Top

BMC Medical Informatics and Decision Making

Published in:

Open Access 01-12-2015 | Technical advance

A generic solution for web-based management of pseudonymized data

Authors: Ronald Lautenschläger, Florian Kohlmayer, Fabian Prasser, Klaus A. Kuhn

Published in: BMC Medical Informatics and Decision Making | Issue 1/2015

Abstract

Background

Collaborative collection and sharing of data have become a core element of biomedical research. Typical applications are multi-site registries which collect sensitive person-related data prospectively, often together with biospecimens. To secure these sensitive data, national and international data protection laws and regulations demand the separation of identifying data from biomedical data and to introduce pseudonyms. Neither the formulation in laws and regulations nor existing pseudonymization concepts, however, are precise enough to directly provide an implementation guideline. We therefore describe core requirements as well as implementation options for registries and study databases with sensitive biomedical data.

Methods

We first analyze existing concepts and compile a set of fundamental requirements for pseudonymized data management. Then we derive a system architecture that fulfills these requirements. Next, we provide a comprehensive overview and a comparison of different technical options for an implementation. Finally, we develop a generic software solution for managing pseudonymized data and show its feasibility by describing how we have used it to realize two research networks.

Results

We have found that pseudonymization models are highly heterogeneous, already on a conceptual level. We have compiled a set of requirements from different pseudonymization schemes. We propose an architecture and present an overview of technical options. Based on a selection of technical elements, we suggest a generic solution. It supports the multi-site collection and management of biomedical data. Security measures are multi-tier pseudonymity and physical separation of data over independent backend servers. Integrated views are provided by a web-based user interface. Our approach has been successfully used to implement a national and an international rare disease network.

Conclusions

We were able to identify a set of core requirements out of several pseudonymization models. Considering various implementation options, we realized a generic solution which was implemented and deployed in research networks. Still, further conceptual work on pseudonymity is needed. Specifically, it remains unclear how exactly data is to be separated into distributed subsets. Moreover, a thorough risk and threat analysis is needed.

Available only for authorised users

HBGRDs. Guidelines for human biobanks and genetic research databases. 2008. http://www.oecd.org/science/biotech/guidelinesforhumanbiobanksandgeneticresearchdatabaseshbgrds.htm. Accessed 28 September 2015.

P3G. Public population project in genomics and society. 2015. http://p3g.org. Accessed 28 September 2015.

Wichmann HE, Kuhn KA, Waldenberger M, Schmelcher D, Schuffenhauer S, Meitinger T, et al. Comprehensive catalog of european biobanks. Nat Biotechnol. 2011;29:795–7. doi:10.1038/nbt.1958.CrossRefPubMed

BioMedBridges. Building data bridges from biology to medicine in Europe. 2015. http://www.biomedbridges.eu. Accessed 28 September 2015.

Appari A, Johnson ME. Information security and privacy in healthcare: current state of research. Int J Internet Enterp Manag. 2010;6(4):279–314. doi:10.1504/IJIEM.2010.035624.CrossRef

Malin B. An evaluation of the current state of genomic data privacy protection technology and a roadmap for the future. J Am Med Inform Assoc. 2005;12:28–34.CrossRefPubMedPubMedCentral

Ayday E, De Cristofaro E, Hubaux J-P, Tsudik, G. The chills and thrills of whole genome sequencing. IEEE Computer. 2013;99:1. doi:10.1109/MC.2013.333.

European Parliament and Council of the European Union: European Parliament and council directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal L 1995;281:31–50.

European Commission. Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General data protection regulation). Outcome of the European Parliament’s first reading (Strasbourg, 10 to 13 March 2014). Brussels. 2014.

10.

Council of Europe: Recommendation Rec(2006) 4 of the Committee of Ministers to member states on research on biological materials of human origin. 958^th meeting. 15 March 2006.

11.

U.S. Department of Health and Human Services Office for Civil Rights. HIPAA administrative simplification regulation, 45 CFR Parts 160, 162, and 164. 2013.

12.

UK Biobank. UK biobank ethics and governance framework (version 3.0). 2007. https://www.ukbiobank.ac.uk/wp-content/uploads/2011/05/EGF20082.pdf. Accessed 28 September 2015.

13.

