Format

Send to

Choose Destination
J Am Med Inform Assoc. 2019 Aug 7. pii: ocz114. doi: 10.1093/jamia/ocz114. [Epub ahead of print]

The machine giveth and the machine taketh away: a parrot attack on clinical text deidentified with hiding in plain sight.

Author information

1
Kaiser Permanente Washington Health Research Institute, Seattle, Washington, USA.
2
Privacy Analytics Inc, Ottawa, Ontario, Canada.
3
Department of Biomedical Informatics, Vanderbilt University Medical Center, Nashville, Tennessee, USA.
4
Department of Biostatistics, Vanderbilt University Medical Center, Nashville, Tennessee, USA.
5
Department of Electrical Engineering and Computer Science, Vanderbilt University, Nashville, Tennessee, USA.
6
The MITRE Corp, Bedford, Massachusetts, USA.

Abstract

OBJECTIVE:

Clinical corpora can be deidentified using a combination of machine-learned automated taggers and hiding in plain sight (HIPS) resynthesis. The latter replaces detected personally identifiable information (PII) with random surrogates, allowing leaked PII to blend in or "hide in plain sight." We evaluated the extent to which a malicious attacker could expose leaked PII in such a corpus.

MATERIALS AND METHODS:

We modeled a scenario where an institution (the defender) externally shared an 800-note corpus of actual outpatient clinical encounter notes from a large, integrated health care delivery system in Washington State. These notes were deidentified by a machine-learned PII tagger and HIPS resynthesis. A malicious attacker obtained and performed a parrot attack intending to expose leaked PII in this corpus. Specifically, the attacker mimicked the defender's process by manually annotating all PII-like content in half of the released corpus, training a PII tagger on these data, and using the trained model to tag the remaining encounter notes. The attacker hypothesized that untagged identifiers would be leaked PII, discoverable by manual review. We evaluated the attacker's success using measures of leak-detection rate and accuracy.

RESULTS:

The attacker correctly hypothesized that 211 (68%) of 310 actual PII leaks in the corpus were leaks, and wrongly hypothesized that 191 resynthesized PII instances were also leaks. One-third of actual leaks remained undetected.

DISCUSSION AND CONCLUSION:

A malicious parrot attack to reveal leaked PII in clinical text deidentified by machine-learned HIPS resynthesis can attenuate but not eliminate the protective effect of HIPS deidentification.

KEYWORDS:

deidentification; machine learning; natural language processing, patient data privacy; patient privacy

PMID:
31390016
DOI:
10.1093/jamia/ocz114

Supplemental Content

Full text links

Icon for Silverchair Information Systems
Loading ...
Support Center