Marius de Arruda Botelho Herr,Michael Graf,Peter Placzek,Florian König,Felix Bötte,Tyra Stickel,David Hieber,Lukas Zimmermann,Michael Slupina,Christopher Mohr,Stephanie Biergans,Mete Akgün,Nico Pfeifer,Oliver Kohlbacher

DOI: https://doi.org/10.48550/arXiv.2212.03481

IF: 5.414

2022-12-07

Machine Learning

Abstract:The need for data privacy and security -- enforced through increasingly strict data protection regulations -- renders the use of healthcare data for machine learning difficult. In particular, the transfer of data between different hospitals is often not permissible and thus cross-site pooling of data not an option. The Personal Health Train (PHT) paradigm proposed within the GO-FAIR initiative implements an 'algorithm to the data' paradigm that ensures that distributed data can be accessed for analysis without transferring any sensitive data. We present PHT-meDIC, a productively deployed open-source implementation of the PHT concept. Containerization allows us to easily deploy even complex data analysis pipelines (e.g, genomics, image analysis) across multiple sites in a secure and scalable manner. We discuss the underlying technological concepts, security models, and governance processes. The implementation has been successfully applied to distributed analyses of large-scale data, including applications of deep neural networks to medical image data.

Z. El Ali,C. Deloménie,J. Botton,M. Pallardy,S. Kerdine-Römer

DOI: https://doi.org/10.1016/j.taap.2017.02.014

IF: 4.46

2017-05-01

Toxicology and Applied Pharmacology

Abstract:

Michael A. C. Johnson,Hans-Rainer Klöckner,Albina Muzafarova,Kristen Lackeos,David J. Champion,Marta Dembska,Sirko Schindler,Marcus Paradies

DOI: https://doi.org/10.3847/2515-5172/ad3dfc

2024-04-23

Abstract:Data volumes and rates of research infrastructures will continue to increase in the upcoming years and impact how we interact with their final data products. Little of the processed data can be directly investigated and most of it will be automatically processed with as little user interaction as possible. Capturing all necessary information of such processing ensures reproducibility of the final results and generates trust in the entire process. We present PRAETOR, a software suite that enables automated generation, modelling, and analysis of provenance information of Python pipelines. Furthermore, the evaluation of the pipeline performance, based upon a user defined quality matrix in the provenance, enables the first step of machine learning processes, where such information can be fed into dedicated optimisation procedures.

Instrumentation and Methods for Astrophysics

Kai Mindermann,Frederik Riedel,Asim Abdulkhaleq,Christoph Stach,Stefan Wagner

DOI: https://doi.org/10.1109/REW.2017.30

2017-10-24

Abstract:Context: System Theoretic Process Analysis for Privacy (STPA-Priv) is a novel privacy risk elicitation method using a top down approach. It has not gotten very much attention but may offer a convenient structured approach and generation of additional artifacts compared to other methods. Aim: The aim of this exploratory study is to find out what benefits the privacy risk elicitation method STPA-Priv has and to explain how the method can be used. Method: Therefore we apply STPA-Priv to a real world health scenario that involves a smart glucose measurement device used by children. Different kinds of data from the smart device including location data should be shared with the parents, physicians, and urban planners. This makes it a sociotechnical system that offers adequate and complex privacy risks to be found. Results: We find out that STPA-Priv is a structured method for privacy analysis and finds complex privacy risks. The method is supported by a tool called XSTAMPP which makes the analysis and its results more profound. Additionally, we learn that an iterative application of the steps might be necessary to find more privacy risks when more information about the system is available later. Conclusions: STPA-Priv helps to identify complex privacy risks that are derived from sociotechnical interactions in a system. It also outputs privacy constraints that are to be enforced by the system to ensure privacy.

