Daniel Harris,Chris Delcher

DOI: https://doi.org/10.2196/54958

2024-05-21

Abstract:Background: Location and environmental social determinants of health are increasingly important factors in both an individual's health and the monitoring of community-level public health issues. Objective: We aimed to measure the extent to which location obfuscation techniques, designed to protect an individual's privacy, can unintentionally shift geographical coordinates into neighborhoods with significantly different socioeconomic demographics, which limits the precision of findings for public health stakeholders. Methods: Point obfuscation techniques intentionally blur geographic coordinates to conceal the original location. The pinwheel obfuscation method is an existing technique in which a point is moved along a pinwheel-like path given a randomly chosen angle and a maximum radius; we evaluate the impact of this technique using 2 data sets by comparing the demographics of the original point and the resulting shifted point by cross-referencing data from the United States Census Bureau. Results: Using poverty measures showed that points from regions of low poverty may be shifted to regions of high poverty; similarly, points in regions with high poverty may be shifted into regions of low poverty. We varied the maximum allowable obfuscation radius; the mean difference in poverty rate before and after obfuscation ranged from 6.5% to 11.7%. Additionally, obfuscation inadvertently caused false hot spots for deaths by suicide in Cook County, Illinois. Conclusions: Privacy concerns require patient locations to be imprecise to protect against risk of identification; precision public health requires accuracy. We propose a modified obfuscation technique that is constrained to generate a new point within a specified census-designated region to preserve both privacy and analytical accuracy by avoiding demographic shifts.

M. J. Edmondson,C. Luo,R. Duan,M. Maltenfort,Z. Chen,J. Shults,J. Bian,P. Ryan,C. Forrest,Y. Chen

DOI: https://doi.org/10.1101/2020.12.17.20248194

2020-01-01

MedRxiv

Abstract:Background Multi-site studies facilitate the study of rare outcomes or exposures through integrating patient information from several distinct care sites. Due to patient privacy concerns, sharing of patient-level information among collaborating sites is often prohibited, suggesting a need for privacy-preserving data analysis methods. Several such methods exist, but have been shown to sometimes result in biased estimation or require extensive communication among sites. Objective We present a communication-efficient, privacy-preserving method for performing distributed regression on Electronic Health Records (EHR) data across multiple sites for zero-inflated count outcomes. Our approach is motivated by two real-world data problems: examining risk factors associated with pediatric avoidable hospitalization and modeling frequency of serious adverse events in colorectal cancer patients. Methods We use hurdle regression, a two-part (logistic-Poisson) regression model, to characterize the effects of risk factors on zero-inflated count outcomes. We develop a one-shot algorithm for performing hurdle regression (ODAH) across multiple sites, using individual patient data at one site and aggregated data from all other sites to approximate the complete data log likelihood. We evaluate ODAH through extensive simulations and an application to EHR data from the Children's Hospital of Philadelphia (CHOP) and the OneFlorida Clinical Research Consortium. We compare ODAH estimates to those from meta-analysis and pooled analysis (all patient data pooled together, the gold standard). Results In simulations, ODAH estimates exhibited bias relative to the gold standard of less than 0.1% across several settings. In contrast, meta-analysis estimated exhibited relative bias up to 12.7%, largely dependent on event rate. When applying ODAH to CHOP data, relative biases for estimates in both components of the hurdle model were less than 5.1%, while meta-analysis estimates exhibited relative bias as high as 63.6%. When analyzing OneFlorida data, ODAH relative biases were less than 10% for eight of the ten estimated coefficients, while meta-analysis estimates again showed substantially greater bias. Conclusions Our simulations and real-world applications suggest ODAH is a promising method for performing privacy-preserving distributed learning on EHR data when modeling zero-inflated count outcomes.

