Serum (Major)

Download as pdf or txt
Download as pdf or txt
You are on page 1of 10

The SERUMS tool-chain: Ensuring Security and Privacy of Medical Data in Smart

Patient-Centric Healthcare Systems

V. Janjic, J.K.F. Bowles, A.F. Vermeulen, A. Silvina M. Belk, C. Fidas, A. Pitsillides


School of Computer Science, University of St Andrews Department of Computer Science, University of Cyprus
St Andrews, United Kingdom Nicosia, Cyprus
{vj32,jkfb,afv,as362}@st-andrews.ac.uk {belk,fidas,andreas.pitsillides}@cs.ucy.ac.cy

M. Kumar, M. Rossbory M. Vinov T. Given-Wilson, A. Legay


Data Analysis Systems IBM Research Laboratory Universite Catholique de Louvain
Software Competence Center Hagenberg Haifa, Israel Louvain-la-Neuve, Belgium
Hagenberg, Austria [email protected] {thomas.given-wilson,axel.legay}@uclouvain.be
{mohit.kumar,michael.rossbory}@scch.at

E. Blackledge R. Arredouani, G. Stylianou and W. Huang


Sopra Steria Accenture B. V.
Edinburgh, United Kingdom Amsterdam, Netherlands
[email protected] {r.arredouani,georgios.stylianou,wanting.huang}@accenture.com

