DOI: 10.1145/3589335.3651453
short-paper
Open access

AI in Health and Social Care: A Methodology for Privacy Risk Modeling and Simulation

Published: 13 May 2024

    Abstract

    As health and social care data networks evolve and adapt to greater digitalization and datafication of health, data and analytics systems are developing and bringing forward new ways to share, access and analyze data. Organizations and individuals making data sharing decisions for AI-enabled health and social care services need to be able to balance the benefits of such uses with the possible risks that may ensue - including those related to issues of privacy and security. In this paper, we provide an overview of our approach to privacy risk assessment for cross-domain access and re-use of sensitive data for research purposes using Spyderisk - an automated risk assessment tool. We apply Spyderisk to a real AI research scenario and consider the ways in which such techniques could support multiple stakeholders to assess privacy and security risks.


        Published In

        WWW '24: Companion Proceedings of the ACM on Web Conference 2024
        May 2024
        1928 pages
        ISBN: 9798400701726
        DOI: 10.1145/3589335

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Author Tags

        1. automated risk analysis
        2. cause-and-effect
        3. data governance
        4. privacy risk assessment
        5. threat modelling

        Qualifiers

        • Short-paper

        Funding Sources

        • NIHR Southampton Biomedical Research Centre (Data, Health and Society Theme)

        Conference

        WWW '24
        WWW '24: The ACM Web Conference 2024
        May 13 - 17, 2024
        Singapore, Singapore

        Acceptance Rates

        Overall Acceptance Rate 1,899 of 8,196 submissions, 23%

        Article Metrics

        • Total Citations: 0
        • Total Downloads: 65
        • Downloads (Last 12 months): 65
        • Downloads (Last 6 weeks): 25
        Reflects downloads up to 27 Jul 2024