John Pearson,Cameron Jacobson,Nkemdirim Ugochukwu,Elliot Asare,Kelvin Kan,Nathan Pace,Jiuying Han,Neng Wan,Robert Schonberger,Michael Andreae

DOI: https://doi.org/10.1097/AIA.0000000000000389

2023-01-01

Abstract:Social context matters for health, healthcare processes/quality and patient outcomes. The social status and circumstances we are born into, grow up in and live under, are called social determinants of health; they drive our health, and how we access and experience care; they are the fundamental causes of disease outcomes. Such circumstances are influenced heavily by our location through neighborhood context, which relates to support networks. Geography can influence proximity to resources and is an important dimension of social determinants of health, which also encompass race/ethnicity, language, health literacy, gender identity, social capital, wealth and income. Beginning with an explanation of social determinants, we explore the use of Geospatial Analysis methods and geocoding, including the importance of collaborating with geography experts, the pitfalls of geocoding, and how geographic analysis can help us to understand patient populations within the context of Social Determinants of Health. We then explain mechanisms and methods of geospatial analysis with two examples: (1) Bayesian hierarchical regression with crossed random effects and (2) discontinuity regression i.e., change point analysis. We leveraged the local University of Utah and Yale cohorts of the Multicenter Perioperative Outcomes Group (MPOG.org), a perioperative electronic health registry; we enriched the Utah cohort with US-census tract level social determinants of health after geocoding patient addresses and extracting social determinants of health from the National Neighborhood Database (NaNDA). We explain how to investigate the impact of US-census tract level community deprivation indices and racial/ethnic composition on (1) individual clinicians’ administration of risk-adjusted perioperative antiemetic prophylaxis, (2) patients’ decisions to defer cataract surgery at the cusp of Medicare eligibility and finally (3) methods to further characterize patient populations at risk through publicly available datasets in the context of public transit access. Our examples are not rigorous analyses, and our preliminary inferences should not be taken at face value, but rather seen as illustration of geospatial analysis processes and methods. Our worked examples show the potential utility of geospatial analysis, and in particular the power of geocoding patient addresses to extract US-census level social determinants of health from publicly available databases to enrich electronic health registries for healthcare disparity research and targeted health system level countermeasures.

Harrison Quick

DOI: https://doi.org/10.48550/arXiv.2103.03833

2021-03-03

Abstract:CDC WONDER is a web-based tool for the dissemination of epidemiologic data collected by the National Vital Statistics System. While CDC WONDER has built-in privacy protections, they do not satisfy formal privacy protections such as differential privacy and thus are susceptible to targeted attacks. Given the importance of making high-quality public health data publicly available while preserving the privacy of the underlying data subjects, we aim to improve the utility of a recently developed approach for generating Poisson-distributed, differentially private synthetic data by using publicly available information to truncate the range of the synthetic data. Specifically, we utilize county-level population information from the U.S. Census Bureau and national death reports produced by the CDC to inform prior distributions on county-level death rates and infer reasonable ranges for Poisson-distributed, county-level death counts. In doing so, the requirements for satisfying differential privacy for a given privacy budget can be reduced by several orders of magnitude, thereby leading to substantial improvements in utility. To illustrate our proposed approach, we consider a dataset comprised of over 26,000 cancer-related deaths from the Commonwealth of Pennsylvania belonging to over 47,000 combinations of cause-of-death and demographic variables such as age, race, sex, and county-of-residence and demonstrate the proposed framework's ability to preserve features such as geographic, urban/rural, and racial disparities present in the true data.

Applications,Methodology

Graham Cormode,Magda Procopiuc,Entong Shen,Divesh Srivastava,Ting Yu

DOI: https://doi.org/10.48550/arXiv.1103.5170

2012-03-14

Abstract:Differential privacy has recently emerged as the de facto standard for private data release. This makes it possible to provide strong theoretical guarantees on the privacy and utility of released data. While it is well-known how to release data based on counts and simple functions under this guarantee, it remains to provide general purpose techniques to release different kinds of data. In this paper, we focus on spatial data such as locations and more generally any data that can be indexed by a tree structure. Directly applying existing differential privacy methods to this type of data simply generates noise. Instead, we introduce a new class of "private spatial decompositions": these adapt standard spatial indexing methods such as quadtrees and kd-trees to provide a private description of the data distribution. Equipping such structures with differential privacy requires several steps to ensure that they provide meaningful privacy guarantees. Various primitives, such as choosing splitting points and describing the distribution of points within a region, must be done privately, and the guarantees of the different building blocks composed to provide an overall guarantee. Consequently, we expose the design space for private spatial decompositions, and analyze some key examples. Our experimental study demonstrates that it is possible to build such decompositions efficiently, and use them to answer a variety of queries privately with high accuracy.

