Global Disclosure Risk for Microdata with Continuous Attributes
Traian Marius Truta
Northern Kentucky University
HIPAA Privacy Rule
• The Health Insurance Portability and Accountability Act (1996)
• The Privacy Rule protects the privacy of individually identifiable health information by establishing conditions for its use and disclosure
• Privacy Rule effective date: 14 April 2003
• Defines 18 identifiers that must be removed in order to de-identify the data
Traian Truta - Northern Kentucky University
The Identifiers in the Privacy Rule
• Names
• Telephone #
• Fax #
• E-mail address
• Social Security #
• Medical record, prescription #
• Health Plan beneficiary #
• Account #
• Certificates/license #
• VIN and serial #, license plate #
• Device identifiers, serial #
• Web URLs
• IP address
• Biometric identifiers (fingerprints)
• Full face photo images
• Unique identifying #
• Geographic info (including city, state, and zip)
• Elements of dates
De-identification Process
• Remove all 18 defined identifiers, with no knowledge that the remaining information can identify the individual (Safe Harbor)
• Statistically “de-identified” information, where a statistician certifies that there is a “very small” risk that the information could be used to identify the individual
Disclosure Control Problem
[Diagram: Individuals submit data; the Data Owner collects it, applies the Masking Process and releases the Masked Data; the Researcher and the Intruder receive the Masked Data. A label "This Presentation" marks part of the diagram.]
• Confidentiality of Individuals: Measures of Disclosure Risk
• Preserve Data Utility: Measures of Information Loss
• Researcher: Use Masked Data for Statistical Analysis
• Intruder: Use Masked Data and External Data to disclose confidential information
General Framework for Microdata
• I – Identifier Attributes (Name, SSN, etc.)
• K – Key Attributes (Zip Code, Age, Race, etc.)
• S – Confidential Attributes (Income, Diagnosis, etc.)
Disclosure Control Techniques
• Different disclosure control techniques are applied to the following initial microdata:
Remove Identifiers
• Identifiers such as Names, SSN, etc. are removed
Sampling
• Sampling is the disclosure control method in which only a subset of records is released
• If n is the number of elements in the initial microdata and t the number of released elements, we call sf = t / n the sampling factor
• Simple random sampling is more frequently used. In this technique, each individual is chosen entirely by chance and each member of the population has an equal chance of being included in the sample
Microaggregation
• Order records from the initial microdata by an attribute, create groups of consecutive values, replace those values by the group average
• Microaggregation for attribute Income and minimum size 3
• The total sum for all Income values remains the same.
Global Disclosure Risk Measures
Assumptions
• The intruder does not know any confidential information
• The intruder knows all the key and identifier values for the population
Objectives
• DR Measures for specific DC methods (Remove Identifiers, Sampling, Microaggregation, etc.)
• DR Measures for any combination of DC methods
Proposed measures
• DRmin
• DRW
• DRmax
Notations for IM and IMM
• n – the number of entities in the population.
• F – the number of clusters with the same values for key attributes.
• Ak – the set of elements from the k-th cluster for all k, 1 ≤ k ≤ F.
• Fi = |{Ak | |Ak| = i, for all k = 1, .., F }| for all i, 1 ≤ i ≤ n. Fi represents the number of clusters with the same length.
• ni = |{x ∈ Ak | |Ak| = i, for all k = 1, .., F }| for all i, 1 ≤ i ≤ n. ni represents the number of records in clusters of length i.
Disclosure Risk Measures for Remove Identifiers Method
• {1, 2, 4}
• {3, 5, 9}
• {6, 10}
• {7}
• {8}
Disclosure Risk Measures for Remove Identifiers Method
- considers probabilistic linkage
- percentage of unique records
- weights defined by data owner
w = (w1, w2, …, wN) disclosure risk weight vector.
Properties
a) wi ∈ R+ for all i = 1, .. , n;
b) wi ≥ wj for all i ≤ j, i, j = 1, .. , n;
Disclosure Risk Measures for Remove Identifiers Method
• w1 = (5, 5, 0, 0, ..., 0)
• w2 = (4, 3, 3, 0, ..., 0)
Disclosure Risk Measures for RI Method with Continuous Attribute
• What if the intruder has only approximations of income?
• We consider vicinity sets!
• w1 = (5, 5, 0, 0, ..., 0)
• w2 = (4, 3, 3, 0, ..., 0)
Notations for Masked Microdata
• f – the number of clusters with the same values for key attributes in M.
• We cluster all records from M based on their key values. Bk – the set of elements from the k-th cluster for all k, 1 ≤ k ≤ f.
• fi = |{Bk | |Bk| = i, for all k = 1, .., f }| for all i, 1 ≤ i ≤ n. fi represents the number of clusters with the same length.
• ti = |{x ∈ Bk | |Bk| = i, for all k = 1, .., f }| for all i, 1 ≤ i ≤ n. ti represents the number of records in clusters of length i.
• C – the classification matrix. For all i, j = 1, .., n; cij = |{x ∈ Bk and x ∈ Ap | |Bk| = i, for all k = 1, .., f and |Ap| = j, for all p = 1, .., F }|. Each element of C, cij, represents the number of records that appear in clusters of size i in the masked microdata and appeared in clusters of size j in the initial microdata.
Algorithm for Creating Classification Matrix
Initialize each element from C with 0.
For each element s from masked microdata MM do
  Count the number of occurrences of key values of s in masked microdata MM. Let i be this number.
  Count the number of occurrences of key values of s in initial microdata IM. Let j be this number.
  Increment cij by 1.
End for.
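The classification-matrix algorithm above, applied to microdata masked by the univariate microaggregation described earlier, as an added Python example (not code from the presentation). It assumes the data owner can match each masked record to its initial record by a record id, so j is taken from the record's original key values; the function names, the sample records and the merging of a short final group are constructed for illustration.

```python
from collections import Counter

def microaggregate(values, k):
    """Sort, cut into groups of k consecutive values, replace each by its group mean.
    Assumption: a final group smaller than k is merged into the previous group."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    groups = [order[p:p + k] for p in range(0, len(order), k)]
    if len(groups) > 1 and len(groups[-1]) < k:
        groups[-2].extend(groups.pop())
    masked = [0.0] * len(values)
    for g in groups:
        mean = sum(values[i] for i in g) / len(g)
        for i in g:
            masked[i] = mean
    return masked

def cluster_profile(keys):
    """Return {i: (Fi, ni)}: Fi clusters of size i, holding ni = i * Fi records."""
    F = Counter(Counter(keys).values())
    return {i: (F_i, i * F_i) for i, F_i in sorted(F.items())}

def classification_matrix(initial, masked):
    """C[(i, j)]: records in a size-i cluster of MM that were in a size-j cluster of IM.
    Both arguments map record id -> key tuple; masked may hold fewer ids (sampling)."""
    im_size = Counter(initial.values())
    mm_size = Counter(masked.values())
    C = Counter()
    for rid, key in masked.items():
        C[(mm_size[key], im_size[initial[rid]])] += 1
    return dict(C)

# Constructed sample: key attributes (Age, Sex) for eight records.
AGES = [25, 25, 31, 40, 42, 42, 57, 60]
SEXES = ["M", "M", "F", "F", "M", "M", "F", "M"]
IM = {rid: (a, s) for rid, (a, s) in enumerate(zip(AGES, SEXES))}

def mask_age(k):
    """Masked microdata: Age microaggregated with group size k, Sex unchanged."""
    ages = microaggregate(AGES, k)
    return {rid: (a, s) for rid, (a, s) in enumerate(zip(ages, SEXES))}

if __name__ == "__main__":
    print("IM profile {i: (Fi, ni)}:", cluster_profile(IM.values()))
    for k in (2, 4):
        print(f"group size {k}, C:", classification_matrix(IM, mask_age(k)))
```

On this sample, group size 2 leaves two records unique on (Age, Sex) where the initial microdata had four; the first index of each entry of C shows the size of the cluster a record ends up in.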
Disclosure Risk Measures for Microaggregation Method
• What if data is continuous?
Disclosure Risk Measures for Microaggregation Method
[Table: Initial Microdata]
Disclosure Risk Measures for Microaggregation Method
Univariate microaggregation for attribute Age and size = 2, 4, 8
[Tables: Masked Microdata 1, Masked Microdata 2, Masked Microdata 3]
Disclosure Risk Measures for Microaggregation Method
Example – Disclosure risk values
NO VICINITY!
Disclosure Risk Measures for Microaggregation Method
Example – Disclosure risk values
WITH VICINITY!
General Disclosure Risk Measures
• icfk – inversion-change factor for attribute k
• p – number of key attributes
• v – binary vector associated to key attribute
Experimental Data
• Simulated medical record billing data
• Age, Sex, Zip and Amount_Billed
• Three initial microdata:
  • n = 1,000 (called IM1000)
  • n = 5,000 (IM5000)
  • n = 25,000 (IM25000)
• Key attributes:
  • KA1 = {Age, Sex, Zip}
  • KA2 = {Age, Sex}
Results for Sampling and Microaggregation
Sampling, followed by microaggregation for Age when IM5000 and KA1 are used.
Results for Sampling and Microaggregation
Sampling and microaggregation for Age when IM5000 and KA1 are used.
Conclusions
• The data owner may customize its disclosure risk measure to better reflect the characteristics of the microdata. Privacy requirements may help the data owner to define the disclosure risk weight matrix.
• Importance of masking key attributes with small vicinity sets
Future Work
• Our experiments were focused on healthcare microdata; experiments for other types of data, such as financial data, are needed.
• To study disclosure control for microdata under the assumption that the initial microdata is frequently updated (Dynamic Disclosure Control)
Some Papers
• Details about DR Measures
  • “Disclosure Risk Measures for Sampling Disclosure Control Method,” to appear in the Proceedings of ACM Symposium on Applied Computing (SAC2004), special track on Computer Applications in Health Care (COMPAHEC2004), Nicosia, Cyprus
  • “Disclosure Risk Measures for Microdata,” Proceedings of the International Conference on Scientific and Statistical Database Management (SSDBM2003), Cambridge, MA, pp. 15 – 22, 2003
• Information Loss Measures
  • “Privacy and Confidentiality Management for the Microaggregation Disclosure Control Method,” Proceedings of the Workshop on Privacy and Electronic Society (WPES2003), in conjunction with 10th ACM CCS, Washington DC, pp. 21 – 30, 2003
• Automatic Masked Microdata Generator
  • “Automatic Generation of Masked Microdata,” to appear in the Acta Universitatis Apulensis, Alba Iulia, Romania
Acknowledgements
• Dr. Farshad Fotouhi
• Dr. Daniel Barth-Jones
Questions?