Computers and Society

K. Benes

DOI: https://doi.org/10.1007/BF02926669

1964-06-01

Biologia Plantarum

Abstract:

Zoltán Szabó,Vilmos Bilicki

DOI: https://doi.org/10.3390/fi15100326

2023-09-30

Future Internet

Abstract:Due to the proliferation of large language models (LLMs) and their widespread use in applications such as ChatGPT, there has been a significant increase in interest in AI over the past year. Multiple researchers have raised the question: how will AI be applied and in what areas? Programming, including the generation, interpretation, analysis, and documentation of static program code based on promptsis one of the most promising fields. With the GPT API, we have explored a new aspect of this: static analysis of the source code of front-end applications at the endpoints of the data path. Our focus was the detection of the CWE-653 vulnerability—inadequately isolated sensitive code segments that could lead to unauthorized access or data leakage. This type of vulnerability detection consists of the detection of code segments dealing with sensitive data and the categorization of the isolation and protection levels of those segments that were previously not feasible without human intervention. However, we believed that the interpretive capabilities of GPT models could be explored to create a set of prompts to detect these cases on a file-by-file basis for the applications under study, and the efficiency of the method could pave the way for additional analysis tasks that were previously unavailable for automation. In the introduction to our paper, we characterize in detail the problem space of vulnerability and weakness detection, the challenges of the domain, and the advances that have been achieved in similarly complex areas using GPT or other LLMs. Then, we present our methodology, which includes our classification of sensitive data and protection levels. This is followed by the process of preprocessing, analyzing, and evaluating static code. This was achieved through a series of GPT prompts containing parts of static source code, utilizing few-shot examples and chain-of-thought techniques that detected sensitive code segments and mapped the complex code base into manageable JSON structures.Finally, we present our findings and evaluation of the open source project analysis, comparing the results of the GPT-based pipelines with manual evaluations, highlighting that the field yields a high research value. The results show a vulnerability detection rate for this particular type of model of 88.76%, among others.

Ludwig Stage,Dimka Karastoyanova

2023-10-18

Abstract:To benefit from the abundance of data and the insights it brings data processing pipelines are being used in many areas of research and development in both industry and academia. One approach to automating data processing pipelines is the workflow technology, as it also supports collaborative, trial-and-error experimentation with the pipeline architecture in different application domains. In addition to the necessary flexibility that such pipelines need to possess, in collaborative settings cross-organisational interactions are plagued by lack of trust. While capturing provenance information related to the pipeline execution and the processed data is a first step towards enabling trusted collaborations, the current solutions do not allow for provenance of the change in the processing pipelines, where the subject of change can be made on any aspect of the workflow implementing the pipeline and on the data used while the pipeline is being executed. Therefore in this work we provide a solution architecture and a proof of concept implementation of a service, called Provenance Holder, which enable provenance of collaborative, adaptive data processing pipelines in a trusted manner. We also contribute a definition of a set of properties of such a service and identify future research directions.

Cryptography and Security

Miroslav Puskaric,Balasubramanian Chandramouli,Thomas Osmo,Roy Gusinow,Chiara Dellacasa,Elisa Rossi,Salvatore Cataudella,Anna Górska,Eugenia Rinaldi

DOI: https://doi.org/10.3233/SHTI240737

2024-08-22

Abstract:The motivation behind this research is to perform a privacy-preserving analysis of data located at remote sites and in different jurisdictions with no possibility of sharing individual-level information. Here, we present key findings from requirements analysis and a resulting federated data analysis workflow built using open-source research software, where patient-level information is securely stored and never exposed during the analysis process. We present additional improvements to further strengthen the security of the workflow. We emphasize and showcase the use of data harmonization in the analysis. The data analysis is done using the R language for statistical computing and DataSHIELD libraries for non-disclosive analysis of sensitive data. The workflow was validated against two data analysis scenarios, confirming the results obtained with a centralized analysis approach. The clinical datasets are part of the large Pan-European SARS-Cov-2 cohort, collected and managed by the ORCHESTRA project. We demonstrate the viability of establishing a cross-border federated data analysis framework and conducting an analysis without exposing patient-level information, achieving results equivalent to centralized non-secure analysis. However, it is vital to ensure requirements associated with data harmonization, anonymization and IT infrastructure to maintain availability, usability and data security.

