In electronic health records (EHRs), data masking, or controlled access,[1] is the process of concealing patient health data from certain healthcare providers. Patients have the right to request the masking of their personal information, making it inaccessible to any physician, or to a particular physician, unless a specific reason for access is provided.[2] Data masking is also performed by healthcare agencies to restrict the amount of information that can be accessed by external bodies such as researchers, health insurance agencies and unauthorised individuals. It is a method used to protect patients' sensitive information so that privacy and confidentiality are less of a concern. Techniques used to alter information within a patient's EHR include data encryption, obfuscation, hashing, exclusion and perturbation.[3]
The increased access that comes with introducing EHRs is seen as a major concern by some patients.[4] Masking information is one technique that contributes to the confidentiality of EHRs, since a large amount of sensitive information is contained within these records. A history of outcomes such as drug or alcohol abuse, sexually transmitted infections or abortion during pregnancy is known to lead to social discrimination and cause social harm to the patient, hence the importance of protecting the content of EHRs.[5] Masking limits the access that internal and external individuals have to a particular record, increasing the protection of its contents. When patients apply for masking of their EHR, health services must meet the request and configure the system accordingly so that unauthorised individuals cannot gain access.[6]
Patient Masking Requests
- To increase the security of their EHRs, patients can elect to mask their information by signing a form provided by the health service. Health services that use EHR software must notify and educate their patients about the data masking capabilities available and the advantages and disadvantages of the process. In submitting a request, patients are given the control to specify which physicians and health service staff members have their consent and the right to access their record.[7] Health services must abide by patient masking requests under the Health Records Act and implement data masking within the EHR technology; failing to do so carries serious consequences.[8] In addition, health services can implement audit trails that record which individuals accessed a patient's EHR, and when, so that access over a given period can be reviewed.[9]
In patient care, authorised users have the ability to override masking and access restrictions under emergency circumstances. If a patient is in a critical condition and treatment is urgently required, physicians are given the right to access all required information within the EHR. This mechanism is known as "breaking the glass". Any unmasking of a patient's EHR is audited, and a sufficient reason for the access is generally required to be recorded, so that each override can be reviewed afterwards.[10]
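The consent list, the break-glass override and the audit query described above, as an added Go example (not code from the original article or from any EHR product). The data model, the names such as RecordSystem, Authorize and AccessedBy, and the clinician and patient identifiers are all hypothetical. The policy enforced is: a clinician named on the patient's signed request is let through; anyone else is refused unless they assert an emergency and supply a reason; every decision, granted or refused, is written to the audit trail.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// MaskingPolicy models one signed masking request: the clinicians the patient
// has named may open the masked record without an override.
// (Hypothetical data model, not a real EHR product's schema.)
type MaskingPolicy struct {
	PatientID  string
	Masked     bool
	Authorised map[string]bool // clinician IDs named on the request form
}

// AccessRequest is what the record system receives when a clinician opens a chart.
type AccessRequest struct {
	ClinicianID string
	PatientID   string
	BreakGlass  bool   // clinician asserts an emergency ("break the glass")
	Reason      string // mandatory whenever BreakGlass is set
}

// AuditEntry is written for every decision, granted or not, so the trail can
// later answer "who looked at this record, and why?".
type AuditEntry struct {
	At          time.Time
	ClinicianID string
	PatientID   string
	Granted     bool
	BreakGlass  bool
	Reason      string
}

type RecordSystem struct {
	policies map[string]MaskingPolicy
	Audit    []AuditEntry
}

var (
	ErrMasked   = errors.New("record is masked and the clinician is not on the patient's consent list")
	ErrNoReason = errors.New("break-glass access requires a stated reason")
)

func NewRecordSystem(policies ...MaskingPolicy) *RecordSystem {
	rs := &RecordSystem{policies: map[string]MaskingPolicy{}}
	for _, p := range policies {
		rs.policies[p.PatientID] = p
	}
	return rs
}

// Authorize applies the patient's masking policy and records the outcome.
func (rs *RecordSystem) Authorize(now time.Time, r AccessRequest) error {
	p, hasPolicy := rs.policies[r.PatientID]
	var err error
	switch {
	case !hasPolicy || !p.Masked: // nothing masked: ordinary role-based access applies
	case p.Authorised[r.ClinicianID]: // named on the masking request
	case r.BreakGlass && r.Reason == "":
		err = ErrNoReason
	case r.BreakGlass: // emergency override: allowed, but flagged for review
	default:
		err = ErrMasked
	}
	rs.Audit = append(rs.Audit, AuditEntry{
		At: now, ClinicianID: r.ClinicianID, PatientID: r.PatientID,
		Granted: err == nil, BreakGlass: r.BreakGlass, Reason: r.Reason,
	})
	return err
}

// AccessedBy lists the clinicians who successfully opened a patient's record
// in [since, until): the audit-trail query the text mentions.
func (rs *RecordSystem) AccessedBy(patientID string, since, until time.Time) []string {
	var out []string
	for _, a := range rs.Audit {
		if a.PatientID == patientID && a.Granted && !a.At.Before(since) && a.At.Before(until) {
			out = append(out, a.ClinicianID)
		}
	}
	return out
}

func main() {
	rs := NewRecordSystem(MaskingPolicy{PatientID: "P-1001", Masked: true, Authorised: map[string]bool{"dr-adams": true}})
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	fmt.Println(rs.Authorize(t0, AccessRequest{ClinicianID: "dr-adams", PatientID: "P-1001"}))
	fmt.Println(rs.Authorize(t0, AccessRequest{ClinicianID: "dr-baker", PatientID: "P-1001"}))
	fmt.Println(rs.Authorize(t0, AccessRequest{ClinicianID: "dr-baker", PatientID: "P-1001", BreakGlass: true, Reason: "unconscious in ED, allergy list needed"}))
	fmt.Println(rs.AccessedBy("P-1001", t0.Add(-time.Hour), t0.Add(time.Hour)))
}
```

The point to notice is that a break-glass request without a reason is refused rather than logged and allowed, and that refused attempts are audited as well, since repeated refusals against one record are themselves worth reviewing.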
Masking refers to the set of alterations made to protect information within electronic health records. Masking is performed not only at a patient's request; it is also a common method used to support clinical and epidemiological research, because it reduces the confidentiality and privacy concerns associated with supplying information to external bodies. In general, direct identifiers are removed from the dataset, replaced with random values, replaced with a hash, or replaced with a unique key (a pseudonym) from which the original can be restored only by the custodian who holds the mapping.[11] These mechanisms are expanded on under the following headings.
Encryption
- Encryption is often the most complex form of data masking to operate, although it is a relatively safe and secure method. The sensitive data is transformed with a secret key so that it cannot be read without that key; only permitted users are issued the key (or a password that unlocks it) and therefore have the capacity to recover the sensitive information within an EHR. When an EHR is masked in this way, access is extremely difficult and time-consuming for hackers or unauthorised users, because they do not possess the key that decrypts the data.[12] Unlike the other techniques below, encryption is reversible by design, so the confidentiality of the data is only as good as the protection of the key.
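Field-level encryption of one sensitive EHR value with AES-256-GCM, as an added Go example using only the standard library (it is not the article's code nor any vendor's). The function names, the record identifier "P-1001" and the field name "hiv_status" are assumptions made for the illustration; in practice the key would come from a key-management service that releases it only to permitted users.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key. In a real deployment the key lives in
// a key-management service and is released only to permitted users or services.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// bind ties a ciphertext to the record and field it was written for.
func bind(recordID, field string) []byte { return []byte(recordID + "\x00" + field) }

// EncryptField seals one field value with AES-256-GCM. The record and field
// names are passed as additional authenticated data, so a ciphertext copied
// into another record or column fails to open even with the correct key.
// Output layout: nonce || ciphertext || 16-byte tag.
func EncryptField(key []byte, recordID, field string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, bind(recordID, field)), nil
}

// DecryptField reverses EncryptField; it fails on a wrong key, a tampered
// ciphertext, or a ciphertext that belongs to a different record or field.
func DecryptField(key []byte, recordID, field string, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n+aead.Overhead() {
		return nil, errors.New("sealed value too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], bind(recordID, field))
}

func main() {
	key, _ := NewKey()
	sealed, _ := EncryptField(key, "P-1001", "hiv_status", []byte("positive"))
	fmt.Printf("stored: %x\n", sealed)
	plain, err := DecryptField(key, "P-1001", "hiv_status", sealed)
	fmt.Println(string(plain), err)
	_, err = DecryptField(key, "P-2002", "hiv_status", sealed) // same bytes, different record
	fmt.Println("moved ciphertext:", err)
}
```

Two design choices matter here. GCM authenticates as well as encrypts, so a wrong key or a single flipped byte is detected instead of yielding garbage that looks like data. And the record and field names are bound in as additional authenticated data, so an insider cannot copy the sealed HIV status from one record into another and have it decrypt there.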
Data Obfuscation
- Data obfuscation limits the sharing of highly sensitive health information within an electronic health record by scrambling particular data elements to prevent unauthorised access. The technique does not remove or hide the data; it transforms it so that the true values cannot be read by outside systems or recipients. Data obfuscation is commonly used because it increases anonymity while preserving relationships within a dataset that more rigorous forms of masking would destroy.[13] Such methods are most evident with interrelated numeric data such as addresses or dates. For example, in research, epidemiologists may be interested in highly specific location data to correlate patterns of disease within particular neighbourhoods and cities. However, finding clusters of poor health outcomes does not require knowledge of actual patient addresses; it only requires the spatial relationships between them. As a result, the data extract for the study may translate addresses into another coordinate system that preserves relative positions without revealing the actual physical locations.[14]
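The address translation the paragraph describes can be done with a secret rigid motion (a rotation followed by a shift) of projected map coordinates. This is an added Go example, not code from the article or from the cited study. The coordinate values, the type and function names, and the treatment of addresses as already-projected eastings and northings in metres are assumptions made for the illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"math"
)

// Point is a patient address already projected to planar map coordinates
// (eastings/northings in metres), so Euclidean distance is meaningful.
type Point struct{ E, N float64 }

// Transform is the secret held by the data custodian: a rotation about the
// origin followed by a translation. It is never shared with the researcher.
type Transform struct{ Theta, ShiftE, ShiftN float64 }

// NewTransform draws the secret from crypto/rand; a predictable angle or shift
// would let a recipient undo the obfuscation.
func NewTransform() (Transform, error) {
	var buf [24]byte
	if _, err := rand.Read(buf[:]); err != nil {
		return Transform{}, err
	}
	unit := func(b []byte) float64 { // uniform in [0,1)
		return float64(binary.BigEndian.Uint64(b)>>11) / float64(1<<53)
	}
	return Transform{
		Theta:  unit(buf[0:8]) * 2 * math.Pi,
		ShiftE: (unit(buf[8:16]) - 0.5) * 2e6, // up to about ±1000 km
		ShiftN: (unit(buf[16:24]) - 0.5) * 2e6,
	}, nil
}

// Apply maps a real location to its obfuscated counterpart. Because the map is
// a rigid motion, every pairwise distance (and hence every cluster) survives.
func (t Transform) Apply(p Point) Point {
	c, s := math.Cos(t.Theta), math.Sin(t.Theta)
	return Point{
		E: c*p.E - s*p.N + t.ShiftE,
		N: s*p.E + c*p.N + t.ShiftN,
	}
}

func Distance(a, b Point) float64 { return math.Hypot(a.E-b.E, a.N-b.N) }

// Obfuscate produces the researcher's copy of an address column.
func Obfuscate(t Transform, actual []Point) []Point {
	out := make([]Point, len(actual))
	for i, p := range actual {
		out[i] = t.Apply(p)
	}
	return out
}

// DistancesPreserved checks that the extract has the same geometry as the
// original to within tol metres, which is what the epidemiologist relies on.
func DistancesPreserved(actual, masked []Point, tol float64) bool {
	if len(actual) != len(masked) {
		return false
	}
	for i := range actual {
		for j := i + 1; j < len(actual); j++ {
			if math.Abs(Distance(actual[i], actual[j])-Distance(masked[i], masked[j])) > tol {
				return false
			}
		}
	}
	return true
}

// Constructed sample: five addresses, four close together and one outlier (metres on a grid).
var SampleAddresses = []Point{{320100, 5812900}, {320350, 5812950}, {320400, 5813200}, {325900, 5818400}, {320120, 5812880}}

func main() {
	t, _ := NewTransform()
	masked := Obfuscate(t, SampleAddresses)
	for i := range SampleAddresses {
		fmt.Printf("%v -> %.0f,%.0f\n", SampleAddresses[i], masked[i].E, masked[i].N)
	}
	fmt.Println("distances preserved:", DistancesPreserved(SampleAddresses, masked, 0.01))
}
```

Every pairwise distance is unchanged, so clustering on the masked column yields the same clusters as on the real one, while the absolute coordinates are meaningless without the custodian's Transform. The caveat: this is obfuscation, not anonymisation. A recipient who learns the true location of just two patients can solve for the rotation and shift and unmask every other address, so the masked coordinates must still be treated as sensitive and the transform must never leave the custodian.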
Data Perturbation
- In data perturbation, alterations are made either to the input databases or to the query results returned.[15] Data perturbation preserves the aggregate trends in the original data while removing or modifying the actual values.[16] For example, clinical data can be swapped between EHRs, preserving the existing values in a field but eliminating the specific mapping between the fields of a record. Random "noise" can also be added to the data, maintaining the statistical properties of a field while randomly altering the exact values within a particular EHR. Data perturbation has been hailed as one of the most effective data protection techniques, while being relatively simple to implement.[17]
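The two perturbations named above, swapping a field across records and adding random noise, as an added Go example (not code from the article). The record layout, the diagnosis codes and the HbA1c values are a constructed sample, and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"math/rand"
)

// Record is a minimal constructed EHR extract used for the example.
type Record struct {
	ID        string
	Age       int
	Diagnosis string
	HbA1c     float64 // glycated haemoglobin, percent
}

// NewRNG wraps math/rand so callers need not import it. A fixed seed makes the
// demo reproducible; a real masking job must use an unpredictable seed.
func NewRNG(seed int64) *rand.Rand { return rand.New(rand.NewSource(seed)) }

// SampleRecords builds n deterministic records so the example runs offline.
func SampleRecords(n int) []Record {
	dx := []string{"E11", "I10", "J45", "F32"} // constructed ICD-10-style diagnosis codes
	recs := make([]Record, n)
	for i := range recs {
		recs[i] = Record{
			ID:        fmt.Sprintf("P-%04d", i),
			Age:       30 + i%50,
			Diagnosis: dx[i%len(dx)],
			HbA1c:     5.0 + float64(i%30)*0.1,
		}
	}
	return recs
}

// SwapDiagnoses returns a copy in which the Diagnosis column has been permuted
// across records: the column's multiset (and so every frequency count) is
// unchanged, but the link "this patient has this diagnosis" is broken.
func SwapDiagnoses(rng *rand.Rand, recs []Record) []Record {
	out := append([]Record(nil), recs...)
	for i, j := range rng.Perm(len(out)) {
		out[i].Diagnosis = recs[j].Diagnosis
	}
	return out
}

// PerturbHbA1c adds zero-mean Gaussian noise with standard deviation sigma to
// each value. Individual values change; the mean is preserved in expectation.
func PerturbHbA1c(rng *rand.Rand, recs []Record, sigma float64) []Record {
	out := append([]Record(nil), recs...)
	for i := range out {
		out[i].HbA1c += rng.NormFloat64() * sigma
	}
	return out
}

func MeanHbA1c(recs []Record) float64 {
	sum := 0.0
	for _, r := range recs {
		sum += r.HbA1c
	}
	return sum / float64(len(recs))
}

// DiagnosisCounts is the aggregate a researcher actually needs.
func DiagnosisCounts(recs []Record) map[string]int {
	m := map[string]int{}
	for _, r := range recs {
		m[r.Diagnosis]++
	}
	return m
}

// SameMultiset reports whether two extracts hold exactly the same diagnosis values.
func SameMultiset(a, b []Record) bool {
	ca, cb := DiagnosisCounts(a), DiagnosisCounts(b)
	if len(ca) != len(cb) {
		return false
	}
	for k, v := range ca {
		if cb[k] != v {
			return false
		}
	}
	return true
}

func main() {
	rng := NewRNG(42)
	orig := SampleRecords(2000)
	masked := PerturbHbA1c(rng, SwapDiagnoses(rng, orig), 0.3)
	fmt.Printf("mean HbA1c %.3f -> %.3f\n", MeanHbA1c(orig), MeanHbA1c(masked))
	fmt.Println(DiagnosisCounts(orig), DiagnosisCounts(masked))
	fmt.Println(orig[0], "->", masked[0])
}
```

Swapping keeps every count intact while breaking the patient-to-diagnosis link; noise keeps the mean of HbA1c while changing each individual value. The fixed seed is only for reproducibility of the demo: a real job must draw its randomness unpredictably and must not hand the seed or the noise to the recipient, who could otherwise subtract it and recover the original values.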
Data Exclusion
- Data exclusion involves the removal of specific data elements so that they cannot be accessed. The process often involves removing an EHR entirely from the system (at the patient's request) or removing specific sections of a patient's record. This method of masking provides the highest level of confidentiality; however, continuity of care can be significantly affected in some cases.[18] In addition, data exclusion from EHRs is most commonly applied when external researchers are investigating the nature of patient health outcomes. To protect individual privacy, patient identifiers and demographics such as name, date of birth and address are removed from the copied EHRs, while researchers evaluate clinical information such as diagnoses and procedures performed. The process keeps patients' sensitive information out of the extract while research can still be conducted.[19] Removing direct identifiers does not by itself guarantee anonymity: combinations of the fields that remain (for example sex, age and a full post code) can still single out an individual, which is why such fields are usually generalised as well as removed.
Data Hashing
- Data hashing replaces a value with a fixed-length digest computed by a one-way hash function, so that personal information is no longer recognisable in its original form.[20] This ensures that masked information is not visually identifiable to unauthorised users.[21] Because hashing is one-way (the original cannot be computed back from the digest), it is only appropriate for data that is not required again in the future. Hashing a value drawn from a small set, such as a four-digit post code or a date of birth, gives little protection on its own: an attacker can hash every possible value and match the digests, so a keyed hash (an HMAC under a secret key) should be used instead. For instance, if a study were conducted to investigate the prevalence of Type 2 diabetes in Victoria, Australia, researchers would only require demographic information about the state of residence. To protect patient privacy and confidentiality, more specific indicators such as house number, street, suburb and post code would be masked, in this case by redacting characters and keeping only the leading digits of the post code rather than by hashing. For example:
- No. XXX XXXXX Street, XX XXXX, Victoria, Australia, Post code 31XX.
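Exclusion, keyed hashing and post-code generalisation together, as one added Go example that serves both the data exclusion and data hashing sections above (it is not the article's code). The record layout, the sample patients, the custodian key and the function names are all constructed for the illustration. It also demonstrates the failure mode just described: an unkeyed SHA-256 of a four-digit post code is recovered by trying all 10,000 values, whereas the HMAC pseudonym is not.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// PatientRecord is the full record held by the health service (constructed shape).
type PatientRecord struct {
	PatientID, Name, DOB, Street, Suburb, Postcode, State, Diagnosis string
}

// ResearchRecord is what leaves the organisation: direct identifiers are
// excluded, the ID is replaced by a keyed pseudonym and the post code is
// generalised to its first two digits.
type ResearchRecord struct {
	Pseudonym, PostcodeArea, State, Diagnosis string
}

// Pseudonymise replaces an identifier with HMAC-SHA256 under a secret key kept
// by the data custodian. The same ID always maps to the same pseudonym, so a
// patient's records stay linked, but without the key nobody can reverse it.
func Pseudonymise(key []byte, id string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(id))
	return hex.EncodeToString(mac.Sum(nil))
}

// GeneralisePostcode keeps only the leading two digits ("3121" -> "31XX").
func GeneralisePostcode(pc string) string {
	if len(pc) < 2 {
		return "XXXX"
	}
	return pc[:2] + "XX"
}

// ResearchExtract applies exclusion, pseudonymisation and generalisation.
func ResearchExtract(key []byte, recs []PatientRecord) []ResearchRecord {
	out := make([]ResearchRecord, 0, len(recs))
	for _, r := range recs {
		out = append(out, ResearchRecord{
			Pseudonym:    Pseudonymise(key, r.PatientID),
			PostcodeArea: GeneralisePostcode(r.Postcode),
			State:        r.State,
			Diagnosis:    r.Diagnosis,
		})
	}
	return out
}

// PlainHash is the tempting shortcut: an unkeyed SHA-256 of the value.
func PlainHash(v string) string {
	sum := sha256.Sum256([]byte(v))
	return hex.EncodeToString(sum[:])
}

// CrackPostcodeHash shows why PlainHash is not masking for a small value
// space: trying all 10,000 four-digit post codes recovers the original.
func CrackPostcodeHash(digest string) (string, bool) {
	for i := 0; i < 10000; i++ {
		cand := fmt.Sprintf("%04d", i)
		if PlainHash(cand) == digest {
			return cand, true
		}
	}
	return "", false
}

// Constructed sample data (fictitious people and addresses).
var SamplePatients = []PatientRecord{
	{"P-1001", "A. Citizen", "1970-02-03", "12 Example St", "Richmond", "3121", "Victoria", "E11"},
	{"P-1001", "A. Citizen", "1970-02-03", "12 Example St", "Richmond", "3121", "Victoria", "I10"},
	{"P-1002", "B. Resident", "1985-11-30", "7 Sample Rd", "Geelong", "3220", "Victoria", "E11"},
}

func main() {
	key := []byte("custodian-secret-kept-off-the-extract") // assumption: a real key comes from a KMS
	for _, r := range ResearchExtract(key, SamplePatients) {
		fmt.Printf("%.12s... %s %s %s\n", r.Pseudonym, r.PostcodeArea, r.State, r.Diagnosis)
	}
	pc, _ := CrackPostcodeHash(PlainHash("3121"))
	fmt.Println("unkeyed hash of post code recovered as:", pc)
	_, found := CrackPostcodeHash(Pseudonymise(key, "3121"))
	fmt.Println("keyed hash recovered:", found)
}
```

The HMAC pseudonym keeps a patient's rows linkable within the extract (both P-1001 rows share a pseudonym) without letting the researcher recover the identifier; only the custodian, holding the key, can restore it, which is the "unique key" variant mentioned earlier on the page.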
McGuire, Amy L.; Fisher, Rebecca; Cusenza, Paul; Hudson, Kathy; Rothstein, Mark A.; McGraw, Deven; Matteson, Stephen; Glaser, John; Henley, Douglas E. (2008). "Confidentiality, privacy, and security of genetic and genomic test information in electronic health records: points to consider" (PDF). Genetics in Medicine. 10 (7): 495–499. doi:10.1097/GIM.0b013e31817a8aaa. PMID 18580687. S2CID 29833634. Retrieved 2013-04-14.