Source: Created some of the first medical records digital exchanges (NYCLIX, BHIX, etc.) in the mid 2000s. Worked very hard to figure out how to protect patient privacy. This breach and subsequent blackmailing was one of our nightmare scenarios. FWIW, nothing (nothing) has improved since.
Just like a password wallet. Store the hash of passwords, not the actual passwords. Then disallow password resets.
Then you effectively "forget" your account if you lose your password.
The book Translucent Databases (2nd ed) [2009] explains clever strategies for applying this technique to protect sensitive data. It's brilliant.
https://www.wayner.org/node/39
https://www.amazon.com/gp/product/1441421343
Meta: I remain disappointed by the obscurity of this book and translucent techniques. A long-time friend recently asked me about GDPR compliance and so forth, in prep for reworking stuff to allow proper audits. Very tech savvy. The translucent notions just could not compute. So their efforts went down the conventional rabbit hole of actually deleting data. Which I don't consider practical or auditable. How can you be sure an org deleted every record, log, backup, etc.? You can't.
CA-issued GUIDs unlock the Translucent Database technology, enabling all PII to be encrypted AT REST at the field level.
Translucent Databases 2/e: Confusion, Misdirection, Randomness, Sharing, Authentication And Steganography To Defend Privacy Paperback [2009]
https://www.amazon.com/Translucent-Databases-2Nd-Authenticat...
PS- Just spotted ftrotter's question for the first time. I also worked in healthcare IT and prototyped a PII protecting schema. Alas, my POC also flew like a lead zeppelin. No password recovery. This strategy requires GUIDs, aka RealID in the USA.
https://stackoverflow.com/questions/2109451/translucent-data...
"I am building an application with health information inside. This application will be consumer-facing which is new for me. I would like a method to put privacy concerns completely at ease. As I review methods for securing sensitive data in publicly accessible databases I have frequently come across the notion of database translucency. ..."
I could have written that. Oh well. Someone in much the same situation, having the same questions, and then reaching about the same answer is somewhat validating.
10+ years later, I'm sure there's now dozens of us advocating Translucent Databases techniques.
Never store PII as cleartext, akin to proper password storage.
Translucent Databases https://www.amazon.com/gp/product/1441421343
Encrypting databases, file systems, and backups remains necessary, but insufficient.
Field level encryption. Just like password files. Salt and hash any potentially identifying information.
Translucent Databases shows how. https://www.amazon.com/gp/product/1441421343
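The "store the hash, not the value, and allow no reset" idea from the password-wallet comment and the "salt and hash any identifying information" rule above, as an added stdlib-only Python sketch (not code from the book, the thread, or any project). It assumes the patient's own secret (a password or an issued GUID) is the only thing that can locate a row; the class, field names and sample data are constructed for illustration.

```python
"""Translucent record store: the database holds no cleartext PII.

The patient's secret goes through a slow KDF to produce the row key. Each PII
field is kept only as a keyed hash under that row, so the server can verify a
value the patient presents but cannot list, recover, or reset it (there is
deliberately no reset method: lose the secret, lose the row). Non-identifying
clinical fields stay in the clear so aggregate queries still work.
"""
import hashlib
import hmac
import os


class TranslucentStore:
    def __init__(self, site_salt=None):
        # Site-wide salt: keeps this deployment's tokens unlinkable to any other.
        self.site_salt = site_salt or os.urandom(16)
        self.rows = {}  # row_key -> {"pii": {name: tag}, "clinical": {...}}

    def _row_key(self, secret: str) -> bytes:
        # scrypt makes guessing a low-entropy secret (e.g. an SSN) expensive.
        return hashlib.scrypt(secret.encode(), salt=self.site_salt,
                              n=2 ** 14, r=8, p=1, dklen=32)

    def _field_tag(self, row_key: bytes, name: str, value: str) -> bytes:
        # Keyed hash of one PII field: equality-checkable, never reversible.
        return hmac.new(row_key, f"{name}\x00{value}".encode(), "sha256").digest()

    def enroll(self, secret: str, pii: dict, clinical: dict) -> None:
        key = self._row_key(secret)
        self.rows[key] = {
            "pii": {n: self._field_tag(key, n, v) for n, v in pii.items()},
            "clinical": dict(clinical),
        }

    def verify_pii(self, secret: str, name: str, claimed: str) -> bool:
        key = self._row_key(secret)
        row = self.rows.get(key)
        if row is None or name not in row["pii"]:
            return False
        return hmac.compare_digest(row["pii"][name], self._field_tag(key, name, claimed))

    def clinical_record(self, secret: str):
        return self.rows.get(self._row_key(secret), {}).get("clinical")

    def count_where(self, field: str) -> int:
        # Works without knowing who any patient is: the translucent part.
        return sum(1 for r in self.rows.values() if r["clinical"].get(field))


def dump_contains(store: TranslucentStore, needle: str) -> bool:
    # What an attacker holding a full dump of the table would be able to grep for.
    return needle in repr(store.rows)
```

A dump of `rows` exposes clinical values (by design) but no name or SSN, and a wrong secret yields neither a row nor a useful error.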
Privacy minded and anti-government types opposed RealID.
https://www.amazon.com/Translucent-Databases-2Nd-Authenticat...
Source: Me. I worked on both voter privacy and electronic medical records.
#2 -
The government, through contracts with services like LexisNexis (née Seisint), has already created globally unique identifiers for pretty much every person, living or dead. Replacing SSN would just formalize, simplify, daylight such matters.
Alas, wedge issues like voter registration databases (assessing eligibility to vote) and immigration status, in near real-time, would become trivial and nearly error free, so I doubt this commonsense, practical effort will happen any time soon.