canadian ai 2014 conference keynote - deploying smc in practice

Deploying SMC in Practice

Khaled El EmamElectronic Health Information Laboratory & uOttawa

EXAMPLES IN HEALTHCARE SETTINGS

Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca

Researchers’ Need for Data• Digitization, performance-based funding, greater

inter-operability and fiscal pressures make more data available for research

• Linked data allows analyses to span more of the continuum of care and look at social determinants of health

• Severe competition for research funding means there is an urgency to providing access to data to support proposals, funding, and delivery of results


Benefits of Sharing Research Data

• Confirmation of published results• Availability for meta-analyses• Feedback to improve data quality• Cost savings from not collecting the data

again• Minimize need for participants to provide

data repeatedly• Data for instruction and education

1


Benefits of Sharing Data: Commercial• Software testing• Targeted marketing campaigns• Post marketing surveillance• Monetization of data• Information product development• Internal analytics (models for decision

support)• Device diagnostics

1


Regulatory Framework

• Legislation and regulations cover personally-identifiable health data

• When not mandated or permitted, use and disclosure of health data for secondary purposes requires either consent or anonymization in accordance with regulations

1


Secondary Purposes

• Secondary purposes means non-direct care uses of personal health information including:– Research– Public health– Quality/safety measurement– Payment– Provider certification or accreditation– Marketing– Other commercial activities

1

Safran C, Bloomrosen M, Hammond E, Labkoff S, S K-F, Tang P, Detmer D. Toward a national framework for the secondary use of health data: An American Medical Informatics Association white paper. Journal of the American Medical Informatics Association, 2007; 14:1-9.


Types of Data Flows

1


Data Flows

• Uses by an agent/affiliate for secondary purposes (e.g., financial analysis, human resources planning)

• Mandatory disclosures (e.g., communicable diseases, gunshot wounds)

• Permitted discretionary disclosures for secondary purposes (e.g., public health and research)

• Other disclosures for secondary purposes (e.g., marketing)

1


Facilitating Disclosure• Privacy and confidentiality concerns have

made many health organizations very reluctant to share data and to take advantage of large scale analytics on the cloud. Three factors contribute:• Regulations that limit disclosure of personal

information• Legitimate concerns

about potential data leaks• Compelled disclosures


Methods to Facilitate Disclosure• Two options now exist for disclosing

personal information for complex analytics to avoid being the “creepy guy in the room”– Anonymization– Secure multi-party

computation


ANONYMIZATION


De-identification


PARAT

Providing organizations with a scalable solution to automate the anonymization of structured & unstructured data

• Measure risk of re-identification under different attacks

• Transform data to ensure that the risk is below a given threshold

• Configure re-identification risk threshold settings directly from Privacy Analytics’ online Risk Assessment application

• Determine enterprise policies for data sharing to ensure that administrative controls are in place to manage risk

• Automate data sharing agreements and certifications that confirm risks are “very small” for re-identification


PARAT Software


SECURE COMPUTATION

What is secure computation?


Secure Computation• A set of techniques (protocols) developed to

allow computations to be performed on encrypted data – do analytics without knowing or exposing the raw data

• Example computations: Public health surveillance: rates, categorical data analysis Rare adverse drug event detection using regression

models (GLM and GEE) for distributed data Secure matching: record lookup without revealing the

record details, matching databases without revealing matching keys


SECURE COMPUTATION

How does secure computation work?


Public key

Encryption

9


Randomized Public key

Encryption

10



Encryption

1 2 1 2 ,If r r then c c but 1 2sk skDec c Dec c m

11



Encryption

Notation denoting an encrypted

plaintext


Additively Homomorphic

Encryption


SECURE SURVEILLANCE


ARO Surveillance from Long Term Care Homes in Ontario

Disclosure of Colonization / Infection RatesNot Currently Legally RequiredFrom LTCHs in Ontario

Objective:

Compute colonization rates without knowing the values for any single LTCH


DISEASE SURVEILLANCE

Data Aggregator

Key holder[count1] x [count2] x[count3] x [count4] =

[count1 + count2 +count3 + count4]

[count1]

[count2]

[count3]

[count4]

(count1 + count2 +count3 + count4) / 4



High Response Rate = 82%



Region 0-60 61-120 121-180 180 + Facilities participating / total (%)

North 15 / 18 19 / 25 10 / 15 5 / 5 49 / 63 (77.7)East 23 / 23 34 / 34 25 / 25 13 /15 95 / 97 (97.9)Central East 16 / 16 35 / 41 43 / 49 30 / 34 124 / 140 (88.6)Toronto 3 / 6 5 /7 10 / 12 12 / 13 27 / 38 (71.1)Central West 12 / 13 40 / 46 51 / 56 19 / 22 122 / 137 (89.1)West 23 / 34 42 / 68 23 / 34 7 /10 95 / 146 (65.1)Total(%)

89 / 110 (80.9)

175 / 221 (79.2)

162 / 191 (84.8)

86 / 99 (86.7)

512 / 621 (82.4)


DISEASE SURVEILLANCE (MRSA)

Regions

Facility number of beds

Central West

North East Toronto West Central East

Bed group prevalence

0-60 3.31 1.57 3.17 -- 8.38 0.72 3.87

61-120 2.73 1.07 2.04 -- 7.88 1.8 3.34

121-180 3.15 0.56 2.54 0.91 7.83 1.08 2.94

180 + 2.91 -- 2.37 2.58 8.63 1.68 2.61

Regional prevalence

3.00 0.79 2.42 1.86 8.04 1.44


ANONYMOUS LINKING


Anonymous Linking

• Typical use cases:– The best fields to link databases on are quite

sensitive: health insurance number, social security/insurance number, medical record number

– Organizations do not have the authority to exchange data, but need to de-duplicate databases or do lookups

• Anonymous linking allows the linking of records in remote databases without sharing any sensitive or personal information or sharing any secrets


Generation and

distribution of keys


Encryption of OHIP# using a

public key


Encryption of local OHIP# using the

same

public key


Perform homomorphic

equality test on the two

encrypted values


Decrypt the results of the equality tests

using the

private key


Results of matches can be used to de-duplicate, link, or return a lookup

outcome


ONLINE & OFFLINE PURCHASES


Chlamidya Screening

Objective: compute screening rates and evaluate impact of interventions to improve them

Pulling data out of EMRs (family doctors) about females 14-24 eligible for Chlamidya screening and match that with lab data to determine how many have been screened (match rates)

Matching on OHIP#, name, DoB

No release of personal information in the process


Critical Success Factors / Risks• Embedding within a healthcare environment• Large multi-disciplinary teams• Supporting software after the initial prototype• Academic evaluation criteria• Publishing outside the traditional computer

science community• Managing and protecting IP


Contact

[email protected]

@kelemam

www.ehealthinformation.ca

canadian ai 2014 conference keynote - deploying smc in practice

Data & Analytics