Patrizia Heinl,Andrius Patapovas,Michael Pilgermann

2024-09-19

Abstract:Cyber attacks on the healthcare industry can have tremendous consequences and the attack surface expands continuously. In order to handle the steadily rising workload, an expanding amount of analog processes in healthcare institutions is digitized. Despite regulations becoming stricter, not all existing infrastructure is sufficiently protected against cyber attacks. With an increasing number of devices and digital processes, the system and network landscape becomes more complex and harder to manage and therefore also more difficult to protect. The aim of this project is to introduce an AI-enabled platform that collects security relevant information from the outside of a health organization, analyzes it, delivers a risk score and supports decision makers in healthcare institutions to optimize investment choices for security measures. Therefore, an architecture of such a platform is designed, relevant information sources are identified, and AI methods for relevant data collection, selection, and risk scoring are explored.

Cryptography and Security

Concetta Tania Di Iorio,Fabrizio Carinci,Jillian Oderkirk,David Smith,Manuela Siano,Dorotea Alessandra de Marco,Simon de Lusignan,Paivi Hamalainen,Massimo Massi Benedetti

DOI: https://doi.org/10.1136/medethics-2019-105948

2020-03-27

Journal of Medical Ethics

Abstract:Background Data processing of health research databases often requires a Data Protection Impact Assessment to evaluate the severity of the risk and the appropriateness of measures taken to comply with the European Union (EU) General Data Protection Regulation (GDPR). We aimed to define and apply a comprehensive method for the evaluation of privacy, data governance and ethics among research networks involved in the EU Project Bridge Health. Methods Computerised survey among associated partners of main EU Consortia, using a targeted instrument designed by the principal investigator and progressively refined in collaboration with an international advisory panel. Descriptive measures using the percentage of adoption of privacy, data governance and ethical principles as main endpoints were used for the analysis and interpretation of the results. Results A total of 15 centres provided relevant information on the processing of sensitive data from 10 European countries. Major areas of concern were noted for: data linkage (median, range of adoption: 45%, 30%–80%), access and accuracy of personal data (50%, 0%–100%) and anonymisation procedures (56%, 11%–100%). A high variability was noted in the application of privacy principles. Conclusions A comprehensive methodology of Privacy and Ethics Impact and Performance Assessment was successfully applied at international level. The method can help implementing the GDPR and expanding the scope of Data Protection Impact Assessment, so that the public benefit of the secondary use of health data could be well balanced with the respect of personal privacy.

ethics,medical ethics,social issues,social sciences, biomedical

M.A.P. Chamikara,P. Bertok,I. Khalil,D. Liu,S. Camtepe

DOI: https://doi.org/10.1016/j.comcom.2021.04.006

IF: 5.047

2021-05-01

Computer Communications

Abstract:<p>Personally identifiable information (PII) can find its way into cyberspace through various channels, and many potential sources can leak such information. Data sharing (e.g. cross-agency data sharing) for machine learning and analytics is one of the important components in data science. However, due to privacy concerns, data should be enforced with strong privacy guarantees before sharing. Different privacy-preserving approaches were developed for privacy preserving data sharing; however, identifying the best privacy-preservation approach for the privacy-preservation of a certain dataset is still a challenge. Different parameters can influence the efficacy of the process, such as the characteristics of the input dataset, the strength of the privacy-preservation approach, and the expected level of utility of the resulting dataset (on the corresponding data mining application such as classification). This paper presents a framework named <u>P</u>rivacy <u>P</u>reservation <u>a</u>s <u>a</u><u>S</u>ervice (PPaaS) to reduce this complexity. The proposed method employs selective privacy preservation via data perturbation and looks at different dynamics that can influence the quality of the privacy preservation of a dataset. PPaaS includes pools of data perturbation methods, and for each application and the input dataset, PPaaS selects the most suitable data perturbation approach after rigorous evaluation. It enhances the usability of privacy-preserving methods within its pool; it is a generic platform that can be used to sanitize big data in a granular, application-specific manner by employing a suitable combination of diverse privacy-preserving algorithms to provide a proper balance between privacy and utility.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic

