Wednesday, October 21, 2009

Privacy

When 2+2 Equals a Privacy Question
By NATASHA SINGER
Published: October 17, 2009

Time to revisit the always compelling — and often disconcerting — debate over digital privacy. So, what might your movie picks and your medical records have in common?

How about a potentially false sense of control over who can see your user history?

While Netflix and some health care companies say they have been able to offer study data to researchers stripped of specific personal details like your name, phone number and e-mail address, in some cases researchers may be able to re-identify you by correlating that "anonymous" information with the digital trail you have left on blogs, in chat rooms and on Twitter.

Of course, you may be fine with that. On the other hand, you may not want complete strangers rummaging around in your history of movie selections or medical needs.

For example, contestants in Netflix’s competition to improve its recommendation software received a training data set containing the movie preferences of more than 480,000 customers who had, as they say in the trade, been “de-identified.” But as part of a privacy experiment, a pair of computer scientists at the University of Texas at Austin decided to see if it was possible to re-identify those unnamed movie fans.

By comparing the film preferences of some anonymous Netflix customers with personal profiles on imdb.com, the Internet Movie Database, the researchers said they easily re-identified some people, because those customers had posted their e-mail addresses or other distinguishing information online alongside their movie opinions.

Vitaly Shmatikov, an associate professor of computer science at the University of Texas at Austin and a co-author of the “de-anonymization” study, says the researchers were able to analyze users’ public postings and connect that to their Netflix preferences — including how a person may have rated films with controversial themes. Those are choices a person may or may not want to make public, Mr. Shmatikov said.
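The linkage described above, as an added example that is not code from the article or from the Texas researchers: a small, self-contained version of the idea that a handful of publicly posted ratings can single out one record in a large "de-identified" ratings release. The user ids, titles, ratings and dates below are constructed; the scoring rule (rare titles weigh more than blockbusters, a match must be within one star and two weeks because the release may have perturbed values, and a match is only reported when the best record is far ahead of the runner-up) is a simplification of the published approach, chosen here for illustration, not a claim about the exact algorithm used.

```python
"""Sparse-data linkage: match an anonymized ratings record to an auxiliary
profile scraped from a public site such as IMDb.

Added example (not code from the article or the de-anonymization paper);
a simplified scoring-plus-eccentricity rule. All data below is constructed."""
import math
import statistics
from datetime import date

# Constructed "de-identified" release: user id -> {movie: (rating, date)}.
# Names are gone; the ratings and dates are what the release still leaks.
ANON = {
    "u1": {"Titanic": (5, date(2005, 3, 1)), "Forrest Gump": (4, date(2005, 3, 5)),
           "Pi": (2, date(2005, 6, 10)), "Amelie": (5, date(2005, 7, 1))},
    "u2": {"Titanic": (3, date(2005, 3, 1)), "Forrest Gump": (5, date(2005, 3, 5)),
           "Primer": (5, date(2005, 9, 2)), "Amelie": (4, date(2005, 7, 1))},
    "u3": {"Titanic": (4, date(2005, 3, 1)), "Forrest Gump": (3, date(2005, 3, 5)),
           "Pi": (5, date(2005, 6, 10)), "Koyaanisqatsi": (5, date(2005, 8, 20)),
           "Amelie": (2, date(2005, 7, 1))},
    "u4": {"Titanic": (5, date(2005, 3, 1)), "Forrest Gump": (4, date(2005, 3, 5)),
           "Amelie": (5, date(2005, 7, 1))},
    "u5": {"Titanic": (2, date(2005, 3, 1)), "Forrest Gump": (2, date(2005, 3, 5)),
           "Primer": (3, date(2005, 9, 2)), "Koyaanisqatsi": (4, date(2005, 8, 20))},
}

# Constructed auxiliary knowledge, e.g. scraped from someone's public reviews.
# TARGET_A mixes rare titles; note two ratings are off by one star from the
# release and the dates are a few days apart (the release may be perturbed).
TARGET_A = [("Pi", 5, date(2005, 6, 12)), ("Koyaanisqatsi", 4, date(2005, 8, 25)),
            ("Titanic", 4, date(2005, 3, 10)), ("Amelie", 2, date(2005, 7, 3))]
# TARGET_B knows only blockbusters, which many records share.
TARGET_B = [("Titanic", 5, date(2005, 3, 3)), ("Forrest Gump", 4, date(2005, 3, 6))]

RATING_TOL = 1       # tolerate +/-1 star: the release may have perturbed ratings
DATE_TOL_DAYS = 14   # tolerate two weeks: a public post date is not the rating date
PHI = 1.5            # eccentricity threshold: how far ahead the best match must be


def movie_weights(anon):
    """Rare titles carry more identifying power than ones everyone rated."""
    counts = {}
    for ratings in anon.values():
        for movie in ratings:
            counts[movie] = counts.get(movie, 0) + 1
    # log(1 + count) keeps a title rated once from getting an infinite weight
    return {m: 1.0 / math.log(1 + c) for m, c in counts.items()}


def score(record, aux, weights):
    """Sum the weight of every auxiliary (movie, rating, date) the record agrees with."""
    total = 0.0
    for movie, rating, when in aux:
        if movie not in record:
            continue
        r, d = record[movie]
        if abs(r - rating) <= RATING_TOL and abs((d - when).days) <= DATE_TOL_DAYS:
            total += weights[movie]
    return total


def deanonymize(anon, aux, phi=PHI):
    """Return (user_id, eccentricity) for the best-scoring record, or None when
    the best record does not stand out from the runner-up by at least phi
    standard deviations, i.e. when the auxiliary data is too generic to decide."""
    weights = movie_weights(anon)
    ranked = sorted(((score(rec, aux, weights), uid) for uid, rec in anon.items()),
                    reverse=True)
    sigma = statistics.pstdev([s for s, _ in ranked])
    if sigma == 0:
        return None
    (best, uid), (second, _) = ranked[0], ranked[1]
    ecc = (best - second) / sigma
    return (uid, ecc) if ecc >= phi else None


if __name__ == "__main__":
    print("rare titles:", deanonymize(ANON, TARGET_A))   # identifies u3
    print("blockbusters only:", deanonymize(ANON, TARGET_B))  # None: ambiguous
```

The eccentricity check is the part a practitioner should take away: without it the attack always "finds" someone, and the false matches would discredit the real ones. With it, the four obscure titles in TARGET_A pin the record down even though the ratings and dates do not match exactly, while TARGET_B's blockbusters tie several records and produce no identification.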

Steve Swasey, a Netflix spokesman, disputed the study’s conclusions, saying the customers were not re-identifiable because Netflix had altered the data set before sending it to contestants.

“There is no way with certainty that anyone could link a Netflix member with the data Netflix has disclosed by linking it with any publicly available data,” he said. “The anonymity of the information is comparable to the strictest federal standards for anonymizing personal health information.”

Nevertheless, the Texas researchers say they were indeed able to positively identify Netflix customers, and some privacy advocates say their study raises questions about whether newly strengthened laws governing the security of electronic health records — which contain information on diagnoses and treatments entered by health care providers — may offer incomplete privacy protection. Leaked movie preferences might embarrass or stereotype you, they said. But information extracted from medical records and then linked back to you, they said, has the potential to cause social, professional and financial harm.

“Movie records can be sensitive in some cases; it could be embarrassing for someone to find out I like romantic comedies,” Mr. Shmatikov, the computer scientist, said in a recent phone interview. “But definitely for health records, this is a huge issue.”

And you don’t need records containing a person’s name and address to figure out to whom the records belong, he said. “As our research shows, pretty much any information that distinguishes one person from another can be used to re-identify records.”

The idea of an entirely paperless medical system holds the promise of more efficient and cost-effective care. And, with the incentive of stimulus package money, many companies are rushing to sell clinical information systems to streamline services like patient scheduling, sample tracking, and billing at hospitals and clinics.

In some cases, the same companies that sell data management systems to hospitals and physicians also store that information and then repackage it to make money on other services.

The clinical information systems market in the United States has sales of $8 billion to $10 billion annually, and about 5 percent of that comes from data and analysis, according to estimates by George Hill, an analyst at Leerink Swann, a health care investment bank.

But by 2020, when a vast majority of American health providers are expected to have electronic health systems, the data mining component alone could generate sales of up to $5 billion, Mr. Hill said. Demand for the data is likely to be robust. Policy makers and hospitals will want to dig into it to analyze physician practices and glean information about patient health trends.

Big players like the Cerner Corporation, which maintains electronic health systems for 8,000 clients, including large hospitals and retail clinics, and smaller players like Practice Fusion, which offers its Web-based health record systems free to health care providers, say they make use of patient data collected from their clients.

A spokeswoman for Cerner, whose Web site promotes its “data mining of our vast warehouse of electronic health records,” said the company shares de-identified patient data with researchers or drug companies looking for patients to participate in clinical trials. The patient records are “double scrubbed,” she said, explaining that the company removes personal data like names and addresses before it runs a search using a numbered code for each patient.

Other sensitive information, like mental health records, might be removed before the patient data is sent out, she said.

The Web site of Practice Fusion, meanwhile, quotes Ryan Howard, the chief executive, as saying that the company subsidizes its free record-keeping systems by selling de-identified data to insurance groups, clinical researchers and pharmaceutical companies. In an interview, however, Mr. Howard said Practice Fusion had not yet started selling patient information but that it intended to do so.

New regulations require notifying patients if their personally identifiable medical information gets loose, and they prohibit selling protected health records. But privacy advocates said electronic health records remain vulnerable because no federal law now forbids the sale of de-identified health care data.

In 1997, for example, a researcher (Latanya Sweeney, then at M.I.T.) identified the medical records of William Weld, then the governor of Massachusetts, by correlating birth dates, ZIP codes and gender in voter registration rolls with hospital discharge data published by the state’s Group Insurance Commission.
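The Weld linkage above, and the per-patient “numbered code” described earlier in the article, as an added example that is not code from the article or from any vendor: replacing a name with a code is pseudonymization, and the columns left behind (date of birth, ZIP code, sex) can still be joined against a public list such as a voter roll. Every row and name below is constructed; the table layout, the `generalize` step and the function names are this example's own assumptions.

```python
"""Quasi-identifier linkage: join a 'scrubbed' medical extract (names replaced
by patient codes) against a public voter roll on date of birth, ZIP and sex.

Added example, not code from the article or any vendor; all rows are constructed."""
from collections import Counter, defaultdict

QUASI = ("dob", "zip", "sex")   # the columns that survive "scrubbing"

# Constructed medical extract: names removed, a per-patient code added,
# the diagnosis kept because that is what researchers are buying.
MEDICAL = [
    {"code": "P-1001", "dob": "1945-07-31", "zip": "02138", "sex": "M", "dx": "hypertension"},
    {"code": "P-1002", "dob": "1980-02-14", "zip": "02139", "sex": "F", "dx": "asthma"},
    {"code": "P-1003", "dob": "1980-02-14", "zip": "02139", "sex": "F", "dx": "depression"},
    {"code": "P-1004", "dob": "1962-11-02", "zip": "02140", "sex": "M", "dx": "diabetes"},
    {"code": "P-1005", "dob": "1990-05-20", "zip": "02141", "sex": "F", "dx": "fracture"},
]

# Constructed public voter roll: names are public, and so are the same three columns.
VOTERS = [
    {"name": "Ann Able",  "dob": "1980-02-14", "zip": "02139", "sex": "F"},
    {"name": "Beth Baker", "dob": "1980-02-14", "zip": "02139", "sex": "F"},
    {"name": "Carl Cole", "dob": "1945-07-31", "zip": "02138", "sex": "M"},
    {"name": "Dan Dodd",  "dob": "1962-11-02", "zip": "02140", "sex": "M"},
    {"name": "Ed Eng",    "dob": "1962-11-02", "zip": "02140", "sex": "M"},
    {"name": "Fay Fox",   "dob": "1971-01-01", "zip": "02142", "sex": "F"},
    {"name": "Gus Gray",  "dob": "1945-03-03", "zip": "02139", "sex": "M"},
]


def key(row, quasi=QUASI):
    """The tuple of quasi-identifier values a join would be performed on."""
    return tuple(row[c] for c in quasi)


def k_anonymity(rows, quasi=QUASI):
    """Size of the smallest equivalence class on the quasi-identifier.
    k == 1 means at least one row is unique on those columns, hence linkable."""
    return min(Counter(key(r, quasi) for r in rows).values())


def link(medical, voters, quasi=QUASI):
    """Map each patient code to the single voter sharing its quasi-identifier,
    or None when the join yields zero or several candidates."""
    by_key = defaultdict(list)
    for v in voters:
        by_key[key(v, quasi)].append(v["name"])
    result = {}
    for m in medical:
        candidates = by_key.get(key(m, quasi), [])
        result[m["code"]] = candidates[0] if len(candidates) == 1 else None
    return result


def reidentified(medical, voters, quasi=QUASI):
    """Only the codes that the join resolved to exactly one named person."""
    return {code: name for code, name in link(medical, voters, quasi).items() if name}


def generalize(row):
    """Coarsen DOB to birth year and ZIP to its first three digits, so more
    people share each value and the join stops resolving to one person."""
    g = dict(row)
    g["dob"] = row["dob"][:4]
    g["zip"] = row["zip"][:3]
    return g


if __name__ == "__main__":
    print("k on the scrubbed extract:", k_anonymity(MEDICAL))          # 1
    print("re-identified:", reidentified(MEDICAL, VOTERS))             # {'P-1001': 'Carl Cole'}
    coarse_med = [generalize(m) for m in MEDICAL]
    coarse_vot = [generalize(v) for v in VOTERS]
    print("after generalization:", reidentified(coarse_med, coarse_vot))  # {}
```

Two caveats a practitioner would want. First, a numbered code does nothing here: `link` never looks at it, only at the columns that were left in. Second, a tie is not safety. P-1004 matches two voters, so `link` reports None, but the diagnosis “diabetes” now belongs to one of two named men, which is an attribute disclosure even without a unique identification. Generalizing the quasi-identifiers is what actually removes the link, at the cost of coarser data for the researchers.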

There are no current federal laws against re-identification, said Dr. Deborah Peel, a psychiatrist who is a director of Patient Privacy Rights, a nonprofit watchdog group in Austin, Tex.

“Once personal health data gets out there, it’s like the Paris Hilton sex tape,” Dr. Peel said. “It is going to be out there forever.”

5 comments:

  1. I was reading this article and two things came to my mind. First one - I'm sure many heard the story about Gary McKinnon who was able to make his way and hack into the Pentagon and NASA computers from his home. I'm not sure how much computer knowledge McKinnon has, if he has any legal/illegal programs that assisted him, but I'm sure that there are many people out in the world who have the same or even further skills and ability to do the same. I think that computerized health records are a great idea to cut cost and improve quality of care so that if a patient seeks care at a different hospital, the new doctor/physician will have substantial information about the patient, what procedures were done, and any notes by the previous doctor. However, I think that there's no way to definitely keep all information private online. As technology improves, people's ability to hack into computer systems will also improve.

    The second thing that came to my mind when I saw the word Netflix is the movie called "Boondock Saints". In the movie, two brothers believe that it is their duty from God to go and kill "bad guys", such as mob leaders. In one sense, the two brothers are heroes for trying to get rid of so-called evil, but in another sense, is it really right for them to have the power to kill who they think should be eliminated?

  2. The availability of personal information on the internet seems to be growing exponentially. With social networking sites and blogs, people post intimate information about themselves on a daily basis. People like to feel that their information is restricted to who they allow to see it, but essentially anything put out on the internet can be found and traced back to the author with enough research. This Netflix experiment shows that even de-identified information can be traced back to the author, which seems a clear indication of the limitless possibilities there are to track anyone's behavior through the internet.
    It would be a great advancement in the medical field if medical records could be kept electronically and shared over a lifespan between one's doctors and one's specialists. But, this innovation has the potential to be a dangerous one. If anonymized health information about someone's history of emotional instability and depression was traced back to them, it could potentially hurt their employment opportunities. If someone's participation in a research study got traced back to them, their insurance company might use it against them in some way to deny future coverage.
    The benefits of using electronic information to track a patient's history must outweigh the consequences to be effective. This may require that restrictions and laws be implemented about the release of information, even de-identified, to assure the patient's protection.

  3. I believe that in this day and age of technological advancement, it is important to separate and understand what is safe to put online and what is not. Many social networking sites such as Facebook and Twitter allow individuals to track other individuals and look at their profiles. However, at the same time, these sites allow individuals to set up their own privacy functions to block potential intruders from seeing their pictures or information.

    I believe that this should and needs to be a part of the medical information stored in databases. I believe that files should be encrypted and limited data should be released to researchers if they need the data for studies. Furthermore, I believe that institutions should ask individuals before releasing their data to these researchers so that problems such as "de-identifying" and others do not occur. It is the patient's own information and they should decide how much of it they want released to outsiders they do not know. I believe it is a clear violation of autonomy if they just release the information without notifying the patients. It is unethical.

    ~ Tully Cheng

  4. Although technology is exponentially improving and the healthcare industry should increase its technological advancements at a similar rate, in order for medical records to be perfectly secure, they should not be on the computer. In computer science class we learned that although social networking sites such as Facebook do promise to keep some aspects of your profile private, someone, besides yourself, can still see all aspects of your profile. Every action performed, every page visited, every picture posted and viewed is recorded in a database. Someone, with high access, still has access to this information.

    I do agree with the above posts that if medical records do become electronic then some sort of privacy, similar to Facebook and social networking sites, needs to be enacted. However, it is important to keep in mind that although certain aspects are private to the public, someone other than yourself, insurers, and doctors will know your medical information. Once records are leaked onto the internet it is not completely private anymore.

  5. The technological advancement of electronic medical records may help lower the extremely high administrative costs in health care in the United States. This method of handling patient health records will potentially make it easier to schedule appointments, find information on a patient, and bill the patient or insurance company. I have had personal experience of the benefits of electronic medical records, since I have had experience working in a doctor’s office. It lets more time be devoted to caring for the patient instead of wasting time dealing with paperwork and searching for a patient’s medical records. However, the disadvantage of having electronic medical records is it “has the potential to cause social, professional and financial harm.” This is because there is the possibility that someone’s identity can be discovered and linked to their medical records; their medical information would then be available to the public’s access.
    Although electronic medical records contribute to the advancement of health care, there exists a risk of the patient’s medical information being released without the patient’s consent, and that is unethical. To prevent this unethical problem from occurring, the medical records should only be released by requiring consent from the patient. If the patient is not competent, such as a minor or an individual with dementia, consent needs to be obtained from the surrogate. The electronic medical records should only be accessible to certain medical professionals, to prevent the public gaining access to the information.
