Good news. I was recently named a Stahlman Scholar by the Vanderbilt Center for Biomedical Ethics and Society (CBES). As many of you know, my research in data privacy is driven both from technical and social perspectives (especially due to the fact that privacy is an inherently social phenomenon). A large portion of my research has focused on the development of algorithms and software to re-identify seemingly anonymous health information, as well as provably protect health information shared for secondary research purposes. That said, my work has had little in terms of the ethics or social justice concerns regarding re-identification and protection technologies. The CBES award is to support an investigation into how re-identification technologies affect the scientific community and public at large. For example, one question that this work will look into is the following. Imagine that you develop a technology that can re-identify person-specific health information in a public repository. What should you do? Should you notify the individuals whose records you have re-identified? What about the organization that posted the records? Should you publish your methods to help advise other organizations on the pitfalls associated with "protecting" their records in the same way as the organization whose records you compromised?
In a sense, this work is similar to studies in the ethical hacking community. However, the problem is quite different because in a hacking environment, we are normally talking about systems or computer security. And, when you find a "hole" in the security, you can notify the owners the affected systems and post a patch (ala Microsoft's extreme programming model). Yet, when we consider privacy and re-identification issues, we have to recognize that data is public and may be used by many people for legitimate purposes and many times the privacy vulnerability are not due to a single location's negligence. Rather, multiple organizations disclose information that in combination lead to a failure of protection in the system. Thus, none of the organizations violated the law, and none may even be accountable for their actions, but the system is still broken.
Monday, December 10, 2007
Electronic Health Information and Privacy (the Canadian Way)
Last week, I had the pleasure of attending and speaking at the 3rd Electronic Health Information and Privacy Conference. The conference was overview of work in health privacy from many different perspectives, including behavioral economics (thanks to an excellent presentation of recent research by Alessandro Acquisi), data privacy, law, and policy. Though there was almost a foot of snow on the ground, the workshop was a tremendous success. They had to shuffle around sessions due to various delays at the airports (especially in Toronto) and the roads, but only one session was lost. In general, the majority of the conference focused on privacy and the challenges from a Canadian perspective. Personally, I found it amazing (and refreshing) how many of our neighbors to the north are thinking about technological and social issues.
Thanks to Khaled El Emam at the University of Ottawa for organizing a fantastic day of talks and discussion.
Thanks to Khaled El Emam at the University of Ottawa for organizing a fantastic day of talks and discussion.
23andme and you and everyone else
I just read an interesting article in Wired on Silicon Valley startup 23andme. The company aims to provide personalized predispositions based on single nucleotide polymorphisms. In short, here's the process: you send them your saliva, they sequence it, map the resulting SNP variants to the existing translational and clinical literature, and then provide you with a web accessible summary of your predispositions. It appears they have a crack team of biomedical and computational advisors. It's certainly something to keep an eye on
Monday, November 26, 2007
Trust Trumps Privacy?
A new study suggests that Internet users are willing to sacrifice privacy in exchange for more trustworthy websites.
An article summarizing the study can be found here.
An article summarizing the study can be found here.
Wednesday, October 17, 2007
Clooney Med Privacy Breach
A NJ hospital recently discovered (or just revealed) that more than twenty employees inappropriately accessed George Clooney's electronic medical record. Personally, I don't find this surprising, but I'm amazed that the hospital didn't have any protections in place for VIPs (How about a pseudonym?). Though the incident occurred, let's not be too quick to jump to conclusions about the hospital's data management or data access policies. The story is still unfolding.
Tuesday, October 9, 2007
Microsoft and Personal Health Records
If you keep up with the popular news outlets, then you've seen the fanfare associated with Microsoft's new online personal health record system, HealthVault. If not, here are several links to NY Times stories:
1: 10/4/07: Microsoft Rolls Out Personal Health Records
2: 10/5/07: Microsoft System to Track Health Records
To follow-up on the project, Annie Anton has written a good overview of the privacy concerns associated with Microsoft's HealthVault policies.
1: 10/4/07: Microsoft Rolls Out Personal Health Records
2: 10/5/07: Microsoft System to Track Health Records
To follow-up on the project, Annie Anton has written a good overview of the privacy concerns associated with Microsoft's HealthVault policies.
Friday, October 5, 2007
Illegally Accessing your EMR?
A recent story in Wyoming - several employees recntly broke federal privacy law by accessing their OWN records.
Read more on the story here.
Read more on the story here.
Subscribe to:
Posts (Atom)
