Privacy Concerns in Biomedical Informatics
by Brecht Claerhout
Consensus exists on the fact that the integration of Medical Informatics (MI) and Bio Informatics (BI) will lead to unprecedented scientific opportunities. This evolution towards BioMedical Informatics (BMI) is supported by the vision that a combination of information on all levels (molecule, cell, tissue, individual, population) will lead to improved individualized healthcare. However, there is a downside: the increased collection and (combined) processing of sensitive personal health information raises serious questions regarding citizens' privacy.
(Bio-)Medical data usually have a sensitive nature and, although generally used for the benefit of the community, this information is quite prone to abuse. There is an appropriate concern about the proper treatment of the increasing volume of sensitive data. Incidents of abuse have previously been reported in the public media, proving that the threat is genuine. It is easy to see that abuse of sensitive personal healthcare information can lead to considerable financial gain for malicious people. Imagine the impact on society if banks, insurance companies, employers, etc. could access healthcare data about their customers, revealing past, current and probable future (cf. genomics) health conditions. Indeed, abuse of medical data can affect us all, as at some point in life practically everyone is confronted with loan, insurance or job applications.
Public authorities are also aware of these repercussions and are putting considerable effort into privacy protection legislation (especially in Europe). The further elaboration and application of these laws is oriented towards technical means for protecting a person's privacy, instead of focusing merely on obtaining 'informed consent' and following guidelines.
A classical approach towards safeguarding confidentiality focuses on the creators and maintainers of the data, prohibiting them from disclosing the information to inappropriate parties. Basically, this comes down to the deployment of traditional security measures (access control, authorisation). A more advanced approach is incorporating real Privacy Enhancing Techniques (PETs) into biomedical data collection and processing systems. Complementary to standard security solutions, PETs can be defined as (according to J. Borking): "A coherent system of ICT measures that protects privacy by eliminating or reducing personal data or by preventing unnecessary and/or undesired processing of personal data, all without losing the functionality of the information system."
Over the last decade a lot of research related to Privacy Enhancing Technologies has been performed, both in the USA and in Europe. In Europe a large part of this research has been funded by the European Commission (the European interest in privacy issues can also be seen in the legislation effort). Some of these projects have focused on PET solutions for biomedical applications, such as the PRIDEH-GEN project (Privacy Enhancement in Data Management in E-Health for Genomic Medicine), which studied privacy protection of genomic information in particular. Although all the privacy-relevant characteristics typically associated with genomic data are also encountered in routine clinical information (from the EHR), they deserve special attention. The characteristics listed below are usually not found all together, or to such an extent, in medical data as they are in genomic data:
- genetic data not only concern individuals, but also their relatives. A person's consent to release his or her genetic information constitutes a de facto release of information about other individuals, i.e., his or her relatives. In the case of genomic medicine, there is a complex interaction between individual rights and collective requirements
- medical data deal with past and current health statuses of persons, whereas genetic information can also give indications about future health or disease conditions
- the full extent of the information included in the genomic data is not known yet, hence it is difficult to assess the full extent of disclosure
- genomic data are easily wrongly interpreted by non-professionals; 'susceptibility' to a disease can easily be mistaken for certainty of illness.
This research has first of all proven the use of PETs in practical situations (also because of EU-funded take-up measures), and given birth to commercial grade privacy protection services. Commercial grade here means generic solutions needing little or no customisation and providing transparency towards already used ICT tools (e.g. offering privacy protection in a service oriented way). These applications, mainly de-identification tools (such as pseudonymisation systems, privacy risk assessment tools, controlled database alteration algorithms, etc.), are now deployed by pharmaceutical companies (e.g. for post-marketing follow-up) and research institutes (e.g. for epidemiological studies, disease management studies, etc.).
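To make the pseudonymisation systems mentioned above concrete, the following is an added example (not code from the article, the PRIDEH-GEN project or Custodix) of the core of such a tool: direct identifiers are replaced by a keyed, deterministic pseudonym (HMAC-SHA256), the date of birth is reduced to a birth year rather than dropped, and the only way back from pseudonym to identity is a table held by a key custodian. The sample records, field names and the study key are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List

# Constructed sample records (fictional patients, made up for this example).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"national_id": "800101-1234", "name": "A. Example", "dob": "1980-01-01",
     "diagnosis": "E11", "variant": "BRCA1 c.68_69delAG"},
    {"national_id": "750505-9876", "name": "B. Example", "dob": "1975-05-05",
     "diagnosis": "I10", "variant": "none"},
    # Second visit of the first patient: must link to the same pseudonym
    # so that longitudinal (e.g. post-marketing follow-up) studies still work.
    {"national_id": "800101-1234", "name": "A. Example", "dob": "1980-01-01",
     "diagnosis": "E11", "variant": "BRCA1 c.68_69delAG"},
]

# Fields that identify a person directly; they never leave the source system.
DIRECT_IDENTIFIERS = ("national_id", "name", "dob")


def make_pseudonym(identifier: str, study_key: bytes) -> str:
    """Keyed, deterministic pseudonym: HMAC-SHA256 over the identifier.

    Same identifier + same key -> same pseudonym (needed for linkage).
    Without the key the mapping cannot be recomputed, and a different key per
    study yields pseudonyms that cannot be linked across studies.
    """
    mac = hmac.new(study_key, identifier.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def pseudonymise(records: List[Dict[str, str]], study_key: bytes) -> List[Dict[str, str]]:
    """Return research copies of the records with direct identifiers removed."""
    research_set = []
    for rec in records:
        out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out["pseudonym"] = make_pseudonym(rec["national_id"], study_key)
        # Reduce rather than drop: the birth year keeps analytic value, while a
        # full date of birth is a strong quasi-identifier.
        out["birth_year"] = rec["dob"][:4]
        research_set.append(out)
    return research_set


def build_custodian_table(records: List[Dict[str, str]], study_key: bytes) -> Dict[str, str]:
    """Mapping pseudonym -> national_id, kept only by the key custodian.

    Researchers never receive this table; it exists so that an authorised
    party can re-identify a record (e.g. to report a clinically relevant
    finding back to the patient).
    """
    return {make_pseudonym(r["national_id"], study_key): r["national_id"] for r in records}


def contains_direct_identifier(research_set: List[Dict[str, str]]) -> bool:
    """Release check: true if any direct identifier survived pseudonymisation."""
    return any(field in rec for rec in research_set for field in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    # The study key is generated once by the custodian and stored with the
    # same care as any other long-lived secret (key vault / HSM).
    study_key = secrets.token_bytes(32)
    research = pseudonymise(SAMPLE_RECORDS, study_key)
    assert not contains_direct_identifier(research)
    for row in research:
        print(row)
```

The design choice worth noting is the keyed MAC instead of a plain hash: national identifiers have low entropy, so an unkeyed hash of them would not be a real pseudonym. Keeping the key (and the custodian table) with a party other than the researchers is what separates the identity from the clinical and genomic data.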
Secondly, privacy protection remains an important topic within eHealth research, evolving in synergy with healthcare ICT. Networks of Excellence exploring the possibilities of biomedical informatics, such as INFOBIOMED (http://www.infobiomed.org/), are aware of the increased privacy risks associated with their applications and put considerable effort into deploying technical means for privacy protection (through pilots). It is common belief that without this effort valuable data will remain locked away from research (people will not be willing to share data unless their personal privacy is adequately protected).
Privacy Enhancing Technology can help maintain the balance between personal well-being (the right to privacy) and collective benefit (sharing of sensitive data for research). The increasing commercial deployment and continuing research effort (e.g. privacy and security solutions for Biomedical GRID) will hopefully lead to a situation where PETs are used 'by default' in eHealth.
Brecht Claerhout, Custodix NV, Belgium
Tel: +32 9 210 78 90