Why do we need it?
The ASCLEPIOS Privacy Analytics Module (APAM) helps healthcare providers obtain insights on data processing legitimacy at healthcare organisations to protect patients’ privacy. It enables the organisation to monitor whether data processing is taking place as intended and authorized, and to demonstrate this when requested by the patient or auditors. This capability is very important for compliance with the General Data Protection Regulation (GDPR) enforced in Europe. According to the GDPR, healthcare organisations need to demonstrate that appropriate procedural security measures are being applied to safeguard patient privacy for the electronic medical records (EMR) they guard. Most importantly, access to the data needs to be compliant with the GDPR, which – among other regulations – states that the data subjects (for example, patients) have the right to know how and when their data is processed. Therefore, data processing actions need to be controlled and monitored and, when requested by the patient or data privacy officers, they should be shown in an understandable form.
To achieve its goal, APAM analyses logs of access requests captured at the different architecture layers and components of the ASCLEPIOS framework. APAM offers visibility into the usage of the underlying services: it can identify what data has been accessed, by whom, when, from where, why and how (the so-called '5W1H' questions). This information helps healthcare providers monitor these operations and detect abnormal behaviours in a timely manner. APAM can also help detect cases where users are having difficulties using the services properly or are interacting with a system in an unconventional manner that could lead to increased vulnerability to attacks.
How does it work?
APAM provides computations and visualisations of numerous important metrics extracted from the data access logs with two target users in mind: the patient and the organisation's Data Protection Officer (DPO). For the patient, APAM discloses information about the data access requests on their medical record, providing transparency as required for GDPR compliance. For the DPO, APAM provides analytics methods to reveal medical data access patterns across the whole organisation.
APAM includes functions to retrieve and present data access history and to detect abnormal or illegitimate data processing. APAM can deliver the results of these functions through a rich interactive web-based dashboard. Moreover, APAM offers a REST API that can be used by other applications to retrieve the metrics. Examples of metrics used by APAM are the number of successful/failed requests from professionals in a particular department and the location from which failed requests have been issued. The featured image presents an illustration of APAM's visualisation interface made with Kibana.
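
The metrics named above, computed over 5W1H-style access records, as an added example that is not APAM's own code. The field names, the sample records, the "success"/"failed" labels and the review threshold are all assumptions, since the page does not give APAM's log schema or detection rules.

```python
from collections import Counter, defaultdict

# Assumed 5W1H field names; APAM's real log schema is not given on the page.
FIELDS = ("who", "department", "what", "when", "where", "why", "how", "outcome")

# Constructed sample records (not real APAM output).
ROWS = [
    ("dr_adams", "cardiology", "patient-17", "2021-03-01T09:12:00Z", "10.0.1.5", "treatment", "read", "success"),
    ("dr_adams", "cardiology", "patient-17", "2021-03-01T09:40:00Z", "10.0.1.5", "treatment", "update", "success"),
    ("nurse_lee", "radiology", "patient-17", "2021-03-02T22:05:00Z", "203.0.113.9", "unspecified", "read", "failed"),
    ("nurse_lee", "radiology", "patient-42", "2021-03-02T22:06:00Z", "203.0.113.9", "unspecified", "read", "failed"),
    ("dr_bose", "radiology", "patient-42", "2021-03-03T08:30:00Z", "10.0.2.7", "diagnosis", "read", "success"),
]
LOGS = [dict(zip(FIELDS, row)) for row in ROWS]

def outcomes_by_department(records):
    """DPO metric: successful/failed request counts per department."""
    counts = defaultdict(Counter)
    for r in records:
        counts[r["department"]][r["outcome"]] += 1
    return {dept: dict(c) for dept, c in counts.items()}

def failed_request_locations(records):
    """DPO metric: how many failed requests came from each location."""
    return Counter(r["where"] for r in records if r["outcome"] == "failed")

def patient_access_history(records, patient_id):
    """Patient view: every request on one record, oldest first."""
    hits = [r for r in records if r["what"] == patient_id]
    return sorted(hits, key=lambda r: r["when"])  # same-format ISO 8601 sorts as text

def departments_to_review(records, max_failure_ratio=0.5, min_requests=2):
    """Hypothetical rule: flag departments whose failure ratio exceeds the threshold."""
    flagged = []
    for dept, c in outcomes_by_department(records).items():
        total = sum(c.values())
        if total >= min_requests and c.get("failed", 0) / total > max_failure_ratio:
            flagged.append(dept)
    return sorted(flagged)

if __name__ == "__main__":
    print(outcomes_by_department(LOGS))
    print(failed_request_locations(LOGS))
    print(departments_to_review(LOGS))
```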