The challenge
The Internet's rapid expansion has accelerated the move toward digitizing a vast trove of personal information, resulting in a growing body of regulations aimed at protecting that data from unauthorized access. Businesses and healthcare organizations, under the jurisdiction of the Health Insurance Portability & Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act in the U.S., as well as the Japanese Privacy Act and the Australian Privacy Act, are responsible for safeguarding customers' privacy and protecting the security and confidentiality of that data.
In the U.S., the current push toward electronic health records (EHR) has put a spotlight on this important issue. Under pressure from the Department of Health and Human Services, which in 2004 outlined a 10-year plan for developing a national health information infrastructure, healthcare providers are working to digitize patients' information so that it can be shared among physicians and healthcare facilities, and can be accessed in case of medical emergency. The government has estimated that adopting EHR systems nationally could reduce the nation's $1.7 trillion health bill by 10 percent, while at the same time improving privacy and reducing medical errors. That trend, however, has brought with it the need for privacy controls to prevent unlawful access and disclosure of patient data, as well as an auditing system to verify compliance with privacy regulations and respond to requests for disclosure tracking.
The approach In response to these concerns, researchers at IBM's Almaden Research Center, working in partnership with IBM Global Business Services, have developed the Hippocratic database technology. IBM Fellow Rakesh Agrawal says the Hippocratic database technology design is based on the Hippocratic oath that frames doctor-patient relationships: "… whatever I may see or hear … in the life of human beings … I will remain silent, holding such things to be unutterable." With that concept in mind, Agrawal and his colleagues have created a database-agnostic disclosure control and compliance auditing middleware solution designed to allow current business operations to proceed with minimal or no changes to existing systems. Agrawal says his vision for the Hippocratic database technology encompasses 10 guiding principles: purpose specification, consent, limited collection, limited use, limited disclosure, limited retention, accuracy, safety, openness and compliance.
The Hippocratic database technology set includes active enforcement, a cell-level disclosure management system that helps limit data access to authorized persons. It also features compliance auditing designed to help facilitate determination of who accessed designated data, when and for what purpose. The flexible system can help simplify the installation and enforcement of a corporate privacy policy and allows dynamic policy updates. Additional data protection components such as sovereign information sharing, data de-identification, order preserving encryption, watermarking, privacy preserving data mining and k-anonymization are available as options.
Next steps IBM anticipates that the growth in on demand businesses, coupled with rising privacy concerns and massive expansion in corporate data, will fuel additional applications for this technology. This innovative privacy solution could help provide a strong competitive advantage for clients in an era when privacy is an increasingly important concern. In addition to helping safeguard patients’ healthcare records, the Hippocratic database technology can help offer privacy protection to financial institutions and government agencies.
For more information on how the Hippocratic database technology can help a company face the challenges of privacy on the Internet, contact contact ODIS today.
| |