Databases

Maged N. Kamel Boulos,Mei-Po Kwan,Khaled El Emam,Ada Lai-Ling Chung,Song Gao,Douglas B. Richardson

DOI: https://doi.org/10.1186/s12942-022-00300-9

2022-01-19

International Journal of Health Geographics

Abstract:Abstract This article provides a state-of-the-art summary of location privacy issues and geoprivacy-preserving methods in public health interventions and health research involving disaggregate geographic data about individuals. Synthetic data generation (from real data using machine learning) is discussed in detail as a promising privacy-preserving approach. To fully achieve their goals, privacy-preserving methods should form part of a wider comprehensive socio-technical framework for the appropriate disclosure, use and dissemination of data containing personal identifiable information. Select highlights are also presented from a related December 2021 AAG (American Association of Geographers) webinar that explored ethical and other issues surrounding the use of geospatial data to address public health issues during challenging crises, such as the COVID-19 pandemic.

public, environmental & occupational health

Christopher Bian,Albert Cheu,Yannis Guzman,Marco Gruteser,Peter Kairouz,Ryan McKenna,Edo Roth

2024-07-04

Abstract:Environmental Insights Explorer (EIE) is a Google product that reports aggregate statistics about human mobility, including various methods of transit used by people across roughly 50,000 regions globally. These statistics are used to estimate carbon emissions and provided to policymakers to inform their decisions on transportation policy and infrastructure. Due to the inherent sensitivity of this type of user data, it is crucial that the statistics derived and released from it are computed with appropriate privacy protections. In this work, we use a combination of federated analytics and differential privacy to release these required statistics, while operating under strict error constraints to ensure utility for downstream stakeholders. In this work, we propose a new mechanism that achieves $ \epsilon \approx 2 $-DP while satisfying these strict utility constraints, greatly improving over natural baselines. We believe this mechanism may be of more general interest for the broad class of group-by-sum workloads.

Cryptography and Security,Databases

David Leoni

DOI: https://doi.org/10.48550/arXiv.1205.2726

2012-05-11

Databases

Abstract:OpenData movement around the globe is demanding more access to information which lies locked in public or private servers. As recently reported by a McKinsey publication, this data has significant economic value, yet its release has potential to blatantly conflict with people privacy. Recent UK government inquires have shown concern from various parties about publication of anonymized databases, as there is concrete possibility of user identification by means of linkage attacks. Differential privacy stands out as a model that provides strong formal guarantees about the anonymity of the participants in a sanitized database. Only recent results demonstrated its applicability on real-life datasets, though. This paper covers such breakthrough discoveries, by reviewing applications of differential privacy for non-interactive publication of anonymized real-life datasets. Theory, utility and a data-aware comparison are discussed on a variety of principles and concrete applications.

Teng Wang,Jun Zhao,Zhi Hu,Xinyu Yang,Xuebin Ren,Kwok-Yan Lam

DOI: https://doi.org/10.1016/j.neucom.2020.09.073

IF: 6

2021-02-01

Neurocomputing

Abstract:<p>Local Differential Privacy (LDP) can provide each user with strong privacy guarantees under untrusted data curators while ensuring accurate statistics derived from privatized data. Due to its powerfulness, LDP has been widely adopted to protect privacy in various tasks (e.g., heavy hitters discovery, probability estimation) and systems (e.g., Google Chrome, Apple iOS). In particular, <span class="math"><math>(∊,δ)</math></span>-LDP has been studied in related statistical tasks like private learning and hypothesis testing, but is mainly achieved by using Gaussian mechanism, leading to the limited data utility. In this paper, we investigate several novel mechanisms that achieve <span class="math"><math>(∊,δ)</math></span>-LDP with higher data utility in collecting and analyzing users' data. Specifically, we first design two <span class="math"><math>(∊,δ)</math></span>-LDP algorithms for mean estimations on multi-dimensional numeric data, which can ensure higher accuracy than the optimal Gaussian mechanism. Then, we investigate different local protocols for frequency estimations on categorical attributes under <span class="math"><math>(∊,δ)</math></span>-LDP. Based on the proposed mechanisms, we further study on <span class="math"><math>(∊,δ)</math></span>-LDP-compliant stochastic gradient descent algorithms for machine learning models. Besides, the theoretical analysis of the error bound and the variance of the proposed algorithms are also presented in the paper. We have conducted extensive experiments on both real-world and synthetic datasets and demonstrated the high data utility of our proposed algorithms in the perspectives of simple data statistics tasks and complex machine learning tasks. The experimental results have shown that our proposed algorithms can effectively improve the data utility in different tasks while alleviating the privacy concerns of each individual.</p>

