Redaction of Sensitive Patient Data

US 20180096102A1
Filed: 10/03/2016
Published: 04/05/2018
Est. Priority Date: 10/03/2016
Status: Abandoned Application

First Claim

Patent Images

1. A method, in a data processing system comprising at least one processor and at least one memory, the at least one memory comprising instructions executed by the at least one processor to cause the at least one processor to redact sensitive data from a payload of data, the method comprising:

analyzing, by the data processing system, one or more data types of data, in the payload of data, to be written to a first data structure, wherein the one or more data types correspond to attributes of a person;

scoring, by the data processing system, the one or more data types as to their sensitivity, wherein the sensitivity of a data type is a measure of a probability that a corresponding data value of the data type, either alone or in combination with other data values associated with other data types, will uniquely identify the person;

comparing, by the data processing system, each score, or an aggregation of the scores of a plurality of data types in the one or more data types, to at least one threshold;

responsive to at least one score, or the aggregation of the scores, being equal to or exceeding the at least one threshold, redacting, by the data processing system, data corresponding to one or more data types with which the at least one score, or the aggregation of scores, are associated, from the data structure; and

replacing, by the data processing system, the redacted data in the data structure with both a unique redacted identifier and at least one data type identifier that identifies at least one data type of the redacted data, to thereby generate a redacted data structure.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Mechanisms are provided to redact sensitive data from a payload. The mechanisms analyze data types in the payload, where the data types correspond to attributes of a person. The mechanisms score the data types as to their sensitivity, which is a measure of a probability that a corresponding data value of the data type, either alone or in combination with other data values, will uniquely identify the person. Each score, or an aggregation of the scores, is compared to a threshold. Responsive to a score, or the aggregation of the scores, being equal to or exceeding the threshold, the mechanisms redact data corresponding to data types whose scores, or the aggregation of scores, are associated. The redacted data is replaced a unique redacted identifier and a data type identifier that identifies at least one data type of the redacted data.

16 Citations

View as Search Results

20 Claims

1. A method, in a data processing system comprising at least one processor and at least one memory, the at least one memory comprising instructions executed by the at least one processor to cause the at least one processor to redact sensitive data from a payload of data, the method comprising:
- analyzing, by the data processing system, one or more data types of data, in the payload of data, to be written to a first data structure, wherein the one or more data types correspond to attributes of a person;
  
  scoring, by the data processing system, the one or more data types as to their sensitivity, wherein the sensitivity of a data type is a measure of a probability that a corresponding data value of the data type, either alone or in combination with other data values associated with other data types, will uniquely identify the person;
  
  comparing, by the data processing system, each score, or an aggregation of the scores of a plurality of data types in the one or more data types, to at least one threshold;
  
  responsive to at least one score, or the aggregation of the scores, being equal to or exceeding the at least one threshold, redacting, by the data processing system, data corresponding to one or more data types with which the at least one score, or the aggregation of scores, are associated, from the data structure; and
  
  replacing, by the data processing system, the redacted data in the data structure with both a unique redacted identifier and at least one data type identifier that identifies at least one data type of the redacted data, to thereby generate a redacted data structure.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - providing, by the data processing system, the redacted data structure to another computing system that performs operations on the redacted data structure without exposing data values that uniquely identify the person.
  - 3. The method of claim 2, wherein the operation performed by the other computing system is one of an application development operation for developing an application or a debugging operation for debugging an application that operates on the data stored in the first data structure.
  - 4. The method of claim 1, wherein only data in the payload associated with data types whose scores are equal to or greater than the at least one threshold are redacted in the redacted data structure and other data in the payload associated with other data types are not redacted in the redacted data structure.
  - 5. The method of claim 1, further comprising:
    - storing the redacted data, separate from the redacted data structure, in a redacted data storage in association with the corresponding redacted identifier.
  - 6. The method of claim 5, wherein access to the redacted data storage is strictly controlled through an access control mechanism such that only authorized users or applications are able to access information in the redacted data storage.
  - 7. The method of claim 5, further comprising:
    - in response to a request to recreate the payload, performing a lookup operation, in the redacted data storage, of the redacted identifier present in the redacted data structure;
      
      retrieving, from the redacted data storage, the redacted data corresponding to the redacted identifier; and
      
      recreating the payload by replacing the redacted identifier in the redacted data structure with the redacted data retrieved from the redacted data storage.
  - 8. The method of claim 1, wherein the person is a patient, the payload of data provides patient data, and wherein the one or more data types comprise data types of patient data that have a probability of uniquely identifying the patient.
  - 9. The method of claim 1, wherein scoring the one or more data types as to their sensitivity, comprising providing higher scores to data types corresponding to primary sensitive information than data types corresponding to secondary sensitive information, wherein primary sensitive information is information that by itself is uniquely identifiable of the person, and wherein secondary sensitive information is information that is uniquely identifiable of the person only when viewed in combination with other primary or secondary sensitive information.
  - 10. The method of claim 1, further comprising:
    - providing, by the data processing system, the redacted data structure to another cognitive decision support system to perform operations for generating a decision support output; and
      
      performing, in an application development environment of a computing system, an application development operation for developing an application of the cognitive decision support system based on processing of the redacted data structure by the cognitive decision support system, without exposing data values that uniquely identify the person to the application development environment.

