Moderator Steve Cohen identified the following themes during these presentations: game theory, data resources that allow for a breach, and how to simulate the threat of disclosure. He asked the panelists to address where we are heading in the next five years to address these threats.
Malin responded that social media is a serious threat: people self-disclose and disclose about others. His team is doing research on how Twitter is used, and preliminary findings are that people talk more about others than about themselves, and it is a minefield of potential disclosures (for example, “pray for my mom, she has breast cancer”). Another challenge is that electronic health records are becoming commercialized, and start-ups are using data without regulation, which is a big loophole.
Sweeney added that no one is really studying the predictive analytics industry, so we don’t know how big an industry it is. Re-identification is a way of illustrating risk—it’s big although unquantified – we don’t know how much really goes on, because DUAs don’t stop it, they just hide it because the penalties are so draconian. Federal agencies should try to figure out how to link data in a secure way in the cloud to produce aggregated data for the public.
Barth-Jones stated that the future concern is harm from bad de-identification practice—from bad science and inefficiency. We should focus on reducing bad de-identification practices.
Love is concerned that data will be too protected, and opt-in/opt-out will be disastrous for public health and for population health (an example is when parents do not vaccinate their children).
El Emam noted that techniques are becoming more sophisticated, including protection of data. Risks can be managed with appropriate de-identification practices.
Malin recommended that data holders have a dialogue with the community regarding use of data for research purposes. They should create an advisory board and keep them in place, and make them partners. This will reduce the risk of research being shutdown in the event of a breach.