Martin Bialke,Dana Stahl,Torsten Leddig,Wolfgang Hoffmann

DOI: https://doi.org/10.2196/65784

IF: 3.2

2024-12-01

JMIR Medical Informatics

Abstract:With great interest we read the article entitled "Development of a Trusted Third Party at a Large University Hospital: Design and Implementation Study" by Wündisch et al. (1). The objective of the article was to introduce a "comprehensive architecture for a Trusted Third Party (TTP) that aims to support a wide range of different research projects" incorporating "a fine-grained authentication and authorization model [and] a modern REST-API" in order to "support cross-service workflows". Their work is based on well-established software components of the University Medicine Greifswald for record linkage (E PIX®), pseudonymisation (gPAS®) and consent management (gICS®) (2). With this letter, we aim to place the authors' statement that "the literature lacks insights into the design of more comprehensive architectures that support complex research workflows that are actually in production use" into a state-of-the-art perspective to prevent any misleading impressions. While the authors concede that "research exists on the components mentioned above", their article contains several inaccuracies that we would like to highlight in the following. The functional scope of the existing solutions (E-PIX, gPAS, gICS) is presented in Table 1. However, the existing workflow management solution of the University Medicine Greifswald (TTP Dispatcher) was not displayed (2). The authors only reference this highly relevant component later in text of their article. Furthermore, the content and designation of Table 2 "additional functional requirements" misleadingly suggests that the listed requirements are not covered by the solutions mentioned in Table 1. In published work (2) (3) and available materials (4), many of the checkmarks listed in Table 2 have been successfully validated, and moreover, the compliance of the tools with the pertinent TMF guidelines (3) has been demonstrated. Unlike the authors' indication, the TTP dispatcher solution from the University Medicine Greifswald provides a common REST-API across all TTP services (based on E-PIX, gPAS and gICS) and enables cross-service workflows (2). Contrary to the description by Wündisch et. al., the dispatcher architecture allows the implementation of complex research workflows. We published a list of available workflows together with a corresponding example ("automatic creation of pseudonyms linked to the primary identifier when registering a patient or study participant")(2). Since 2018, the existing TTP dispatcher solution has been made available in various project collaborations (3). In 2024, the TTP dispatcher is used in projects throughout Germany and the comprehensive documentation for the latest software version is publicly available (4). With regard to the relevance of the secure authentication mechanisms, we fully agree with the authors that OAuth 2.0 support based on OIDC and a fine-grained authorisation model are essential for securing TTP-Services. Therefore, Keycloak-support for E-PIX, gPAS and gICS is operational since 2022 (5). We can also only encourage the interoperability endeavours of the authors with regard to HL7 FHIR. For this reason, the University Medicine Greifswald has actively contributed to the HL7 FHIR standard and has fully implemented it (5). We hope that our additions have clarified any remaining uncertainties and welcome further opportunities to exchange and share our practical experience with the authors.

medical informatics

Jeremy Straub

2023-06-07

Abstract:Penetration testing increases the security of systems through tasking testers to 'think like the adversary' and attempt to find the ways that an attacker would break into the system. For many systems, this can be conducted in a safe and controlled way; however, some systems are so critical to human life and safety that the risk of their failure or disablement due to active penetration testing cannot be assumed. These systems are also critical to evaluate the security of, to prevent attackers from disabling them or causing their maloperation; however, this must be done in a manner that doesn't risk the very malady that testing seeks to avoid through the testing process itself. This paper presents P2SCP, a paradigm for penetration testing of systems that cannot be subjected to the risk of penetration testing. It discusses how data collection, the creation of digital twins and cousins and evaluative analysis can be utilized to conduct virtual penetration tests on critical infrastructure systems. This proposed paradigm is analyzed through the use of several case studies.

Cryptography and Security

Ivan Costa,Ivone Amorim,Eva Maia,Pedro Barbosa,Isabel Praca

2024-04-17

Abstract:Healthcare data contains some of the most sensitive information about an individual, yet sharing this data with healthcare practitioners can significantly enhance patient care and support research efforts. However, current systems for sharing health data between patients and caregivers do not fully address the critical security requirements of privacy, confidentiality, and consent management. Furthermore, compliance with regulatory laws such as GDPR and HIPAA is often deficient, largely because patients typically are asked to provide general consent for healthcare entities to access their data. Recognizing the limitations of existing systems, we present S3PHER, a novel approach to sharing health data that provides patients with control over who accesses their data, what data is accessed, and when. Our system ensures end to end privacy by integrating a Proxy ReEncryption Scheme with a Searchable Encryption Scheme, utilizing Homomorphic Encryption to enable healthcare practitioners to privately search and access patients' documents. The practicality and benefits of S3PHER are further validated through end to end deployment and use case analyses, with tests on real datasets demonstrating promising execution times.