Abstract—Future-generation healthcare systems will be need to be collected from a variety of sources and exchanged
highly distributed, combining centralised hospital systems with in a variety of ways, including over public networks that
decentralised home-, work- and environment-based monitoring cannot be implicitly trusted. At the same time, however,
and diagnostics systems. These will reduce costs and injury-
related risks whilst both improving quality of service, and we have stricter regulations on ownership and handling of
reducing the response time for diagnostics and treatments personal data. Transnational standards for data protection,
made available to patients. To make this vision possible, such as the EU General Data Protection Regulation1 , will
medical data must be accessed and shared over a variety need to be combined with local regulations, giving very
of mediums including untrusted networks. In this paper, we strict rules about who is allowed to access (parts of) patient
present the design and initial implementation of the SERUMS
tool-chain for accessing, storing, communicating and analysing data. Complying with data protection regulations whilst
highly confidential medical data in a safe, secure and privacy- facilitating data exchange and analytics in a decentralised
preserving way. In addition, we describe a data fabrication way is a key challenge for future healthcare systems.
framework for generating large volumes of synthetic but In this paper, we describe a methodology and complete
realistic data, that is used in the design and evaluation of
the tool-chain. We demonstrate the present version of our
tool-chain that will be developed over the course of the on-
technique on a use case derived from the Edinburgh Cancer going EU H2020 project SERUMS2 to address safe, secure
Centre, NHS Lothian, where information about the effects and privacy-preserving storage, access, communication and
of chemotherapy treatments on cancer patients is collected analysis of the medical data in future-generation smart health
from different distributed databases, analysed and adapted to centres. Our main goal is to put patients at the centre of
improve ongoing treatments.
the future healthcare provision in Europe, enhancing their
Keywords-Medical data, Smart Healthcare, Data Sharing, personal care and maximising the quality of treatment that
Privacy, Security, Personalised Medicine they will receive, whilst ensuring trust in the security and
privacy of their confidential medical data.
I. I NTRODUCTION
To reduce the scope of the paper, we restrict our attention
The healthcare systems of the future will be highly decen- to a subset of the SERUMS technologies. We propose a
tralised, integrating home-, work- and environment-based universal format for patient records, to allow a uniform
monitoring systems with existing hospital diagnostic sys- representation of patient data across different use cases
tems. The benefits of integrating such a variety of systems and describe its implementation. We describe FlexiPass, an
and information on patients include a reduction of costs and
travel-associated risks while allowing patients to get faster 1 Information
on GDPR can be found at https://gdpr-info.eu/
diagnostics and better medical treatments that more accu- 2 Securing
Medical Data in Smart Patient-Centric Healthcare Systems
rately suit their needs. As a consequence, medical data will (SERUMS): https://serums-h2020.weebly.com
authentication mechanisms to access these records, together mechanisms that will ensure that only properly authorised
with the application of blockchain technology to control staff have access to (parts of) personal and medical data. At
permissions, ensuring that only allowed staff have access to the same time, we consider world-leading levels of compli-
required parts of patient records, and to save the access his- ance to existing and emerging legal and ethical standards.
tory of all records. We describe a novel, privacy-preserving
data analytics mechanism which ensures that the analytics III. SERUMS T OOL -C HAIN
model itself does not accidentally leak sensitive information. Figure 1 gives an overview of the SERUMS tool chain and
Finally, we present a data fabrication approach that allows the overall process of accessing data across a distributed
the generation of synthetic but realistic data, given a strict healthcare system. The core of it is a centralised data lake
format of patient records and dependency rules between that holds the smart patient records (see Section IV-A).
its elements. In the context of the SERUMS project, we Note that, while the patient records are centralised, the
only use generated synthetic data for the development and data in them may refer to databases distributed inside and
verification of our technologies, but we will furthermore outside of the hospital environment. These records contain
prove formally the closeness of the synthetic and real data. all information about the patients, from static information
For illustration, we present one of SERUMS real-world use such as date of birth, gender and contact information, to
cases on predicting toxicity levels of cancer treatments. vital information such as weight, body mass index, allergies,
to dynamic information about treatments and examinations.
II. BACKGROUND
Some of the data for the records will be collected from
The emergence of Internet-of-Things (IoT) technology is within the healthcare system over trusted networks, while
having a profound effect on the development of modern other may be collected from personal health monitoring
healthcare systems. Traditionally healthcare systems were devices, etc. Data sent over untrusted networks must be
highly centralised with data relevant to a patient, as well secured using data encryption mechanisms.
as the devices used to obtain this data (e.g., blood pressure When staff needs to access patient data, they first log in
monitors, CT scanners), residing in a central location, for to the central healthcare system using secure authentication
example within a hospital. From a security and privacy mechanisms. In the SERUMS project, our aim is to develop
point of view, collecting, storing and processing such data personalised and adaptive multi-factor user authentication
was relatively simple, since the data only needed to be schemes (see Section IV-D). Once the user logs in, their
communicated over trusted networks. However, as personal access rights are checked using the blockchain backend
medical devices become cheaper and more prevalent, and which is linked to a distributed blockchain database. Differ-
there is an increased realisation of the benefits of integrating ent classes of users (e.g. patients, GPs, specialists, insurers)
a variety of health data sources for improved healthcare will have different levels of permissions, according to GDPR
provision, new significant challenges emerge with sharing and other legal and ethical regulations. For example, the
private and confidential data across public networks. In patient has full access to their record, while a specialist can
particular, we need to be able to ensure: only access parts of the record that are relevant to them. The
• Trust: Patients must be able to trust that systems operate blockchain ensures that only authorised agents can access the
as intended and that their data is fully protected. data, and depending on permissions, possibly only be part
• Security, Privacy and Anonymity: Systems must operate of the data. The blockchain contains all access rules and
efficiently and guarantee the best possible quality of transitions, and keeps a record the data access history. Note,
healthcare, whilst simultaneously providing high lev- however, that no actual data is stored in the blockchain.
els of security and expectations on data privacy and Once the user is authenticated and the access rights are
anonymity. checked, the requested data from the smart patient records
• Data Control: Patients must have full control of their data lake is sent back to the user. If the user does not have
data according to expectation and law, whilst allowing full access rights to the record, the data transfer may involve
medical staff data access as required. masking parts of the data, i.e., hiding parts of the record that
• Regulation Compliance: The smart healthcare system the user has no access right to see. The access transaction
must comply with regulations at various levels, includ- itself is stored in the blockchain database.
ing GDPR, local legislation and policy that may at Finally, different kinds of analysis will need to performed
times conflict with the above goals or other legislation. on patient data. In the SERUMS project, we focus on
SERUMS tackles the above problems by (1) addressing se- deep learning analytics to drive diagnostics and prediction
curity and protection of shared medical data across untrusted of treatment outcomes (see the use case in Section V-A).
networks; (2) integrating personal medical data, coming Since the data referred to from the smart patient records is
from various sources, into coherent and structured smart distributed, and we assume that some of this data cannot
patient records; (3) enabling data analytics techniques over leave the place where it is stored, the analytics will also
distributed data; and (4) developing authentication and trust need to be performed in a distributed way. We need to
Blockchain
Patient Home Environment

