Last Friday, March 29th I attended MIT-KIT Workshop of Private Health Data in Boston, MA. The conference was co-sponsored by MIT-KIT and Professor Sandy Pentland of the MIT Media Lab. The format of the conference was a short presentation followed by a discussion between the approximately 50 attendees of the conference.
Sandy Pentland gave the opening talk; in 2012 he was named one of the ‘seven most powerful data scientists in the world’. He wrote WISH Report on Big Data: Revolutionizing Medicine and Public Health and just released a new book Social Physics.
The first topic of discussion was Open Issues in Patient Data Sharing lead by Adrian Gropper, principal of HealthURL. He spoke about The Code of Fair Information Practices and the necessity of the 5 principles to be implemented into a healthcare technology product for that product to be scalable. The 5 principles of the Code of Fair Information Practice are as follows:
- There must be no personal data record-keeping systems whose very existence is secret.
- There must be a way for a person to find out what information about the person is in a record and how it is used.
- There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the person’s consent.
- There must be a way for a person to correct or amend a record of identifiable information about the person.
- Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuses of the data.
The second discussion was based on Emerging Standards and Technologies presented by Debbie Bucci from the Office of the National Coordinator for Health IT and Machiej Machulak from Cloud Identity Limited. Web 2.0 access control is inconsistent and unsophisticated and federation is obsolete in the healthcare field. User-Managed-Access is an OAuth-based web management protocol that gives users a central point where they can see data that is hosted on different applications. The UMA protocol requires clients to have a token to access the authorization server. This is useful in healthcare as you can unify access to control under one app and to share data with a user they need to be listed. OpenID Connect was another topic of discussion, it builds off the oauth2 protocol and allows clients to authorize users based on identity information provided by a 3rd party, trusted authentication server. In short, this allows applications to authorize their users without having to manage and own passwords in their database.
The third discussion focused on BlueButton+, moderated by Josh Mandel of Harvard Medical School and Justin Richer of MITRE Corporation. The original idea behind BlueButton was to allow patients to have easy access to view and download their medical records. BlueButton+ takes this idea one step further by allowing users to connect to their data directly with S/MIME encrypted email or through RESTful API and web technologies. Using BlueButton+ a patient could use any application to connect to BlueButton directly from their smart phone while they are in their doctor’s office.
The slides from the conference can be found here