Hakonarson H, Gulcher JR, Stefansson K. deCODE genetics, Inc. Pharmacogenomics. 2003;4:209–15.CrossRefPubMed

14.

The German National Cohort: http://nationale-kohorte.de/informationen-auf-englisch/ (2015). Accessed 30 November 2015.

15.

Federal Data Protection Act in the version promulgated on 14 January 2003 (Federal Law Gazette I p. 66), as most recently amended by Article 1 of the Act of 14 August 2009 (Federal Law Gazette I p. 2814). 2009.

16.

Republic of Italy. Personal data protection code. legislative decree No. 196, (196), 1–186. 2003.

17.

Lowrance W. Learning from experience: privacy and the secondary use of data in health research. J Health Serv Res Policy. 2003;8 Suppl 1:2–7. doi:10.1258/135581903766468800.CrossRef

18.

Kalra D, Gertz R, Singleton P, Inskip HM. Confidentiality of personal health information used for research. BMJ. 2006;333(7650):196–8. doi:10.1136/bmj.333.7560.196.CrossRefPubMedPubMedCentral

19.

International Organization for Standardization (ISO). Health informatics - pseudonymization. ISO/TS 25237:2008(E). 2008.

20.

Pommerening K, Drepper J, Helbing K, Ganslandt T. Leitfaden zum Datenschutz in medizinischen Forschungsprojekten. 1st ed. Berlin: MWV; 2014. ISBN-10: 3954661233.

21.

Winter A, Funkat G, Haeber A, Mauz-Koerholz C, Pommerening K, Smers S, et al. Integrated information systems for translational medicine. Methods Inf Med. 2007;46:601–7.PubMed

22.

Pommerening K, Sax U, Müller T, Speer R, Ganslandt T, Drepper J, et al. Integrating eHealth and medical research: The TMF data protection scheme. In: Blobel B, Pharow P, Zvarova J, Lopez D, editors. eHealth: Combining health telematics, telemedicine, biomedical engineering and bioinformatics to the edge. Berlin: Akademische Verlagsgesellschaft Aka GmbH; 2008. p. 5–10.

23.

Helbing K, Demiroglu SY, Rakebrandt F, Pommerening K, Rienhoff O, Sax U. A data protection scheme for medical research networks. Methods Inf Med. 2010;49(6):601–7. doi:10.3414/ME09-02-0058.CrossRefPubMed

24.

Brinkmann L, Klein A, Ganslandt T, Ückert F. Implementing a data safety and protection concept for a web-based exchange of variable medical image data. Int Congr Ser. 2005;1281:191–5. doi:10.1016/j.ics.2005.03.185.CrossRef

25.

Spitzer M, Ullrich T, Ueckert F. Securing a web-based teleradiology platform according to German law and “Best Practices”. Stud Health Technol Inform. 2009;150:730–4.PubMed

26.

Lablans M, Borg A, Ückert F. A RESTful interface to pseudonymization services in modern web applications. BMC Med Inform Decis Mak. 2015;15(1):2. doi:10.1186/s12911-014-0123-5.CrossRefPubMedPubMedCentral

27.

Kalman B, Lautenschlaeger R, Kohlmayer F, Büchner B, Kmiec T, Klopstock T, et al. An international registry for neurodegeneration with brain iron accumulation. Orphanet J Rare Dis. 2012;7:66. doi:10.1186/1750-1172-7-66.CrossRefPubMedPubMedCentral

28.

m4 Leading-Egde Cluster: m4 data integration systems. http://www.m4.de/en/leading-edge-cluster/m4-data-integrationsystem.html (2015). Accessed 30 November 2015.

29.

Büchner B, Gallenmüller C, Lautenschläger R, Kuhn KA, Wittig I, Schöls L, et al. Das deutsche Netzwerk für mitochondriale Erkrankungen (mitoNET). Med Genet. 2012;24(3):193–9. doi:10.1007/s11825-012-0338-8.

30.

Sommerville I: Software engineering. 9th ed. Addison-Wesley; 2010:792. ISBN-10: 0137035152.

31.

Demiroglu SY, Skrowny D, Quade M, Schwanke J, Budde M, Gullatz V, et al. Managing sensitive phenotypic data and biomaterial in large-scale collaborative psychiatric genetic research projects: practical considerations. Mol Psychiatry. 2012;17(12):1180–5. doi:10.1038/mp.2012.11.CrossRefPubMed

32.