Blockchain Database

n
tio

Data Access
ryp
nc

Data Access

Granted
E

Request
ta
Da

Out-of-hospital Environment

Scans Database
Authentication

Login National Healthcare


Secure

Database
Data Encryption

Central Patient Oncology Database


Database

Data Se cryp Hospital Environment


En
m tio
an n

Data Masking
tic

Data Analytics
Framework

Figure 1. The overview of SERUMS tool-chain

make sure that no unsafe information is revealed by the the distributed nature of health systems means that we cannot
learning models, as well as to ensure security of the data assume that data is stored in one central location. Secure
communicated between the central patient record database communication of data across untrusted networks might
and the analytics model (which may reside in the cloud). be required at any point the patient record is accessed.
In this context, our aim is to develop privacy-preserving To develop a generic infrastructure for safe and secure
distributed deep-learning analytics models for data analysis communication of distributed medical data, it is highly
(see Section IV-C). desirable for the patient data (including pointers to any data
For the purposes of developing, verifying, and testing the that resides on remote systems) to be stored in a precise and
complete SERUMS infrastructure, the SERUMS project will machine-readable format.
use synthetic instead of real patient data, to avoid any privacy In the SERUMS technology tool-chain, the Smart Patient
and security concerns. Data fabrication (See Section IV-B) Record represents a central information source for informa-
technology allows us to rapidly generate large volumes of tion about patients registered in Europe. These records ag-
data that is the same in terms of structure as real data, but gregate a complete patient medical history across approved
which was synthetically generated. The strict format of the healthcare providers. The information in a single record in-
smart patient records, the formally defined rules on possible cludes both relatively static information (such as name, age,
values for each field, the relationships between different address, type of insurance, allergies) and highly dynamic
fields and the well-formulated data interaction rules, makes information (such as undergoing treatments, results of scans
it possible to automate this process. and hospital admissions). For each healthcare institution,
smart patient records will reside in a Smart Healthcare Data
IV. SERUMS T ECHNOLOGIES
Lake. The Smart Patient Record Format represents metadata
A. Smart Patient Records that describes the data in the records. We propose a universal
Good organisation of patient data is essential to the smooth format for patient records that can be used for describing
and correct operation of any health system. Furthermore, different use cases within SERUMS and is applicable to
new legislation for privacy and ownership of the data (such future healthcare systems.
as GDPR) together with a highly-decentralised organisation Our universal format is based on the concept of data
of modern health providers impose additional requirements vault [16], which consists of hubs (unique business keys),
for health data. Ideally, patient data should be owned by links (that represent associations between hubs) and satellites
the patient, and only they have full access to their data. (where attributes of the hubs and links are stored). The
Other system users, such as specialists, general practitioners general data vault has unlimited types of hubs, links and
and insurers, are expected to have access to parts of the satellites to model real-world data. The SERUMS project has
data relevant to the services they provide (e.g. diagnostics, introduced a more limited type of hub, link and satellite clas-
treatment, insurance etc.). In addition to access restrictions, sification [19] to force a more generalised view of all data
sources. This will support scaling [20] of the data vault. We
propose a Time-Person-Object-Location-Event (T-P-O-L-E)
data vault as a universal smart patient record format, such
that:
• Time: the dates and times of events are stored in
Coordinated Universal Time.
• Person: information about patients is stored using the
concept of ”Golden Nominal”. This type of record is
a single person record with a unique reference to that
person.
• Object: other referable entities that are stored, including
organisations (hospital, bank, medicine suppliers etc.),
physical objects (medicine, bank cards, vehicles, hos-
pital beds), buildings etc. Figure 2. Flow of Generating Fabricated Data
• Location: described by latitude, longitude and altitude
[18].
• Event: an abstraction of any event or action in the real-
world, including scans, home visits by a doctor and production data. The platform provides a comprehensive and
treatments. hybrid solution that can create a mixture of synthetic and real
The T-P-O-L-E data vault supports a future-proof design data according to user requirements.
of the healthcare solution by enabling adding data at any
point with full history capabilities. This model is the basis To overcome the shortcomings of existing data gener-
for the single-truth records data sharing and processing ation techniques, DFP generates data using a proprietary
engine of the SERUMS project. The solution then uses Constraint Satisfaction Problem (CPS) solver (See Figure 2).
advanced security to protect the information in a cross- This methodology is generic and does not require access to
country configuration respecting patient consent. This health real data, making it very safe to use in our setting. Data
record system will be able to support evolving coordinated fabrication consists of the following steps.
services [25]
1) The user defines a data project which contains the
B. Data Fabrication structure of the data, the constraint rules and the fabri-
IBMs Data Fabrication Platform (DFP) is a web based cen- cation configuration. In order to construct a constraint
tral platform that provides a consistent and organisational- satisfaction problem for the solver, the platform anal-
wide methodology (rule-guided fabrication) for generating yses the table metadata to get the desired properties
high-quality data for testing, development, and training. (columns data types, referential integrity constraints
Fabrication of synthetic data consists of two stages - data etc.).
modelling and data generation. Furthermore, data modelling 2) The platform then selects a subset of the relevant
comprises resources and structure definitions, constraint rules and tables using the fabrication configuration,
rules definitions and fabrication configuration definitions. with possible addition of relevant parent tables and
Input and output resources are standard relational databases some default rules (e.g. PK and Unique Column). This
(e.g., DB2, Oracle, PostgreSQL, SQLite), standard file for- information is used for the construction of a database
mats (e.g., Flat file, XLS, CSV, XML, JSON) and streaming table dependency graph. For each table in that graph,
via MQTT protocol. starting at root nodes, structural record dependencies
