Enabling Sensitive Personal Data to be Shared with Trust using Novel Digital Security Methods
1. Summary of the impact
Research conducted at Edinburgh Napier University has addressed the requirement for human trust in the capture, storage, use and sharing of sensitive data, notably that collected and used in health care. The patented work has been used in a wide range of applications, such as providing governance of the information sharing within health care and finance, and provides a scientific base for a highly successful spin-out (Symphonic Software), recently acquired for USD 31 million (11-2020). Our research has led to the development of secure, robust and scalable information infrastructures which benefit both individuals and society in areas such as the health and finance sectors.
2. Underpinning research
Weaknesses in information sharing within the UK’s public sector have led to many issues, such as those identified within the Victoria Climbié case where police forces failed to share important information which might have saved Victoria’s life. Along with this, there are well-known weaknesses within health care around the lack of data integration of the citizen within their health and social care practices.
Over the past decade, Professor Bill Buchanan, Alistair Lawson and Professor Christoph Thuemmler (a clinical practitioner) led a team of researchers focused on developing new secure infrastructures addressing these issues, developing novel data governance models which support information sharing and integrate the rights of the citizen. The research addressed gaps around data governance related to ownership rights, governance, and privacy through the creation of a framework that set out new processes relating to citizen-defined access policies.
The research began with a collaboration with Police Scotland, looking at weaknesses around information sharing within law enforcement [P1]. Through this project, the team developed a way of solving the complex problem of the large-scale integration of rights across interconnected domains, where a domain is defined as the entity which stores citizen data (for example, storing health data within the NHS, or social care data within Council-owned systems). The team created a method of using Binary Decision Diagrams (BDDs) [O1] to model complex policies, which enables novel approaches to integration of risk models [O3] and the abstraction of legal requirements using a novel data obfuscation method [O4]. The team then evaluated this in the context of protecting citizen data within investigations. The approach enabled complex sharing policies to be structured, and the detection of rule anomalies (allowing something, and then disallowing it at another place) and rule shadowing (where rules are contained in a large set or where they can be merged).
This research was patented in US, UK and World patents filed in 2013/14, defining a ground-breaking method of modelling information sharing between organizations and where the permissions for the sharing of information are represented as Boolean functions using Binary Decision Diagrams (BDDs) [O1].
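An added illustration (not code from the patent or from Symphonic Software) of the idea described above: sharing rules are expressed as Boolean functions and reduced to a canonical BDD, so that a permit/deny overlap or a contained rule shows up as a comparison against the FALSE node. The attribute names, the three rules and the reading of shadowing as "contained in an earlier rule with the same effect" are assumptions made for the example.

```python
# Added illustration; attribute names and rules are constructed, not taken from the patent.
ORDER = ["clinician", "nhs_domain", "consent", "care_purpose"]

class BDD:
    """Reduced ordered BDD built by Shannon expansion with a unique table."""
    FALSE, TRUE = 0, 1

    def __init__(self, order):
        self.order = order
        self.unique = {}  # (variable index, low child, high child) -> node id

    def _mk(self, i, lo, hi):
        if lo == hi:  # the test on this variable is redundant, so skip the node
            return lo
        return self.unique.setdefault((i, lo, hi), len(self.unique) + 2)

    def build(self, pred, i=0, env=None):
        env = env or {}
        if i == len(self.order):
            return self.TRUE if pred(env) else self.FALSE
        lo = self.build(pred, i + 1, {**env, self.order[i]: False})
        hi = self.build(pred, i + 1, {**env, self.order[i]: True})
        return self._mk(i, lo, hi)

RULES = [  # (name, effect, condition over the attributes in ORDER)
    ("R1", "permit", lambda e: e["clinician"] and e["nhs_domain"]),
    ("R2", "deny", lambda e: not e["consent"]),
    ("R3", "permit", lambda e: e["clinician"] and e["nhs_domain"] and e["care_purpose"]),
]

def conflicts(rules, bdd):
    """Permit/deny pairs whose conditions overlap (their conjunction is not FALSE)."""
    out = []
    for n1, eff1, c1 in rules:
        for n2, eff2, c2 in rules:
            if eff1 == "permit" and eff2 == "deny":
                if bdd.build(lambda e: c1(e) and c2(e)) != BDD.FALSE:
                    out.append((n1, n2))
    return out

def shadowed(rules, bdd):
    """Rules whose condition is contained in an earlier rule with the same effect."""
    out = []
    for idx, (name, eff, cond) in enumerate(rules):
        for _, eff0, cond0 in rules[:idx]:
            if eff0 == eff and bdd.build(lambda e: cond(e) and not cond0(e)) == BDD.FALSE:
                out.append(name)
                break
    return out
```

Because the unique table makes the diagram canonical, two differently written but equivalent conditions reduce to the same node id, which is what makes these checks a constant-time comparison once the diagrams are built.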
The research, also led by Professor Buchanan (funded within two EPSRC/Innovate UK projects: DACAR [P3] and Trust [P2]), was then further developed by introducing the concept of data-buckets owned by the citizen [O2]. The team evaluated this in health and social care domains [P3] in a collaboration with clinical researchers in Imperial College, and clinical staff at Chelsea and Westminster Hospital. Trust [P2] focused on improved health care within the home environment, with a special focus on the risks for elderly citizens. The new platform ensured that the citizen had complete ownership and governance of their own health care data. As well as the health and social care evaluation [O2], the researchers evaluated this in the context of integration with home environments [O6], focusing on citizen rights within information sharing.
The team have extended research into the secure and robust storage of data within Cloud-based systems, using secret encrypted shares to distribute data across multiple Cloud systems [O5] [P11]. This method considerably enhances both the security and resilience of the storage of health care records. It led to new research projects related to trust architectures within health care [P4][P5] and the detection of frailty in a home environment [P6][P10].
3. References to the research
[O2]–[O6] have all been published following rigorous peer review.
[O1] Uthmani, O., Buchanan, W., Lawson, A., & Fan, L. (2015). U.S. Patent No. 9,043,867. Washington, DC: U.S. Patent and Trademark Office. World patent: WO2014108678A1. UK patent: GB2525119A. URL: https://patents.google.com/patent/WO2014108678A1/en
[O2] Fan, L., Buchanan, W., Thuemmler, C., Lo, O., Khedim, A., Uthmani, O., Lawson, A. & Bell, D. (2011, July). DACAR platform for eHealth services cloud. In 2011 IEEE 4th International Conference on Cloud Computing (pp. 219-226). IEEE. http://barbie.uta.edu/~hdfeng/cloud/cloud37.pdf
[O3] Van Deursen, N., Buchanan, W. J., & Duff, A. (2013). Monitoring information security risks within health care. Computers & Security, 37, 31-45.
https://www.sciencedirect.com/science/article/pii/S0167404813000813?via%3Dihub
[O4] Kwecka, Z., Buchanan, W., Schafer, B., & Rauhofer, J. (2014). “I am Spartacus”: privacy enhancing technologies, collaborative obfuscation and privacy as a public good. Artificial intelligence and law, 22(2), 113-139.
https://link.springer.com/article/10.1007/s10506-014-9155-5
[O5] Buchanan, W. J., Ukwandu, E., van Deursen, N., Fan, L., Russell, G., Lo, O., & Thuemmler, C. (2015, October). Secret shares to protect health records in Cloud-based infrastructures. In 2015 17th International Conference on E-health Networking, Application & Services (HealthCom) (pp. 669-672). IEEE. https://www.napier.ac.uk/~/media/worktribe/output-170299/secret-shares-to-protect-health-records-in-cloud-based-infrastructures.pdf
[O6] Ekonomou, E., Fan, L., Buchanan, W., & Thuemmler, C. (2011, November). An integrated cloud-based healthcare infrastructure. In 2011 IEEE Third International Conference on Cloud Computing Technology and Science (pp. 532-536). IEEE.
https://ieeexplore.ieee.org/document/6133189
This research has been funded through the following grants and routes to exploitation:
[P1] Information Sharing between the Police and their Community Partners. Dates: 1 September 2008 - 30 October 2011. Principal Investigator: WJ Buchanan. Funder: SIPR Scottish Institute for Policing Research. Value: £30,000 (Part-funded PhD studentship).
[P2] TS/I002561/1, Scaleable and Open Framework for Human and Digital Trust between Informal and Formal Infrastructures in Personal Health Care. Dates: 1 March 2011 – 31 July 2013. Principal Investigator: WJ Buchanan. Other Investigators: Mr N Bose, Dr J Graves, Professor CP Thuemmler. Funder: EPSRC/Innovate UK. Value: £243,325.
[P3] TS/H001883/1, Data Capture and Auto Identification Reference. Dates: 1 November 2009 – 1 November 2011. Principal Investigator: WJ Buchanan. Other Investigators: Alistair Lawson, Professor CP Thuemmler. Funder: EPSRC/Innovate UK. Value: £283,965.
[P4] e-FRAIL - Early detection of FRAilty and Illness. Dates: 1 October 2015 – 31 December 2016. Principal Investigator: WJ Buchanan. Co-Investigator: Alistair Lawson. Funder: DHI (Digital Health Institute). Value: £113,896.
[P5] Next Generation Trust Architecture. 1 March 2018 - 29 February 2020. Principal Investigator: WJ Buchanan. Co-Investigators: Alistair Lawson. Funder: DHI (Digital Health Institute). Value: £214,635.
[P6] Next Generation Connectivity with Health and Well-being. 1 October 2018 – 2 July 2021. Principal Investigator: WJ Buchanan. Co-Investigators: Alistair Lawson. Funder: DHI (Digital Health Institute). Value: £89,489.
4. Details of the impact
The work has led to a highly successful spin-out, Symphonic Software, which was acquired by Ping Identity in 2020 for USD 31 million (11-2020). The software infrastructure sold by Symphonic Software has been used within the information sharing of personal identifiable information (PII) in health-care related applications, including health-care sharing across EU borders, and has had many commercial applications, including the finance sector. Successful collaborations have taken place with a range of companies on citizen-focused privacy-related work, resulting in a patent that will be used in the US education sector. The impacts are summarized in the following sections:
A. Integrating the citizen and their rights
Proof-of-Concept funding from Scottish Enterprise [P9] allowed the underlying research on proving a large scale information sharing architecture in health care to be developed into the sa.FIRE (Secure Analysis and Filtering Risk Engine) information architecture engine. This attracted further investment and in 2013, a company was spun-out: Symphonic Software [C2]. By Dec 2020, Symphonic Software had 35 full-time employees and has been through several rounds of investment [C3]. It has developed markets around the world, and has been involved in large-scale integration projects, including health and social care information sharing within the NHS National Services Scotland and Scottish Ambulance Service [C2]. The developed engine has now been applied to different application areas, including in the finance sector, and in information sharing across the public sector. Symphonic Software’s customer list includes: Ping Identity, NHS National Services Scotland, Tesco Bank, the Scottish Government, Janrain (part of Akamai), and OneLondon [C2].
Symphonic was acquired by Ping Identity in November 2020 for USD 31 million (11-2020). The CEO and Founder of Ping Identity says: “The acquisition of Symphonic accelerates our vision for enterprises to not only maintain security and compliance with confidence, but to easily deliver personalized, trustworthy experiences” [C7]. For the last four years, Ping Identity has been defined as a leader in Gartner’s 2020 Magic Quadrant for Access Management.
The CEO of Symphonic says: “I would like to thank the University for providing us with the opportunity to scale the research work from the DACAR project and other related research into the creation of Symphonic. From the core ideas and working within Symphonic, we have developed the fundamental research into a number of sectors and industries, including Health, represented by EU Horizon 2020 work, the NHS in Scotland and in some of the US's largest health-related organisations. The fundamental ideas that originated in Napier's research work have provided a core focus around the citizen and their rights, and we have appreciated the opportunity to scale the core research principles into a range of application areas”. [C10]
The information sharing infrastructure developed in the research [O2] is also being used in the EU-funded SHiELD (European Security in Health Data Exchange) programme of which Symphonic Software is a partner. This aims to share citizen health care data across borders [C5]. Symphonic thus successfully applied information sharing to a range of health and social care applications. The Director/CIO of OneLondon, North London Partners in health and care, says: “Symphonic provided us with the services and support to deliver the outcomes needed for the OneLondon information governance programme. The solution is used across the whole of London to protect access to patient data, streamline data governance and improve patient care” [C2]. The Head of Finance Crime at Tesco Bank says: “Through a collaborative approach, Symphonic provided a sophisticated orchestration layer and policy decision platform enabling Tesco Bank to meet demanding regulatory requirements” [C2]. CEO at RAIDIAM – a UK-based identity company - explains: “Symphonic brings a real step change to digital policy decision making. Their solution makes solving complex business use cases at an internet scale easier to deliver and easier to manage” [C2].
B. Citizen-focused data privacy
Our work around data privacy has led to successful collaborations. A collaboration with HAS Technology focused on new infrastructure for health and social care, leading to wearable technologies to predict the risk of people falling. This won “Innovation of the Year” at the Scottish Knowledge Exchange awards in 2020 [C8].
The research team has scaled their work into secure storage of citizen data within public clouds, working with Payfont Ltd in the creation of a Cloud-based architecture which uses data fragments. The developed system is known as ADeCA (Anonymised Distributed eCloud Architecture) and is a heterogeneous, keyless, non-linear, hybrid data architecture that renders data completely fragmented and contextless, making it meaningless to outsiders [O5]. This won ‘Innovation of the Year’ in 2017 at the inaugural Scottish Knowledge Exchange Awards [C6]. It has resulted in a patent [C11], which was acquired by Leading Software Limited in December 2019 and is being applied within an education product within the US. Charlie Morrison, a Director of Leading Software Limited, outlines: “We are building on this patent and will provide a solution that could be used globally i.e. in every one of the 61,000 colleges/universities worldwide. It would be a highly secure 'data vault' facility where highly sensitive University/College/High School student transcript files are removed/transferred in from the student records systems and stored separately using ADeCA principles (as defined in the patent) in an application that is only viewable or accessible by approved students, admin staff employers and so on, authenticating with multi-factor tests” [C12].
The long-term drive around trust, governance, consent and privacy resulted in Prof Bill Buchanan receiving an "Outstanding Contribution Award" in 2018 at the Scottish Knowledge Exchange Awards for sustained work within areas such as health care [C9]. Along with this, the success of this work has supported the university in the creation of the world's first Blockchain Identity lab [C1] which has a core focus on the citizen and their rights [P7][P8], attracting further funding in 2020 [C4].
These impacts have been facilitated by the following grants:
[P7] Health Blockchain. 1 August 2017 - 31 March 2019. Data Lab, Spiritus Development Limited. Principal Investigator: WJ Buchanan. Funder: Data Lab. Value: £144,965.
[P8] Advanced Blockchain Identity Lab. 1 May 2018 - 30 September 2021. Principal Investigator: WJ Buchanan. Funder: Blockpass IDN Ltd. Value: £655,950.
[P9] sa.Fire (Proof of Concept). 5 March 2012 – 31 October 2013. Principal Investigator: WJ Buchanan. Co-Investigator: Alistair Lawson, Lu Fan, Omair Uthmani. Funder: Scottish Enterprise. Value: £320,000.
[P10] e-Frail - Phase 2. 1 August 2017 – 28 February 2018. Principal Investigator: WJ Buchanan. Co-Investigators: Alistair Lawson, Adrian Smales. Funder: DHI. Value: £53,017.61
[P11] KTP Payfont Ltd. 1 July 2015 – 30 Jun 2017. Principal Investigator: WJ Buchanan. Co-Investigator: R Macfarlane. Funder: Innovate UK, Payfont Ltd. Value: £137,184.34
5. Sources to corroborate the impact
[C1] News article: Blockpass Partners with Edinburgh Napier University to Build the World's First Advanced Blockchain Identity Laboratory.
[C2] Screenshot for OneLondon quote
[C3] News article: Par equity investment. https://www.parequity.com/portfolio/symphonic
[C4] Evidence of new funding won in 2020 https://cordis.europa.eu/project/id/959879
[C5] Evidence of Symphonic Software involvement in EU funded European Security in Health Data Exchange https://cordis.europa.eu/project/id/727301
[C6] Screenshot evidencing Winner, Innovation of the Year, 2017
[C7] News article: Ping Identity to Acquire Symphonic Software to Accelerate Dynamic Authorization for Enterprises Pursuing Zero Trust Identity Security
https://www.pingidentity.com/en/company/press-releases-folder/2020/symphonicsoft.html
[C8] News article: University wins Innovation of the Year
[C9] News article: William Buchanan Wins “Outstanding Contribution to Knowledge Exchange” for work related to Cyber Security and Health Care.
https://interface-online.org.uk/news/scottish-knowledge-exchange-awards-2018-winners-announced-0
[C10] Letter from CEO, Symphonic Software, December 2020
[C11] Patent US20170005797A1: Resilient secret sharing cloud based architecture for data vault
https://patents.google.com/patent/US20170005797A1/en
[C12] Letter from Charlie Morrison, Director, Leading Software Limited
Additional contextual information
Grant funding
Grant number | Value of grant |
---|---|
PR283 | £30,000 |
TS/I002561/1 | £243,325 |
400092 TS/I002561/1 | £283,965 |
E-frail/DEWAR | £111,785 |
xxx_SFC DHI | £214,228 |
Next Generation | £86,694 |
TB_DataLab | £122,660 |
PS7305CA11 | £320,000 |
e-Frail2 | £50,606 |
KTP010069 | £135,030 |