08 June 2020
Enabling Trust and Preserving Privacy When Sharing Medical Data
The medical data exchange demonstrator is the second of the seven pieces that complete the CyberSec4Europe jigsaw puzzle. This post continues the series started with Composing a Picture from the Puzzle Pieces, and is also closely linked with How Sharing Information and Data Contributes to Hinder the Spread of COVID-19 and Its Economic Impacts which is related to the COVID-19 Data Exchange initiative launched by Dawex, one of the partners participating in the medical data exchange demonstrator.
The main challenges to be addressed when sensitive data is shared between different actors are how to:
- preserve the privacy of data owners;
- increase trustworthiness to ensure the willingness of the different actors to share sensitive data;
- ease the use of the data exchange platforms;
- comply with the current regulations.
The different services that are planned to be offered by the data exchange platforms are:
- preserving user privacy techniques, such as anonymization and encryption tools;
- increasing trust in the data exchange platform by providing strong user authentication by using an eID-based eIDAS network, and decentralized user access to the platform based on self-sovereign identity;
- improving user experience including data assessment and data sampling tools.
During the development of the demonstration, the regulatory aspects of the GDPR and eIDAS will be considered and the object of research.
With these aims in mind, three different use cases were identified to address these challenges and demonstrate the use of the services described.
- Sharing sensitive health data through an API: Analytics are performed on the aggregated personal and health data collected by the data providers from different sources. The data is protected by using privacy preserving techniques.
- Sharing sensitive health data through files: Anonymisation and privacy-enhancing technologies are used to anonymise the files uploaded to the data exchange platform by the data providers who have receive personal and health data from a data source, preserving data subject privacy. The data providers upload the files on the data exchange platform, including a set of related metadata.
- Enhancing the security of on-boarding and accessing the data exchange platform: Increasing the security of the on-boarding process and facilitate secure access to the platform is envisaged by the provision of a secure mechanism for the online registration process, using eIDs issued by Member State authorised organisations. Decentralized access using a verifiable credential based on eIDAS authentication, and the validation of this verifiable credential by the data exchange platform is to be attempted using distributed ledger technology.
The lessons learnt during the development of the medical data exchange demonstrator and the use of the indicated privacy-preserving technologies will help address the oncoming challenges, not only in the health domain but also in other business domains.
Juan Carlos Pérez Baún
Researcher at Blockchain, Privacy and Identity Unit, Atos Research and Innovation.