In rule guided fabrication, the database logic is extracted are built recursively.
automatically and is augmented by application logic and 3) Based on the dependency graph, the fabrication pattern
testing logic modelled by the user. The application logic is computed where each target table record is assigned
and the testing logic can be modelled using rules that the to one of the following fabrication modes: New, Reuse
platform provides, but the users can also add new rules. or Other. Given the patterns, the graph and the rules,
Once the user requests the generation of a certain amount a CSP problem can be created. The problem consists
of data into a set of test databases, the platform internally of variables and rules, and a solution is an assignment
ensures that the generated data satisfies the modelled rules of values to variables that satisfies the rules.
as well as the internal databases consistency requirements. 4) Finally, the CSP problem is submitted to the solver,
The platform can generate data from scratch, inflate existing which produces a desired number of solutions to the
databases, move existing data, and transform data from pre- problem and stores them in the appropriate places
viously existing resources, such as old test databases or even (e.g. database, file or stream).
C. Distributed Privacy-Preserving Data Analytics Definition 3 ((, δ)−Differential Privacy for A+ ): The
Machine learning methods such as deep neural networks algorithm A+ (Y) is (, δ)−differentially private if
have delivered remarkable results in data-analytics for a P r{A+ (Y) ∈ O} ≤ exp()P r{A+ (Y0 )) ∈ O} + δ (2)
wide range of application domains, including healthcare.
However, their training requires large data-sets which might for any measurable set O ⊆ Range(A+ ) and for d−adjacent
be containing sensitive information that need to be be pro- matrices pair (Y, Y0 ). Here, P r{·} is the probability taken
tected from model inversion attack [13] and adversaries with over the randomness used by algorithm.
access to model parameters and knowledge of the training Result 1 (An Optimal (, δ)−Differentially Private Noise):
procedure. This problem is addressed within the framework The probability density function of noise that minimise
of differential privacy [2], [24]. Machine learning algorithms the expected noise magnitude together with satisfying the
typically operate on data in the form of a matrix where sufficient conditions for (, δ)−differential privacy of A+
e.g. rows correspond to features and columns correspond to is given as
samples. The particular problem in the context of matrix- 
δDiracδ(v), v=0
valued data is to protect a machine learning algorithm, fv∗i (v) =   (3)
j (1 − δ) exp(− |v|), v ∈ R \ {0}
under differential privacy framework, from an adversary 2d d
who seeks to gain an information about the data from an where Diracδ(v) is Dirac delta function satisfying
R∞
algorithm’s output by perturbing the value in an element Diracδ(v) dv = 1. The optimal value of expected
−∞
of the training data matrix. Despite the fact that random noise magnitude is given as
noise adding mechanism has been widely studied in privacy-
d
preserving machine learning, there remains the challenge Ef ∗i [|v|] = (1 − δ) . (4)
of studying privacy-utility trade-off for matrix-valued query
v
j 
functions. Our recent work [17] has suggested a novel Proof: The proof follows from [17].
entropy based approach for resolving the privacy-utility 2) Differentially Private Distributed Deep Learning: The
trade-off for real-valued data matrices. The study in [17] post-processing invariant property [10] of differential privacy
mathematically derives the probability density function of allows one to compose a global private deep model from
noise that minimizes the expected noise magnitude together local private deep models.
with satisfying sufficient conditions for (, δ)−differential
privacy.
1) An Optimal (, δ)−Differentially Private Noise for
Real-Valued Matrices: Consider a data-set consisting of N
number of samples with each sample having p number of
attributes represented by a matrix Y ∈ Rp×N . A given ma-
chine learning algorithm, training a model using data matrix
Y, can be represented by a mapping, A : Rp×N → M, Figure 3. A structural representation of the differentially private distributed
where M is the model space. learning for deep models.
Definition 1 (A Private Algorithm): Let A+ : Rp×N →
Range(A+ ) be a mapping defined as The distributed form of differentially private deep learning
is represented in Fig. 3 where a privacy wall is inserted
A+ (Y) = A (Y + V) , V ∈ Rp×N (1)
between training data and the globally shared data. The
where V is a random noise matrix with fvji (v) being the privacy wall uses noise adding mechanisms to attain dif-
probability density function of its (j, i)−th element vji ; vji ferential privacy for each participant’s private training data.
0
and vji are independent from each other for i 6= i0 ; and Therefore, the adversaries have no direct access to the
A(·) is a given mapping representing a machine learning training data.
algorithm.
D. Flexible User Authentication
Definition 2 (d−Adjacency for Data Matrices): Two
matrices Y, Y0 ∈ Rp×N are d−adjacent if for a given d ∈ The SERUMS user authentication scheme will go beyond
R+ , there exist i0 ∈ {1, 2, · · · , N } and j0 ∈ {1, 2, · · · , p} traditional ”one-size-fits-all” practices towards adopting a
such that ∀i ∈ {1, 2, · · · , N }, j ∈ {1, 2, · · · , p}, personalised and adaptable multi-factor user authentication
 scheme which will be based on a flexible authentication
d, if i = i0 , j = j0
yji − yj0i ≤ paradigm, coined FlexPass [5], [8], [14]. A first conceptual
0, otherwise
design of the proposed flexible user authentication paradigm
where yji and yj0i denote the (j, i)−th element of Y and Y0 is depicted in Figure 4. Our approach attempts to provide
respectively. Thus, Y and Y0 differ by only one element and a new user authentication paradigm that leverages upon
the magnitude of the difference is upper bounded by d. theories in Cognitive Psychology (dual coding, episodic and
semantic memory), which suggest that humans’ episodic and that is realised as an SMS notification including an OTP,
semantic memories, represented as verbal and visual infor- and a mobile application notification. After verifying their
mation, can be transformed into memorable and personal identity, users will login through their preferred user authen-
authentication secrets. Such secrets can be semantically tication type based on the FlexPass paradigm. Furthermore,
similarly reflected on both textual and graphical password the open-ended nature of the paradigm might affect users
keys, and accordingly used complimentary based on user towards misuse strategies. To assure that users will not
preference (Figure 4) [5]. The paradigm relies on a single, create semantically insecure (predictable) grids of images,
open-ended, user-selected secret that can be reflected as a automated image tagging technologies and policies need to
textual key and a graphical key. be investigated to prevent users unsafe coping strategies.

