On privacy-preserving access to distributed heterogeneous healthcare information

Regional healthcare initiatives seek to improve the quality of healthcare by collecting, analyzing, and disseminating information about chronic diseases such as diabetes. The data required to support such initiatives comes from several organizations such as insurers, physicians, hospitals, pharmacies and labs each of which gather and maintain data for the purpose of healthcare delivery. Accessing data in this distributed and heterogeneous environment is difficult and has to deal with well-documented issues such as resolving semantic conflicts, multiple query languages etc. Data warehousing and mediator-based architectures are often proposed and used in these settings. In this paper, we focus on mediator-based architectures and the privacy problems that arise in the healthcare context owing to the linkage of information about patients, physicians, and diseases enabled by the mediator. Current proposals for security-conscious mediators do not address inferential disclosure resulting from record linkage. In particular, we study the problem of interval inference, a specific kind of disclosure that arises when participants are able to compute tight bounds on sensitive values of other participants, based on the aggregate information published by the mediator. We illustrate our approach with a real world example and propose an "audit and aggregate" methodology that chooses the optimal level of aggregation of the data taking into account both the risk of disclosure as well as the utility of the released data to legitimate users.