computer science, artificial intelligence

James Gardner,Li Xiong,Yonghui Xiao,Jingjing Gao,Andrew R Post,Xiaoqian Jiang,Lucila Ohno-Machado,J. Gardner,L. Xiong,Y. Xiao,J. Gao,A. R. Post,X. Jiang,L. Ohno-Machado

DOI: https://doi.org/10.1136/amiajnl-2012-001032

2013-01-01

Journal of the American Medical Informatics Association

Abstract:OBJECTIVES: We present SHARE, a new system for statistical health information release with differential privacy. We present two case studies that evaluate the software on real medical datasets and demonstrate the feasibility and utility of applying the differential privacy framework on biomedical data.MATERIALS AND METHODS: SHARE releases statistical information in electronic health records with differential privacy, a strong privacy framework for statistical data release. It includes a number of state-of-the-art methods for releasing multidimensional histograms and longitudinal patterns. We performed a variety of experiments on two real datasets, the surveillance, epidemiology and end results (SEER) breast cancer dataset and the Emory electronic medical record (EeMR) dataset, to demonstrate the feasibility and utility of SHARE.RESULTS: Experimental results indicate that SHARE can deal with heterogeneous data present in medical data, and that the released statistics are useful. The Kullback-Leibler divergence between the released multidimensional histograms and the original data distribution is below 0.5 and 0.01 for seven-dimensional and three-dimensional data cubes generated from the SEER dataset, respectively. The relative error for longitudinal pattern queries on the EeMR dataset varies between 0 and 0.3. While the results are promising, they also suggest that challenges remain in applying statistical data release using the differential privacy framework for higher dimensional data.CONCLUSIONS: SHARE is one of the first systems to provide a mechanism for custodians to release differentially private aggregate statistics for a variety of use cases in the medical domain. This proof-of-concept system is intended to be applied to large-scale medical data warehouses.

information science & library science,computer science, information systems, interdisciplinary applications,health care sciences & services,medical informatics

Simson L. Garfinkel,John M. Abowd,Sarah Powazek

DOI: https://doi.org/10.1145/3267323.3268949

2018-09-07

Abstract:When differential privacy was created more than a decade ago, the motivating example was statistics published by an official statistics agency. In attempting to transition differential privacy from the academy to practice, the U.S. Census Bureau has encountered many challenges unanticipated by differential privacy's creators. These challenges include obtaining qualified personnel and a suitable computing environment, the difficulty accounting for all uses of the confidential data, the lack of release mechanisms that align with the needs of data users, the expectation on the part of data users that they will have access to micro-data, and the difficulty in setting the value of the privacy-loss parameter, $\epsilon$ (epsilon), and the lack of tools and trained individuals to verify the correctness of differential privacy implementations.

Cryptography and Security

Yanran Li,Brent A. Coull,Nancy Krieger,Emily Peterson,Lance A. Waller,Jarvis T. Chen,Rachel C. Nethery

DOI: https://doi.org/10.48550/arXiv.2209.04316

2023-03-30

Abstract:The US Census Bureau will implement a new privacy-preserving disclosure avoidance system (DAS), which includes application of differential privacy, on the public-release 2020 census data. There are concerns that the DAS may bias small-area and demographically-stratified population counts, which play a critical role in public health research and policy, serving as denominators in estimation of disease/mortality rates. Employing three DAS demonstration products, we quantify errors attributable to reliance on DAS-protected denominators in standard small-area disease mapping models for characterizing health inequities. We conduct simulation studies and real data analyses of inequities in premature mortality at the census tract level in Massachusetts. Results show that overall patterns of inequity by racialized group and economic deprivation level are not compromised by the DAS. While early versions of DAS induce errors in mortality rate estimation that are larger for Black than for non-Hispanic white populations, this issue is ameliorated in newer DAS versions.

