医疗资讯安全和隐私基础理论和现况课件.ppt

1、按一下以編輯母片標題樣式,按一下以編輯母片,第二層,第三層,第四層,第五層,*,*,*,文档仅供参考，不能作为科学依据，请勿模仿；如有不当之处，请联系网站或本人删除。,資訊隱私理論基礎：,隱私權之意涵(10 mins)?,隱私權之哲學基礎(10 mins),醫療資訊隱私與醫療倫理(10 mins),基本價值之競合(20 mins),資訊技術扼殺了個人隱私？(10 mins),醫療資訊之發展對隱私之影響?(10 mins),醫療資訊隱私之未來？(20 mins),資訊安全理論基礎：,什麼是安全？(5 mins),資訊安全和其它的安全有何不同？(15 mins),醫療資訊系統之安全要求(10 mi

2、ns),三個字母的世界（PKI,SHA,RSA.)(15 mins),網路世界的信任關係(15 mins),醫療隱私安全相關規範與指引(10 mins),Q&A,隱私權的意涵,An expression of ones personality or personhood,focusing on the right of the individual to define his or her essence as a human being.（R.Pound,Freud）,Autonomy-the moral freedom of the individual to engage in his

3、or her own thoughts,actions and decisions.（Louis Henkin）,Citizens ability to regulate information about themselves,and thus control their relationship with other human beings.（Westin,Fried）,Secrecy,anonymity and solitude are essential component of privacy.（Gavison）,不受干擾的權力,控制與自己有關之資訊的權力,免於環境之外加影響的權力

4、可以選擇離群素居，不受困擾，不,受侵犯的權力,資訊時代,Gigabytes 彈指之間複製完成,Gigabytes 不費吹灰之力傳送千里,Gigabytes 不傷腦筋就分析處理完畢,付出少收益大-有經濟誘因,資訊時代的個人健康資料,資料的使用者增加,Managed Care,Integrated delivery system,資料的使用方式改變,Data Mining,Direct Marketing,大量高品質的資料上線,大眾焦慮的原因,1、不知道有哪些與我相關之資料,2、無法控制誰可以閱讀與處理,3、不知處理流程與使用方式,資訊與倫理,保密為醫療倫理的一環,應賦予個人對其醫療健康資 訊分

5、享（sharing of personal data）的自主決定權,Informed Consent,經濟觀點,1、對就業市場機制可能產生負面影響,2、扭曲個人的行為,3、扭曲健保市場,4、增加不必要之健保費用,健康資訊保護法律面,1、美國,2、歐盟,3、我國,電腦處理個人資料保護法,醫療法（第49條）,法之必要性,醫病權力之不平衡,保障病人隱私並不是吸引病人,的主因，沒有經濟誘因,在緊急情形下，必須有特別的,考慮,Medical records不再只有醫療,供者使用,medical record適當的流通對個人有益,資訊安全,Management,Policy,Technology,Law,

6、Autheutication,Access Control,Audit Trails,Physical Security of Communication,computer,and display systems,Software Discipline,System back and recovery procedures,Cryptography,Information Privacy Principle,Personal information should be acquired,disclosed,and used only in ways that respect an indivi

7、duals privacy.,Information Integrity Principle,Personal information should not be improperly altered or destroyed.,Information Quality Principle,Personal information should be accurate,timely,complete,and relevant for the purpose for which it is provided and used.,Principles for Users of Personal In

8、formation,Acquisition Principles,Information users should：,1、Assess the impact on privacy in deciding whether to acquire,disclose,or use personal information.,2、Acquire and keep only information reasonably expected to support current or,planned activities.,Notice Principle,Information users who coll

9、ect personal information directly from the individual should provide adequate,relevant information about：,1、Why they are collecting the information;,2、What the information is expected to be used for;,3、What steps will be taken to protect its confidentiality,integrity,and quality.,Common sense inform

10、ation security,王大為,中研院 資訊所,Use your common sense to deal with information security problem,Why do you need information security,What are the valuables,How to do it,Daily security decision,Dont talk to strangers,Dont walk alone in a dark alley,Dont hand your ATM card to anyone,Do lock your door,Put v

11、aluable to a safety box,Buy insurance,Dont put all eggs in one basket,Why and What,Information security goals,to maintain data,Availability,Integrity,Confidentiality,What are the valuable information assets?,What are the threats?,How much will security incidents cost you?,Whats the odd an incident o