Cryptography and Security

Maximilian Jugl,Sascha Welten,Yongli Mou,Yeliz Ucer Yediel,Oya Deniz Beyan,Ulrich Sax,Toralf Kirsten

DOI: https://doi.org/10.48550/arXiv.2309.06171

2023-09-12

Distributed, Parallel, and Cluster Computing

Abstract:With the generation of personal and medical data at several locations, medical data science faces unique challenges when working on distributed datasets. Growing data protection requirements in recent years drastically limit the use of personally identifiable information. Distributed data analysis aims to provide solutions for securely working on highly sensitive data while minimizing the risk of information leaks, which would not be possible to the same degree in a centralized approach. A novel concept in this field is the Personal Health Train (PHT), which encapsulates the idea of bringing the analysis to the data, not vice versa. Data sources are represented as train stations. Trains containing analysis tasks move between stations and aggregate results. Train executions are coordinated by a central station which data analysts can interact with. Data remains at their respective stations and analysis results are only stored inside the train, providing a safe and secure environment for distributed data analysis. Duplicate records across multiple locations can skew results in a distributed data analysis. On the other hand, merging information from several datasets referring to the same real-world entities may improve data completeness and therefore data quality. In this paper, we present an approach for record linkage on distributed datasets using the Personal Health Train. We verify this approach and evaluate its effectiveness by applying it to two datasets based on real-world data and outline its possible applications in the context of distributed data analysis tasks.

C Parretti,E Pourabbas,F Rolli,F Pecoraro,P Citti

DOI: https://doi.org/10.1088/1757-899X/1174/1/012015

2021-09-10

IOP Conference Series: Materials Science and Engineering

Abstract:Recent developments in Information and Communication Technology have paved the foundations for new forms of collaboration between health systems in different countries. These collaborations allow, on the one hand, to monitor recurrent health emergencies on territories, and on the other hand, they allow national health systems to share information about foreign citizens in transit on their territory. European legislation regarding the processing of personal data places strict constraints on the cross-border transfer of personal data. In this case, companies or organizations, operating on information interchange, must adopt robust mechanisms to verify the adequacy requirements, in order to allow monitoring of security levels, identification of possible intervention actions and preparation of updated security plans for inspection visits required by European standards. In this context, Axiomatic Design allows not only to design medical systems and equipment in compliance with current regulations, but also to provide representations of the design artifact already prepared to implant privacy risk assessment mechanisms. This makes it possible to identify the activities/components to be assessed up to a level of elementary granularity such as to allow risk assessment for the single module. At the same time, the axiomatic approach enables the overall recomposition of privacy violation risks on the basis of a modular representation of the whole system according to the well-known V model scheme. This recomposition allows to build the so-called risk privacy coverage matrix, in order to trace the risk level of the elementary modules, associating them with more and more complex components. In this way, the foundations to build a dynamic monitoring system of the privacy risk level of the system can be defined.

Gustavo Gonzalez-Granadillo,Sofia Anna Menesidou,Dimitrios Papamartzivanos,Ramon Romeu,Diana Navarro-Llobet,Caxton Okoh,Sokratis Nifakos,Christos Xenakis,Emmanouil Panaousis

DOI: https://doi.org/10.3390/s21165493

IF: 3.9

2021-08-15

Sensors

Abstract:Addressing cyber and privacy risks has never been more critical for organisations. While a number of risk assessment methodologies and software tools are available, it is most often the case that one must, at least, integrate them into a holistic approach that combines several appropriate risk sources as input to risk mitigation tools. In addition, cyber risk assessment primarily investigates cyber risks as the consequence of vulnerabilities and threats that threaten assets of the investigated infrastructure. In fact, cyber risk assessment is decoupled from privacy impact assessment, which aims to detect privacy-specific threats and assess the degree of compliance with data protection legislation. Furthermore, a Privacy Impact Assessment (PIA) is conducted in a proactive manner during the design phase of a system, combining processing activities and their inter-dependencies with assets, vulnerabilities, real-time threats and Personally Identifiable Information (PII) that may occur during the dynamic life-cycle of systems. In this paper, we propose a cyber and privacy risk management toolkit, called AMBIENT (Automated Cyber and Privacy Risk Management Toolkit) that addresses the above challenges by implementing and integrating three distinct software tools. AMBIENT not only assesses cyber and privacy risks in a thorough and automated manner but it also offers decision-support capabilities, to recommend optimal safeguards using the well-known repository of the Center for Internet Security (CIS) Controls. To the best of our knowledge, AMBIENT is the first toolkit in the academic literature that brings together the aforementioned capabilities. To demonstrate its use, we have created a case scenario based on information about cyber attacks we have received from a healthcare organisation, as a reference sector that faces critical cyber and privacy threats.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Antonio Capodieci,Luca Mainetti,Stefano Lisi,Roberto Paiano,Sara Matino,Mariavittoria Ugirashebuja

