Technique for secure processing of patient data

Thanks to a technique developed by Radboud University large-scale research involving patient data can be done without threat to either the security of the information or the privacy of the patients. This technique will be used for a new, large-scale study of Parkinson's disease.

Collecting and analysing medical data on a large scale is an increasingly important research tool in understanding illnesses. To quickly arrive at new insights and avoid double work, it is important that international researchers work together to use and enrich one another's data. Such studies often involve sensitive patient information. Patients must be confident that their privacy will be safeguarded and their data securely stored in line with upcoming European regulations on privacy, known as the strictest in the world.

To make this possible, Professor Bart Jacobs and Professor Eric Verheul, both computer scientists at Radboud University, have developed the Polymorphic Encryption and Pseudonymisation (PEP) technique. The PEP technique realises this goal by pseudonymising and encrypting data in such a way that the data cannot be accessed even by the party who stores the data. Moreover, access to the data is strictly regulated and monitored. The PEP technique makes it possible to analyse data from a study while ensuring that a patient's privacy is safeguarded.

One of the first applications of the PEP technique is a study of Parkinson's that was initiated by Radboud University. In this study, 650 people with Parkinson's will be monitored for two years by means of, among other things, portable measuring equipment (wearables). Thanks to the PEP technique, the research data collected in the Netherlands can be shared in pseudonymised form with top researchers throughout the world.

Public investment in privacy

"In the context of international medical research, personal information is worth its weight in gold. So it's important for the government to invest in an infrastructure that guarantees the protection of this information," said Bart Jacobs, Professor of Digital Security at Radboud University. "Especially to ensure that people will remain willing to participate in future studies of this sort." Radboud University and Radboud university medical center are investing €920,000 in the development of the PEP software. The Province of Gelderland is contributing €750,000. The software will be made available as open source so that other parties may also use it.

Bart Jacobs is optimistic about the future of the PEP system. "The study of Parkinson's should demonstrate the usefulness of PEP. With this showcase as an example, PEP could grow to become the international standard for storing and exchanging privacy-sensitive medical data." The first reactions from the field are positive, Jacobs concluded.

In short, Polymorphic Encryption and Pseudonymisation works as follows:

• the managers of the data cannot access the data
• participants in the study decide for each study if they want to allow their data to be used
• researchers who use the data are given a unique key
• the participants have a different pseudonym for each researcher. This prevents researchers from using another route to access data that they are not allowed to see.