TISH Project

In the TISH (Trustworthy Information Systems for Healthcare) project we explored wearable and portable devices for use in health monitoring and management, with an emphasis on the security and privacy issues that arise with these devices and their apps. We considered wearable, mobile, or home-based technologies being used by patients or clinical staff, and addressed issues of person identification and authentication, privacy and data sharing, secure data processing, anonymity in wireless-network communications, and mobile sensing. Some of this work is summarized below.

Overview, challenges, surveys: Early in this project we wrote an extensive survey of the literature regarding privacy in mHealth technology [avancha:survey], and extracted a threat model from that work [kotz:mhealth-threats, kotz:mhealth-spimacs]. Later in the project we held a workshop to review the state of the science [anthony:sith3]. A 2012 presentation at Microsoft Research gave an overview of several of the research activities noted on this page; see the [video].

diagram of the bioimpedance bracelet and its electronics

Biometric identification/verification. In this work we address two critical challenges. First, we evaluate the use of bioimpedance for recognizing who is wearing wireless sensors and show that bioimpedance is a feasible biometric. Second, we investigate the use of accelerometers for verifying whether two of these wireless sensors are on the same person and show that our method is successful as distinguishing between sensors on the same body and on different bodies. We stress that any solution to these problems must be usable, meaning the user should not have to do anything but attach the sensor to their body and have them just work. This work is best described in Cornelius' PhD thesis [cornelius:thesis], and also appeared in several papers [cornelius:wearable, cornelius:impedance, cornelius:j-same-body, cornelius:same-body, cornelius:biometrics-poster]. We also conducted an early investigation into the prospect of identifying people with their 'vocal resonance', that is, the sound of their voice as recorded through their body [cornelius:voice-tr]; this work later was finished under the THaW project.

Authentication of computer users: We invented the concept of bilateral authentication and applied it to the challenge of continuous authentication of desktop computer users. Common authentication methods based on passwords, tokens, or fingerprints perform one-time authentication and rely on users to log out from the computer terminal when they leave. One solution is to authenticate users continuously while they are using the terminal and automatically log them out when they leave. In our solution, explored fully in Mare's dissertation [mare:thesis] and the papers below, a user wears a bracelet (with a built-in accelerometer, gyroscope, and radio) on her dominant wrist. When the user interacts with a computer terminal, the bracelet records the wrist movement, processes it, and sends it to the terminal. The terminal compares the wrist movement with the inputs it receives from the user (via keyboard and mouse), and confirms the continued presence of the user only if they correlate. Because the bracelet is on the same hand that provides inputs to the terminal, the accelerometer and gyroscope data and input events received by the terminal should correlate because their source is the same -- the user's hand movement. Our approach performed continuous authentication with 85% accuracy in verifying the correct user and identified all adversaries within 11 seconds. For a different threshold that trades security for usability, it correctly verified 90% of users and identified all adversaries within 50 seconds [mare:thesis, mare:patent9832206, mare:zebra-tr, mare:zebra14]. This project was renamed CSAW and was completed under the THaW project.

Privacy and data sharing: We explored several questions related to the willingness of people to share mHealth data, the means to attest to its provenance, and privacy-preserving systems to retrospectively detect when people were in spatio-temporal proximity. In Prasad's dissertation [prasad:thesis] and related papers we present our findings about factors that affect people's sharing behavior, describe scenarios in which people may wish to collect and share their personal health-related information with others, but may be hesitant to disclose the information if necessary controls are not available to protect their privacy, and propose frameworks to provide the desired privacy controls. We introduce the concept of close encounters that allow users to share data with other people who may have been in spatio-temporal proximity. We developed two smartphone-based systems that leverage stationary sensors and beacons to determine whether users are in spatio-temporal proximity. The first system, ENACT, allows patients diagnosed with a contagious airborne disease to alert others retrospectively about their possible exposure to airborne virus. The second system, SPICE, allows users to collect sensor information, retrospectively, from others with whom they shared a close encounter. We present design and implementation of the two systems, analyse their security and privacy guarantees, and evaluate the systems on various performance metrics. Finally, we evaluate how Bluetooth beacons and Wi-Fi access points can be used in support of these systems for close encounters, and present our experiences and findings from a deployment study on Dartmouth campus. [prasad:thesis, prasad:nethealth13, prasad:provenance-poster, prasad:bfitbit, prasad:fitbit, prasad:msthesis].

Hide-n-Sense: wireless security and anonymity. Although some work on mHealth sensing addressed security, achieving strong privacy for low-power sensors remains a challenge. We make three contributions. First, we propose an mHealth sensing protocol that provides strong security and privacy properties at the link layer, with low energy overhead, suitable for low-power sensors. The protocol uses three novel techniques: adaptive security, to dynamically modify transmission overhead; MAC striping, to make forgery difficult even for small-sized Message Authentication Codes; and asymmetric resource requirements, in recognition of the limited resources in tiny mHealth sensors. Second, we demonstrate its feasibility by implementing a prototype on a Chronos wrist device, and evaluating it experimentally. Third, we provide a security, privacy, and energy analysis of our system [mare:hns-j, mare:hns-w, mare:hns-tr].

