Are My EHRs Private Enough? - Event-level Privacy Protection
Privacy is a major concern in sharing human subject data to researchers for
secondary analyses. A simple binary consent (opt-in or not) may significantly
reduce the amount of sharable data, since many patients might only be concerned
about a few sensitive medical conditions rather than the entire medical
records. We propose event-level privacy protection, and develop a feature
ablation method to protect event-level privacy in electronic medical records.
Using a list of 13 sensitive diagnoses, we evaluate the feasibility and the
efficacy of the proposed method. As feature ablation progresses, the
identifiability of a sensitive medical condition decreases at varying speeds
for different diseases. We find that these sensitive diagnoses can be divided
into 3 categories: (1) 5 diseases have fast declining identifiability (AUC
below 0.6 with less than 400 features excluded); (2) 7 diseases with
progressively declining identifiability (AUC below 0.7 with between 200 and 700
features excluded); and (3) 1 disease with slowly declining identifiability
(AUC above 0.7 with 1000 features excluded). The fact that the majority (12 out
of 13) of the sensitive diseases fall into the first two categories suggests
the potential of the proposed feature ablation method as a solution for
event-level record privacy protection.

Comment: accepted by TCB
Selling Data at an Auction under Privacy Constraints
Private data query combines mechanism design with privacy protection to
produce aggregated statistics from privately-owned data records. The problem
arises in a data marketplace where data owners have personalised privacy
requirements and private data valuations. We focus on the case when the data
owners are single-minded, i.e., they are willing to release their data only if
the data broker guarantees to meet their announced privacy requirements. For a
data broker who wants to purchase data from such data owners, we propose the
SingleMindedQuery (SMQ) mechanism, which uses a reverse auction to select data
owners and determine compensations. SMQ satisfies interim incentive
compatibility, individual rationality, and budget feasibility. Moreover, it
uses purchased privacy expectation maximisation as a principle to produce
accurate outputs for commonly-used queries such as counting, median and linear
predictor. The effectiveness of our method is empirically validated by a series
of experiments.
Individual Sensitivity Preprocessing for Data Privacy
The sensitivity metric in differential privacy, which is informally defined
as the largest marginal change in output between neighboring databases, is of
substantial significance in determining the accuracy of private data analyses.
Techniques for improving accuracy when the average sensitivity is much smaller
than the worst-case sensitivity have been developed within the differential
privacy literature, including tools such as smooth sensitivity,
Sample-and-Aggregate, Propose-Test-Release, and Lipschitz extensions.
In this work, we provide a new and general Sensitivity-Preprocessing
framework for reducing sensitivity, where efficient application gives
state-of-the-art accuracy for privately outputting the important statistical
metrics median and mean when no underlying assumptions are made about the
database. In particular, our framework compares favorably to smooth sensitivity
for privately outputting median, in terms of both running time and accuracy.
Furthermore, because our framework is a preprocessing step, it can also be
complementary to smooth sensitivity and any other private mechanism, where
applying both can achieve further gains in accuracy.
We additionally introduce a new notion of individual sensitivity and show
that it is an important metric in the variant definition of personalized
differential privacy. We show that our algorithm can extend to this context and
serve as a useful tool for this variant definition and its applications in
markets for privacy.

Comment: Abbreviated abstract to accommodate character restriction