Pseudonymization of patient identifiers for translational research.

Aamot H, Kohl CD, Richter D, Knaup-Gregori P - BMC Med Inform Decis Mak (2013)

Bottom Line: If these biospecimens are anonymized, individual research results from genomic research, which should be offered to patients in a clinically relevant timeframe, cannot be associated back to the individual. The pseudonymization service provider is unable to derive the patient identifier from the pseudonym, but assigns this ability to an authorized third party (ombudsman) instead. Assigned ombudsmen are able to de-pseudonymize a patient if an individual research result is clinically relevant.

View Article: PubMed Central - HTML - PubMed

Affiliation: NCT Trial Center, German Cancer Research Center, Heidelberg, Germany. harald.aamot@nct-heidelberg.de

ABSTRACT

Background: The use of patient data for research poses risks to the patients' privacy and informational self-determination. Next-generation sequencing technologies and various other methods obtain data from biospecimens, both for translational research and for personalized medicine. If these biospecimens are anonymized, individual research results from genomic research, which should be offered to patients in a clinically relevant timeframe, cannot be associated back to the individual. This raises an ethical concern and challenges the legitimacy of anonymized patient samples. In this paper we present a new approach which supports both data privacy and the possibility of giving feedback to patients about their individual research results.

Methods: We examined previously published privacy concepts with respect to a streamlined de-pseudonymization process and a patient-based pseudonym, as applicable to research with genomic data and to data warehousing approaches. All concepts identified in the literature review were compared with each other and analyzed for their applicability to translational research projects. We evaluated how these concepts cope with the challenges posed by personalized medicine. Both person-centricity issues and the separation of pseudonymization from de-pseudonymization emerged as central themes of our examination. This motivated us to enhance an existing pseudonymization method with respect to a separation of duties.

Results: The existing concepts rely on external trusted third parties, making de-pseudonymization a multistage process involving additional interpersonal communication, which might cause critical delays in patient care. We therefore propose an enhanced method with an asymmetric encryption scheme that separates the duties of pseudonymization and de-pseudonymization. The pseudonymization service provider is unable to derive the patient identifier from the pseudonym, but assigns this ability to an authorized third party (ombudsman) instead. To solve person-centricity issues, a collision-resistant function is incorporated into the method. Combined, these two properties enable us to address essential challenges in translational research. A productive software prototype was implemented to prove the functionality of the suggested translational, privacy-preserving method. Finally, we performed a threat analysis to evaluate potential hazards connected with this pseudonymization method.

Conclusions: The proposed method offers sustainable organizational simplification of an ethically indicated, but secure and controlled, process of de-pseudonymizing patients. A pseudonym is patient-centered, which allows separate datasets from one patient to be correlated. This method therefore bridges the gap between bench and bedside in translational research while preserving patient privacy. Assigned ombudsmen are able to de-pseudonymize a patient if an individual research result is clinically relevant.

Figure 6: The software prototype – single sample pseudonymization request. The PID is the only input to create or retrieve a pseudonym. Selection of a research project controls which ombudsmen are able to de-pseudonymize a patient. Other inputs are used to generate a comprehensive barcode for sample storage management within a “Laboratory Information Management System” (LIMS). The CAPTCHA and the authentication screen are also visible on the screenshot.

Mentions: The service is used for translational research projects in Heidelberg. Loss of an ombudsman's private key or PIN renders de-pseudonymization by that ombudsman virtually impossible. As our method allows more than one cryptographic public key, we appointed an institutional review board as a "backup ombudsman" in addition to various project-specific ombudsmen. Typically, the principal investigator (PI) of a project serves as an ombudsman. After institutional authentication, authorized users access the pseudonymization service through a web-based interface. Either single-sample pseudonymization (see Figure 6) or batch pseudonymization via a spreadsheet upload function is available. Batch sizes are limited to reduce the impact of malicious service abuse. The service's authentication mechanism relies on the "Lightweight Directory Access Protocol" (LDAP), querying the institutional domain server. To counter automated abuse, a reverse Turing test (RTT) is performed using a "Completely Automated Public Turing test to tell Computers and Humans Apart" (CAPTCHA), as developed by Ahn, Blum and Langford [36]. In our prototype it displays random characters in an image intended to be unreadable to automated clients. The simplest form of pseudonymization in our prototype is to generate an accompanying ticket with a barcode containing the patient's pseudonym (see Figure 7). This ticket can be printed out and sent to the sample-processing lab together with a biospecimen. Batch pseudonymization with spreadsheets is available for several biospecimens obtained at once, e.g. from the NCT tissue bank for a specific research project.
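The separation of duties described in the Results and in the paragraph above, as an added example in Go (standard library only). This is not the authors' prototype: the page does not give their exact construction, so HMAC-SHA256 is assumed as the collision-resistant, patient-centred pseudonym function and RSA-OAEP as the asymmetric scheme; the ombudsman names, the service secret and the patient IDs are constructed. The service stores, per patient, the pseudonym and one ciphertext of the PID per appointed ombudsman (here a project PI and the IRB as backup ombudsman), so it can create or retrieve a pseudonym but cannot reverse it, while any single appointed ombudsman who still holds a private key can.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Ombudsman is one party allowed to de-pseudonymize. Only Pub is given to the
// pseudonymization service; priv stays with the ombudsman (PI or backup IRB).
type Ombudsman struct {
	Name string
	Pub  *rsa.PublicKey
	priv *rsa.PrivateKey
}

// NewOmbudsman generates a fresh 2048-bit RSA key pair for an ombudsman.
func NewOmbudsman(name string) (*Ombudsman, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Ombudsman{Name: name, Pub: &k.PublicKey, priv: k}, nil
}

// LoseKey simulates a lost private key or forgotten PIN: this ombudsman can no
// longer decrypt anything, but the other appointed ombudsmen still can.
func (o *Ombudsman) LoseKey() { o.priv = nil }

// Record is what the service stores per patient: the pseudonym plus one
// RSA-OAEP ciphertext of the PID per appointed ombudsman. No plaintext PID.
type Record struct {
	Pseudonym string
	Envelopes map[string][]byte // ombudsman name -> OAEP(PID)
}

// Service is the pseudonymization service provider. hmacKey (assumed secret)
// keeps the pseudonym unlinkable to anyone who does not hold it.
type Service struct {
	hmacKey []byte
	records map[string]*Record
}

func NewService(hmacKey []byte) *Service {
	return &Service{hmacKey: hmacKey, records: map[string]*Record{}}
}

// normalizePID makes the pseudonym patient-centred: the same PID written with
// different spacing or case must yield the same pseudonym.
func normalizePID(pid string) string {
	return strings.ToUpper(strings.Join(strings.Fields(pid), ""))
}

// Pseudonym is the deterministic, collision-resistant function (assumed here:
// HMAC-SHA256 truncated to 128 bits), so datasets of one patient correlate.
func (s *Service) Pseudonym(pid string) string {
	m := hmac.New(sha256.New, s.hmacKey)
	m.Write([]byte(normalizePID(pid)))
	return hex.EncodeToString(m.Sum(nil))[:32]
}

// Pseudonymize creates or retrieves the record for pid. On creation the PID is
// encrypted once per ombudsman; the pseudonym is the OAEP label, so an envelope
// transplanted to another record fails to decrypt.
func (s *Service) Pseudonymize(pid string, ombudsmen []*Ombudsman) (*Record, error) {
	psn := s.Pseudonym(pid)
	if rec, ok := s.records[psn]; ok {
		return rec, nil // retrieve: another sample of a known patient
	}
	rec := &Record{Pseudonym: psn, Envelopes: map[string][]byte{}}
	for _, o := range ombudsmen {
		ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, o.Pub, []byte(normalizePID(pid)), []byte(psn))
		if err != nil {
			return nil, err
		}
		rec.Envelopes[o.Name] = ct
	}
	s.records[psn] = rec
	return rec, nil
}

// DePseudonymize recovers the PID; only an ombudsman appointed for this record
// who still holds the matching private key can succeed.
func (o *Ombudsman) DePseudonymize(rec *Record) (string, error) {
	if o.priv == nil {
		return "", errors.New(o.Name + ": private key unavailable")
	}
	ct, ok := rec.Envelopes[o.Name]
	if !ok {
		return "", errors.New(o.Name + ": not an appointed ombudsman for this record")
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, o.priv, ct, []byte(rec.Pseudonym))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	pi, _ := NewOmbudsman("PI-ProjectA")
	irb, _ := NewOmbudsman("IRB-backup")
	svc := NewService([]byte("constructed service secret, not a real key"))
	rec, _ := svc.Pseudonymize("NCT-000123", []*Ombudsman{pi, irb}) // constructed PID
	again, _ := svc.Pseudonymize(" nct-000123 ", []*Ombudsman{pi, irb})
	fmt.Println("patient-centred:", rec.Pseudonym == again.Pseudonym, rec.Pseudonym)
	pi.LoseKey()
	_, err := pi.DePseudonymize(rec)
	fmt.Println("PI after key loss:", err)
	pid, _ := irb.DePseudonymize(rec)
	fmt.Println("IRB backup recovers:", pid)
}
```

Two caveats a practitioner should keep in mind. First, a deterministic keyed pseudonym is only as unlinkable as the HMAC key: whoever holds it can re-identify a patient by enumerating a small PID space, so that key must be confined to the service and the service itself must not hold any ombudsman private key. Second, the backup ombudsman fully restores de-pseudonymization after a lost PI key only because the PID was encrypted to every appointed public key at creation time; ombudsmen added later cannot decrypt existing records unless an existing ombudsman re-encrypts for them.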