E. Blockchain

Blockchain is a programmable, distributed ledger with


an immutable history of transactions. For every transaction
consensus has to be reached among the participating organ-
isations (or commonly denoted as nodes) before it can be
written on the ledger. Blockchain is programmable via the
notion of a smart contract that is simply a piece of code, that
is installed and executed within the Blockchain network; the
execution of a smart contract’s function creates a transaction.
Note that the transaction is written on the ledger of each
Figure 4. Conceptual design of the Flexible User Authentication Paradigm node concurrently. Consequently, the ledgers are always
synchronised. If a node has some downtime, when it restarts,
The FlexPass paradigm extends existing works in it automatically synchronises its ledger to the ledgers of the
knowledge-based user authentication based on theories of rest of the nodes. In addition, a single ledger (of a single
human cognition with the aim: a) to enhance memorability node) cannot be tampered unless the attacker can manage to
through ownership, and prior experience and knowledge concurrently infiltrate at least the majority (if not all) of the
of each single user; and b) to support user authentication nodes, depending on the consensus protocol used.
adaptability since users can choose their preferred way to In the proposed architecture a blockchain network is
login based on their needs and context of use. For example, created where every relevant organisation (e.g a hospital)
users that are on the move and interact on their smartphone participates. The user’s permissions that control access for
might prefer to login with a graphical password, instead of the SPHR are programmed using smart contracts. This
entering text on a virtual keyboard which is considered a allows versatility as the rules used to form the permissions
demanding and time-consuming task [26]. The same user can be updated whenever required. However, due to the
however, in a different context, e.g., while at home working Blockchain’s nature, a single organisation cannot force an
on the desktop computer, can choose to login through his update of these rules as transactions will not be able to
textual password key. Note that in both cases, the user is reach consensus and inevitably will not be written on the
only required to recall the same single secret, which can be ledger. The process flow for setting up access control is
reflected differently based on the users preference. Similarly, shown in Figure 5. The medical organisation (e.g. hospital)
older adults might prefer to always login with a graphical creates generic smart contracts (access rules) and stores them
password since they find it easier than textual passwords, in the blockchain (step 1). The Patient also creates custom
as opposed to younger adults that instead, prefer traditional smart contracts about their data, which are also stored in
textual passwords [22]. the blockchain (step 2). The patient’s ID is shared with
Nevertheless, the dual nature of FlexPass embraces new the doctor (step 3), who then authenticate themselves to
security vulnerabilities that need to be addressed, i.e., it the system (step 4). The Doctor requests access to data
introduces a new observational attack since adversaries can about a patient (step 5). The IDs of the doctor and the
see the set of pictures (user-selected and decoy images) patient are checked against the access rules in the blockchain
during login. A brute-force algorithm could use such infor- (check/audit trail). This results in a request for an access
mation from the graphical representation to guess the secret. token from the data vault (step 6). The data vault provides
Aiming to add an additional layer of security, we use a the access token (step 7) and the response with this token is
second factor for authentication through push notifications as sent to the doctor (step 8). The doctor requests data about
a first step before proceeding to login. In particular, at a first the patient from the data vault using the token (step 9) and
stage users will be required to approve a push notification the data is afterwards fetched from the vault (step 10).
Figure 5. Process flow for access request