Bialke M, Bahls T, Havemann C, Piegsa J, Weitmann K, Wegner T, et al. MOSAIC – a modular approach to data management in epidemiological studies. Methods Inf Med. 2015;54:364–71. doi:10.3414/ME14-01-0133.CrossRefPubMed

33.

Meyer J, Ostrzinski S, Fredrich D, Havemann C, Krafczyk J, Hoffmann W. Efficient data management in a large-scale epidemiology research project. Comput Methods Programs Biomed. 2012;107(3):425–35. doi:10.1016/j.cmpb.2010.12.016.CrossRefPubMed

34.

Ohmann C, Kuchinke W, Canham S, Lauritsen J, Salas N, Schade-Brittinger C, et al. Standard requirements for GCP-compliant data management in multinational clinical trials. Trials. 2011;12:85. doi:10.1186/1745-6215-12-85.CrossRefPubMedPubMedCentral

35.

Kohlmayer F, Lautenschläger R, Wurst SHR, Klopstock T, Prokisch H, Meitinger T, et al. Konzept für ein deutschlandweites Krankheitsnetz am Beispiel von mitoREGISTER. GI Jahrestagung. 2010:746–751.

36.

Eggert K, Wüllner U, Antony G, Gasser T, Janetzky B, Klein C, et al. Data protection in biomaterial banks for parkinson’s disease research: the model of GEPARD (gene bank parkinson’s disease germany). Mov Disord. 2007;22(5):611–318. doi:10.1002/mds.21331.CrossRefPubMed

37.

Dangl A, Demiroglu SY, Gaedcke J, Helbing K, Jo P, Rakebrandt F, et al. The IT-infrastructure of a biobank for an academic medical center. Stud Health Technol Inform. 2010;160(Pt 2):1334–8. doi:10.3233/978-1-60750-588-4-1334.PubMed

38.

Jin J, Ahn G-J, Hu H, Covington MJ, Zhang X. Patient-centric authorization framework for sharing electronic health records. In Proc 14th ACM Symp Access Control Model Technol. 2009; 125–134; doi 10.1145/1542207.1542228.

39.

Alonso G, Casati F, Kuno H, Machiraju V. Web services: Concepts, architectures and applications (Data-centric systems and applications). Berlin Heidelberg: Springer; 2004. p. 123–49. ISBN 3642078885.

40.

Dadam P, Reichert M, Kuhn KA. Clinical workflows-the killer application for process-oriented information systems? In: Abramowicz W, Orlowska ME, editors. BIS 2000, 4th Int Conf on Bus Inf Syst. London: Springer; 2000. p. 36–59.

41.

Bevan N. Usability issues in web site design. 1999. http://experiencelab.typepad.com/files/usability-issues-in-website-design-1.pdf. Accessed 28 September 2015.

42.

Goldberg SI, Niemierko A, Turchin A. Analysis of data errors in clinical research databases. AMIA Annu Symp Proc. 2008:242–246.

43.

The HL7 CCOW Standard: http://www.hl7.com.au/CCOW.htm (2006). Accessed 28 September 2015.

44.

Demiroglu SY, Skrowny D, Schulze TG. Adaption of the identity management regarding new requirements of a long-term psychosis biobank. In: Moen A, Andersen SK, Aarts J, Hurlen P, editors. In Proc 23rd Int Conf European Federation Med Inform. Oslo. MIE 2011. 2011:1–3.

45.

Bialke M, Penndorf P, Wegner T, Bahls T, Havemann C, Piegsa J, et al. A workflow-driven approach to integrate generic software modules in a trusted third party. J Transl Med. 2015;13:176. doi:10.1186/s12967-015-0545-6.CrossRefPubMedPubMedCentral

46.

AngularJS: https://angularjs.org (2015). Accessed 28 September 2015.

47.

BACKBONE.JS: http://backbonejs.org (2015). Accessed 28 September 2015.

48.

Jackson C, Bortz A, Boneh D, Mitchell JC. Protecting browser state from web privacy attacks. Proc Int Conf World Wide Web. 2006:737–744; doi:10.1145/1135777.1135884.

49.