12、ccurs?,High cost,very low probability:insurance.,Fire insurance,High cost,high probability:do something to reduce the cost and/or the probability,Low cost,high probability:do a cost-benefit analysis,Low cost,lost probability:whats the problem?,How,How do you secure your home or office?,How do you bu

13、ild a building?,How do you know your lift is safe?,How do you fight against bacteria/virus?,。,Working with the experts,Technical Jargons,If there is no common sense explanation,then either the person does not know it well enough or the technology is not mature.,Second opinions,Important clich,Inform

14、ation security is a process not a product,70%of the incidents caused by insiders,if not 80%,You wont get a medal for a good security job,and you dont want to be famous,Security is about balance not optimization,Cost-benefit,risk-convenience,Conclusions,Common sense can go a long way,Diving into the

15、ocean of technical jargons can be dangerous,Ask professionals,and ask twice,Protection Principle,Information users should use appropriate technical and managerial controls to protect the confidentiality and integrity of personal information.,Fairness Principle,Information users should not use person

16、al information in ways that are incompatible with the individuals understanding of how it will be used,unless there is a compelling public interest for such use.,Education Principle,Information users should educate themselves and the public about how information privacy can be maintained.,Principles

17、 for Individuals Who ProvidePersonal Information.,Awareness Principle,Individuals should obtain adequate,relevant,information about：,1.Why the information is being collected;,2.What the information is expected to be used for;,3.What steps will be taken to protect it confidentiality,integrity,and qua

18、lity;,4.The consequences of providing or withholding information;and,5.Any rights of redress.,Empowerment Principles,Individuals should be able to safeguard their own,privacy by having：,1.A means to obtain their personal information;,2.A means to correct their personal information that lacks suffici

19、ent quality to ensure fairness in its use;,3.The opportunity to use appropriate technical controls,such as encryption,to protest the confidentiality and integrity of communications and transactions;and,4.The opportunity to remain anonymous when appropriate.,Redress Principle,Individuals should,as ap

20、propriate,have a means of redress if harmed by an improper disclosure or use of personal information.,對個人相關資訊的控制權,電腦處理個人資料保護法（www.rdec.gov.tw/rdeclaw/law083.htm),第三條七（二）醫院、學校、電信業、金融業、證券業、保險業及大眾傳播業。,第四條 當事人就其個人資料依本法規定行使之左列權利，不得預先拋棄或以特約限制之。,一、查詢及請求閱覽。,二、請求製給複製本。,三、請求補充或更正。,四、請求停止電腦處理及利用。,五、請求刪除。,個人資料保

21、護 歷史背景,1970德國Hesse 第一個個人資料保護法,1973 瑞典第一個國家立法保護,七零年代在歐洲各國開始立法保護,OEDC 1980(organization for economic cooperation and development)Guidelines concerning the protection of privacy and transboard flows of personal data,1981 Council of Europe adopts Convention 有關自動處理個人資料下個人權益的保護,2/1990 United nation Guidel

22、ines concerning computerized personal data files,EU data protection directive,1995/10/24:EU Directive on the Protection of Individuals with Regards to the Processing of Personal Data and on the Free Movement of Such Data,1998/10/24:Proposed date for implementation but was not done,歐洲與美國的比較,美國採取對不同的資

23、料分別立法（sectoral approach):Fair Credit Reporting Act 1970,Privacy Act 1974,Video Privacy Protection Act,Childrens On-Line Privacy Protection Act 1999 and Health Insurance Portability and Accountability Act 1996.,歐盟採取一法到底（omnibus approach),The EU Data Protection Directive,Member states must protect the

24、 fundamental rights and freedoms of natural persons,and in particular their right to privacy with respect to the processing of,personal data,No mention of the word“computer”Directive refers to data being,processed,“wholly or partly by automatic means”by a,data controller,so can include manual record

25、s,Applies to any information relating to an identified or identifiable natural person(the,data subject,),whether directly or indirectly identifiable,Special classification for especially,sensitive data,deserving of special protection-such data is subject to more extensive requirements than is the ca

26、se with other forms of data,The EU Data Protection Directive,“,Sensitive data”includes data referring to a data subjects physical or mental health or condition,or his sexual life,There is a general prohibition against the processing of such data,with a number of exceptional justifications for doing

