{"id":11993,"date":"2018-02-05T09:55:09","date_gmt":"2018-02-05T14:55:09","guid":{"rendered":"http:\/\/www.iri.com\/blog\/?p=11993"},"modified":"2025-02-06T14:26:22","modified_gmt":"2025-02-06T19:26:22","slug":"hipaa-re-id-risk-scoring","status":"publish","type":"post","link":"https:\/\/www.iri.com\/blog\/data-protection\/hipaa-re-id-risk-scoring\/","title":{"rendered":"Scoring Datasets for Re-ID Risk"},"content":{"rendered":"

One of the biggest concerns with releasing a dataset is the risk that a potential attacker can identify the owners of particular records. Even though masking or removing unique identifiers, like names and Social Security Numbers, can reduce that risk substantially, it may still not be enough. Harvard professor Latanya Sweeney reported that 87% of the U.S population can be identified using only their gender, date of birth, and a 5-digit zip code<\/span>1<\/sup><\/a><\/span><\/span>. <\/span><\/p>\n

To prevent data breaches and comply with the Health Insurance Portability and Accountability Act (HIPAA) and GDPR Recital 26, you should also de-identify such \u201cquasi-identifiers\u201d (along with \u201ckey identifiers\u201d like name and SSN) to the point where the risk of re-identification is statistically moot<\/span>2<\/sup><\/a><\/span><\/span>. IRI <\/span>data masking<\/span><\/a> software is designed to do that, especially to anonymize healthcare data (PHI) for privacy compliance, but how do you assess the results?\u00a0<\/span><\/p>\n

This article shows how to credibly score the HIPAA re-identification risk of structured data de-identified with IRI <\/span>FieldShield<\/span><\/a>, <\/span>CellShield<\/span><\/a> or DarkShield<\/a><\/span> using the risk scoring wizard now available as a plugin to <\/span>IRI Workbench<\/span><\/a>. While it was designed with HIPAA EDM security rule in mind, student data privacy laws like FERPA<\/a> also indicates the application of such an approach.<\/span><\/p>\n

Loading Data<\/b><\/h2>\n
\"FieldShield
IRI FieldShield data masking job in the IRI Voracity platform\u2019s Eclipse IDE, IRI Workbench<\/figcaption><\/figure>\n

In our example, we are going to analyze the re-ID risk of a delimited file with the unique identifier having already been masked by FieldShield. Our interest is now to ascertain that the dataset cannot be re-identified through its quasi-identifiers alone.<\/span><\/p>\n

To open the Re-ID Scoring wizard, select <\/span>New Re-ID Risk Scoring <\/span><\/i>from the FieldShield <\/span> menu. You may also navigate to the wizard by selecting <\/span>File -> New -> Other <\/span><\/i>and selecting <\/span>Re-ID Risk Scoring <\/span><\/i>from the <\/span>IRI <\/span><\/i>category.<\/span><\/p>\n

\"new<\/p>\n

Specifying the Data Source<\/b><\/h2>\n

Once you have opened the Re-ID Scoring wizard you are prompted to select the source of the dataset that you wish to score. The wizard can take either flat, character delimited files, like Comma-Separated Values (CSV) or Tab-Separated Values (TSV) files, or a database table connected in Workbench via its <\/span>Data Tools Platform<\/span><\/a> (DTP) plug-in, as seen in the Data Source Explorer.<\/span><\/p>\n

Depending on the choice, you will be required to provide specific configuration details on the next page. For flat files, the file path must be provided, along with the character set, delimiter, and frame character used within the dataset. For databases, a <\/span>Connection Profile<\/span><\/i> from one of the DTP connections and the corresponding <\/span>Database Table<\/span><\/i> need to be selected from a dropdown list or otherwise created from a dialog in the wizard. <\/span><\/p>\n

Both file and table scoring require you to specify the <\/span>Superset Region<\/span><\/i> that will be used to estimate the uniqueness of your dataset against a broader population. The region should match the national background of the most amount of records within your dataset.<\/span><\/p>\n

Previewing your Data<\/b><\/h2>\n

\"new<\/p>\n

To ensure that you have correctly configured your data source, a preview page shows a subset of your data which the wizard structured based on your configuration. For flat files, the <\/span>delimiter<\/span><\/i> and <\/span>frame<\/span><\/i> characters will influence the number of records and how each individual attribute is separated from one another. <\/span><\/p>\n

If your dataset is incorrectly delimited or shows up with an error in the preview, you may need to go back to the previous step and enter the correct configuration options. For flat files there is an additional option to specify if the first line within the file is a header row. Otherwise, default field names will be provided and used in the risk score.<\/span><\/p>\n

Labeling Attributes<\/b><\/h2>\n

\"risk<\/p>\n

Once you are satisfied with the layout and content of your data, it is time to label each attribute based on the risk associated with exposing these attributes, and how they can be used by a potential attacker. These are, in decreasing order of risk for re-identification:<\/span><\/p>\n