Jackson C, Wang HJ. Subspace: Secure cross-domain communication for web mashups. Proc Int Conf World Wide Web. 2007:611–620; doi:10.1145/1242572.1242655.

50.

De Ryck P, Decat M, Desmet L, Piessens F, Joosen W. Security of web mashups: a survey. Proc Nord Conf Sec IT Syst. 2012:223–238; doi:10.1007/978-3-642-27937-9_16.

51.

Son S, Shmatikov V. The postman always rings twice: attacking and defending postMessage in HTML5 websites. In: ISOC Network and Distributed System Security Symposium, NDSS 2013. 2013.

52.

JGroups: http://www.jgroups.org (2015). Accessed 28 September 2015.

53.

Neuman C, Kohl J. RFC 4120: the Kerberos network authentication service (V5). 2005. http://www.ietf.org/rfc/rfc4120.txt. Accessed 28 September 2015.

54.

Shibboleth 3: a new identity platform. 2013. https://shibboleth.net/documents/business-case.pdf. Accessed 28 September 2015.

55.

Anderson A, Lockhart H. SAML 2.0 profile of XACML. OASIS Open 2004. http://docs.oasis-open.org/xacml/access_control-xacml-2.0-saml_profile-spec-cd-01.pdf. Accessed 28 September 2015.

56.

University of Southern California. RFC 791: Darpa internet program protocol specification. 1981. https://tools.ietf.org/html/rfc791. Accessed 28 September 2015.

57.

Jones MB. The emerging JSON-based identity protocol suite. W3C workshop on identity in the browser. 2011:1–3.

58.

European Commission. FP7-HEALTH - FP7 specific programme ‘cooperation’ - research theme: ‘health’. 2007. http://cordis.europa.eu/programme/rcn/852_en.html. Accessed 28 September 2015.

59.

OATH Standard: http://www.openauthentication.org (2015). Accessed 28 September 2015.

60.

Robinson PN, Köhler S, Bauer S, Seelow D, Horn D, Mundlos S. The human phenotype ontology: a tool for annotating and analyzing human hereditary disease. Am J Hum Genet. 2008;83(5):610–5. doi:10.1016/j.ajhg.2008.09.017.CrossRefPubMedPubMedCentral

61.

Schaefer AM, Phoenix C, Elson JL. Mitochondrial disease in adults: a scale to monitor progression and treatment mitochondrial disease in adults. Neurology. 2012;66(12):1932–4.CrossRef

62.

Barry MJ, VanSwearingen JM, Albright AL. Reliability and responsiveness of the barry-albright dystonia scale. Dev Med Child Neurol. 1999;41(6):404–11.CrossRefPubMed

63.

Schmitz-Hübsch T, Du Montcel ST, Baliko L, Berciano J, Boesch S, Depondt C, et al. Scale for the assessment and rating of ataxia: development of a new clinical scale. Neurology. 2006;66(11):1717–20.CrossRefPubMed

64.

Aamot H, Kohl CD, Richter D, Knaup-Gregori P. Pseudonymization of patient identifiers for translational research. BMC Med Inform Decis Mak. 2013;13(1):75. doi:10.1186/1472-6947-13-75.CrossRefPubMedPubMedCentral

65.

Neubauer T, Kolb M. An evaluation of technologies for the pseudonymization of medical data. In: Computer and Information Science. Berlin: Springer; 2009. p. 47–60. doi:10.1007/978-3-642-01209-9_5.

66.

Kalra D, Singleton P, Milan J, MacKay J, Detmer D, Rector A, et al. Security and confidentiality approach for the clinical e-science framework (CLEF). Methods Inf Med. 2005. doi:10.1267/METH05020193.PubMed

67.

Loukides G, Denny JC, Malin B. The disclosure of diagnosis codes can breach research participants’ privacy. J Am Med Inform Assoc. 2010;17(3):322–7. doi:10.1136/jamia.2009.002725.CrossRefPubMedPubMedCentral

68.

M. Howard und S. Lipner. The security development lifecycle: SDL, a process for developing demonstrably more secure software. Microsoft Press; 2006. ISBN-10: 0735622140

69.

International Organization for Standardization (ISO): Information technology - security techniques - information security management systems - overview and vocabulary. ISO/IEC 27000:2009(E). 2009.

70.

Shirey R. RFC4949: Internet security glossary (V2). 2007. https://tools.ietf.org/html/rfc4949 Accessed 28 September 2015.