Plug-n-Trust: secure sensing and data processing. Plug-n-Trust (PnT) was a novel approach to protecting both the confidentiality and integrity of safety-critical medical sensing and data processing on vulnerable mobile phones. With PnT, a plug-in smart card provides a trusted computing environment, keeping data safe even on a compromised mobile phone. By design, PnT is simple to use and deploy, while providing a flexible programming interface amenable to a wide range of applications. We designed an implementation for Java-based smart cards and Android phones, in which we use a split-computation model with a novel path hashing technique to verify proper behavior without exposing confidential data. Our experimental evaluation demonstrates that PnT achieves its security goals while incurring acceptable overhead [sorber:pnt, sorber:pnt-poster].

Sensing blood-pressure reliably: We built a user-friendly, mobile health-data collection system designed to support minimally trained, non-clinical health workers to gather data about blood pressure and body weight using off-the-shelf medical sensors. This system comprises a blood-pressure cuff, a weighing scale and a portable point-of-sales printer. With this system, we introduced a new method to record contextual information associated with a blood-pressure reading using a tablet's touchscreen and accelerometer. This contextual information can be used to verify that a patient's lower arm remained well-supported and stationary during her blood-pressure measurement. The work resulted in Murthy's MS thesis and Smithayer's BA thesis [murthy:thesis, murthy:bp, smithayer:bp].

People

Many people were involved in TISH projects; those involved as co-authors include Denise Anthony, Sasikanth Avancha, Amit Baxi, Andrew Campbell, Cory Cornelius, Andrew Gettinger, Carl A. Gunter, Ryan Halter, M. Eric Johnson, Shloka R. Kini, David Kotz, Shrirang Mare, Zachary Marois, Lisa Marsch, Andrés Molina-Markham, Rima Narayana Murthy, Kolin Paul, Ronald Peterson, Aarathi Prasad, Minho Shin, Joseph Skinner, Sean Smith, Emma N. Smithayer, Jacob Sorber, and Timothy Stablein.

Funding and acknowledgements

TISH research was primarily funded by the US National Science Foundation (NSF), as follows: NSF Trustworthy Computing award 0910842, NSF IIS program award 1016823, NSF PC3 award 1143548. Additional funding was provided by the US Department of Health and Human Services (Office of the National Coordinator) through the SHARP program (see SHARPS website), by the US Department of Homeland Security (DHS-NCSD) through ISTS, and by the Intel University Research Council.

The views and conclusions contained on this site and in its documents are those of the authors and should not be interpreted as necessarily representing the official position or policies, either expressed or implied, of the sponsor(s). Any mention of specific companies or products does not imply any endorsement by the authors or by the sponsor(s).

Papers (tagged 'tish')

Papers are listed in reverse-chronological order; click an entry to pop up the abstract. For full information and pdf, please click Details link. Follow updates with RSS.

2017:

Shrirang Mare, Andrés Molina-Markham, Ronald Peterson, and David Kotz. System, Method and Authorization Device for Biometric Access Control to Digital Devices. U.S. Patent 9,832,206; International Patent Application WO2014153528A2, November 28, 2017. Priority date 2013-03-21; Filed 2014-03-21; Issued 2017-11-28. [Details]

A system and method for authenticating and continuously verifying authorized users of a digital device includes an authentication device attached to an arm or wrist of authorized users. The authentication device has an accelerometer, digital radio, a processor configured to provide identity information over the radio, and to transmit motion data. The motion data is received by the digital device and the identity transmitted is verified as an identity associated with an authorized user. Input at a touchscreen, touchpad, mouse, trackball, or keyboard of the digital device is detected, and correlated with the motion data. Access to the digital device is allowed if the detected input and the detected motion data correlate, and disallowed otherwise.

2016:

Shrirang Mare. Seamless Authentication for Ubiquitous Devices. PhD thesis, May 2016. Available as Dartmouth Computer Science Technical Report TR2016-793. [Details]

User authentication is an integral part of our lives; we authenticate ourselves to personal computers and a variety of other things several times a day. Authentication is burdensome. When we wish to access to a computer or a resource, it is an additional task that we need to perform -- an interruption in our workflow. In this dissertation, we study people’s authentication behavior and attempt to make authentication to desktops and smartphones less burdensome for users.

First, we present the findings of a user study we conducted to understand people’s authentication behavior: things they authenticate to, how and when they authenticate, authentication errors they encounter and why, and their opinions about authentication. In our study, participants performed about 39 authentications per day on average; the majority of these authentications were to personal computers (desktop, laptop, smartphone, tablet) and with passwords, but the number of authentications to other things (e.g., car, door) was not insignificant. We saw a high failure rate for desktop and laptop authentication among our participants, affirming the need for a more usable authentication method. Overall, we found that authentication was a noticeable part of all our participants’ lives and burdensome for many participants, but they accepted it as cost of security, devising their own ways to cope with it.

