PIPE - Pseudonymization of Information for Privacy in e-Health

Project duration: August 2008 - January 2010
Funded by: Bundesministerium für Verkehr, Innovation und Technologie (FIT-IT Trust in IT Systems)

Project partners
Vienna University of Technology Secure Business Austria GenoSense Diagnostics GmbH Braincon Technologies GmbH

Project team: Michael Schrefl (DKE)
Michael Karlinger (DKE)
Katharina Grün (DKE)
Georg Nitsche (DKE)

Motivation The discussion of privacy is one of the fundamental issues in health care today and a trade-off between the patients' requirement for privacy as well as the society's needs for improving efficiency and reducing costs of the health care system. Today, highly sensitive data is managed in medical systems that are however hardly protected. As a result of the high sensitivity of medical data and due to an endless list of security breaches revealing patients' data, there is an increasing social and political pressure to prevent the misuse of health data. Approach Project PIPE (Pseudonymization of Information for Privacy in e-Health) aims at developing techniques that make it technically impossible to violate the privacy of health care consumers. The objective of the project is to develop a secure, configurable pseudonymization service that can be employed for and customized to different e-health applications. Its main idea is to disassociate personal identification data from electronic health records and to control access to sensitive identification data via a layered encryption model. By pseudonymizing electronic health records, PIPE provides secondary use of medical data without revealing the patients' identity. All sensitive data is encrypted. To search in encrypted data, PIPE makes use of the concepts developed in the SemCrypt project. Contributions PIPE encrypts sensitive data to ensure data confidentiality and employs a layered encryption model to cryptographically control access to sensitive data. It provides traceable and fraud-prove access to medical data, which ensures the integrity of data and enables the detection of unauthorized manipulations. PIPE employs specific storage and access structures that provide for efficient access to and queries on medical data for authorized users. In particular, PIPE extends SemCrypt in that it not only enables to store and query encrypted data, but also provides access and integrity control in outsourced, encrypted databases. Relevance Electronic health records improve communication between health care providers and access to medical data and documentation, leading to better clinical and service quality. As the disclosure of medical data may cause serious problems for patients, health care consumers and legal acts demand the protection of medical data. PIPE provides the necessary privacy in the context of electronic health records, which does not only promise a higher level of service quality for the patients, but also reduces costs for social insurance sytems and therefore for the society.