27、so,Nominally,sensitive data cannot be processed without the explicit consent of the data subject unless this is necessary for medical purposes and is undertaken by a health professional or by a person owing an equivalent duty of confidentiality,“Medical purposes”is defined broadly to include“Prevent

28、ative medicine,medical diagnosis,medical research,the provision of care and treatment and the management of healthcare services.”,The EU Data Protection Directive,The“Safe Harbour”Principles:,July 2000:after extensive discussions between the European Commission and the US Department of Commerce a se

29、t of conditions generally known as the“safe harbour”principles were accepted,The Commission will accept use of the principles by US-based institutions and companies as ensuring conformity with European requirements,US-based organisations will usually be self-certifying by means of a letter to the De

30、partment of Commerce containing certain minimum information,Principles are compatible with OECD Guidelines though there are some concerns over the limited jurisdiction of the FTC,各國現況,兩種形式:一般性的隱私保護（如我國的個資法）為醫療資訊訂定隱私保護法,有法令特別為保護醫療資訊隱私的國家捷克Czech Republic 丹麥 匈牙利 日本（審理中）立陶宛 盧森堡 荷蘭 紐西蘭 瑞士 土耳其 美國 英國,Priva

31、cy-Technology,www.epic.org/Electronic privacy information center,Snoop Proof Email,Anonymous Remailers,Surf Anonymously,HTML Filters,Cookie Busters,Email and File Privacy,Motivation,National Health Insurance plan covers almost every one in Taiwan,Data collected for the health plan contains gold mine

32、 for many researchers,How to release the data while preserving confidentiality?,Related Works,Social Security Administration 1978 used the idea of“bin size”,-argus 1996,Datafly 1997,Our contribution,A modal logic based formal framework for data confidentiality,Distinguish between anonymity and data

33、confidentiality,Proposed a system architecture for enhance the privacy protection while releasing informaiton,Build a prototype system-Cellsecu,Id fields:those fields which can uniquely identify someone by that field alone,Easily known fields:those fields that can be easily collected(we assume that

34、the user already know the value of those fields before query the database),Unknown fields,Bin Size,A bin is a set of records which are“indistinguishable”,“indistinguishable”-two records are indistinguishable if the values of“easily known”attributes are all the same,Bin size as a measure of anonymity

35、You can not tell which record belongs to whom,but.,Data Confidentiality,You are looking at a picture,everyone dressed the same so you can not tell which one is John Doe,however,you noticed that everyone in the picture is bald.It is safe to say John is bald too.,Bin size measures anonymity,but some

36、personal information maybe released,Data confidentiality,Anonymity refers to that a person can not identify certain record belongs to any specific individual,Data confidentially refers to that a person can not identify the value of certain field belongs to any specific individual,non uniqueness,the

37、value of any fields in U can not be all the same in a bin.,Generalization,Some EK fields are generalized if non-uniqueness condition is not satisfied,Generalization makes data less specific,mm/dd/yy generalized to mm/yy,178cm generalized to 170,179 cm,Generalization causes bins merged,System perform

38、ance,The size of the database has little impact on the overall execution time.,The number of records in the upload file has significant impact on the over all execution time.,The time for confidentiality test and the time execute Generalize module takes less than 4%of the total execution time.,Futur

39、e works,Evaluate the impact of Cellsecu to the quality of researches conducted with filtered information.Both theoretical study and empirical study needed.,In this study we model words such as“know”and “identify”in a deterministic sense;we know something when we are 100%sure something is true.How to

40、 model probabilistic view?,Future work,Finish the whole system and put it on line,醫療資訊安全與隱私保護,王大為,中研院資訊所,CPR,減低成本 增加效率,資料的可及性增加,資料的及時性增加,電子化的資料容易作各類的分析,。,Security and Privacy？,The arguments,CPR 系統的安全性不會比現在的系統差,CPR 帶來的好處outweighs那萬分之一個人隱私被侵犯的危險,醫療從業人員有高標準的職業倫理準則,因為安全與隱私的理由反對或減緩CPR的推動是因噎廢食,The argumen