Second, we propose a new approach to authentication, called bilateral authentication, that leverages wrist-wearable technology to enable seamless authentication for things that people use with their hands, while wearing a smart wristband. In bilateral authentication two entities (e.g., user’s wristband and the user’s phone) share their knowledge (e.g., about user’s interaction with the phone) to verify the user’s identity. Using this approach, we developed a seamless authentication method for desktops and smartphones. Our authentication method offers quick and effortless authentication, continuous user verification while the desktop (or smartphone) is in use, and automatic deauthentication after use. We evaluated our authentication method through four in-lab user studies, evaluating the method’s usability and security from the system and the user’s perspective. Based on the evaluation, our authentication method shows promise for reducing users’ authentication burden for desktops and smartphones.

Aarathi Prasad. Privacy-preserving controls for sharing mHealth data. PhD thesis, May 2016. Available as Dartmouth Computer Science Technical Report TR2016-794. [Details]

Mobile devices allow people to collect and share health and health-related information with recipients such as health providers, family and friends, employers and insurance companies, to obtain health, emotional or financial benefits. People may consider certain health information sensitive and prefer to disclose only what is necessary. In this dissertation, we present our findings about factors that affect people’s sharing behavior, describe scenarios in which people may wish to collect and share their personal health-related information with others, but may be hesitant to disclose the information if necessary controls are not available to protect their privacy, and propose frameworks to provide the desired privacy controls. We introduce the concept of close encounters that allow users to share data with other people who may have been in spatio-temporal proximity. We developed two smartphone-based systems that leverage stationary sensors and beacons to determine whether users are in spatio-temporal proximity. The first system, ENACT, allows patients diagnosed with a contagious airborne disease to alert others retrospectively about their possible exposure to airborne virus. The second system, SPICE, allows users to collect sensor information, retrospectively, from others with whom they shared a close encounter. We present design and implementation of the two systems, analyse their security and privacy guarantees, and evaluate the systems on various performance metrics. Finally, we evaluate how Bluetooth beacons and Wi-Fi access points can be used in support of these systems for close encounters, and present our experiences and findings from a deployment study on Dartmouth campus.

2014:

Aarathi Prasad, Jacob Sorber, Timothy Stablein, Denise Anthony, and David Kotz. Understanding User Privacy Preferences for mHealth Data Sharing. MHealth: Multidisciplinary Verticals. November 2014. [Details]

Rima Narayana Murthy. mCollector: Sensor-enabled health-data collection system for rural areas in the developing world. Master's thesis, August 2014. Available as Dartmouth Technical Report TR2015-788. [Details]

Health data collection poses unique challenges in rural areas of the developing world. mHealth systems that are used by health workers to collect data in remote rural regions should also record contextual information to increase confidence in the fidelity of the collected data.

We built a user-friendly, mobile health-data collection system using wireless medical sensors that interface with an Android application. The data-collection system was designed to support minimally trained, non-clinical health workers to gather data about blood pressure and body weight using off-the-shelf medical sensors. This system comprises a blood-pressure cuff, a weighing scale and a portable point-of-sales printer. With this system, we introduced a new method to record contextual information associated with a blood-pressure reading using a tablet’s touchscreen and accelerometer. This contextual information can be used to verify that a patient’s lower arm remained well-supported and stationary during her blood-pressure measurement. In a preliminary user study, we found that a binary support vector machine classifier could be used to distinguish lower-arm movements from stationary arms with 90% accuracy. Predetermined thresholds for the accelerometer readings suffice to determine whether the tablet, and therefore the arm that rested on it, remained supported. Together, these two methods can allow mHealth applications to guide untrained patients (or health workers) in measuring blood pressure correctly.

Usability is a particularly important design and deployment challenge in remote, rural areas, given the limited resources for technology training and support. We conducted a field study to assess our system’s usability in Kolar town, India, where we logged health worker interactions with the app’s interface using an existing usability toolkit. Researchers analyzed logs from this toolkit to evaluate the app’s user experience and quantify specific usability challenges in the app. We have recorded experiential notes from the field study in this document.

Cory Cornelius, Ronald Peterson, Joseph Skinner, Ryan Halter, and David Kotz. A wearable system that knows who wears it. Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys). June 2014. [Details]

Body-area networks of pervasive wearable devices are increasingly used for health monitoring, personal assistance, entertainment, and home automation. In an ideal world, a user would simply wear their desired set of devices with no configuration necessary: the devices would discover each other, recognize that they are on the same person, construct a secure communications channel, and recognize the user to which they are attached. In this paper we address a portion of this vision by offering a wearable system that unobtrusively recognizes the person wearing it. Because it can recognize the user, our system can properly label sensor data or personalize interactions.

Our recognition method uses bioimpedance, a measurement of how tissue responds when exposed to an electrical current. By collecting bioimpedance samples using a small wearable device we designed, our system can determine that (a)the wearer is indeed the expected person and (b) the device is physically on the wearer’s body. Our recognition method works with 98% balanced-accuracy under a cross-validation of a day’s worth of bioimpedance samples from a cohort of 8 volunteer subjects. We also demonstrate that our system continues to recognize a subset of these subjects even several months later. Finally, we measure the energy requirements of our system as implemented on a Nexus S smart phone and custom-designed module for the Shimmer sensing platform.

