Ensuring the security of medical data, including image data, is paramount for any healthcare IT project, let alone a national one. As part of its upcoming eSanté (e-Health) national project, Luxembourg has settled on a "de-identification" concept to tackle that critical concern.
Luxembourg is in the midst of developing a national e-Health platform for the exchange of medical data and the management of electronic patient records. It will include a national electronic medical imaging record (eSanté CARA) and LABO, an initiative for electronic exchange of laboratory results.
While the Luxembourgish e-Health Agency (Agence eSanté) tasked with the planning and installation of the e-Health platform is currently in the process of being created, initial activities are well underway. The Centre de Recherche Public Henri Tudor (CR SANTEC) is contributing advisory support to the project, including generating feasibility studies (eSanté EFES), use-case definitions, a proposed platform, functional requirement specifications, and gap analysis, said Dr. Uwe Roth of CR SANTEC.
One of the main concepts already accepted for the e-Health project is the use of a de-identification protocol to ensure data security. In a presentation at the Med-e-Tel meeting in April, Roth described the de-identification concept, which will also be an integral part for the storage of medical images.
In a national context, medical data must be protected against unauthorized access and misuse. Encryption of medical data ensures confidentiality, but additional metadata is needed to support queries for documents by criteria such as document type, circumstances of creation, and the creator of the data, Roth said.
In addition, more detailed and fine-grained queries require access to more metadata, which increases the risk of disclosing sensitive information. As a result, the metadata must itself be de-identified, replacing patient demographic information with pseudonyms.
With the planned de-identification concept for Luxembourg, all data sets with the same pseudonym will belong to the same person, he said.
A trusted third party will be the only place where demographics and their pseudonyms are both known. This third party will be organizationally and legally independent of data sources, data users, the data registry, and data repositories.
No medical data will pass through the trusted third party, and the medical data itself will not be de-identified or modified, so that the integrity of digitally signed documents is preserved, Roth noted. The de-identification service can also be made available on the Internet, with users of the service staying behind firewalls.
Since patients will be identified by the demographics supplied, those demographics must first be normalized to correct typographical errors, to account for phonetic reduction of names, and to align addresses with official ones.
After running an identity matching process, the trusted third party will make a matching decision. If a definitive positive match with an existing patient has been made, the existing pseudonym will be used. If there is definitely no match, a new pseudonym will be created. Where the match is unclear, a new pseudonym will be created for the time being, with manual intervention required to make the final matching decision, according to Roth.
In addition, creating source-dependent pseudonyms enables later correction of incorrect matching decisions. The trusted third party will also provide, on request, all pseudonyms that belong to the same person.
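To make the matching and pseudonym-issuing procedure above concrete, here is an added Python sketch of a trusted third party; it is not the eSanté implementation, and the HMAC-based source-dependent pseudonym, the person identifiers, and the simple family-name-plus-date-of-birth rule for an unclear match are assumptions chosen for illustration.

```python
import hashlib
import hmac
import unicodedata


def normalize(demo: dict) -> tuple:
    """Normalization step: fold case and accents, collapse whitespace.
    Phonetic name reduction and address alignment are left out here."""
    def fold(s: str) -> str:
        s = unicodedata.normalize("NFKD", s)
        s = "".join(c for c in s if not unicodedata.combining(c))
        return " ".join(s.casefold().split())
    return (fold(demo["family"]), fold(demo["given"]), demo["dob"])


class TrustedThirdParty:
    """Holds the only demographics <-> pseudonym linkage; no medical data enters."""
    def __init__(self, secret: bytes):
        self._secret = secret            # never leaves the trusted third party
        self._persons = {}               # person_id -> normalized demographics
        self._sources = {}               # person_id -> sources holding a pseudonym
        self.review_queue = []           # unclear matches awaiting manual decision

    def _pseudonym(self, person_id: str, source_id: str) -> str:
        # Source-dependent pseudonym (assumed HMAC construction): same person at a
        # different source -> different pseudonym, so one linkage can be corrected
        # later without touching the others. Only the TTP can link them.
        msg = f"{source_id}|{person_id}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:16]

    def _match(self, norm: tuple):
        for pid, d in self._persons.items():
            if d == norm:
                return "match", pid
        for pid, d in self._persons.items():
            if d[0] == norm[0] and d[2] == norm[2]:   # family name + DOB agree only
                return "unclear", pid
        return "no_match", None

    def deidentify(self, source_id: str, demo: dict) -> tuple:
        norm = normalize(demo)
        decision, pid = self._match(norm)
        if decision != "match":          # no or unclear match -> new pseudonym for now
            new_pid = f"p{len(self._persons) + 1}"
            self._persons[new_pid] = norm
            if decision == "unclear":
                self.review_queue.append((new_pid, pid))   # manual decision pending
            pid = new_pid
        self._sources.setdefault(pid, set()).add(source_id)
        return decision, self._pseudonym(pid, source_id)

    def pseudonyms_for(self, person_id: str) -> dict:
        """For the registry/repositories: every pseudonym issued for one person."""
        return {s: self._pseudonym(person_id, s) for s in self._sources.get(person_id, ())}
```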
Authentication and access control ensure that de-identification requests are accepted only from data sources and data users, and that pseudonyms can be retrieved only by the data registry and data repositories, Roth stated. This role-based access is enforced by a security token service that issues security tokens after authentication.
With Luxembourg's de-identification concept, the users and sources of data never see the pseudonym, and the data repositories and data storage never see the demographics, Roth said. Identity vigilance is undertaken to monitor matching decisions, he said.
"A trusted third party provides data privacy for unencrypted metadata and statistical extracts," Roth said.