
Chapter 4: Analysis

II. Impact of big data technologies

Open information in healthcare is becoming increasingly popular. Healthcare providers such as hospitals, pharmacies, physicians and pharmaceutical companies, among others, have already made much progress in digitizing medical records. Universities are giving students of Medicine the opportunity to familiarise themselves with the ongoing research and development of data in electronic databases by creating part-time job opportunities. The Dutch Ministry of Health, Welfare and Sport (VWS), together with healthcare service providers, introduced the move towards transparency by creating a national infrastructure for the exchange of data between healthcare providers. This step toward digitalization of the medical sector allows decades of data that were previously stored in paper-based records to be accessed, searched and used by others in the healthcare sector. These new threads of knowledge can be seen as a form of big data because of their volume, complexity, diversity and timeliness (Groves, Kayyali, Knott, & Van Kuiken, 2013). Although the efforts to obtain more insights from the increasing stream of data could help to provide answers to the outdated and cumbersome process of gaining information about a patient’s medical history, a clear and transparent infrastructure is needed to realize an adequate continuity of care without the technologies leading to privacy infringements.

Technology in Dutch healthcare

In 2002 an infrastructure for the digital exchange of patients’ medical data in the Netherlands was developed. This programme was given the name AORTA, which is an abbreviation of the terms Architecture, Ontwerp (design), Realisation, Toetsen van kwaliteit (quality testing), and Acceptation. In sum, the AORTA infrastructure provides a description of three aspects: technology, organization, and implementation. By doing so, the infrastructure allows for the secure, reliable and confidential exchange of medical data and communication between patients, healthcare professionals and healthcare insurers, in a standardised fashion. It consists of three main components.

1) The LSP (Landelijk Schakel Punt)

2) The ZSPs (Zorg service providers)

3) GBZ (Goed beheerd zorgsystemen)

The LSP, which stands for the National Switch Point, is the central hub where the digital exchange of medical data takes place. With this platform, healthcare providers are able to quickly request patients’ medical information from the databases of other healthcare providers such as hospitals, pharmacies or physician practices. In order for healthcare providers to be able to connect to the LSP, they need to meet strict security standards. Once they meet the organizational and technical requirements, they qualify for the so-called “GBZ”, which is the Dutch acronym for a Qualified Healthcare Information System or QHIS. When a healthcare provider meets all the necessary demands, they can apply to be connected to the central component or core of the LSP called the ZIM (zorginformatie-makelaar), also known as the central reference index. The exchange from the healthcare provider to the LSP network takes place via the standardized HL7v3 (Health Level 7 version 3 standard) methodology (Hutink, 2012). HL7v3 enables the exchange, integration, sharing and retrieval of electronic health data between systems within the network and thus ensures the interoperability of healthcare information technology. A key component that distinguishes HL7v3 from earlier versions is the Reference Information Model (RIM). With this model the structure of the data, the concepts, the data types and the vocabulary are fixed in order to assure the interoperability of the affiliated systems.

All the medical data that comes in is, thus, stored in various different ICT systems. The ZIM coordinates the communication between those systems and keeps track of which of these systems holds certain information about a patient (Spronk, 2008). In this way the ZIM functions as a search engine for medical data, but one that also verifies the authenticity and authorisation of the healthcare providers involved. In order to keep the system transparent, the ZIM also keeps track of and supervises the logging of messages between the users. By doing so, the LSP can manage and control requests to peruse medical information or files in case of unlawful or deviating access. In order for a healthcare provider to consult medical information in the LSP database, he needs to have an authorised electronic passport called the UZI-pas. UZI (Unieke Zorgverlener Identificatienummer) is an identification number unique to each healthcare provider, and the UZI-pas is only given to persons authorized to perform healthcare services in the Netherlands. The UZI registration is managed by the CIBG (Centraal Informatiepunt Beroepen Gezondheidszorg) which, as a branch of the Ministry of Health, Welfare and Sport, is the organisation that executes government policy in fields such as healthcare by implementing standards in registers. In order to verify the authenticity of medical files in the database, an authorized link between patients and their medical files is required. This verification is done by registering all persons living in the Netherlands by their BSN (Burger Service Nummer) or Citizen Service Number. Within the LSP network, the SBV-Z (Sectorale BerichtenVoorziening-Zorg) verifies the BSN based on several identifying characteristics (Spronk, 2008). In order for healthcare providers to identify themselves, the UZI registry makes use of a PKI (Public Key Infrastructure). This infrastructure allows for confidential and secure electronic communication, via VPNs (Virtual Private Networks), by applying a lawful electronic signature. For an electronic signature to be considered “lawful”, it must be issued to UZI card holders by the CIBG. In practice, the LSP network is set up as the following figure illustrates.

Figure 4. LSP network as provided by NICTIZ

Assessment

In order to assess which of the technologies used in the realization of the LSP network could lead to privacy infringement, we need to look at four critical issues. In 2006, the Privacy Technology Focus Group of the US Department of Justice identified what they considered to be the most important issues in privacy policy and technology. As a result, they divided the issues into four main categories.

1) Access and Authentication

2) Data Aggregation and Dissemination

3) Identity Theft

4) Personal Safety and Protection

The Focus Group was created to examine the use and exchange of personally identifiable information (PII) in the context of justice information systems and in the dissemination and aggregation of justice and public safety data (U.S. Department of Justice, 2006). The similarities between the goals of the US Department of Justice and the emphasis on the effects of Big Data in Dutch healthcare (i.e. PII) in this thesis allow the analysis of the Focus Group to be considered in this assessment. The potential privacy-related issues due to Big Data in the Dutch healthcare system will be assessed by two of the four main categories provided by the Privacy Technology Focus Group report.

Access and Authentication

The LSP network promotes the effective sharing of information to improve the interoperability between healthcare providers, which can lead to better and more effective healthcare. For this to happen, the LSP must ensure that only authorized people have access to this “sensitive information”. In order for healthcare providers to be able to access and exchange medical information about a patient, they need to be registered as a Qualified Healthcare Information System or QHIS (GBZ). In order to meet the QHIS requirements, they need to make sure that their medical data is safely exchanged via a healthcare information system, also known as an XIS. In order to electronically exchange medical data, the XIS systems of the healthcare providers need to be connected to a well-managed care system, also known as a GZN, which prescribes several procedures regarding the management and maintenance of the system. Once registered to a GZN, the Qualified Healthcare Information System can then be connected to the LSP.

“The EPD is partially centralized. Patient records are stored decentrally, while a central component takes care of the authentication and authorization of health professionals and of the mechanics required for exchanging patient records.” (Van ‘t Noordende, 2010).

The identification of the multitude of persons and organisations that will make use of the healthcare infrastructure of the LSP is done by the BSN for patients and the UZI-pass for the responsible physician.

The access and authentication mechanisms used in the LSP can create some vulnerabilities which can be linked to the concept of big data. The LSP makes use of a mechanism that is applied by healthcare providers to allow employees to access the digital patient records (EPD) on their behalf. This mechanism is referred to as a token.

Figure 5. Indication of token data structure.

“A token is a data structure, separate from the HL7v3 request message, which contains information required by the LSP to verify the authenticity of the request.” (Van ‘t Noordende, 2010).

The token contains several important aspects of authenticity such as:

- The BSN of the patient for whom the request is made

- The information category that the request is concerned with

- Information that prevents replay of the request

Figure 6. Visualization of an XIS.

Before the request is sent to the LSP, the healthcare professional approves the request by signing the token using his or her UZI pass. A token signed with the healthcare professional’s UZI pass allows the LSP to verify which health professional made the request. However, mandated employees can also sign requests using the healthcare professional’s UZI pass. One main risk of using a token-based authentication mechanism is that the information systems that store the patient records are not able to verify incoming authentication requests separately. This form of authentication protocol is therefore not end-to-end: the storing system cannot determine whether a request was made legitimately by a healthcare professional or by an intruder, using malicious software, who sends requests directly from an unauthorized computer. This would mean that an intruder who successfully places malicious code in the LSP is able to obtain any patient records from any decentralized information system connected to the EPD without being questioned (Van ‘t Noordende, 2010).
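As an added illustration, not code from the thesis or from the actual LSP implementation, the following Go program models the signed token described above (BSN, information category, anti-replay nonce) and a single verification routine that checks the signer against a UZI registry, the signature, and nonce freshness. Running the same check both at the LSP and at the storing GBZ system, on the forwarded signed token, is the end-to-end verification the text says the current design lacks. Ed25519, the UZI identifier strings and the field layout are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"errors"
)

// Token mirrors the fields the text lists: patient BSN, information category
// and anti-replay information (a nonce). Simplified model, not the real format.
type Token struct{ BSN, InfoCat, Nonce string }

// SignedToken adds the signer's (assumed) UZI identifier and an Ed25519
// signature standing in for the signature made with the UZI card.
type SignedToken struct {
	Token Token
	UZI   string
	Sig   []byte
}
// bytes is the canonical byte string that the signature covers.
func (t Token) bytes() []byte { return []byte(t.BSN + "|" + t.InfoCat + "|" + t.Nonce) }

// Sign models the health professional approving a request with the UZI card.
func Sign(t Token, uzi string, priv ed25519.PrivateKey) SignedToken {
	return SignedToken{Token: t, UZI: uzi, Sig: ed25519.Sign(priv, t.bytes())}
}

// Verifier: any party (LSP, or a GBZ given the forwarded token) holding the
// UZI registry's public keys and a record of nonces already used.
type Verifier struct {
	Registry map[string]ed25519.PublicKey
	seen     map[string]bool
}

func NewVerifier(reg map[string]ed25519.PublicKey) *Verifier {
	return &Verifier{Registry: reg, seen: map[string]bool{}}
}

// Verify accepts a token only if the signer is a registered UZI holder, the
// signature covers the token unchanged, and the nonce is fresh (anti-replay).
func (v *Verifier) Verify(st SignedToken) error {
	if pub, ok := v.Registry[st.UZI]; !ok || !ed25519.Verify(pub, st.Token.bytes(), st.Sig) {
		return errors.New("unknown UZI holder or signature does not match token")
	}
	key := st.UZI + ":" + st.Token.Nonce
	if v.seen[key] {
		return errors.New("replayed nonce: " + st.Token.Nonce)
	}
	v.seen[key] = true
	return nil
}
```

A tampered BSN, an unregistered signer, and a replayed nonce are all rejected by whichever party runs Verify, so the GBZ no longer has to take the LSP's word for who signed the request.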

Data Aggregation and Dissemination

The process of data aggregation in the healthcare sector is aimed at gathering and expressing information in a summary form for purposes such as statistical analysis. The LSP provides this process of data aggregation by coupling the decentrally stored patient records. By doing so, Dutch healthcare professionals are able to find and retrieve those electronic patient records that are relevant for the treatment of their patients. References to all patient records that are accessible through the EPD are registered in the central reference index, also known as the ZIM in Dutch (Van ‘t Noordende, 2010). These index lines point health professionals to the available patient records but also create the possibility of finding patient records in the databases of other health professionals. It is also possible for physicians to request a search in the LSP to find a set of patient records that match components (such as a patient’s BSN) of the information stored in the ZIM. Some of the systems (such as the GBZ) connected to the LSP must meet general security requirements, but these do not guarantee the correctness of all the systems.

“The connections between (decentral) GBZ systems and the LSP are cryptographically protected to avoid that outside attackers can listen in on the communication channels between GBZ and LSP.” (Van ‘t Noordende, 2010).

The problem is, however, that once the information is stored in these systems, it remains unprotected while inside the system. With the help of the right analytical tools, a successful attack on the LSP system would mean a big risk of privacy infringement, since large amounts of sensitive information would then be accessible.

According to Dutch regulations, the information that a healthcare professional gathers in the EPD may not be stored in a central infrastructure due to legal, security, and privacy concerns. This is in direct contrast with the regulations on handing over control of the management of an EPD to a third party. The LSP infrastructure does, therefore, not store information in a single central system. However, the reference index ZIM is a central component that is required for the functioning of the LSP. In order to connect search references from GBZs to the LSP, the ZIM provides information about the hospital or organization that a patient visited, as well as information concerning the physician who registered the reference and the record type (Van ‘t Noordende, 2010). This is an inherent risk because the LSP is required to keep historical information regarding the transport of messages and the access of records for a period of 15 years, according to the Wgbo. The ZIM is therefore designed to be restored to a previous state in which it can provide historically used and even removed data. Complete removal of information is therefore almost impossible, making the LSP, and its data, a large and vulnerable database of sensitive information.

Impact

Due to the current set-up of the Dutch regulations regarding a national infrastructure for aggregating and disseminating large volumes of medical data, the abovementioned technologies create an inherent risk to individuals’ privacy.

The research concluded that, although the LSP does not allow or provide for the storage of large quantities of medical data in a national database, key components of the LSP do and must have the possibility to keep historical information, and are able to reconstruct traffic and access information to a previous state. This inherently increases the risk of a privacy breach of very sensitive medical information. When this data is combined with other data that is available in other systems (such as a GBZ) connected to the LSP, various algorithms can be applied to discover certain patterns, which can lead to the re-identification of patients. “With big data the intent is to gather as much data as possible in order to discover patterns and apply algorithms with which you can make certain conclusions.” (Bohre, 2014, Q3) In the field of medicine, the use of big data could reveal patterns about individuals which neither their physician nor they themselves would know about. If this very sensitive data were to fall into the wrong hands, it could lead to disastrous consequences. The research also concluded that there is no end-to-end supervision protocol in the current set-up of the LSP. When a physician transfers his paper files into the EPD, the data in the records is based on his findings. The annotation of these findings is done in a personalized manner. The International Classification of Primary Care (ICPC) standard codes and classifies the complaints, symptoms and ailments of the patient recorded by the physician. When this data is incorporated into the EPD using the ICPC standard and then requested by other healthcare providers, the interpretation of these files can be erroneous because there is no control over the interpretation of the data. Adequate data analytics, and translation into ICPC codes, is thus very important at this stage of the EPD/LSP. Faulty diagnoses based on the data in the EPD can therefore significantly increase the risk of errors.

The proposed infrastructure mentioned in this sub-chapter makes use of the current legislation on the exchange of medical data. This legislation thus has a direct impact on a patient’s medical privacy. Therefore, the following sub-chapter will take into consideration which effects the current policy has on medical privacy and how, as a result, it allows for the creation of disputed technological infrastructures.