Shrirang Mare, Jacob Sorber, Minho Shin, Cory Cornelius, and David Kotz. Hide-n-Sense: preserving privacy efficiently in wireless mHealth. Mobile Networks and Applications (MONET). June 2014. Special issue on Wireless Technology for Pervasive Healthcare. [Details]

As healthcare in many countries faces an aging population and rising costs, mobile sensing technologies promise a new opportunity. Using mobile health (mHealth) sensing, which uses medical sensors to collect data about the patients, and mobile phones to act as a gateway between sensors and electronic health record systems, caregivers can continuously monitor the patients and deliver better care. Furthermore, individuals can become better engaged in monitoring and managing their own health. Although some work on mHealth sensing has addressed security, achieving strong privacy for low-power sensors remains a challenge. We make three contributions. First, we propose an mHealth sensing protocol that provides strong security and privacy properties at the link layer, with low energy overhead, suitable for low-power sensors. The protocol uses three novel techniques: adaptive security, to dynamically modify transmission overhead; MAC striping, to make forgery difficult even for small-sized Message Authentication Codes; and asymmetric resource requirements, in recognition of the limited resources in tiny mHealth sensors. Second, we demonstrate its feasibility by implementing a prototype on a Chronos wrist device, and evaluating it experimentally. Third, we provide a security, privacy, and energy analysis of our system.

Shrirang Mare, Andrés Molina-Markham, Cory Cornelius, Ronald Peterson, and David Kotz. ZEBRA: Zero-Effort Bilateral Recurring Authentication (Companion report). Technical Report, May 2014. This project has been renamed CSAW. [Details]

We describe and evaluate Zero-Effort Bilateral Recurring Authentication (ZEBRA) in our paper that appears in IEEE Symposium on Security and Privacy, May 2014. In this report we provide a more detailed comparative evaluation of ZEBRA against other related authentication schemes. The abstract of the paper follows. Common authentication methods based on passwords, tokens, or fingerprints perform one-time authentication and rely on users to log out from the computer terminal when they leave. Users often do not log out, however, which is a security risk. The most common solution, inactivity timeouts, inevitably fail security (too long a timeout) or usability (too short a timeout) goals. One solution is to authenticate users continuously while they are using the terminal and automatically log them out when they leave. Several solutions are based on user proximity, but these are not sufficient: they only confirm whether the user is nearby but not whether the user is actually using the terminal. Proposed solutions based on behavioral biometric authentication (e.g., keystroke dynamics) may not be reliable, as a recent study suggests. To address this problem we propose ZEBRA. In ZEBRA, a user wears a bracelet (with a built-in accelerometer, gyroscope, and radio) on her dominant wrist. When the user interacts with a computer terminal, the bracelet records the wrist movement, processes it, and sends it to the terminal. The terminal compares the wrist movement with the inputs it receives from the user (via keyboard and mouse), and confirms the continued presence of the user only if they correlate. Because the bracelet is on the same hand that provides inputs to the terminal, the accelerometer and gyroscope data and input events received by the terminal should correlate because their source is the same -- the user’s hand movement. In our experiments ZEBRA performed continuous authentication with 85% accuracy in verifying the correct user and identified all adversaries within 11 s. For a different threshold that trades security for usability, ZEBRA correctly verified 90% of users and identified all adversaries within 50 s.

Shrirang Mare, Andrés Molina-Markham, Cory Cornelius, Ronald Peterson, and David Kotz. ZEBRA: Zero-Effort Bilateral Recurring Authentication. Proceedings of the IEEE Symposium on Security & Privacy. May 2014. This project has been renamed CSAW. [Details]

Common authentication methods based on passwords, tokens, or fingerprints perform one-time authentication and rely on users to log out from the computer terminal when they leave. Users often do not log out, however, which is a security risk. The most common solution, inactivity timeouts, inevitably fail security (too long a timeout) or usability (too short a timeout) goals. One solution is to authenticate users continuously while they are using the terminal and automatically log them out when they leave. Several solutions are based on user proximity, but these are not sufficient: they only confirm whether the user is nearby but not whether the user is actually using the terminal. Proposed solutions based on behavioral biometric authentication (e.g., keystroke dynamics) may not be reliable, as a recent study suggests.

To address this problem we propose ZEBRA. In ZEBRA, a user wears a bracelet (with a built-in accelerometer, gyroscope, and radio) on her dominant wrist. When the user interacts with a computer terminal, the bracelet records the wrist movement, processes it, and sends it to the terminal. The terminal compares the wrist movement with the inputs it receives from the user (via keyboard and mouse), and confirms the continued presence of the user only if they correlate. Because the bracelet is on the same hand that provides inputs to the terminal, the accelerometer and gyroscope data and input events received by the terminal should correlate because their source is the same -- the user’s hand movement. In our experiments ZEBRA performed continuous authentication with 85% accuracy in verifying the correct user and identified all adversaries within 11 s. For a different threshold that trades security for usability, ZEBRA correctly verified 90% of users and identified all adversaries within 50 s.

