Accepted for/Published in: Journal of Medical Internet Research
Date Submitted: Sep 24, 2018
Date Accepted: Jan 3, 2019
Privacy Preserving Record Grouping and Consent Management based on a Public Private Key Signature Scheme
ABSTRACT
Background:
Clinical and social trials create evidence enabling medical progress. However, gathering personal and patient data requires high security and privacy standards. Direct linking of personal information and medical data is commonly hidden through pseudonymization. While this makes unauthorized access to personal medical data more difficult, a centralized pseudonymization list can still pose a security risk. In addition, medical data linked via pseudonyms can still be used for data-driven reidentification.
Objective:
To propose a novel approach towards pseudonymization based on public/private key cryptography that allows (1) decentralized patient-driven creation and maintenance of pseudonyms, (2) one-time pseudonymization of each data record, and (3) grouping of patient data records even without knowing the pseudonymization key. In addition, the approach supports consent management, automatically anonymizes the data after trial closure and provides basic mechanisms against data forging.
Methods:
Based on public/private key cryptography, a signing mechanism for patient data records is set up and the workflows for (1) user registration, (2) user login, (3) record storing, and (4) record grouping are detailed. The proposed mechanism is evaluated for performance, the potential risks based on cryptographic collision are examined, and a threat analysis is carried out.
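The record-storing and record-grouping workflows described above, as an added illustration written for this page rather than the paper's own implementation; it assumes Ed25519 signatures, a 16-byte random one-time pseudonym per record, and a grouping server that assigns each record to whichever registered public key verifies its signature, none of which the abstract specifies:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
)

// Record is one stored data record. Pseudonym is drawn fresh per record
// (one-time pseudonymization); Sig binds Pseudonym and Payload to one key.
type Record struct {
	Pseudonym string
	Payload   []byte
	Sig       []byte
}

// NewKeyPair is the registration step (assumed Ed25519): the private key stays
// with the participant, only the public key is handed to the trial servers.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(rand.Reader) }

// signedBytes is the message both sides sign/verify: pseudonym and payload.
func signedBytes(pseudonym string, payload []byte) []byte { return append([]byte(pseudonym+"|"), payload...) }

// NewRecord runs on the participant's side: random pseudonym plus signature.
func NewRecord(priv ed25519.PrivateKey, payload []byte) (Record, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ps := hex.EncodeToString(nonce)
	return Record{ps, payload, ed25519.Sign(priv, signedBytes(ps, payload))}, nil
}

// GroupRecords runs on the grouping server, which holds only the registered
// public keys (no pseudonym list, no private keys). A record joins the group of
// the key that verifies it; a record verifying under no key (tampered or forged)
// is rejected. Deleting the key list at trial closure leaves records ungroupable.
func GroupRecords(recs []Record, pubs ...ed25519.PublicKey) (map[string][]Record, int) {
	groups, rejected := map[string][]Record{}, 0
	for _, r := range recs {
		matched := false
		for _, pk := range pubs {
			if ed25519.Verify(pk, signedBytes(r.Pseudonym, r.Payload), r.Sig) {
				id := hex.EncodeToString(pk)
				groups[id], matched = append(groups[id], r), true
				break
			}
		}
		if !matched {
			rejected++
		}
	}
	return groups, rejected
}
```

Grouping by trial verification costs one signature check per registered key in the worst case, so a production grouping server would want an index rather than this linear scan.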
Results:
The performance analysis showed that all workflows could be performed with an average runtime of 0.057-42.320 ms (user registration), 0.083-0.606 ms (record creation) and 0.005-0.198 ms (record grouping), depending on the chosen cryptographic tools. No realistic risk of cryptographic collision is expected in the proposed system, and the threat analysis revealed that three distinct server systems of the proposed setup would have to be compromised to allow access to grouped medical data and private data. However, this would still only allow data-driven deidentification. For a full reidentification, all three trial servers and all study participants would have to be compromised.
Conclusions:
The proposed approach has a high security and privacy level in comparison to traditional centralized pseudonymization approaches and does not require a trusted third party. The only drawback in comparison to central pseudonymization is that directed feedback of accidental findings to individual participants is not possible with quasi-anonymous storage of patient data.