k-Anonymity in Context of Digitally Signed CDA Documents

If medical data are provided to third parties for secondary use, the protection of the patients' privacy is an essential issue. In general this is accomplished by removing identifying and quasi-identifying information to provide k-anonymity for a given data set. This means that one patient cannot be distinguished from at least k−1 other individuals. However, if the single records of the data set are digitally signed, modifying those records invalidates their signatures, so their integrity and authenticity can no longer be verified. Hence, digital signatures, which are an invaluable tool for verifying the integrity and authenticity of digital medical data, seem to be inadequate in this scenario. But, especially in the context of secondary use, malicious manipulations and processing errors may lead to serious failures in a subsequent medical (treatment) process. In this paper we propose a novel approach based on generalized redactable signatures that realizes k-anonymity for sets of digitally signed records. To the best of our knowledge this is the first work that combines these seemingly contradictory topics very efficiently. In particular, the proposed solution allows any party to verify the original digital signatures for medical data, although these data are modified during the process of achieving k-anonymity. The main advantage of this approach is that all parties involved in the aforementioned process are able to verify the integrity and authenticity based on the original digital signatures.
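The following Python sketch is an added illustration of the idea in the abstract, not the paper's own construction (whose details the abstract does not give): the signer signs a salted hash list that contains every generalization level of each attribute, the data provider redacts the levels below the chosen one until the record set is k-anonymous, and any verifier checks the original signature over what remains. Assumptions: HMAC with a constructed key stands in for the real signature scheme, a flat hash list replaces a Merkle tree, and the records, generalization hierarchies and quasi-identifier choice are constructed sample data.

```python
import hashlib, hmac, os
from collections import Counter

SIGNER_KEY = b"constructed-demo-key"  # assumption: stand-in for the signer's private key

def _leaf(field, level, value, salt):
    # salted leaf hash: a removed value cannot be brute-forced from its surviving hash
    return hashlib.sha256(b"|".join([field.encode(), str(level).encode(), value.encode(), salt])).digest()

def _root_sig(leaves):  # HMAC over the hash list stands in for a real signature (e.g. XMLDSig)
    return hmac.new(SIGNER_KEY, hashlib.sha256(b"".join(leaves)).digest(), hashlib.sha256).digest()

def sign_record(record):
    # record: {field: [most specific value, ..., most general]}; every level gets its own signed leaf
    disclosed = {(f, i): (v, os.urandom(16)) for f, lv in record.items() for i, v in enumerate(lv)}
    leaves = [_leaf(f, i, v, s) for (f, i), (v, s) in disclosed.items()]
    return {"leaves": leaves, "sig": _root_sig(leaves), "disclosed": disclosed}

def redact(signed, level_of):
    # drop every value below the chosen generalization level; leaf hashes and signature are untouched
    keep = {key: val for key, val in signed["disclosed"].items() if key[1] >= level_of.get(key[0], 0)}
    return {"leaves": signed["leaves"], "sig": signed["sig"], "disclosed": keep}

def verify(signed):
    # any party checks the original signature on the hash list, then each disclosed value against its leaf
    return hmac.compare_digest(_root_sig(signed["leaves"]), signed["sig"]) and all(
        _leaf(f, i, v, s) in signed["leaves"] for (f, i), (v, s) in signed["disclosed"].items())

def most_specific(signed, field):
    lv = [(i, v) for (f, i), (v, _) in signed["disclosed"].items() if f == field]
    return min(lv)[1] if lv else None

def k_anonymize(signed_records, quasi_ids, k):
    # global recoding: generalize the quasi-identifier with the most distinct values one level
    # at a time until every combination of disclosed values occurs at least k times
    if len(signed_records) < k:
        raise ValueError("fewer than k records: k-anonymity is unreachable")
    level_of = {q: 0 for q in quasi_ids}
    while True:
        out = [redact(r, level_of) for r in signed_records]
        combos = Counter(tuple(most_specific(r, q) for q in quasi_ids) for r in out)
        if min(combos.values()) >= k:
            return out
        level_of[max(quasi_ids, key=lambda f: len({most_specific(r, f) for r in out}))] += 1

# constructed sample data: zip and age are quasi-identifiers, each with a generalization hierarchy
RECORDS = [
    {"zip": ["10117", "1011*", "101**", "*"], "age": ["34", "30-39", "*"], "diagnosis": ["flu"]},
    {"zip": ["10119", "1011*", "101**", "*"], "age": ["36", "30-39", "*"], "diagnosis": ["asthma"]},
    {"zip": ["10243", "1024*", "102**", "*"], "age": ["52", "50-59", "*"], "diagnosis": ["flu"]},
    {"zip": ["10245", "1024*", "102**", "*"], "age": ["58", "50-59", "*"], "diagnosis": ["diabetes"]},
]

def demo(k=2):  # sign every record, then release a k-anonymous set whose original signatures still verify
    return k_anonymize([sign_record(r) for r in RECORDS], ["zip", "age"], k)
```

With the sample data, `demo(2)` generalizes zip to the four-digit prefix and age to a decade, after which each released record still verifies against the signer's original signature.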