Cory Cornelius, Zachary Marois, Jacob Sorber, Ron Peterson, Shrirang Mare, and David Kotz. Vocal resonance as a biometric for pervasive wearable devices. Technical Report, February 2014. [Details]

We anticipate the advent of body-area networks of pervasive wearable devices, whether for health monitoring, personal assistance, entertainment, or home automation. In our vision, the user can simply wear the desired set of devices, and they “just work”; no configuration is needed, and yet they discover each other, recognize that they are on the same body, configure a secure communications channel, and identify the user to which they are attached. This paper addresses a method to achieve the latter, that is, for a wearable device to identify the wearer, allowing sensor data to be properly labeled or personalized behavior to be properly achieved. We use vocal resonance, that is, the sound of the person’s voice as it travels through the person’s body. By collecting voice samples from a small wearable microphone, our method allows the device to determine whether (a) the speaker is indeed the expected person, and (b) the microphone device is physically on the speaker’s body. We collected data from 25 subjects, demonstrate the feasibility of a prototype, and show that our method works with 77% accuracy when a threshold is chosen a priori.

Rima Murthy and David Kotz. Assessing blood-pressure measurement in tablet-based mHealth apps. Proceedings of the Workshop on Networked Healthcare Technology (NetHealth). January 2014. [Details]

We propose a new method to record contextual information associated with a blood-pressure reading using a tablet’s touchscreen and accelerometer. This contextual information can be used to verify that a patient’s lower arm remained well-supported and stationary during her blood-pressure measurement. We found that a binary support vector machine classifier could be used to distinguish different types of lower-arm movements from stationary arms with 90% accuracy overall. Predetermined thresholds for the accelerometer readings suffice to determine whether the tablet, and therefore the arm that rested on it, remained supported. Together, these two methods can allow mHealth applications to guide untrained patients (or health workers) in measuring blood pressure correctly.

2013:

Denise Anthony, Andrew Campbell, Thomas Candon, Andrew Gettinger, Carl A. Gunter, M. Eric Johnson, David Kotz, Lisa Marsch, Andrés Molina-Markham, Karen Page, and Sean Smith. Securing Information Technology in Healthcare. IEEE Security & Privacy. November 2013. Invited paper. [Details]

Information technology (IT) has great potential to improve healthcare quality while also improving efficiency, and thus has been a major focus of recent healthcare reform efforts. However, developing, deploying and using IT that is both secure and genuinely effective in the complex clinical, organizational and economic environment of healthcare is a significant challenge. Further, it is imperative that we better understand the privacy concerns of patients and providers, as well as the ability of current technologies, policies, and laws to adequately protect privacy. The Securing Information Technology in Healthcare (SITH) workshops were created to provide a forum to discuss security and privacy for experts from a broad range of perspectives, from officers at large healthcare companies, startups and nonprofits, to physicians, researchers and policy makers.

Cory T. Cornelius. Usable Security for Wireless Body-Area Networks. PhD thesis, September 2013. Available as Dartmouth Computer Science Technical Report TR2013-741. [Details]

We expect wireless body-area networks of pervasive wearable devices will enable in situ health monitoring, personal assistance, entertainment personalization, and home automation. As these devices become ubiquitous, we also expect them to interoperate. That is, instead of closed, end-to-end body-worn sensing systems, we envision standardized sensors that wirelessly communicate their data to a device many people already carry today, the smart phone. However, this ubiquity of wireless sensors combined with the characteristics they sense present many security and privacy problems.

In this thesis we describe solutions to two of these problems. First, we evaluate the use of bioimpedance for recognizing who is wearing these wireless sensors and show that bioimpedance is a feasible biometric. Second, we investigate the use of accelerometers for verifying whether two of these wireless sensors are on the same person and show that our method is successful as distinguishing between sensors on the same body and on different bodies. We stress that any solution to these problems must be usable, meaning the user should not have to do anything but attach the sensor to their body and have them just work.

These methods solve interesting problems in their own right, but it is the combination of these methods that shows their true power. Combined together they allow a network of wireless sensors to cooperate and determine whom they are sensing even though only one of the wireless sensors might be able to determine this fact. If all the wireless sensors know they are on the same body as each other and one of them knows which person it is on, then they can each exploit the transitive relationship to know that they must all be on that person’s body. We show how these methods can work together in a prototype system. This ability to operate unobtrusively, collecting in situ data and labeling it properly without interrupting the wearer’s activities of daily life, will be vital to the success of these wireless sensors.

Shloka R. Kini. Please Take My Survey: Compliance with smartphone-based EMA/ESM studies. Technical Report, May 2013. [Details]

This thesis analyzes the factors that affect compliance in Ecological Momentary Assessment (EMA) survey systems using smartphones. Current EMA systems have simple parameters in their triggering mechanisms, which results in missed or ignored surveys, creating a loss of subject data. Over the course of three user studies, with slight variations, we analyze the factors that influence the willingness of a survey participant to answer surveys on an Android phone. An understanding of these factors would be valuable for mobile developers in developing advanced EMA trigger systems. After having experienced various unforeseen challenges in the process, we describe the parameters and difficulties in administering a study of this nature, making recommendations for future EMA applications and user studies. We also compare and analyze the pros and cons involved in developing various EMA systems. Psychologists and sociologists who use EMA systems to gather behavioral data might benefit from the experiential and behavioral data collected as part of our user studies.