Applications

danah boyd

DOI: https://doi.org/10.48550/arXiv.1907.03639

2019-07-08

Abstract:In early 2021, the US Census Bureau will begin releasing statistical tables based on the decennial census conducted in 2020. Because of significant changes in the data landscape, the Census Bureau is changing its approach to disclosure avoidance. The confidentiality of individuals represented "anonymously" in these statistical tables will be protected by a "formal privacy" technique that allows the Bureau to mathematically assess the risk of revealing information about individuals in the released statistical tables. The Bureau's approach is an implementation of "differential privacy," and it gives a rigorously demonstrated guaranteed level of privacy protection that traditional methods of disclosure avoidance do not. Given the importance of the Census Bureau's statistical tables to democracy, resource allocation, justice, and research, confusion about what differential privacy is and how it might alter or eliminate data products has rippled through the community of its data users, namely: demographers, statisticians, and census advocates. The purpose of this primer is to provide context to the Census Bureau's decision to use a technique based on differential privacy and to help data users and other census advocates who are struggling to understand what this mathematical tool is, why it matters, and how it will affect the Bureau's data products.

Computers and Society

WeiKang Liu,Yanchun Zhang,Hong Yang,Qinxue Meng

DOI: https://doi.org/10.1007/s40745-023-00475-3

2023-06-10

Abstract:Machine learning methods promote the sustainable development of wise information technology of medicine (WITMED), and a variety of medical data brings high value and convenience to medical analysis. However, the applications of medical data have also been confronted with the risk of privacy leakage that is hard to avoid, especially when conducting correlation analysis or data sharing among multiple institutions. Data security and privacy preservation have recently played an essential role in the field of secure and private medical data analysis, where many differential privacy strategies are applied to medical data publishing and mining. In this paper, we survey research work on the applications of differential privacy for medical data analysis, discussing the necessity of medical privacy-preserving, the advantages of differential privacy, and their applications to typical medical data, such as genomic data and wearable device data. Furthermore, we discuss the challenges and potential future research directions for differential privacy in medical applications.

Hongwei Li,Yuanshun Dai,Xiaodong Lin

DOI: https://doi.org/10.1109/healthcom.2015.7454576

2015-01-01

Abstract:E-health data release, which answers the statistical queries of the Electronic Health Records (EHRs), has been widely adopted in modern health care services. However, since the EHRs contain sensitive information of the patients, the data release procedure may lead to the leakage of the privacy of patients if it is done without necessary protection measures in place. On addressing this, existing research literature introduces differential privacy to provide the necessary privacy guarantee. However, it is not suitable in sensitive e-health environments because it lacks the efficiency for data processing and updating. In this paper, we propose an efficient e-health data release scheme with consistency guarantee under differential privacy. Specifically, we improve the performance of the previous work by designing a new private partition algorithm of histogram and also proposing a heuristic hierarchical query method. We conduct real experiments and compare our scheme with the existing one to show that the proposal is more efficient in terms of data processing and updating. Moreover, we increase the accuracy of data release through consistency and give proof of privacy to show that the proposed algorithm is under ϵ-differential privacy.

Patrick Song,Jayshree Sarathy,Michael Shoemate,Salil Vadhan

DOI: https://doi.org/10.1145/3687011

2024-10-13

Abstract:Differential privacy (DP) is a promising framework for privacy-preserving data science, but recent studies have exposed challenges in bringing this theoretical framework for privacy into practice. These tensions are particularly salient in the context of open-source software libraries for DP data analysis, which are emerging tools to help data stewards and analysts build privacy-preserving data pipelines for their applications. While there has been significant investment into such libraries, we need further inquiry into the role of these libraries in promoting understanding of and trust in DP, and in turn, the ways in which design of these open-source libraries can shed light on the challenges of creating trustworthy data infrastructures in practice. In this study, we use qualitative methods and mental models approaches to analyze the differences between conceptual models used to design open-source DP libraries and mental models of DP held by users. Through a two-stage study design involving formative interviews with 5 developers of open-source DP libraries and user studies with 17 data analysts, we find that DP libraries often struggle to bridge the gaps between developer and user mental models. In particular, we highlight the tension DP libraries face in maintaining rigorous DP implementations and facilitating user interaction. We conclude by offering practical recommendations for further development of DP libraries.