DOI: https://doi.org/10.1007/s11042-024-20308-6

IF: 2.577

2024-11-06

Multimedia Tools and Applications

Abstract:The European Parliament adopted the European General Data Protection Regulation (GDPR, EU 2016/679), which revolutionized the legislative framework for personal data protection within the European Union. The GDPR mandates organizations to shift from a passive approach, relying on minimum security measures outlined in the 1994 EU Directive, to a proactive accountability-based approach. Organizations are expected to implement verification systems, foster continuous improvement, and follow principles such as privacy by design and privacy by default. The latter principle emphasizes incorporating privacy considerations throughout the entire engineering process. The challenge for organizations lies in effectively auditing their compliance with the GDPR. This study proposes a structured approach based on the business process modeling to aid in GDPR compliance. It involves identifying crucial compliance points for the GDPR. A case study is presented where the method is applied to a purchase of a health insurance policy process in the context of the Secure Safe Apulia project.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Mikhail Fomichev,Manisha Luthra,Maik Benndorf,Pratyush Agnihotri

DOI: https://doi.org/10.1145/3583678.3596889

2023-05-30

Abstract:Stream processing systems (SPSs) have been designed to process data streams in real-time, allowing organizations to analyze and act upon data on-the-fly, as it is generated. However, handling sensitive or personal data in these multilayered SPSs that distribute resources across sensor, fog, and cloud layers raises privacy concerns, as the data may be subject to unauthorized access and attacks that can violate user privacy, hence facing regulations such as the GDPR across the SPS layers. To address these issues, different privacy-preserving mechanisms (PPMs) are proposed to protect user privacy in SPSs. Yet, selecting and applying such PPMs in SPSs is challenging, since they must operate in real-time while tolerating little overhead. The multilayered nature of SPSs complicates privacy protection because each layer may confront different privacy threats, which must be addressed by specific PPMs. To overcome these challenges, we present Prinseps, our comprehensive privacy vision for SPSs. Towards this vision, we (1) identify critical privacy threats on different layers of the multilayered SPS, (2) evaluate the effectiveness of existing PPMs in addressing such threats, and (3) integrate privacy considerations into the decision-making processes of SPSs.

Cryptography and Security

Michael Kühr,Mohammad Hamad,Pedram MohajerAnsari,Mert D. Pesé,Sebastian Steinhorst

2024-09-02

Abstract:Cameras are crucial sensors for autonomous vehicles. They capture images that are essential for many safety-critical tasks, including perception. To process these images, a complex pipeline with multiple layers is used. Security attacks on this pipeline can severely affect passenger safety and system performance. However, many attacks overlook different layers of the pipeline, and their feasibility and impact vary. While there has been research to improve the quality and robustness of the image processing pipeline, these efforts often work in parallel with security research, without much awareness of their potential synergy. In this work, we aim to bridge this gap by combining security and robustness research for the image processing pipeline in autonomous vehicles. We classify the risk of attacks using the automotive security standard ISO 21434, emphasizing the need to consider all layers for overall system security. We also demonstrate how existing robustness research can help mitigate the impact of attacks, addressing the current research gap. Finally, we present an embedded testbed that can influence various parameters across all layers, allowing researchers to analyze the effects of different defense strategies and attack impacts. We demonstrate the importance of such a test environment through a use-case analysis and show how blinding attacks can be mitigated using HDR imaging as an example of robustness-related research.

Cryptography and Security