Aarathi Prasad, Ronald Peterson, Shrirang Mare, Jacob Sorber, Kolin Paul, and David Kotz. Provenance framework for mHealth. Proceedings of the Workshop on Networked Healthcare Technology (NetHealth). January 2013. [Details]

Mobile health technologies allow patients to collect their health information outside the hospital and share this information with others. But how can data consumers know whether to trust the sensor-collected and human-entered data they receive? Data consumers might be able to verify the accuracy and authenticity of the data if they have information about its origin and about changes made to it, i.e., the provenance of the data. We propose a provenance framework for mHealth devices, to collect and share provenance metadata and help the data consumer verify whether certain provenance properties are satisfied by the data they receive. This paper describes the programming model for this framework, which describes the rules to be implemented for providing provenance-collecting capabilities to an mHealth application.

2012:

Cory Cornelius and David Kotz. Recognizing whether sensors are on the same body. Journal of Pervasive and Mobile Computing. December 2012. [Details]

In an open mobile health (mHealth) sensing system, users will be able to seamlessly pair sensors with their cellphone and expect the system to just work. This ubiquity of sensors, however, creates the potential for users to accidentally wear sensors that are not paired with their own cellphone. Our method probabilistically detects this situation by finding correlations between embedded accelerometers in the cellphone and sensor. We evaluate our method over a dataset of seven individuals with sensors in various positions on their body and experimentally show that our method is capable of achieving an accuracy of 85%.

Sasikanth Avancha, Amit Baxi, and David Kotz. Privacy in mobile technology for personal healthcare. ACM Computing Surveys. November 2012. [Details]

Information technology can improve the quality, efficiency, and cost of healthcare. In this survey, we examine the privacy requirements of mobile computing technologies that have the potential to transform healthcare. Such mHealth technology enables physicians to remotely monitor patients’ health, and enables individuals to manage their own health more easily. Despite these advantages, privacy is essential for any personal monitoring technology. Through an extensive survey of the literature, we develop a conceptual privacy framework for mHealth, itemize the privacy properties needed in mHealth systems, and discuss the technologies that could support privacy-sensitive mHealth systems. We end with a list of open research questions.

Aarathi Prasad, Ronald Peterson, Jacob Sorber, and David Kotz. A Provenance Framework for mHealth. Proceedings of the Workshop for Mobile Systems, Applications, and Services for Healthcare (mHealthSys) Poster Track. November 2012. [Details]

How can data consumers know whether to trust the sensor-collected and human-entered data they receive from mHealth devices? What confidence do they have that it is accurate and authentic? Data recipients might be able to verify the accuracy and authenticity of the data if they have information about its origin and about changes made to it, i.e., the provenance of the data.We define provenance in mHealth as contextual information that can attest to the authenticity and accuracy of the data and can help the recipient in interpreting the data. To realize this vision, we propose a provenance framework for mHealth. The primary function of the framework is to collect and share provenance metadata and help the data consumer verify whether certain provenance properties are satisfied by the data they receive.

Aarathi Prasad, Jacob Sorber, Timothy Stablein, Denise Anthony, and David Kotz. Understanding Sharing Preferences and Behavior for mHealth Devices. Proceedings of the Workshop on Privacy in the Electronic Society (WPES). October 2012. [Details]

mHealth devices offer many potential benefits to patients, health providers and others involved in the patients’ healthcare. If patients are not in control of the collection and sharing of their personal health information, they will have privacy concerns even while enjoying the benefits of the devices. We investigated patients’ willingness to share their personal health information, collected using mHealth devices, with their family, friends, third parties and the public. Our findings are based on a user study conducted with 41 participants. The best way to understand people’s privacy concerns is to give them the opportunity to use the device and actually share the information, and to the best of our knowledge, ours is the first study that does so. We discovered that patients want to share, selectively, their health information with people other than their doctors. We also show that privacy concerns are not static; patients may change their sharing decisions over time. Based on our findings, we suggest that privacy controls for mHealth systems should be flexible to allow patients to choose different settings for different recipients, and to change their sharing settings at any time.

Cory Cornelius, Jacob Sorber, Ronald Peterson, Joe Skinner, Ryan Halter, and David Kotz. Who wears me? Bioimpedance as a passive biometric. Proceedings of the USENIX Workshop on Health Security and Privacy. August 2012. [Details]

Mobile and wearable systems for monitoring health are becoming common. If such an mHealth system knows the identity of its wearer, the system can properly label and store data collected by the system. Existing recognition schemes for such mobile applications and pervasive devices are not particularly usable -- they require active engagement with the person (e.g., the input of passwords), or they are too easy to fool (e.g., they depend on the presence of a device that is easily stolen or lost).

We present a wearable sensor to passively recognize people. Our sensor uses the unique electrical properties of a person’s body to recognize their identity. More specifically, the sensor uses bioimpedance -- a measure of how the body’s tissues oppose a tiny applied alternating current -- and learns how a person’s body uniquely responds to alternating current of different frequencies. In this paper we demonstrate the feasibility of our system by showing its effectiveness at accurately recognizing people in a household 90% of the time.

Jacob Sorber, Minho Shin, Ron Peterson, and David Kotz. Plug-n-Trust: Practical trusted sensing for mHealth. Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys). June 2012. [Details]

Mobile computing and sensing technologies present exciting opportunities for healthcare. Prescription wireless sensors worn by patients can automatically deliver medical data to care providers, dramatically improving their ability to diagnose, monitor, and manage a range of medical conditions. Using the mobile phones that patients already carry to provide connectivity between sensors and providers is essential to keeping costs low and deployments simple. Unfortunately, software-based attacks against phones are also on the rise, and successful attacks on privacy-sensitive and safety-critical applications can have significant consequences for patients.

