4. BIOMEDICAL DATA SECURITY, PRIVACY AND CONFIDENTIALITY

Biomedical Informatics
Assoc. Prof. Tomaž Vrtovec, Ph.D.

University of Ljubljana, Faculty of Electrical Engineering
Laboratory of Imaging Technologies
Electrical Engineering, level 2, international course

SECURITY, PRIVACY, CONFIDENTIALITY
What do they represent?

Definitions of data security, privacy and confidentiality:
- data security is the protection of data from destructive forces and from the unwanted actions of unauthorized users
- data privacy is the relationship between the collection and dissemination of data on the one hand and the public expectation of privacy, together with its legal and political aspects, on the other
- data confidentiality is the ethical principle of restrictions and privileges in the communication between a client and a professional (e.g. between a patient and a medical professional)

There is no clear-cut division among these three topics; the mechanisms that ensure data security, privacy and confidentiality are intertwined.

DATA SECURITY
What is data security?

Data security is the protection of data from destructive forces and from the unwanted actions of unauthorized users.

Data security must provide the following key properties:
- data integrity: the data cannot be modified without the change being noticed
- data accessibility (availability): the data can be accessed whenever they are required
- data authenticity: the data actually represent the expected content and originate from the claimed source

These properties are enforced through data security mechanisms, combined with risk management and access control.


DATA SECURITY
Data security mechanisms

According to the time at which they act, data security mechanisms can be divided into:
- mechanisms for threat prevention (before an incident)
- mechanisms for event detection and disclosure (during an incident)
- mechanisms for operation recovery (after an incident)

According to their nature, data security mechanisms can be divided into:
- physical mechanisms (e.g. doors, locks, ...)
- process mechanisms (e.g. controls, notifications, ...)
- technical mechanisms (e.g. passwords, software, ...)
- legal mechanisms (e.g. laws, regulations, ...)


DATA SECURITY
Risk management

Risk management is the process of identifying, evaluating and prioritizing the vulnerabilities and threats that endanger the data and the data sources, and of choosing the countermeasures that reduce the risk to an acceptable level, where "acceptable" is defined according to the value of the data and the data sources.
- Uncertainty (likelihood) is the probability that destructive forces or unwanted actions will occur; together with the expected damage it determines the risk.
- A vulnerability is a weakness that can be exploited to apply destructive forces or unwanted actions.
- A threat is something that can potentially cause destructive forces or unwanted actions, typically by exploiting a vulnerability.

Risk management is a continuous and repeating process, and the resulting countermeasures are usually a compromise between their impact on productivity, their cost and their effectiveness.


DATA SECURITY
Risk management (2)

The ISO 31000 standard, "Risk management: Principles and guidelines", describes the following steps of the risk management process:
- establishing the context
- risk assessment, consisting of
  - risk identification
  - risk analysis
  - risk evaluation
- risk treatment

Communication and consultation with the stakeholders, and monitoring and review of the risks and of the applied treatment, accompany all of the above steps, which makes the process iterative.

Source: ISO 31000 – Risk Management: Principles and Guidelines, International Organization for Standardization, 2009

DATA SECURITY
Access control

Access control has two levels:
- authentication determines whether a user should be allowed access to the system at all, and is based on confirming the claimed identity of the user
- authorization establishes restrictions on the actions that an authenticated user is allowed to perform, i.e. which data the user may read, write or execute

With access control in place, a user who has not successfully passed authentication and/or authorization should not be able to retrieve any information about the data in question. This should hold even when the user has additional knowledge obtained from other sources.

Source: M. Stamp: Information Security – Principles and Practice. Wiley, 2006



DATA SECURITY
Access control: authentication

Authentication is based on any combination of the following factors:
- something that the user knows (e.g. password)
- something that the user has (e.g. smart card)
- something that the user is (e.g. fingerprint)

Combining factors of different kinds (e.g. a password and a smart card) gives two-factor authentication; a second factor of the same kind (e.g. two passwords) does not.

Source: M. Stamp: Information Security – Principles and Practice. Wiley, 2006



DATA SECURITY
Access control: authentication (2)

Biometric authentication should:
- be applicable to everyone (universal)
- distinguish reliably among users (distinguishing)
- measure a physical characteristic that does not change over time (permanent)
- measure a physical characteristic that is easy to collect (collectable)
- work under real-world conditions (reliable and robust)
- be usable in everyday life (user-friendly)

Examples:
- fingerprint
- hand geometry
- face recognition
- iris scan
- speech recognition

Unlike a password, a compromised biometric cannot be changed, so stored biometric templates must be protected at least as carefully as password databases.
Source: M. Stamp: Information Security – Principles and Practice. Wiley, 2006

DATA SECURITY
Access control: authorization

Authorization usually works according to rules that are defined in the access control matrix (ACM): one row per subject (user or process), one column per object (resource), and in each cell the operations the subject may perform on the object.
In practice the ACM is stored in one of two ways:
- access control lists (ACLs): one list per object, i.e. a column of the ACM
- capability lists (C-lists): one list per subject, i.e. a row of the ACM

ACM (r ... read; w ... write; x ... execute; – ... no access):

  Subject \ Object       Operating  Data writing  Patient  Patient  Patient
                         system     process       ID       name     diagnosis
  Andrew                 r x        r x           r        –        –
  Bruce                  r x        r x           r        r w      r w
  Samuel                 r w x      r w x         r        r w      r w
  Data writing process   r x        r x           r w      r w      r

Source: M. Stamp: Information Security – Principles and Practice. Wiley, 2006
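The ACM above as working code, added here as an example for this lecture (it is not code from the slides or from Stamp's book). The subjects, objects and permissions are exactly those of the matrix; the function names acl, clist, is_allowed and can_reach_diagnosis_via_process are this example's own. It shows how the ACL and C-list views are just the two ways of slicing the same matrix, why the check must default to deny, and a point the matrix hides: Andrew has no access to the diagnosis, but may execute a process that does.

```python
"""Access control matrix (ACM) with ACL and capability-list views.

Added example for this lecture; not part of the original slides or of
Stamp's book. The subjects, objects and permissions reproduce the ACM
shown on the slide; the function names are this example's own.
"""
from typing import Dict, FrozenSet

Subject = str
Obj = str
Perms = FrozenSet[str]

# The ACM from the slide: rows are subjects, columns are objects,
# cells are the permitted operations (r = read, w = write, x = execute).
ACM: Dict[Subject, Dict[Obj, Perms]] = {
    "Andrew": {
        "Operating system": frozenset("rx"),
        "Data writing process": frozenset("rx"),
        "Patient ID": frozenset("r"),
        "Patient name": frozenset(),
        "Patient diagnosis": frozenset(),
    },
    "Bruce": {
        "Operating system": frozenset("rx"),
        "Data writing process": frozenset("rx"),
        "Patient ID": frozenset("r"),
        "Patient name": frozenset("rw"),
        "Patient diagnosis": frozenset("rw"),
    },
    "Samuel": {
        "Operating system": frozenset("rwx"),
        "Data writing process": frozenset("rwx"),
        "Patient ID": frozenset("r"),
        "Patient name": frozenset("rw"),
        "Patient diagnosis": frozenset("rw"),
    },
    "Data writing process": {
        "Operating system": frozenset("rx"),
        "Data writing process": frozenset("rx"),
        "Patient ID": frozenset("rw"),
        "Patient name": frozenset("rw"),
        "Patient diagnosis": frozenset("r"),
    },
}


def acl(obj: Obj) -> Dict[Subject, Perms]:
    """ACL view: one column of the ACM, i.e. who may do what to `obj`.
    Subjects without any right are omitted, as a real ACL omits them."""
    return {s: row[obj] for s, row in ACM.items() if row.get(obj)}


def clist(subject: Subject) -> Dict[Obj, Perms]:
    """Capability-list view: one row of the ACM, i.e. what `subject` holds."""
    return {o: p for o, p in ACM.get(subject, {}).items() if p}


def is_allowed(subject: Subject, obj: Obj, op: str) -> bool:
    """Default-deny check: an unknown subject, an unknown object or an
    unknown operation all evaluate to False rather than raising."""
    return op in ACM.get(subject, {}).get(obj, frozenset())


def can_reach_diagnosis_via_process(subject: Subject) -> bool:
    """Indirect access the matrix does not show directly: a subject with no
    right to the diagnosis may still execute the data writing process, which
    itself may read the diagnosis. Unless the process enforces its own
    checks, the subject gains the process's access (confused deputy)."""
    return (not is_allowed(subject, "Patient diagnosis", "r")
            and is_allowed(subject, "Data writing process", "x")
            and is_allowed("Data writing process", "Patient diagnosis", "r"))


if __name__ == "__main__":
    fmt = lambda d: {k: "".join(sorted(v)) for k, v in d.items()}
    print("ACL for 'Patient diagnosis':", fmt(acl("Patient diagnosis")))
    print("C-list for 'Andrew':", fmt(clist("Andrew")))
    print("Andrew reads diagnosis directly:", is_allowed("Andrew", "Patient diagnosis", "r"))
    print("Andrew reaches diagnosis through the process:", can_reach_diagnosis_via_process("Andrew"))
```

The last function is the practical lesson of the "Data writing process" row: a program that holds rights of its own acts on behalf of whoever may execute it, so its own checks are part of the access control policy.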



DATA SECURITY
Access control: authorization (2)

Multi-level authorization is based on the principle of level "height": the levels are linearly ordered (e.g. 0 < 1 < 2 < 3), and authorization on a higher level means the ability to access data on all lower levels.

Multi-categorical authorization defines additional categories (compartments) on each access level. A subject with clearance (level, set of categories) may then access an object labelled (level, set of categories) only if the subject's level is at least the object's level and the subject's category set contains the object's category set. Some pairs of labels are therefore incomparable, and the labels form a lattice rather than a single chain.

Figure: a chain of levels 0, 1, 2, 3 (multi-level) and a lattice with the nodes 1{A}, 1{A,B}, 1{B} below 2{A}, 2{A,B}, 2{B} (multi-categorical).

Source: M. Stamp: Information Security – Principles and Practice. Wiley, 2006
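The dominance relation behind the two authorization schemes, added here as an example for this lecture (not code from the slides or from Stamp's book). The labels are the nodes of the figure above; the names Label, dominates, comparable and accessible are this example's own. It shows that a higher level alone is not enough once categories are involved, and that some labels are simply incomparable.

```python
"""Multi-level and multi-categorical authorization as a lattice check.

Added example for this lecture; not part of the original slides or of
Stamp's book. The labels (level, {categories}) are those of the slide's
figure; the function names are this example's own.
"""
from typing import FrozenSet, List, NamedTuple


class Label(NamedTuple):
    level: int                  # linearly ordered: 0 < 1 < 2 < 3
    categories: FrozenSet[str]  # compartments, e.g. {"A", "B"}


def L(level: int, *cats: str) -> Label:
    """Shorthand constructor: L(2, "A", "B") is the node 2{A,B}."""
    return Label(level, frozenset(cats))


def fmt(label: Label) -> str:
    return f"{label.level}{{{','.join(sorted(label.categories))}}}"


# The six nodes of the slide's multi-categorical lattice, in figure order.
FIGURE_NODES: List[Label] = [L(1, "A"), L(1, "A", "B"), L(1, "B"),
                             L(2, "A"), L(2, "A", "B"), L(2, "B")]


def dominates(subject: Label, obj: Label) -> bool:
    """subject >= obj in the lattice: the level must be at least as high
    AND the category set must contain the object's categories. Pure
    multi-level authorization is the special case of empty category sets."""
    return subject.level >= obj.level and subject.categories >= obj.categories


def comparable(a: Label, b: Label) -> bool:
    """Some pairs are incomparable (e.g. 2{A} and 1{B}): neither may access
    the other, which a single 'height' ordering cannot express."""
    return dominates(a, b) or dominates(b, a)


def accessible(clearance: Label, objects: List[Label]) -> List[Label]:
    """The objects a subject with `clearance` may access, in input order."""
    return [o for o in objects if dominates(clearance, o)]


if __name__ == "__main__":
    for clearance in (L(2, "A"), L(2, "A", "B"), L(3)):
        reachable = ", ".join(fmt(o) for o in accessible(clearance, FIGURE_NODES)) or "nothing"
        print(f"clearance {fmt(clearance)} may access: {reachable}")
```

Note the last case: a clearance at level 3 with no categories dominates none of the six nodes, because every node carries a category the clearance lacks.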



DATA SECURITY
Access control: authorization (3)

A Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is a challenge that is simple enough for most people to pass, but hard enough for an automated program to fail. It does not identify a user; it only raises the cost of automated access, and as automated solvers improve, a given CAPTCHA design stops being a reliable barrier.


DATA SECURITY
Data encryption

Cryptography (or cryptology) is the practice and study of techniques for secure communication in the presence of third parties, called adversaries.

More about cryptography during the Laboratory Work Preparation!


DATA PRIVACY
What is data privacy?

Data privacy is the relationship between the collection and dissemination of data on the one hand and the public expectation of privacy, together with its legal and political aspects, on the other.

This relationship is defined mostly by:
- the data holder, who publishes the data but wishes to retain privacy
- the data user, who wants to analyze the data
- a data user with bad intentions, who wants to obtain unjustified access to the data, is called an adversary of the data holder's privacy

Source: B.C.M. Fung et al.: Introduction to Privacy-Preserving Data Publishing: Concepts and Techniques. CRC, 2010

DATA PRIVACY
Data structure

The data communicated between the data holder and the data user consist of:
- explicit identifiers (EID): attributes that explicitly identify the data holder (e.g. name, patient ID) and are usually removed before the data are released
- quasi-identifiers (QID): attributes that do not identify the data holder on their own, but could identify them, or narrow the selection down to a small number of data holders, when combined together (e.g. job, gender, age)
- sensitive attributes: the values the data holder does not want linked to their identity (e.g. disease)

Figure: on the left, a data directory in which the explicit identifier (John Doe) has been replaced by a pseudonym (B1xGj7) attached to the data; on the right, a separate links directory holding the mapping between the identifier and its pseudonyms (B1xGj7, qR29Uf). Re-identification requires access to the links directory.

Source: B.C.M. Fung et al.: Introduction to Privacy-Preserving Data Publishing: Concepts and Techniques. CRC, 2010
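The pseudonymisation sketched in the figure as working code, added here as an example for this lecture (not code from the slides or from Fung et al.). The patient records, the key LINK_KEY and the attacker's list of candidate names are constructed for the example; "John Doe" is the identifier shown in the figure. The point it adds to the figure: the pseudonym must be a keyed function of the identifier (here HMAC-SHA256, an assumption of this example), because an unkeyed hash of a name is inverted by simply hashing every plausible name.

```python
"""Pseudonymisation of explicit identifiers with a separate links directory.

Added example for this lecture; not part of the original slides or of
Fung et al. The records, the key and the candidate-name list are
constructed here; 'John Doe' is the identifier from the slide's figure.
"""
import hashlib
import hmac
from typing import Callable, Dict, List, Optional, Tuple

# Constructed secret of the data holder. In production it lives in a key
# store next to the links directory, never alongside the released data.
LINK_KEY = bytes.fromhex("5d41402abc4b2a76b9719d911017c592")

# Constructed records: EID = name, QID = job/gender/age, sensitive = disease.
RECORDS: List[dict] = [
    {"name": "John Doe", "job": "Engineer", "gender": "Male", "age": 35, "disease": "Hepatitis"},
    {"name": "Jane Roe", "job": "Writer", "gender": "Female", "age": 30, "disease": "Flu"},
]


def pseudonym(eid: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the identifier, truncated to 12 hex
    characters. Without `key` nobody can recompute it from a guessed name."""
    return hmac.new(key, eid.encode("utf-8"), hashlib.sha256).hexdigest()[:12]


def unkeyed_pseudonym(eid: str) -> str:
    """The weak variant: a plain hash of the identifier. It is deterministic
    and public, so a list of candidate names is enough to invert it."""
    return hashlib.sha256(eid.encode("utf-8")).hexdigest()[:12]


def split_records(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Build the data directory (pseudonym + data, EID removed) and the links
    directory (pseudonym -> EID). The two are stored and access-controlled
    separately; only the data directory is handed to data users."""
    data_dir: List[dict] = []
    links_dir: Dict[str, str] = {}
    for rec in records:
        pid = pseudonym(rec["name"], key)
        data_dir.append({"pid": pid, **{k: v for k, v in rec.items() if k != "name"}})
        links_dir[pid] = rec["name"]
    return data_dir, links_dir


def dictionary_attack(target: str, candidates: List[str],
                      guess: Callable[[str], str]) -> Optional[str]:
    """Adversary model: try every candidate name with whatever pseudonym
    function the adversary can compute. Against the unkeyed hash a public
    name list suffices; against the keyed pseudonym the key is needed."""
    for name in candidates:
        if hmac.compare_digest(guess(name), target):
            return name
    return None


if __name__ == "__main__":
    data_dir, links_dir = split_records(RECORDS, LINK_KEY)
    print("data directory:", data_dir)
    print("links directory:", links_dir)
    names = ["Alice Smith", "John Doe", "Jane Roe"]
    print("unkeyed hash inverted:", dictionary_attack(unkeyed_pseudonym("John Doe"), names, unkeyed_pseudonym))
    print("keyed pseudonym, no key:", dictionary_attack(pseudonym("John Doe", LINK_KEY), names, unkeyed_pseudonym))
```

Even with a keyed pseudonym the data directory still carries the quasi-identifiers, which is exactly what the linkage attacks on the following slides exploit; pseudonymisation removes the EID, nothing more.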

DATA PRIVACY
Attack models

The adversary attacks the data holder's privacy by combining the data published by the data holder with knowledge of the holder's quasi-identifiers, obtained through observation or from other sources.
Attack models are based on the:
- informative principle, when the adversary has knowledge of some data attributes of the target:
  - record linkage
  - attribute linkage
  - table linkage
- uninformative principle, when the adversary has no knowledge about any data attributes:
  - probabilistic linkage

Source: B.C.M. Fung et al.: Introduction to Privacy-Preserving Data Publishing: Concepts and Techniques. CRC, 2010

DATA PRIVACY
Attack model: record linkage

In a "record linkage" attack some combination of quasi-identifier values identifies a group of records in the published data. If this group is small, the adversary has a good chance of uniquely identifying the target's record with the help of additional knowledge.

Patient data (released without names)
Job       Gender  Age  Disease
Engineer  Male    35   Hepatitis
Engineer  Male    38   Hepatitis
Lawyer    Male    38   Angina
Writer    Female  30   Flu
Writer    Female  30   Angina
Dancer    Female  30   Angina
Dancer    Female  30   Angina

Published (external) data with names
Name    Job       Gender  Age
Alice   Writer    Female  30
Bob     Engineer  Male    35
Cathy   Writer    Female  30
Doug    Lawyer    Male    38
Emily   Dancer    Female  30
Fred    Engineer  Male    38
Gladys  Dancer    Female  30
Henry   Lawyer    Male    39
Irene   Dancer    Female  32

Example: the quasi-identifier combination {Lawyer, Male, 38} occurs in exactly one patient record and matches only Doug in the external data, so the adversary learns that Doug has angina. Likewise {Engineer, Male, 35} links Bob to hepatitis.

Source: B.C.M. Fung et al.: Introduction to Privacy-Preserving Data Publishing: Concepts and Techniques. CRC, 2010

DATA PRIVACY
Privacy model: k-anonymity

The privacy model k-anonymity is one of the models that prevent record linkage attacks.
A table is k-anonymous if every record is indistinguishable, on its quasi-identifiers, from at least k − 1 other records. If a record has a specific combination of quasi-identifier values, at least k − 1 other records share the same combination, so the probability of linking any record to a data holder is at most 1/k. k-anonymity is reached by generalizing the quasi-identifiers (e.g. Engineer and Lawyer to Professional, exact ages to intervals) or by suppressing values.

3-anonymous patient data
Job           Gender  Age      Disease
Professional  Male    [35-40)  Hepatitis
Professional  Male    [35-40)  Hepatitis
Professional  Male    [35-40)  Angina
Artist        Female  [30-35)  Flu
Artist        Female  [30-35)  Angina
Artist        Female  [30-35)  Angina
Artist        Female  [30-35)  Angina

4-anonymous published data
Name    Job           Gender  Age
Alice   Artist        Female  [30-35)
Bob     Professional  Male    [35-40)
Cathy   Artist        Female  [30-35)
Doug    Professional  Male    [35-40)
Emily   Artist        Female  [30-35)
Fred    Professional  Male    [35-40)
Gladys  Artist        Female  [30-35)
Henry   Professional  Male    [35-40)
Irene   Artist        Female  [30-35)
Source: B.C.M. Fung et al.: Introduction to Privacy-Preserving Data Publishing: Concepts and Techniques. CRC, 2010

DATA PRIVACY
Attack model: attribute linkage

In an "attribute linkage" attack the adversary may not be able to identify the target's record precisely, but can still infer sensitive information from the published data, based on the sensitive values associated with the group that the data holder belongs to. k-anonymity does not prevent this, because it constrains only the quasi-identifiers, not the distribution of the sensitive attribute within a group.

(Using the 3-anonymous patient data and the 4-anonymous published data from the previous slide.) Emily is an Artist, Female, aged [30-35), and the four patient records in this group carry the diseases Flu, Angina, Angina, Angina:
- the probability that Emily has angina is 3/4 = 75%
- the probability that Emily has flu is 1/4 = 25%

Source: B.C.M. Fung et al.: Introduction to Privacy-Preserving Data Publishing: Concepts and Techniques. CRC, 2010

DATA PRIVACY
Privacy model: l-diversity

The privacy model l-diversity is one of the models that prevent attribute linkage attacks.
A table is l-diverse when every group of records that share the same quasi-identifier values contains at least l "well-represented" values of the sensitive attribute. The table is entropy l-diverse if for every group $G$

$$-\sum_{s \in S} p(G, s)\,\log p(G, s) \;\geq\; \log l,$$

where $S$ is the set of values of the sensitive attribute and $p(G, s)$ is the fraction of records in group $G$ whose sensitive attribute has the value $s$.

Group {Professional, Male, [35-40)} (Hepatitis, Hepatitis, Angina):
$$-\tfrac{2}{3}\log\tfrac{2}{3} - \tfrac{1}{3}\log\tfrac{1}{3} \approx \log 1.9$$

Group {Artist, Female, [30-35)} (Flu, Angina, Angina, Angina):
$$-\tfrac{3}{4}\log\tfrac{3}{4} - \tfrac{1}{4}\log\tfrac{1}{4} \approx \log 1.8$$

The inequality must hold for every group, so the table is entropy l-diverse only for l ≤ 1.8: it satisfies entropy 1.8-diversity.
Source: B.C.M. Fung et al.: Introduction to Privacy-Preserving Data Publishing: Concepts and Techniques. CRC, 2010
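The k-anonymity and entropy l-diversity computations of the last three slides as working code, added here as an example for this lecture (not code from the slides or from Fung et al.). The two tables are transcribed from the slides; the function names groups, k_anonymity, entropy_l_diversity and attribute_linkage_risk are this example's own. It generalizes the slides' hand calculation to any table, and makes the relation between the two models concrete: the same equivalence classes that give k = 3 give l ≈ 1.75 and a 75% attribute-linkage confidence.

```python
"""k-anonymity and entropy l-diversity checks on the slide's tables.

Added example for this lecture; not part of the original slides or of
Fung et al. The two tables below are transcribed from the slides; the
function names are this example's own.
"""
import math
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Sequence, Tuple

QID: Tuple[str, ...] = ("job", "gender", "age")   # quasi-identifiers
SENSITIVE = "disease"

# 3-anonymous patient data from the slide (age already generalized to intervals).
PATIENT_DATA: List[dict] = [
    {"job": "Professional", "gender": "Male", "age": "[35-40)", "disease": "Hepatitis"},
    {"job": "Professional", "gender": "Male", "age": "[35-40)", "disease": "Hepatitis"},
    {"job": "Professional", "gender": "Male", "age": "[35-40)", "disease": "Angina"},
    {"job": "Artist", "gender": "Female", "age": "[30-35)", "disease": "Flu"},
    {"job": "Artist", "gender": "Female", "age": "[30-35)", "disease": "Angina"},
    {"job": "Artist", "gender": "Female", "age": "[30-35)", "disease": "Angina"},
    {"job": "Artist", "gender": "Female", "age": "[30-35)", "disease": "Angina"},
]

# The ungeneralized patient data from the record-linkage slide.
RAW_PATIENT_DATA: List[dict] = [
    {"job": "Engineer", "gender": "Male", "age": 35, "disease": "Hepatitis"},
    {"job": "Engineer", "gender": "Male", "age": 38, "disease": "Hepatitis"},
    {"job": "Lawyer", "gender": "Male", "age": 38, "disease": "Angina"},
    {"job": "Writer", "gender": "Female", "age": 30, "disease": "Flu"},
    {"job": "Writer", "gender": "Female", "age": 30, "disease": "Angina"},
    {"job": "Dancer", "gender": "Female", "age": 30, "disease": "Angina"},
    {"job": "Dancer", "gender": "Female", "age": 30, "disease": "Angina"},
]


def groups(table: Iterable[dict], qid: Sequence[str] = QID) -> Dict[Tuple, List[dict]]:
    """Partition the records into equivalence classes with identical QID values."""
    out: Dict[Tuple, List[dict]] = defaultdict(list)
    for rec in table:
        out[tuple(rec[a] for a in qid)].append(rec)
    return dict(out)


def k_anonymity(table: Iterable[dict], qid: Sequence[str] = QID) -> int:
    """The largest k for which the table is k-anonymous: the size of the
    smallest equivalence class. A singleton class (k = 1) is a record-linkage
    target."""
    return min(len(g) for g in groups(table, qid).values())


def entropy(values: Iterable[str]) -> float:
    """-sum_s p(s) log p(s), natural logarithm."""
    counts = Counter(values)
    n = sum(counts.values())
    return -sum(c / n * math.log(c / n) for c in counts.values())


def entropy_l_diversity(table: Iterable[dict], qid: Sequence[str] = QID,
                        sensitive: str = SENSITIVE) -> float:
    """The largest l for which the table is entropy l-diverse:
    exp(min over all groups of the entropy of the sensitive attribute)."""
    return math.exp(min(entropy(r[sensitive] for r in g)
                        for g in groups(table, qid).values()))


def attribute_linkage_risk(table: Iterable[dict], qid: Sequence[str] = QID,
                           sensitive: str = SENSITIVE) -> float:
    """Worst-case confidence of an attribute-linkage attack: the largest share
    of a single sensitive value inside any equivalence class."""
    return max(Counter(r[sensitive] for r in g).most_common(1)[0][1] / len(g)
               for g in groups(table, qid).values())


if __name__ == "__main__":
    print("raw table: k =", k_anonymity(RAW_PATIENT_DATA))
    print("generalized table: k =", k_anonymity(PATIENT_DATA))
    print("generalized table: entropy l = %.2f" % entropy_l_diversity(PATIENT_DATA))
    print("attribute-linkage confidence = %.0f%%" % (100 * attribute_linkage_risk(PATIENT_DATA)))
```

The Artist group dominates both measures: it is the larger class (so it does not limit k), but its skewed disease distribution gives the lowest entropy and the highest attack confidence, which is why l-diversity is needed in addition to k-anonymity.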

DATA PRIVACY
Attack model: table linkage

In a "table linkage" attack the adversary may infer, with high confidence, the presence or absence of the target's record in the published data, and consequently the presence or absence of the target in the private data (e.g. that the target was a patient at all), even without learning any sensitive value.

(Using the 3-anonymous patient data and the 4-anonymous published data from the k-anonymity slide.) Five persons in the published data (Alice, Cathy, Emily, Gladys, Irene) belong to the group {Artist, Female, [30-35)}, while the patient data contain four records with these quasi-identifiers, so the probability that Emily is present in the patient data is 4/5 = 80%.

Source: B.C.M. Fung et al.: Introduction to Privacy-Preserving Data Publishing: Concepts and Techniques. CRC, 2010

DATA PRIVACY
Privacy model: δ-presence

The privacy model δ-presence is one of the models that prevent table linkage attacks.
Let $P$ be the public (external) table, $T \subseteq P$ the private table and $T^*$ the published, generalized version of $T$. The release $T^*$ is $(\delta_{\min}, \delta_{\max})$-present if, for every record $t \in P$, the probability of inferring its presence in $T$ is bounded by

$$\delta_{\min} \;\leq\; P(t \in T \mid T^*) \;\leq\; \delta_{\max}.$$

In the example above, $P(\text{Emily} \in T \mid T^*) = 4/5$, so $\delta_{\max}$ would have to be at least 0.8 for that release to be $\delta$-present.

If the adversary has at most δ confidence that the target's record is present in the published data, then the probability of a successful linkage to the record in the private data is also at most δ.

Source: B.C.M. Fung et al.: Introduction to Privacy-Preserving Data Publishing: Concepts and Techniques. CRC, 2010
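The δ-presence computation for the tables of the last two slides, added here as an example for this lecture (not code from the slides or from Fung et al.). P is the slide's 4-anonymous published data and T* the quasi-identifiers of the 3-anonymous patient data; the function names presence_probabilities, delta_presence, is_delta_present and generalize_all are this example's own. Beyond the slide's single 4/5, it computes the bound for every person and shows what the strongest possible generalization buys.

```python
"""δ-presence of a release T* against a public table P.

Added example for this lecture; not part of the original slides or of
Fung et al. P is the slide's 4-anonymous published data, T* the QIDs of
the slide's 3-anonymous patient data; function names are this example's own.
"""
from collections import Counter
from typing import Dict, List, Tuple

Row = Tuple[str, ...]

# Public table P: name followed by the generalized quasi-identifiers.
PUBLIC_P: List[Row] = [
    ("Alice", "Artist", "Female", "[30-35)"),
    ("Bob", "Professional", "Male", "[35-40)"),
    ("Cathy", "Artist", "Female", "[30-35)"),
    ("Doug", "Professional", "Male", "[35-40)"),
    ("Emily", "Artist", "Female", "[30-35)"),
    ("Fred", "Professional", "Male", "[35-40)"),
    ("Gladys", "Artist", "Female", "[30-35)"),
    ("Henry", "Professional", "Male", "[35-40)"),
    ("Irene", "Artist", "Female", "[30-35)"),
]

# Release T*: quasi-identifiers of the patient data, sensitive column dropped.
RELEASE_T_STAR: List[Row] = [
    ("Professional", "Male", "[35-40)"),
    ("Professional", "Male", "[35-40)"),
    ("Professional", "Male", "[35-40)"),
    ("Artist", "Female", "[30-35)"),
    ("Artist", "Female", "[30-35)"),
    ("Artist", "Female", "[30-35)"),
    ("Artist", "Female", "[30-35)"),
]


def presence_probabilities(public: List[Row], release: List[Row]) -> Dict[str, float]:
    """P(t in T | T*) for every person t in P: the number of released records
    in t's equivalence class divided by the number of persons of P in that
    class. A class absent from T* gives 0 (the adversary learns absence)."""
    pub_counts = Counter(row[1:] for row in public)
    rel_counts = Counter(release)
    return {row[0]: rel_counts[row[1:]] / pub_counts[row[1:]] for row in public}


def delta_presence(public: List[Row], release: List[Row]) -> Tuple[float, float]:
    """The tightest (δmin, δmax) that the release actually achieves."""
    probs = list(presence_probabilities(public, release).values())
    return min(probs), max(probs)


def is_delta_present(public: List[Row], release: List[Row],
                     d_min: float, d_max: float) -> bool:
    lo, hi = delta_presence(public, release)
    return d_min <= lo and hi <= d_max


def generalize_all(public: List[Row], release: List[Row],
                   star: Row = ("*", "*", "*")) -> Tuple[List[Row], List[Row]]:
    """Strongest generalization: every QID tuple collapses to one value, so
    P(t in T | T*) = |T| / |P| for everyone. The range (δmin, δmax) always
    contains |T| / |P|; total generalization shrinks it to exactly that value."""
    return [(row[0], *star) for row in public], [star for _ in release]


if __name__ == "__main__":
    for name, p in presence_probabilities(PUBLIC_P, RELEASE_T_STAR).items():
        print(f"P({name} in T | T*) = {p:.2f}")
    print("achieved (δmin, δmax):", delta_presence(PUBLIC_P, RELEASE_T_STAR))
    pub2, rel2 = generalize_all(PUBLIC_P, RELEASE_T_STAR)
    print("after total generalization:", delta_presence(pub2, rel2))
```

The Professional group gives 3/4 and the Artist group 4/5, so the release is (0.75, 0.80)-present; a policy demanding δmax = 0.75 would already reject it, and no generalization can push δmax below the sampling fraction 7/9.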

DATA PRIVACY
Attack model: probabilistic linkage

In a "probabilistic linkage" attack it is assumed that the adversary has no prior knowledge about the data holder, so the attack is not based on specific records, attributes or tables that could link the data to their holders. Instead, the adversary compares what was believed before seeing the published data (the prior) with what is believed after seeing it (the posterior).
For models based on the uninformative principle it is therefore important to ensure that the difference between the prior and the posterior beliefs is as small as possible.

Source: B.C.M. Fung et al.: Introduction to Privacy-Preserving Data Publishing: Concepts and Techniques. CRC, 2010

DATA PRIVACY
Privacy model: ε-differential privacy

The privacy model ε-differential privacy is one of the models that prevent probabilistic linkage attacks.
A randomized release mechanism $F$ is ε-differentially private when adding or removing a single record from the input does not significantly change the probability of any output, and therefore does not significantly increase the risk of disclosure:

$$\left| \ln \frac{P[F(T_1) = s]}{P[F(T_2) = s]} \right| \;\leq\; \varepsilon \quad \forall s \in S,$$

where $T_1$ and $T_2$ are data sets that differ in at most one record, $F$ is a randomized function (e.g. a query answer with added noise) and $S$ is the set of possible outputs of $F$.

The data holder can therefore assume that publishing the selected record changes the probability of any disclosure by at most a factor of $e^{\varepsilon}$ compared to not publishing it. The guarantee is a property of the mechanism $F$, not of a particular released table, and a smaller ε means stronger privacy at the cost of noisier answers.
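The inequality above checked numerically, added here as an example for this lecture (not code from the slides or from Fung et al.). The slide leaves F abstract; this example assumes F is the Laplace mechanism, i.e. the true answer of a counting query plus Laplace noise of scale Δf/ε, and constructs the query "how many patients have angina" over the diseases of the 3-anonymous patient data. The names count_angina, privacy_loss, max_privacy_loss, satisfies_dp and release are this example's own. It shows the bound holding with equality at the worst output, and failing as soon as the noise is scaled down.

```python
"""ε-differential privacy: the Laplace mechanism for a counting query.

Added example for this lecture; not part of the original slides or of
Fung et al. F is assumed to be the Laplace mechanism; the query and the
two neighbouring tables are constructed from the slide's patient data.
"""
import math
import random
from typing import Callable, Iterable, List

# T1: diseases of the slide's 3-anonymous patient data; T2: one record removed.
T1: List[str] = ["Hepatitis", "Hepatitis", "Angina", "Flu", "Angina", "Angina", "Angina"]
T2: List[str] = T1[:-1]

Query = Callable[[List[str]], int]


def count_angina(table: List[str]) -> int:
    """Counting query f. Adding or removing one record changes f by at most 1,
    so its sensitivity Δf is 1."""
    return sum(1 for d in table if d == "Angina")


SENSITIVITY = 1.0


def laplace_pdf(x: float, mu: float, b: float) -> float:
    return math.exp(-abs(x - mu) / b) / (2.0 * b)


def privacy_loss(query: Query, t1: List[str], t2: List[str], b: float, s: float) -> float:
    """|ln P[F(T1)=s] / P[F(T2)=s]| for F = f + Laplace(0, b), at output s."""
    return abs(math.log(laplace_pdf(s, query(t1), b) / laplace_pdf(s, query(t2), b)))


def max_privacy_loss(query: Query, t1: List[str], t2: List[str], b: float,
                     outputs: Iterable[float] = range(-20, 41)) -> float:
    """Worst case over a grid of outputs. For Laplace noise the analytic worst
    case is |f(T1) - f(T2)| / b, reached for every s outside [f(T1), f(T2)]."""
    return max(privacy_loss(query, t1, t2, b, s) for s in outputs)


def satisfies_dp(query: Query, t1: List[str], t2: List[str], eps: float, b: float) -> bool:
    """The ε-differential-privacy inequality for this neighbouring pair. With
    b = Δf/ε it holds with equality at the worst s; a smaller b (less noise)
    violates it."""
    return max_privacy_loss(query, t1, t2, b) <= eps + 1e-9


def release(query: Query, table: List[str], eps: float, rng: random.Random) -> float:
    """The Laplace mechanism F(T) = f(T) + Laplace(0, Δf/ε), sampled by inverse
    CDF. The noise scale depends only on Δf and ε, never on the data."""
    b = SENSITIVITY / eps
    u = rng.random() - 0.5
    while 1.0 - 2.0 * abs(u) <= 0.0:  # guard the measure-zero endpoint u = -0.5
        u = rng.random() - 0.5
    return query(table) + (-b * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u)))


if __name__ == "__main__":
    eps = 0.5
    print("true answers f(T1), f(T2):", count_angina(T1), count_angina(T2))
    print("max privacy loss at b = Δf/ε:   ", round(max_privacy_loss(count_angina, T1, T2, SENSITIVITY / eps), 6))
    print("max privacy loss at b = Δf/(2ε):", round(max_privacy_loss(count_angina, T1, T2, SENSITIVITY / (2 * eps)), 6))
    rng = random.Random(2024)
    print("five noisy releases:", [round(release(count_angina, T1, eps, rng), 2) for _ in range(5)])
```

Two practical consequences follow from the code: the privacy loss is bounded for every output s, not on average, and the same ε is spent again by every additional release of the same data, so repeated queries add up.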


DATA CONFIDENTIALITY
What is data confidentiality?

Data confidentiality is the ethical principle of restrictions and privileges in the communication between a client and a professional (e.g. between a patient and a medical professional).

Every disclosure of confidential or sensitive data may cause loss or damage, such as:
- identity theft
- legal suits
- loss of business
- criminal prosecution

DATA CONFIDENTIALITY
The Hippocratic oath and the Declaration of Geneva

The Hippocratic oath is an oath taken by physicians at the end of their studies. Among other things, the oath states:
"And whatsoever I shall see or hear in the course of my profession, as well as outside my profession in my intercourse with men, if it be what should not be published abroad, I will never divulge, holding such things to be holy secrets." (translation: James Loeb)

The Declaration of Geneva, drafted by the World Medical Association (WMA), is a revision of the Hippocratic oath. Among other things, the declaration states:
"I will respect the secrets that are confided in me, even after the patient has died."



CONCLUSION
Literature

- M. Stamp: Information Security – Principles and Practice. Wiley, 2006
- B.C.M. Fung et al.: Introduction to Privacy-Preserving Data Publishing: Concepts and Techniques. CRC, 2010
- W. Trappe and L.C. Washington: Introduction to Cryptography with Coding Theory. Pearson, 2nd Edition, 2005


CONCLUSION
Enabling security, privacy, confidentiality…


CONCLUSION
Discussion, comments, questions...

- What are data security, data privacy and data confidentiality?
- What are the key concepts and mechanisms of data security?
- Describe the process of risk management.
- Explain the difference between authentication and authorization from the access control perspective.
- What kinds of authentication approaches exist?
- Describe the properties of biometric authentication.
- What kinds of authorization approaches exist?
- Describe multi-level and multi-categorical authorization.
- List and describe some of the attack models on data privacy.
- List and describe some data privacy models.