V. E VALUATION
We present an initial evaluation of the SERUMS technolo-
gies presented in Section IV on a use case based on the Figure 6. Toxicity Predictor for Breast Cancer Treatment
Edinburgh Cancer Data Gateway (ECDG).
A. Use Case - Edinburgh Cancer Data Gateway
We are developing a dashboard to help oncologists observe,
monitor, and analyse the condition of their patients over
time. It can also be used to analyse the effect of different
chemotherapy treatments when given to patients with similar
characteristics, and consequently influence future decisions
to improve the well-being and survival rate of patients. Our
ultimate aim is to build a toxicity predictor (Figure 6) to
predict the toxicity of chemotherapy treatments based on
history and feedback from patients. Figure 7 shows the
data structure we use for training the toxicity predictor. We
Figure 7. Database Structure for Training the Toxicity Predictor Model
extracted data for training the machine learning models from
three main databases (i.e., Chemocare, Trak, and Oncology
Table name # vars # num # categorical # bool
DB) within the Edinburgh Cancer Centre (ECC). The data
NDC SMR01 17 3 13 1
contains the information on treatment cycles, recorded side NDC SMR06 9 2 7 0
effects (here, toxicity level), comorbidities, and various ob- NDC Charlson 20 9 5 6
servations concerning breast cancer patients for three years Chemocare Toxicity 17 14 3 0
Chemocare Treatment 19 8 11 0
(from 2014 to 2016). The extraction has data for 51,661
treatments, of which 13,030 are breast cancer treatments. Table I
DATABASE TABLES S TRUCTURE FROM THE E DINBURGH C ANCER
There are 933 unique patients, and some patients may have G ATEWAY U SE C ASE .
two or three different treatments/regimes. Each regime has
several cycles ranging from one to more than 50 cycles.
B. Smart Patient Records
The data from the Edinburgh Cancer Gateway (see Table I), • Object: main operation a, main operation b,
is abstracted out into their data vault structure. For example, main condition, other condition 1, other condition 2,
the original form of NDC SMR01 is given in Figure 8. Each other condition 3, other condition 4.
of the columns is examined and classified under one of the These are then broken up into smaller subcategories which
hubs of the TPOLE data vault: will form the satellites of the data vault. In this example,
• Time: admission date, discharge date, length of stay; the Object category can be seen to be made up of two sets:
• Person: sex, age in years, ethnic group, one containing details about the operations, and the other
marital status, postcode; or containing details about the conditions.
can choose their preferred way to authenticate; either by
entering the textual password or the graphical password that
represents their single secret. Consider a password creation
scenario in which a user chooses a secret derived from his
episodic memory, e.g., Places that we visited in Europe.
In this scenario, the textual password key is based on the
articulation of the secret, e.g., the system will generate a
textual password key PlacesThatWeVisitedInEurope. For the
creation of the graphical password key, the user chooses
pictures illustrating relevant images through search in Web
engines. Other related images from the image search default
to decoy images (in the case of recognition-based graphical
authentication). Both user-selected and decoy images are
finally assigned to the users profile to be used for login.
Users will also be able to choose a single background image
Figure 8. Example of source table and then draw secret gestures on the image that will be based
on the chosen single secret.
C. Data Fabrication A preliminary evaluation study with 32 volunteers (age
ranging 20-49 (m=33.84; sd=9.43) has been conducted to
In order to synthesise data, we must pass database table investigate likeability aspects and user acceptance of the
definitions and metadata to the DFP. The metadata itself proposed paradigm. More details on the prototype designs of
contains high level information about the data, describing FlexPass and evaluation results are reported in [5]. Partici-
details about its nature, without revealing any of the actual pants interacted with initial prototypes of FlexPass and rated
values that make up the source data. In addition, we need to their experience using a 5-point Likert scale (1: Not at all
define the rules that the data conforms to, in order to keep the 5: Absolutely). Example statements included: I would adopt
synthetic data as accurate as possible. This might include, FlexPass as my main authentication method, FlexPass login
for example, the range of values that the data takes and is fast to use, ”Long registration time is bad”, etc. Initial
the distribution of these values, as well as any relationships evaluation results are promising for further development
between different data elements. For instance, we might have of the proposed paradigm since most of the participants
a column with the appointment date. The metadata would are positive to adopt FlexPass as their main authentica-
contain the information that it is a date type, the format the tion method and they particularly like the flexibility of
date should be stored in, whether it can be null, etc. The switching between textual and pictorial passwords (81.25%).
rules for it might include that it must be greater than the Furthermore, participants rated FlexPass login process as
date of birth for the patient. memorable (87.5%), easy to use (84.37%), and efficient to
For the Edinburgh Cancer Gateway use case, we have use (68.75%). Nevertheless, given that the new paradigm
collected many aspects of the metadata including common, adds an additional amount of time in the secret creation
maximum, minimum, and extreme values for each reading. process compared to the current state-of-the-art approach,
In addition, we derived the distribution of the data value participants had mixed opinions with regards to the higher
measurements and the correlations between the different password creation times (during registration). In particular,
values. This profiling can be seen to work to derive the 53.13% participants stated that the higher registration times
required rules to fabricate new data. These rules were then might negatively affect their opinion about FlexPass, and
used to synthesise data to be used in the development and 21.87% rated that long registration times might prevent them
evaluation of the SERUMS tool chain. from using FlexPass.
D. Blockchain