41、ts continued,電子化的資料與紙本資料本質不同（容易拷貝，方便分析，。）,隱私權是基本人權的一部份,健康資料使用的範圍擴大（保險，研究，甚至行銷公司）,不重視安全與隱私，CPR系統會遭到很大的挑戰,航空業,符合經濟效益,飛航安全的規範,安全檢核的程序,保險制度,公開的失事資料,自願,It is all about,信任,社會規範,醫療法第四十九條,醫療機構及其人員因業務而知悉或持有他人之祕密，不得無故洩漏,醫師法 護理人員法 助產士法 藥師法,第二十三條 醫師除依前條規定外，對於因業務而知悉他人秘密，不得無故洩漏。,護理人員法 第二十八條 除依前條規定外，護理人員或護理機構及其人員對

42、於因業務而知悉或持有他人秘密，不得無故洩漏,。,社會規範,電腦處理個人資料保護法（www.rdec.gov.tw/rdeclaw/law083.htm),第三條七（二）醫院、學校、電信業、金融業、證券業、保險業及大眾傳播業。,第四條 當事人就其個人資料依本法規定行使之左列權利，不得預先拋棄或以特約限制之。,一、查詢及請求閱覽。,二、請求製給複製本。,三、請求補充或更正。,四、請求停止電腦處理及利用。,五、請求刪除。,HIPAA,Health Information Portability and Accountability Act,aspe.hhs.gov/admnsimp/pl104191

43、htm,Department of health and human service aspe.hhs.gov/admnsimp/,Proposed standards for Security and Electronic Signature,Proposed standards for Privacy of Individually Indetifiable Health Informaiton,規範建立,形成共識：平衡基本人權的保障與經濟效益,政府立法或自律公約,認證機制,程序透明 公開,實務推動,設立 security and privacy officer,員工教育訓練,瞭解規範與

44、罰則,從業人員資訊安全常識的提升,良好的資訊安全習慣-密碼的選取與更新，離開座位logout，不隨便開啟 activeX.exe,稽核評估,誘因！,資訊技術,密碼學-encryption,digital signature,one-way hash,authentication protocol,網際網路安全技術-SSL,VPN,IPSEC,Firewall.,安全管理-Risk analysis,Risk management,Emergency Response Procedure,Survivability analysis.,隱私,An expression of ones perso

45、nality or personhood,focusing on the right of the individual to define his or her essence as a human being.（R.Pound,Freud）,Autonomy-the moral freedom of the individual to engage in his or her own thoughts,actions and decisions.（Louis Henkin）,Citizen ability to regulate information about themselves,a

46、nd thus control their relationship with other human beings.(Westin,Fried）,Secrecy,anonymity and solitude are essential component of privacy.（Gavison）,資訊時代,Gigabytes 彈指之間複製完成,Gigabytes 不費吹灰之力傳送千里,Gigabytes 不傷腦筋就分析處理完畢,付出少收益大-有經濟誘因,對個人相關資訊的控制權,電腦處理個人資料保護法（www.rdec.gov.tw/rdeclaw/law083.htm),第三條七（二）醫院、

47、學校、電信業、金融業、證券業、保險業及大眾傳播業。,第四條 當事人就其個人資料依本法規定行使之左列權利，不得預先拋棄或以特約限制之。,一、查詢及請求閱覽。,二、請求製給複製本。,三、請求補充或更正。,四、請求停止電腦處理及利用。,五、請求刪除。,個人資料保護 歷史背景,1970德國Hesse 第一個個人資料保護法,1973 瑞典第一個國家立法保護,七零年代在歐洲各國開始立法保護,OEDC 1980(organization for economic cooperation and development)Guidelines concerning the protection of priva

48、cy and transboard flows of personal data,1981 Council of Europe adopts Convention 有關自動處理個人資料下個人權益的保護,2/1990 United nation Guidelines concerning computerized personal data files,EU data protection directive,1995/10/24:EU Directive on the Protection of Individuals with Regards to the Processing of Per

49、sonal Data and on the Free Movement of Such Data,1998/10/24:Proposed date for implementation but was not done,The EU Data Protection Directive,Member states must protect the fundamental rights and freedoms of natural persons,and in particular their right to privacy with respect to the processing of,

50、personal data,No mention of the word“computer”Directive refers to data being,processed,“wholly or partly by automatic means”by a,data controller,so can include manual records,Applies to any information relating to an identified or identifiable natural person(the,data subject,),whether directly or in