What threats to businesses might this data present

[JohnMoehrke]

as requested by Keith, the Security Considerations should include a description of some of the threats to a business with respect to public release of the data in the IG. How is the information Business Sensitive? How might it be used maliciously? These threats might drive for more strict release of the data only for Public Health reporting, vs a modification of the data such that public release has less threat.

[JohnMoehrke]

example news: Coronavirus fallout: Massachusetts won’t release town-specific COVID-19 data, citing ‘stigma’ and privacy; some towns doing it on their own https://www.masslive.com/coronavirus/2020/04/coronavirus-fallout-massachusetts-wont-release-town-specific-covid-19-data-citing-stigma-and-privacy-some-towns-doing-it-on-their-own.html

[JohnMoehrke]

Risks identified from that news and general musings

• Risk to re-identification when the Location (region reporting on) is small enough -- example of how k-anonymity is important even on GEO locations. One must do risk assessment of re-identification given the location specificity.
• • see EFF article on such https://www.eff.org/deeplinks/2020/04/how-protect-privacy-when-aggregating-location-data-fight-covid-19

[JohnMoehrke]

• Risk to reputation of a healthcare facility -- there is note that some facilities are worried that poor numbers will make them look bad.
• • Not sure how to deal with this one.
• • It might justify an access control rule that is specific to Public Health agencies... aka not the Press or Public...

[JohnMoehrke]

• Risk to a community reputation -- if a community is harder hit, it may be perceived negatively on that community. People in that community may be targeted and bullied (cyberbullying). (I read targeted as in by scams, advertising, or ambulance-chasing-lawyers) Noted as well that if a region is small enough and reports a death, then outsiders can possibly re-identify the individual
• • Roll up results publicly available that are larger regions. The Location size may be too small
• • Mitigation indicated is some policy/action against re-identification

[JohnMoehrke]

• Need to know details by neighborhood, age, and gender
• • as Boston is shown, these vectors could be reported independent summaries to limit the correlation. Reporting then in a combined report would enable the three vectors to be used in re-identification. https://bphc.org/whatwedo/infectious-diseases/Documents/COVID19_2019to2020_report_Week13_final_ADA.pdf
• • often technical solutions desire to report one spreadsheet with all the vectors and details so that it enables many views. However this leaves the vectors as methods of correlating. For example someone who is 55 years old, Male, in a specific zipcode... If three independent summary reports are given for each vector, then the correlation can't be made. Important that the results are summarized and independent.

[JohnMoehrke]

• How small is too small? a question that must always be asked in De-Identification. Too small and one increases the risk of re-identification to unacceptable level (only the null data set has zero risk).
• • K-anonymity tends to use the value 3. But that would mean that reporting regions (Locations) would need to be big enough to include 3 or more incidents.
• • for a Location with less than 3 incidents they could report "N/A" which means 'less than 10'.
• • Can they report zero?
• • some evidence that k can be 2.

[JohnMoehrke]

IG Design Mitigation

• Design the reports such that they separate vectors that might be used to re-identify
• Design the reports such that they can be rolled up to larger regions to lower overall risk
• All elements added to a report should be evaluated as to their value to the use-case vs their sensitivity risk exposure
• • any elements determined to be sensitive yet essential should be identified as such

[JohnMoehrke]

Operational Mitigation

• Note that sensitivity is both to the healthcare facility reputation, regions reputation, and to re-identification of individuals
• Data authors need to determine their risk tolerance
• reporting region defines their region (Location) as big as they need to in order to limit exposure of re-identification
• Results are rolled up from more fine-grain regions (Locations) only by authorized intermediaries
• More sensitive results are more restricted. That is to say that only trusted authorities (Public Health officials) and trusted intermediaries get access to information with the above sensitivity risks.
• Mechanisms to report on large enough regions to the public.

[JohnMoehrke]

See IHE Handbook on De-Identification that includes element analysis and mitigation methods https://wiki.ihe.net/index.php/Healthcare_De-Identification_Handbook

[JohnMoehrke]

Provided text in commit to fhir-saner https://github.com/HL7/fhir-saner/commit/e5b2b39a8d0c0a6b2492d855ecf682dae51a9cb3#diff-4e396ddf4872ae6d43c86dbd3400ff19