
In 2011, a Vietnam veteran named Ray Boylston had a motorcycle accident in Washington State after suffering a diabetic shock while riding. The incident was covered briefly in the local paper. The paperwork relating to his week-long stay in hospital was added to a database of 650,000 hospitalizations at that particular hospital during the year, which was then made available for purchase.
Generally, the market for the resale of health information consists of researchers and insurance companies, but the information is there for anyone who wants to buy it. All a hacker needs is a tiny piece of information to trace the ID-trail back to a particular individual.
Aside from merely identifying a patient through a publicly available database, such information can also be used to discriminate based on residency in a “risky” area code, or through knowledge of a patient’s medical history.
“If they’re going to release that kind of information, they should consult with the patient,” Boylston told Bloomberg Business. “That’s personal information about me. It’s just not right.”
The solution to this problem is to anonymize patient data, rather than to make the data inaccessible, since medical advancement depends on patient information for research purposes.
“One of the challenges is insufficient standards for how to do this well,” Dr. El Emam told Cantech Letter. “I think this is being recognized, and there are efforts now to develop standards. So that’s a good development.”
“Electronic health information is like nuclear energy,” said Jim Pyles, principal of Powers Pyles Sutter & Verville PC in Washington, to Bloomberg. “If it’s harnessed and kept under tight control, it has potential for good. But if it gets out of control, the damage is incalculable.”
HITRUST will be hosting a webinar on March 24 to brief stakeholders on this development at the same time as it releases a draft of the new framework, which will be open to public comment for a 30-day period.