11. A computer program product comprising a computer readable storage medium having a computer readable program stored therein, wherein the computer readable program, when executed on a computing device, causes the computing device to:
- analyze one or more data types of data, in a payload of data, to be written to a first data structure, wherein the one or more data types correspond to attributes of a person;
  
  score the one or more data types as to their sensitivity, wherein the sensitivity of a data type is a measure of a probability that a corresponding data value of the data type, either alone or in combination with other data values associated with other data types, will uniquely identify the person;
  
  compare each score, or an aggregation of the scores of a plurality of data types in the one or more data types, to at least one threshold;
  
  responsive to at least one score, or the aggregation of the scores, being equal to or exceeding the at least one threshold, redact data corresponding to one or more data types with which the at least one score, or the aggregation of scores, are associated, from the data structure; and
  
  replace the redacted data in the data structure with both a unique redacted identifier and at least one data type identifier that identifies at least one data type of the redacted data, to thereby generate a redacted data structure.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The computer program product of claim 11, wherein the computer readable program further causes the computing device to:
    - provide the redacted data structure to another computing system that performs operations on the redacted data structure without exposing data values that uniquely identify the person.
  - 13. The computer program product of claim 11, wherein only data in the payload associated with data types whose scores are equal to or greater than the at least one threshold are redacted in the redacted data structure and other data in the payload associated with other data types are not redacted in the redacted data structure.
  - 14. The computer program product of claim 11, wherein the computer readable program further causes the computing device to store the redacted data, separately from the redacted data structure, in a redacted data storage in association with the corresponding redacted identifier.
  - 15. The computer program product of claim 14, wherein access to the redacted data storage is strictly controlled through an access control mechanism such that only authorized users or applications are able to access information in the redacted data storage.
  - 16. The computer program product of claim 14, wherein the computer readable program further causes the computing device to:
    - in response to a request to recreate the payload, perform a lookup operation, in the redacted data storage, of the redacted identifier present in the redacted data structure;
      
      retrieve, from the redacted data storage, the redacted data corresponding to the redacted identifier; and
      
      recreate the payload by replacing the redacted identifier in the redacted data structure with the redacted data retrieved from the redacted data storage.
  - 17. The computer program product of claim 11, wherein the person is a patient, the payload of data provides patient data, and wherein the one or more data types comprise data types of patient data that have a probability of uniquely identifying the patient.
  - 18. The computer program product of claim 11, wherein scoring the one or more data types as to their sensitivity, comprising providing higher scores to data types corresponding to primary sensitive information than data types corresponding to secondary sensitive information, wherein primary sensitive information is information that by itself is uniquely identifiable of the person, and wherein secondary sensitive information is information that is uniquely identifiable of the person only when viewed in combination with other primary or secondary sensitive information.
  - 19. The computer program product of claim 11, wherein the computer readable program further causes the computing device to:
    - provide the redacted data structure to another cognitive decision support system to perform operations for generating a decision support output; and
      
      perform, in an application development environment, an application development operation for developing an application of the cognitive decision support system based on processing of the redacted data structure by the cognitive decision support system, without exposing data values that uniquely identify the person to the application development environment.

20. An apparatus comprising:
- a processor; and
  
  a memory coupled to the processor, wherein the memory comprises instructions which, when executed by the processor, cause the processor to;
  
  analyze one or more data types of data, in a payload of data, to be written to a first data structure, wherein the one or more data types correspond to attributes of a person;
  
  score the one or more data types as to their sensitivity, wherein the sensitivity of a data type is a measure of a probability that a corresponding data value of the data type, either alone or in combination with other data values associated with other data types, will uniquely identify the person;
  
  compare each score, or an aggregation of the scores of a plurality of data types in the one or more data types, to at least one threshold;
  
  responsive to at least one score, or the aggregation of the scores, being equal to or exceeding the at least one threshold, redact data corresponding to one or more data types with which the at least one score, or the aggregation of scores, are associated, from the data structure; and
  
  replace the redacted data in the data structure with both a unique redacted identifier and at least one data type identifier that identifies at least one data type of the redacted data, to thereby generate a redacted data structure.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Merative US LP
Original Assignee
International Business Machines Corporation
Inventors
Akinmeji, Abimbola, Allen, Corville O., Chung, Albert A., Salmon, Richard A.

Application Number

US15/283,477
Publication Number

US 20180096102A1
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/2455   Query execution

G06F 16/24578   using ranking

G06F 21/6254   by anonymising data, e.g. d...

G06F 2221/2101   Auditing as a secondary aspect

G16H 10/60   for patient-specific data, ...

Redaction of Sensitive Patient Data

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Redaction of Sensitive Patient Data

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links