BUILDING PRIVACY AWARENESS INTO (CLINICAL) WORKFLOWS
S. Irem Besik, besiksal@informatik.hu-berlin.de
Supervisor: Prof. Johann-Christoph Freytag, Ph.D.
S.I. Besik, Building Privacy Awareness into Clinical Workflows, June 19, '19

PRIVACY IN THE CLINICAL DOMAIN
[Figure: a patient's medical data is shared among an emergency unit, a pharmacy, a health insurance company, a laboratory, a doctor, a nurse and the front desk]
✦ patients' personal medical data
✦ different healthcare providers

EXAMPLE: NEWBORN SCREENING
[Figure: the front desk handles demographic data, the pediatrician medical data, and the lab sensitive blood data]

DESIGN VIA CLINICAL WORKFLOWS
A clinical workflow includes a series of tasks for clinical services; it also specifies how the tasks are performed, in what order, and by whom.

PROBLEM
• Transforming non-privacy-aware clinical workflows (WFs) into privacy-aware ones
• A privacy-aware WF is compliant with:
  1. privacy principles based on the EU General Data Protection Regulation (GDPR)
  2. privacy policies of healthcare providers
  3. privacy preferences of data subjects (patients)

PRIVACY-AWARE CLINICAL WORKFLOW (PaCW) ONTOLOGY
Semantically represents privacy concepts and BPMN-based clinical workflows.

PRINCIPLES BASED ON GDPR
• Purpose Specification: personal data is collected for specified purposes only
• Consent Check: data processing is lawful given the explicit consent of the data subject (e.g. for optional procedures such as newborn screening)
• Limited Retention Period: personal data is kept for no longer than is necessary
• Data Minimization: personal data is limited to what is necessary
PRIVACY DOMAIN (CLASS MODEL)
PrivacyRule: ruleId: int, user: User, data: Data, purpose: String
  PrivacyPolicy (refines PrivacyRule): condition: bool
  PrivacyPreference (refines PrivacyRule): consentStatus: bool
User: userId: int, userRole: String
Data: dataId: int, dataCategory: String, retention: String

Mapping of privacy concepts to BPMN elements:
  Data    -> Data Object, Data Store
  User    -> Pool, Lane
  Purpose -> Text Annotation

PRIVACY RULES
Privacy Rule
  - Policy: Consent, Data Minimization, Retention
  - Preference
PRIVACY POLICY
A privacy policy states
• for what purposes data is processed;
• the modality of data processing, whether it is obligatory or voluntary;
• how long it is retained.
Policy categories: Consent, Data Minimization, Retention
CONSENT POLICY
A consent policy PC consists of rules represented as a 2-tuple pc = (purpose, requiresConsent), where:
• purpose is the reason for which data is accessed;
• requiresConsent ∈ {true, false}.
Example P1: An explicit consent is required for newborn hearing screening.
Formal representation: (newborn-hearing-screening, true)

DATA MINIMIZATION POLICY
A data minimization policy PD consists of rules represented as a 4-tuple pd = (user, purpose, data, condition), where:
• user is the set of individuals who access the personal data;
• data is a set of data objects;
• condition indicates additional conditions.
Example P2: A pediatrician can access the result of the lab examination only if the result is abnormal for blood screening.
Formal representation: (pediatrician, blood-screening, examination-result, examination-result.isAbnormal)

RETENTION POLICY
A retention policy consists of rules represented as a 4-tuple r = (user, purpose, data, retention), where:
• retention is the period of time the data is stored.
Example P3: A hospital can save results for the purpose of hearing screening with a retention limit of 3 years.
Formal representation: (hospital, hearing-screening, result, 3 years)

PRIVACY PREFERENCE
A privacy preference consists of rules represented as a 6-tuple r = (dataSubject, user, purpose, data, duration, entryDate), where:
• dataSubject is the individual the personal data is about;
• duration is the duration of the preference;
• entryDate is the entry date of the preference.
Example R1: Alice gives consent that only pediatrician Bob can perform hearing screening, for 6 months, on June 19, 2019.
Formal representation: (Alice, only Bob, hearing-screening, any, 6 months, 2019-06-19)
PRIVACY COMPLIANCE & TRANSFORMATION INTO A PRIVACY-AWARE CLINICAL WORKFLOW (PaCW)

DATA-AWARE WORKFLOW
BPMN elements used: Data Store, Data Object, Text Annotation, Pool, Lane, Task, Start Event, End Event, Exclusive Gateway, Inclusive Gateway, Parallel Gateway, Sequence Flow, Message Flow, Data Association, Association.
Clinical WF + these data elements and purpose annotations => Data-Aware Workflow

Data-Aware WF + Policy + Preference (of the Data Subject)
=> compliant with the Consent Check Principle
=> compliant with the Limited Retention Principle
=> compliant with the Data Minimization Principle

PURPOSE SPECIFICATION COMPLIANCE CHECK
Notation: $F$ is the set of data associations, $D$ the set of data objects, $p$ a purpose, and $\lambda_2(f) = p$ assigns to a data association $f$ its purpose.
Check: $\forall f \in F,\ \lambda_2(f) \neq \emptyset$, i.e. every data association carries a purpose.
COMPLIANCE WITH CONSENT CHECK (1)
During design time: Consent Check Pattern.
A <<Precedes>> B means that B can occur only if A occurred before.
The consent privacy policy PC includes (purpose, requiresConsent = true).
Given a Data-Aware WF, check that the Consent Check Pattern precedes the Data Operation Task:
$\forall f \in F:\ (\lambda_2(f), \mathit{true}) \in PC \Rightarrow \mathrm{SCAN}(t) = \mathit{true}$
where $t$ is the data operation task of association $f$, and SCAN is a function that traverses all sequence flows reaching the Data Operation Task and reports whether the Consent Check Pattern precedes it.
COMPLIANCE WITH CONSENT CHECK (2)
During run time: check the privacy preferences of the Data Subject.
The consent privacy policy includes (purpose, requiresConsent = true).
Look up a matching preference r = (DataSubject, user, purpose, data, duration, entryDate):
• does the user performing the task match r.user (and the purpose and data match)?
• is the preference still valid? Compare today - entryDate against duration: the preference is valid only while today - entryDate has not reached duration.
TRANSFORMATION
Predefined transformation actions for the privacy violations captured during the compliance check.
Purpose Specification: at least one specific purpose for each data operation.
Transformation action: return a message as a warning.

TRANSFORMATION - CONSENT CHECK
Some tasks are legitimate only with the explicit consent of a data subject.
Privacy violation: consent required, but no consent check.
Transformation action: add the Consent Check Pattern beforehand.
HEARING PROCEDURE - BEFORE TRANSFORMATION
[Workflow: pool "maternity clinic", lane "pediatrician"; start event "newborn arrives" -> task "perform hearing screening"; data associations d:result, p:hearing screening and d:hearing screening medical data, p:hearing screening, stored in the HIS]
P1: An explicit consent is required for the newborn hearing screening procedure.
(hearing-screening, true) ∈ Consent Policy, and hearing screening is the purpose of the task's data associations.
Check: does the Consent Check Pattern precede "perform hearing screening"? X (violation: no consent check)

HEARING PROCEDURE - AFTER TRANSFORMATION
Rule triggered: hearing screening performed without a consent check.
Corrective action: add the Consent Check Pattern beforehand.
[Workflow: pool "maternity clinic", lanes "pediatrician" and "parent"; "newborn arrives" -> "inform parents and ask for consent" (d:consent, p:hearing screening) -> "check consent" -> exclusive gateway "consent?": yes -> "perform hearing screening" (d:hearing screening medical data, d:result, p:hearing screening, HIS); no -> end]
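As an added example (not the author's code and not part of the slides), the following Python model implements the compliance checks and transformation actions described above: the Purpose Specification check, the design-time SCAN check for the Consent Check Pattern, the run-time check against privacy preferences, and the corrective action that inserts the pattern, exercised on the hearing procedure. The workflow representation, the node labels of the inserted pattern, taking 6 months as 183 days and the rule that a preference expires once today - entryDate >= duration are assumptions made here; the purpose label is normalised to hearing-screening so that it matches the consent policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Node labels of the Consent Check Pattern (assumed labels, chosen to match the slides).
ASK_TASK = "inform parents and ask for consent"
CONSENT_TASK = "check consent"
CONSENT_GATEWAY = "consent?"
NO_CONSENT_END = "end: no consent"

# Consent policy PC: rules (purpose, requiresConsent); here only policy P1.
CONSENT_POLICY = {("hearing-screening", True)}

@dataclass
class Workflow:
    """Data-aware workflow: node kinds, sequence flows, and lambda_2 (data association -> purpose)."""
    nodes: dict        # node id -> "start" | "task" | "xor" | "end"
    flows: list        # sequence flows as (source, target) pairs
    data_assoc: dict   # task id -> list of (data object, purpose or None)

@dataclass
class Preference:
    """Privacy preference r = (dataSubject, user, purpose, data, duration, entryDate)."""
    data_subject: str
    user: str          # "any" = no restriction on who acts
    purpose: str
    data: str          # "any" = no restriction on the data object
    duration: timedelta
    entry_date: date

def purpose_violations(wf):
    """Purpose Specification: every data association must carry a purpose (lambda_2(f) != empty)."""
    return [(t, d) for t, assocs in wf.data_assoc.items() for d, p in assocs if not p]

def requires_consent(wf, task):
    """True if a purpose of the task's data operations is listed in PC with requiresConsent = true."""
    return any((p, True) in CONSENT_POLICY for _, p in wf.data_assoc.get(task, []))

def scan(wf, task):
    """SCAN(t): CONSENT_TASK precedes t on every sequence-flow path from a start event."""
    preds = {}
    for src, dst in wf.flows:
        preds.setdefault(dst, []).append(src)

    def guarded(node, on_path):
        if node == CONSENT_TASK:
            return True
        if wf.nodes[node] == "start" or node not in preds:
            return False                      # reached the start without a consent check
        if node in on_path:
            return True                       # a loop back onto this path adds no new path
        return all(guarded(p, on_path | {node}) for p in preds[node])

    return guarded(task, frozenset())

def design_time_violations(wf):
    """Tasks that need consent (per PC) but are not preceded by the Consent Check Pattern."""
    pattern = {ASK_TASK, CONSENT_TASK}        # the pattern's own tasks collect the consent
    return [t for t, kind in wf.nodes.items()
            if kind == "task" and t not in pattern
            and requires_consent(wf, t) and not scan(wf, t)]

def add_consent_check_pattern(wf, task):
    """Transformation action: insert ask -> check consent -> exclusive gateway in front of task."""
    purposes = sorted({p for _, p in wf.data_assoc[task] if p})
    flows = [(s, ASK_TASK if d == task else d) for s, d in wf.flows]   # redirect incoming flows
    flows += [(ASK_TASK, CONSENT_TASK), (CONSENT_TASK, CONSENT_GATEWAY),
              (CONSENT_GATEWAY, task), (CONSENT_GATEWAY, NO_CONSENT_END)]
    nodes = {**wf.nodes, ASK_TASK: "task", CONSENT_TASK: "task",
             CONSENT_GATEWAY: "xor", NO_CONSENT_END: "end"}
    assoc = dict(wf.data_assoc)
    consent_data = [("consent", p) for p in purposes]                   # d:consent, p:<purpose>
    assoc[ASK_TASK], assoc[CONSENT_TASK] = consent_data, list(consent_data)
    return Workflow(nodes, flows, assoc)

def transform(wf):
    """Compliance check plus corrective actions: warn on missing purposes, insert missing consent checks."""
    report = {"purpose_warnings": purpose_violations(wf), "consent_fixed": []}
    for t in design_time_violations(wf):
        wf = add_consent_check_pattern(wf, t)
        report["consent_fixed"].append(t)
    return wf, report

def consent_valid(prefs, data_subject, user, purpose, data, today):
    """Run-time check: is there a matching, unexpired preference of the data subject?"""
    for r in prefs:
        if r.data_subject != data_subject or r.purpose != purpose:
            continue
        if r.user not in ("any", user) or r.data not in ("any", data):
            continue
        if today - r.entry_date >= r.duration:   # assumption: expired once the duration has elapsed
            continue
        return True
    return False

# Constructed input: the hearing procedure before transformation (one task, no consent check).
HEARING_WF = Workflow(
    nodes={"newborn arrives": "start", "perform hearing screening": "task", "end": "end"},
    flows=[("newborn arrives", "perform hearing screening"), ("perform hearing screening", "end")],
    data_assoc={"perform hearing screening": [("hearing screening medical data", "hearing-screening"),
                                              ("result", "hearing-screening")]},
)

# Constructed preference R1: Alice allows only Bob to do hearing screening for 6 months (taken as 183 days).
R1 = Preference("Alice", "Bob", "hearing-screening", "any", timedelta(days=183), date(2019, 6, 19))
```

Running transform(HEARING_WF) reports no purpose warnings and one consent fix for "perform hearing screening"; scan on the returned workflow is then true because every path into the task passes "check consent". consent_valid([R1], ...) answers true for Bob on 2019-07-01 and false for any other user or once 183 days have passed.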