F. Noise Adding Mechanism for Differential Privacy
The blockchain smart contracts will use the hyper-ledger
The optimal noise adding mechanism to attain differential
format and will enable the storage of the preference contract
privacy is compared with the classical Gaussian mechanism
of the patient, the vault of the current active data transport
via quantify the gain (over Gaussian mechanism) achieved
contracts and the valid user contracts of the SERUMS data
by optimal (, δ)-differentially private noise in term of
exchange process.
reduction in expected noise magnitude. The ratio of expected
E. Authentication noise magnitude of classical Gaussian mechanism to that of
The dual nature of the proposed user authentication optimal mechanism is calculated as
scheme allows us to move from ”one-size-fits-all” authenti- 2 p
R(δ) = √ log (1.25/δ). (5)
cation schemes to flexible authentication schemes since users (1 − δ) π
It is observed in Fig. 9 that noise magnitude reduction factor VII. C ONCLUSION
is increasingly more pronounced in the high privacy regime In this paper, we have outlined the problems that the
(i.e. low δ), however, also shoots up in the low privacy distributed health systems of the future will face in terms
regime as δ → 1. The optimal mechanism reduces the noise of safe storing and sharing of confidential patient data. We
magnitude by more than 4 times in the high privacy regime have also proposed the SERUMS methodology for managing
over the Gaussian mechanism. confidential, distributed medical data, covering all the phases
VI. R ELATED W ORK in its lifetime, from retrieval and storing to end-point data
analytics. Furthermore, we have described the initial versions
Smart Patient Records: Unified Medical Language Sys- of the tools from the SERUMS tool-chain, including new
tem (UMLS [7]) proposes key terminology, classification universal smart patient record format, blockchain for control-
and coding standards, and associated resources to promote ling access to the health records and recording lineage of the
creation of more effective and interoperable biomedical data, authentication mechanisms for logging in to healthcare
information systems and services, including electronic health systems and privacy-preserving data analytics techniques.
records. OpenEHR Specification Program [1] provides spec- We have also described Data Fabrication Platform (DFP),
ifications and their computable expressions to enable devel- a platform for generating large volumes of synthetic but
opment and deployment of open, interoperable and com- realistic medical data that will be used for development
putable patient-centric health information systems. and evaluation of the SERUMS tool-chain. Finally, we have
Generating Synthetic Data: Several studies address described its proposed use in the Edinburgh Cancer Gateway
generating data for given queries. Most of these approaches use case that collects and analyses information about effects
(e.g. QAGen [6], De La Riva et al. [9] and Emmi et al. [11]) of chemotherapy treatments on breast cancer patients, to
address only subsets of the SQL language as well as a predict the outcome of the treatment and improve treatment.
simple subset of the possible data types of databases. Many
of these works have performance and scalability issues as ACKNOWLEDGEMENT
well. Adorf and Varendorff [3] propose a scalable solution This research was funded by the EU H2020 project Serums:
that generates data for form-centric applications using an Securing Medical Data in Smart Patient-Centric Healthcare
SMT solver. However, constraint solvers cannot deal with Systems (grant code: 826278).
the variety of data types, such as decimal numbers, calendar
types, and strings, this is also not an ideal solution and R EFERENCES
requires workarounds that increase complexity of the overall [1] OpenEHR Specification Program. https://www.openehr.org/
system and affect perfromance and quality of results. programs/specification/.
Authentication: Recent works have investigated the in-
[2] M. Abadi, A. Chu, I. Goodfellow, H. B. McMahan,
fluence of specific human, technology and design factors af- I. Mironov, K. Talwar, and L. Zhang. Deep learning with
fecting user authentication preference and task performance, differential privacy. In Proc. CCS ’16, pages 308–318. ACM,
aiming to apply that knowledge in designing usable and 2016.
personalised authentication schemes. Nicholson et al. [22]
suggested personalizing the user authentication type based [3] H.-M. Adorf and M. Varendorff. Constraint-based automated
generation of test data. In D. Winkler, S. Biffl, and J. Bergs-
on age differences; Belk et al. [4] proposed an extensible mann, editors, Software Quality. Model-Based Approaches
authentication framework for personalizing authentication for Advanced Software and Systems Engineering, pages 199–
tasks based on the users’ cognitive processing styles and 213, Cham, 2014. Springer International Publishing.
abilities; Ma et al. [21] suggested personalizing user authen-
tication types by considering users’ cognitive disabilities; [4] M. Belk, C. Fidas, P. Germanakos, and G. Samaras. The in-
terplay between humans, technology and user authentication.
and Forget et al. [12] proposed an authentication scheme Comput. Hum. Behav., 76(C):184–200, Nov. 2017.
for enabling users to choose the preferred user authentication
mechanism instead of providing a single authentication type. [5] M. Belk, C. Fidas, and A. Pitsillides. Flexpass: Symbiosis
Privacy of Medical Analytics: Shade [15], a framework of seamless user authentication schemes in iot. In Extended
for Apache Spark that provides strong privacy guarantees Abstracts of the CHI 2019.
for users, includes two mechanisms - SparkLAP, which [6] C. Binnig, D. Kossmann, E. Lo, and M. T. Özsu. Qagen: Gen-
provides Laplacian perturbation based on a user’s query erating query-aware test databases. In Proceedings of the 2007
and SparkSAM, which uses the contents of the database ACM SIGMOD International Conference on Management of
itself in order to calculate the perturbation. Palanisami et Data, SIGMOD ’07, pages 341–352, New York, NY, USA,
al. [23] present a privacy-aware data disclosure scheme 2007. ACM.
that considers group privacy requirements of individuals in [7] O. Bodenreider. The Unified Medical Language System
bipartite association graph datasets where even aggregate (UMLS): Integrating Biomedical Terminology. Nucleic Acids
information about groups of individuals may be sensitive. Res. 2004 Jan 1;32(Database issue), 2004.
7 60