In this paper, we describe Plug-n-Trust (PnT), a novel approach to protecting both the confidentiality and integrity of safety-critical medical sensing and data processing on vulnerable mobile phones. With PnT, a plug-in smart card provides a trusted computing environment, keeping data safe even on a compromised mobile phone. By design, PnT is simple to use and deploy, while providing a flexible programming interface amenable to a wide range of applications. We describe our implementation, designed for Java-based smart cards and Android phones, in which we use a split-computation model with a novel path hashing technique to verify proper behavior without exposing confidential data. Our experimental evaluation demonstrates that PnT achieves its security goals while incurring acceptable overhead.

Emma N. Smithayer. Sensor-based system for verifying blood-pressure measurement position. Technical Report, June 2012. [Details]

Mobile maternal-health programs send workers door to door to visit pregnant women in rural India and collect data such as blood pressure or weight, then send that data to doctors for review. Since the doctors do not see the data collection, ensuring correct collection methods is crucial to allow them to make good treatment decisions. However, blood-pressure measurements are sometimes taken with the patient’s arm in the wrong position, which can cause inaccurate readings. This paper describes a system consisting of an automatic blood pressure cuff with an accelerometer and force sensors attached to determine whether the arm is at the correct angle, held still, and properly supported. A user study indicated that the prototype was effective in helping untrained users take a measurement in the correct position.

Cory Cornelius, Zachary Marois, Jacob Sorber, Ron Peterson, Shrirang Mare, and David Kotz. Passive Biometrics for Pervasive Wearable Devices (Poster paper). Proceedings of the Workshop on Mobile Computing Systems and Applications (HotMobile). February 2012. [Details]

Wearable devices -- like the FitBit, MOTOACTV, and Jawbone UP -- are increasingly becoming more pervasive whether for monitoring health and fitness, personal assistance, or home automation. While pervasive wearable devices have long been researched, we are now beginning to see the fruits of this research in the form of commercial offerings. Today, many of these commercial wearable devices are closed systems that do not interoperate with other devices a person might carry. We believe, however, these commercial offerings signal the coming of wireless body-area networks that will connect these pervasive wearable devices and leverage existing devices a user already owns (e.g., a smartphone). Such wireless body-area networks will allow devices to specialize and utilize the capabilities of other devices in the network. A sensor, for example, might harness the internet connectivity of a smartphone to store its data in the cloud. Utilized in this way, devices will become cheaper because they will only require the components necessary for their speciality, and they will also become more pervasive because they can easily be shared between users.

In order for such a vision to be successful, these devices will need to seamlessly interoperate with no interaction required of the user. As difficult as it is for users to manage their wireless area networks, it will be even more difficult for a user to manage their wireless body-area network in a truly pervasive world. As such, we believe these wearable devices should form a wireless body-area network that is passive in nature. This means that these pervasive wearable devices will require no configuration, yet they will be able form a wireless body-area network by (1) discovering their peers, (2) recognizing they are attached to the same body, (3) securing their communications, and (4) identifying to whom they are attached. While we are interested in all aspects of these passive wireless body-area networks, we focus on the last requirement: identifying who is wearing a device.

Aarathi Prasad. Exposing Privacy Concerns in mHealth Data Sharing. Master's thesis, February 2012. Available as Technical Report TR2012-711. [Details]

Mobile health (mHealth) has become important in the field of healthcare information technology, as patients begin to use mobile devices to record their daily activities and vital signs. These devices can record personal health information even outside the hospital setting, while the patients are at home or at their workplace. However, the devices might record sensitive information that might not be relevant for medical purposes and in some cases may be misused. Patients need expressive privacy controls so that they can trade potential health benefits of the technology with the privacy risks. To provide such privacy controls, it is important to understand what patients feel are the benefits and risks associated with the technology and what controls they want over the information.

We conducted focus groups to understand the privacy concerns that patients have when they use mHealth devices. We conducted a user study to understand how willing patients are to share their personal health information that was collected using an mHealth device. To the best of our knowledge, ours is the first study that explores users’ privacy concerns by giving them the opportunity to actually share the information collected about them using mHealth devices. We found that patients tend to share more information with third parties than the public and prefer to keep certain information from their family and friends. Finally, based on these discoveries, we propose some guidelines to developing defaults for sharing settings in mHealth systems.

2011:

Shrirang Mare, Jacob Sorber, Minho Shin, Cory Cornelius, and David Kotz. Adapt-lite: Privacy-aware, secure, and efficient mHealth sensing. Proceedings of the Workshop on Privacy in the Electronic Society (WPES). October 2011. [Details]

We make three contributions. First, we propose Adapt-lite, a set of two techniques that can be applied to existing wireless protocols to make them energy efficient without compromising their security or privacy properties. The techniques are: adaptive security, which dynamically modifies packet overhead; and MAC striping, which makes forgery difficult even for small-sized MACs. Second, we apply these techniques to an existing wireless protocol, and demonstrate a prototype on a Chronos wrist device. Third, we provide security, privacy, and energy analysis of our techniques.

