A new report of the European Union Agency for Cybersecurity (ENISA) explores how pseudonymisation techniques can help increase the protection of health data.
The healthcare sector has benefited greatly from technological developments and the digitalisation process. However, as those new technologies need to be integrated into IT infrastructures, which are already complex in nature, new challenges emerge in relation to data protection and cybersecurity. This is especially true since providing health services today implies an extended exchange of medical information and of health data among different healthcare service providers.
How medical data help deliver better health services
With a large volume of data, the healthcare sector has the capacity to improve diagnosis and modelling of clinical outcomes, help assess early intervention strategies, etc. This new ecosystem improves the delivery and monitoring of health services at different levels, including decision making, and provides timely, appropriate and uninterrupted medical care.
How to ensure the safe processing of medical data
Nonetheless, the increasing processing of digitised medical data has also led to the associated risks of cyberattacks and of data breaches. To ensure adequate protection of patients’ medical data, technical solutions such as those offered by pseudonymisation can be implemented.
The report published today builds on the previous works of ENISA and explores the different techniques of pseudonymisation in the context of simple use cases.
What is pseudonymisation?
Pseudonymisation can significantly support personal data protection. It consists of de-associating a data subject's identity from the personal data being processed for that data subject. In practice, this is done by replacing one or more personal identifiers with what we call pseudonyms.
Different techniques can be used to this effect, which are based on the way pseudonyms are generated. Such techniques include counter, random number, hash function, hash-based message authentication code (HMAC) and encryption.
Although not essentially new, the process is explicitly referenced by the General Data Protection Regulation (GDPR) as a technique to use to promote data protection by design and to secure the processing of personal data.
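The following added example, which is not code from ENISA or from the report, applies the counter, random number, hash function and HMAC techniques listed above to constructed patient records and shows how two providers that share an HMAC key can link their pseudonymised data. The record layout, identifier format and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import itertools
import secrets

def hash_pseudonym(identifier):
    # Hash function technique: no secret is involved, so anyone who holds
    # the identifier can recompute the pseudonym.
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()

def hmac_pseudonym(key, identifier):
    # HMAC technique: deterministic like a hash, but reproducible only with the key.
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()

class TablePseudonymiser:
    """Counter or random number technique: the pseudonym is unrelated to the
    identifier, so the mapping table is the secret that must be protected."""

    def __init__(self, mode="random"):
        self._mode = mode
        self._counter = itertools.count(1)
        self._table = {}

    def pseudonymise(self, identifier):
        if identifier not in self._table:
            self._table[identifier] = (
                f"P{next(self._counter):06d}" if self._mode == "counter"
                else secrets.token_hex(16)
            )
        return self._table[identifier]

def pseudonymise_records(records, make_pseudonym):
    # Replace the direct identifier with a pseudonym and keep the health data.
    return [{"pid": make_pseudonym(r["patient_id"]), "data": r["data"]} for r in records]

def link(a, b):
    # Join two pseudonymised data sets on the pseudonym.
    by_pid = {r["pid"]: r["data"] for r in a}
    return {r["pid"]: (by_pid[r["pid"]], r["data"]) for r in b if r["pid"] in by_pid}

# Constructed sample data: two providers holding records about overlapping patients.
HOSPITAL = [{"patient_id": "PAT-1001", "data": "discharge summary"},
            {"patient_id": "PAT-1002", "data": "radiology report"}]
LAB = [{"patient_id": "PAT-1002", "data": "blood panel"},
       {"patient_id": "PAT-1003", "data": "biopsy result"}]

if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)  # assumed to be agreed between the providers
    hospital = pseudonymise_records(HOSPITAL, lambda i: hmac_pseudonym(shared_key, i))
    lab = pseudonymise_records(LAB, lambda i: hmac_pseudonym(shared_key, i))
    print(link(hospital, lab))
```

With separate keys per provider the same patient receives unrelated pseudonyms, so whether data sets can be linked is decided by how the key is shared.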
Scope of the report
The report explains how the techniques can be applied to improve the level of protection of personal data through simple use-cases.
The decision on the techniques to be used should be based on previously conducted risk-impact assessment activities such as:
- the target personal data (e.g. a set of identifiers);
- the technique to be used;
- the parameters applicable to the technique;
- the pseudonymisation policy to be used.
The techniques and parameters to take into account can therefore vary according to the applicable requirements in relation to regulations, speed, simplicity, predictability and cost.
The scenarios chosen to explore these parameters are:
- Exchanging patient’s health data;
- Clinical trials;
- Patient-sourced monitoring of health data.
Privacy engineering in Artificial Intelligence (AI) at the 10th Annual Privacy Forum
The 10th Annual Privacy Forum will be taking place on 23 & 24 June 2022 in Warsaw, Poland. ENISA organises this event together with the European Commission’s DG Connect, the Cardinal Stefan Wyszyński University and the Koźmiński University. The event will host leading experts from both public and private sectors to debate the challenges and opportunities in this area. Discussions will be held on privacy engineering, data sharing and data protection aspects of artificial intelligence. For more information: https://privacyforum.eu/
Background
The European Union Agency for Cybersecurity has been working in the area of privacy and data protection since 2014, by analysing technical solutions for the implementation of the GDPR, privacy by design and security of personal data processing.
Previous works of the Agency in 2019 include the recommendations on shaping technology according to GDPR provisions, providing an overview on data pseudonymisation, and another report on pseudonymisation techniques and best practices.
Further information
Deploying Pseudonymisation Techniques – ENISA report
Annual Privacy Forum 2022 – 23 & 24 June 2022 in Warsaw, Poland
ENISA webpage on Data Protection
Contact
For questions related to the press and interviews, please contact press(at)enisa.europa.eu