6
50

5
40

4
R( )

R( )
30

20
2

10
1

0 0
10 -6 10 -5 10 -4 10 -3 10 -2 10 -1 0.5 0.55 0.6 0.65 0.7 0.75 0.8 0.85 0.9 0.95

(a) High privacy regime. (b) Low privacy regime.

Figure 9. Ratio of expected noise magnitude of the classical Gaussian mechanism to that of optimal mechanism for (, δ)-differential privacy.

[8] A. Constantinides, M. Belk, C. Fidas, and A. Pitsillides. [18] S. Li, S. Dragicevic, F. A. Castro, M. Sester, S. Winter,
On the accuracy of eye gaze-driven classifiers for predicting A. Coltekin, C. Pettit, B. Jiang, J. Haworth, A. Stein, and
image content familiarity in graphical passwords. In Proc. T. Cheng. Geospatial big data handling theory and methods:
UMAP 2019, pages 201–205. ACM, 2019. A review and research challenges, 2016.

[9] C. de la Riva, M. J. Suárez-Cabal, and J. Tuya. Constraint- [19] D. Linstedt. Data Vault 2.0 Being Announced, 2012.
based test database generation for sql queries. In Proceedings
of the 5th Workshop on Automation of Software Test, AST [20] D. Linstedt and M. Olschimke. Scalable Data Warehouse
’10, pages 67–74, New York, NY, USA, 2010. ACM. Architecture. In Data Vault 2.0. 2016.

[10] C. Dwork and A. Roth. The algorithmic foundations of [21] Y. Ma, J. Feng, L. Kumin, and J. Lazar. Investigating user
differential privacy. Foundations and Trends in Theoretical behavior for authentication methods: A comparison between
Computer Science, 9(3-4):211–407, 2014. individuals with down syndrome and neurotypical users.
ACM Trans. Access. Comput., 4(4):15:1–15:27, July 2013.
[11] M. Emmi, R. Majumdar, and K. Sen. Dynamic test input
generation for database applications. In Proc. ISSTA ’07, [22] J. Nicholson, L. Coventry, and P. Briggs. Age-related perfor-
pages 151–162. ACM, 2007. mance issues for pin and face-based authentication systems.
In Proc. CHI ’13, pages 323–332. ACM, 2013.
[12] A. Forget, S. Chiasson, and R. Biddle. [paper] choose your
own authentication. In New Security Paradigm Workshop [23] B. Palanisamy, C. Li, and P. Krishnamurthy. In Proc. IEEE
(NSPW). ACM, 2015. Conference Papers. Big Data 2017, pages 1043–1052, 2017.
[13] M. Fredrikson, S. Jha, and T. Ristenpart. Model inversion [24] N. Phan, Y. Wang, X. Wu, and D. Dou. Differential privacy
attacks that exploit confidence information and basic counter- preservation for deep auto-encoders: An application of human
measures. In Proc. CCS ’15, pages 1322–1333. ACM, 2015. behavior prediction. In Proc. AAAI ’16, pages 1309–1316.
AAAI Press, 2016.
[14] G. Hadjidemetriou, M. Belk, C. Fidas, and A. Pitsillides.
Picture passwords in mixed reality: Implementation and eval- [25] S. Silow-Carroll, J. N. Edwards, and D. Rodin. Using
uation. In Extended Abstracts of the CHI 2019, 2019. electronic health records to improve quality and efficiency: the
experiences of leading hospitals. Issue brief (Commonwealth
[15] A. Heifetz, V. Mugunthan, and L. Kagal. Shade: A Fund), 2012.
differentially-private wrapper for enterprise big data. In Proc.
IEEE Big Data 2017, pages 1033–1042, 2017. [26] E. von Zezschwitz, A. De Luca, and H. Hussmann. Honey,
i shrunk the keys: Influences of mobile devices on pass-
[16] W. Inmon and D. Linstedt. Introduction to Data Vault. In word composition and authentication performance. In Proc.
Data Architecture: a Primer for the Data Scientist. 2015. NordiCHI ’14, pages 461–470. ACM, 2014.
[17] M. Kumar, M. Rossbory, B. A. Moser, and B. Freudenthaler.
Deriving an optimal noise adding mechanism for privacy-
preserving machine learning. In G. Anderst-Kotsis, A. M.
Tjoa, and I. Khalil, editors, Database and Expert Systems
Applications, pages 108–118. Springer International Publish-
ing, 2019.

You might also like