71.

Majchrzak T, Schmitt O. Improving epidemiology research with patient registries based on advanced web technology. In: Proc Int Conf Info Sys Crisis Response Management. 2012:1–5.

72.

De Moor GJE, Claerhout B, De Meyer F. Privacy enhancing techniques: the key to secure communication and management of clinical and genomic data. Methods Inf Med. 2003;42(2):148–53. doi:10.1267/METH03020148.PubMed

73.

Claerhout B, De Moor GJE, De Meyer F. Secure communication and management of clinical and genomic data: the use of pseudonymisation as privacy enhancing technique. Stud Health Technol Inform. 2002;95:170–5. doi:10.3233/978-1-60750-939-4-170.

74.

Iversen K, Grøtan T. Socio-technical aspects of the use of health related personal information for management and research. Int J Biomed Comput. 1996;43(1):83–91.CrossRefPubMed

75.

Wylie JE, Mineau GP. Biomedical databases: protecting privacy and promoting research. Trends Biotechnol. 2003;21(3):113–6. doi:10.1016/S0167-7799(02)00039-2.CrossRefPubMed

76.

Noumeir R, Lemay A, Lina JM. Pseudonymization of radiology data for research purposes. J Digit Imaging. 2007;20(3):284–95. doi:10.1007/s10278-006-1051-4.CrossRefPubMed

77.

Lo IL. Multi-centric universal pseudonymisation for secondary use of the EHR. Stud Health Technol Inform. 2007;126:239–47.

78.

Heurix J, Karlinger M, Neubauer T. Pseudonymization with metadata encryption for privacy-preserving searchable documents. In: Proc Annu Hawaii Int Conf Syst Sci. HICSS 2012. 2012:3011–3020; doi:10.1109/HICSS.2012.491.

79.

Neubauer T, Heurix J. A methodology for the pseudonymization of medical data. Int J Med Inform. 2011;80(3):190–204. doi:10.1016/j.ijmedinf.2010.10.016.CrossRefPubMed

80.

Riedl B, Grascher V, Neubauer T. A secure e-health architecture based on the appliance of pseudonymization. J Software. 2008;3(2):23–32. doi:10.4304/jsw.3.2.23-32.CrossRef

81.

Starlims: http://www.starlims.com/de-de/home (2015). Accessed 28 September 2015.

82.

secuTrial: http://www.secutrial.com (2015). Accessed 28 September 2015.

83.

DSLib: http://www.unimedizin-mainz.de/imbei/informatik/opensource/dslib.html (2015). Accessed 28 September 2015.

84.

Muscholl M, Lablans M, Ückert F. OSSE: open source registry system for rare diseases in the EU (executive summary). 2014. http://download.osse-register.de/OSSE_Executive_Summary.pdf. Accessed 30 November 2015.

85.

Muscholl M, Lablans M, Wagner TO, Ückert F. OSSE: open source registry software solution. Orphanet J Rare Dis. 2014; 9 Suppl 1; doi:10.1186/1750-1172-9-S1-O9.

Title: A generic solution for web-based management of pseudonymized data
Authors: Ronald Lautenschläger
Florian Kohlmayer
Fabian Prasser
Klaus A. Kuhn
Publication date: 01-12-2015
Publisher: BioMed Central
Published in: BMC Medical Informatics and Decision Making / Issue 1/2015
Electronic ISSN: 1472-6947
DOI: https://doi.org/10.1186/s12911-015-0222-y

Keynote webinar | Spotlight on medication adherence

Springer Medicine

A generic solution for web-based management of pseudonymized data

Abstract

Background

Methods

Results

Conclusions

Keynote webinar | Spotlight on medication adherence

Springer Medicine

Abstract

Background

Methods

Results

Conclusions

Please log in to get access to this content

Other articles of this Issue 1/2015

Evaluation of electronic patient-reported outcome assessment with cancer patients in the hospital and at home

Design and evaluation of a software for the objective and easy-to-read presentation of new drug properties to physicians

A systematic review of predictive models for asthma development in children

SEND: a system for electronic notification and documentation of vital sign observations

Conditions potentially sensitive to a Personal Health Record (PHR) intervention, a systematic review

A scoping review of cloud computing in healthcare