Human-Computer Interaction

Olivia Choudhury,Aris Gkoulalas-Divanis,Theodoros Salonidis,Issa Sylla,Yoonyoung Park,Grace Hsu,Amar Das

DOI: https://doi.org/10.48550/arXiv.1910.02578

2020-02-27

Abstract:Leveraging real-world health data for machine learning tasks requires addressing many practical challenges, such as distributed data silos, privacy concerns with creating a centralized database from person-specific sensitive data, resource constraints for transferring and integrating data from multiple sites, and risk of a single point of failure. In this paper, we introduce a federated learning framework that can learn a global model from distributed health data held locally at different sites. The framework offers two levels of privacy protection. First, it does not move or share raw data across sites or with a centralized server during the model training process. Second, it uses a differential privacy mechanism to further protect the model from potential privacy attacks. We perform a comprehensive evaluation of our approach on two healthcare applications, using real-world electronic health data of 1 million patients. We demonstrate the feasibility and effectiveness of the federated learning framework in offering an elevated level of privacy and maintaining utility of the global model.

Machine Learning,Cryptography and Security

Amanda Coston,Neel Guha,Derek Ouyang,Lisa Lu,Alexandra Chouldechova,Daniel E. Ho

DOI: https://doi.org/10.1145/3442188.3445881

2021-04-16

Abstract:Anonymized smartphone-based mobility data has been widely adopted in devising and evaluating COVID-19 response strategies such as the targeting of public health resources. Yet little attention has been paid to measurement validity and demographic bias, due in part to the lack of documentation about which users are represented as well as the challenge of obtaining ground truth data on unique visits and demographics. We illustrate how linking large-scale administrative data can enable auditing mobility data for bias in the absence of demographic information and ground truth labels. More precisely, we show that linking voter roll data -- containing individual-level voter turnout for specific voting locations along with race and age -- can facilitate the construction of rigorous bias and reliability tests. These tests illuminate a sampling bias that is particularly noteworthy in the pandemic context: older and non-white voters are less likely to be captured by mobility data. We show that allocating public health resources based on such mobility data could disproportionately harm high-risk elderly and minority groups.

Applications,Computers and Society

Joerg Drechsler

DOI: https://doi.org/10.1080/01621459.2022.2161385

2022-04-22

Abstract:Government agencies typically need to take potential risks of disclosure into account whenever they publish statistics based on their data or give external researchers access to collected data. In this context, the promise of formal privacy guarantees offered by concepts such as differential privacy seems to be the panacea enabling the agencies to quantify and control the privacy loss incurred by any data release exactly. Nevertheless, despite the excitement in academia and industry, most agencies -- with the prominent exception of the U.S. Census Bureau -- have been reluctant to even consider the concept for their data release strategy. This paper discusses potential reasons for this. We argue that the requirements for implementing differential privacy approaches at government agencies are often fundamentally different from the requirements in industry. This raises many challenges and questions that still need to be addressed before the concept can be used as an overarching principle when sharing data with the public. The paper does not offer any solutions to these challenges. Instead, we hope to stimulate some collaborative research efforts, as we believe that many of the problems can only be addressed by interdisciplinary collaborations.

Cryptography and Security,Other Statistics

Marina Blanton,Ah Reum Kang,Subhadeep Karan,Jaroslaw Zola

DOI: https://doi.org/10.48550/arXiv.1806.06477

2018-06-18

Abstract:Objective: To enable privacy-preserving learning of high quality generative and discriminative machine learning models from distributed electronic health records. Methods and Results: We describe general and scalable strategy to build machine learning models in a provably privacy-preserving way. Compared to the standard approaches using, e.g., differential privacy, our method does not require alteration of the input biomedical data, works with completely or partially distributed datasets, and is resilient as long as the majority of the sites participating in data processing are trusted to not collude. We show how the proposed strategy can be applied on distributed medical records to solve the variables assignment problem, the key task in exact feature selection and Bayesian networks learning. Conclusions: Our proposed architecture can be used by health care organizations, spanning providers, insurers, researchers and computational service providers, to build robust and high quality predictive models in cases where distributed data has to be combined without being disclosed, altered or otherwise compromised.

Cryptography and Security