de-identifying health information

by Michael Werneburg
on 2017.07.19

You are here:
Risk topics
» Risk topics blog
July, 2017
· de-identifying health information
· that's a lot of tracking!

June, 2017
· gaming Google news
· privacy in this day and age
· another record breach
· writing an industry standard
· ISACA article accepted

May, 2017
· Covey time-management quadrants
· safe harbor de-identification of health data
· an ISACA article

April, 2017
· my guide on managing third party risk
· PMP for five years
· metrics that matter
· 720 reads in 48 hours
· I lost my job

March, 2017
· farewell, SIRA board
· the message and the medium
· an interesting take on consulting

February, 2017
· the ever-expanding sh*tlist
· claiming professional expenses in Canada
· get cyber safe
· the flight of the wealthy

January, 2017
· virtual kidnapping
· financial industry vendor management

November, 2016
· securing your life
· yet another reason to patch

October, 2016
· DNS subdomain discovery
· fintech and information risk

September, 2016
· on failed persons

July, 2016
· how to sabotage innovative projects

June, 2016
· no fix for cyber security in our lifetime


more...

I currently have a contract with a firm that "de-identifies" health information prior to it being shared with third parties such as marketers, drug manufacturers, and researchers. De-identification is the process of ensuring that the payload information (about a series of hospital visits, or about drug prescriptions) cannot be tracked back to the individual patients.

It's a tricky business, because it's not about the direct identifiers that you simply blot out of the information prior to its sharing: the names, birth dates, and patient ID's. It's about handling the rest of the information in a way that no journalist or prosecutor is going to be able to piece things together from the evidence remaining. This involves things like introducing subtle changes to the data that allow the data to still retain value. Several of the tools used involve statistical processes.

It's very interesting, and has opened a new dimension in my understanding of information risk.

current
next
big list
first