Shrirang Mare, Jacob Sorber, Minho Shin, Cory Cornelius, and David Kotz. Hide-n-Sense: Privacy-aware secure mHealth sensing. Technical Report, September 2011. [Details]

We make three contributions. First, we propose an mHealth sensing protocol that provides strong security and privacy properties with low energy overhead, suitable for low-power sensors. The protocol uses three novel techniques: adaptive security, to dynamically modify transmission overhead; MAC striping, to make forgery difficult even for small-sized MACs; and an asymmetric resource requirement. Second, we demonstrate a prototype on a Chronos wrist device, and evaluate it experimentally. Third, we provide a security, privacy, and energy analysis of our system.

Shrirang Mare, Jacob Sorber, Minho Shin, Cory Cornelius, and David Kotz. Adaptive security and privacy for mHealth sensing. Proceedings of the USENIX Workshop on Health Security (HealthSec). August 2011. Short paper. [Details]

As healthcare in many countries faces an aging population and rising costs, mobile Health (mHealth) sensing technologies promise a new opportunity. However, the privacy concerns associated with mHealth sensing are a limiting factor for their widespread adoption. The use of wireless body area networks pose a particular challenge. Although there exist protocols that provide a secure and private communication channel between two devices, the large transmission overhead associated with these protocols limit their application to low-power mHealth sensing devices. We propose an adaptive security model that enables use of privacy-preserving protocols in low-power mHealth sensing by reducing the network overhead in the transmissions, while maintaining the security and privacy properties provided by the protocols.

Aarathi Prasad, Jacob Sorber, Timothy Stablein, Denise Anthony, and David Kotz. Exposing privacy concerns in mHealth. Proceedings of the USENIX Workshop on Health Security (HealthSec). August 2011. Position paper. [Details]

We conducted several exploratory focus groups to understand what privacy concerns Patients might have with the collection, storage and sharing of their personal health information, when using mHealth devices. We found that Patients want control over their health information, and we noticed privacy trends that were particular to Patients in the same age group and with similar health experiences.

Cory Cornelius and David Kotz. Recognizing whether sensors are on the same body. Proceedings of the International Conference on Pervasive Computing (Pervasive). June 2011. [Details]

As personal health sensors become ubiquitous, we also expect them to become interoperable. That is, instead of closed, end-to-end personal health sensing systems, we envision standardized sensors wirelessly communicating their data to a device many people already carry today, the cellphone. In an open personal health sensing system, users will be able to seamlessly pair off-the-shelf sensors with their cellphone and expect the system to just work. However, this ubiquity of sensors creates the potential for users to accidentally wear sensors that are not necessarily paired with their own cellphone. A husband, for example, might mistakenly wear a heart-rate sensor that is actually paired with his wife’s cellphone. As long as the heart-rate sensor is within communication range, the wife’s cellphone will be receiving heart-rate data about her husband, data that is incorrectly entered into her own health record.

We provide a method to probabilistically detect this situation. Because accelerometers are relatively cheap and require little power, we imagine that the cellphone and each sensor will have a companion accelerometer embedded with the sensor itself. We extract standard features from these companion accelerometers, and use a pair-wise statistic -- coherence, a measurement of how well two signals are related in the frequency domain -- to determine how well features correlate for different locations on the body. We then use these feature coherences to train a classifier to recognize whether a pair of sensors -- or a sensor and a cellphone -- are on the same body. We evaluate our method over a dataset of several individuals walking around with sensors in various positions on their body and experimentally show that our method is capable of achieving an accuracies over 80%.

Jacob Sorber, Minho Shin, Ron Peterson, and David Kotz. Poster: Practical Trusted Computing for mHealth Sensing. Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys). June 2011. [Details]

Mobile sensing technologies present exciting opportunities for healthcare. Wireless sensors can automatically provide sensor data to care providers, dramatically improving their ability to diagnose, monitor, and manage a wide range of medical conditions. Using mobile phones to provide connectivity between sensors and providers is essential to keeping costs low and deployments simple. Unfortunately, software-based attacks against phones, which can have significant consequences for patients, are also on the rise.

This poster describes a simple, flexible, and novel approach to protecting both the confidentiality and integrity medical sensing and data processing on vulnerable mobile phones, using plug-in smart cards---even a phone compromised by malware. We describe our design, implementation, and initial experimental results using real smart cards and Android smartphones.

David Kotz. A threat taxonomy for mHealth privacy. Proceedings of the Workshop on Networked Healthcare Technology (NetHealth). January 2011. [Details]

Networked mobile devices have great potential to enable individuals (and their physicians) to better monitor their health and to manage medical conditions. In this paper, we examine the privacy-related threats to these so-called mHealth technologies. We develop a taxonomy of the privacy-related threats, and discuss some of the technologies that could support privacy-sensitive mHealth systems. We conclude with a brief summary of research challenges.

2010:

Cory Cornelius and David Kotz. On Usable Authentication for Wireless Body Area Networks. Proceedings of the USENIX Workshop on Health Security (HealthSec). August 2010. Position paper. [Details]

We examine a specific security problem in wireless body area networks (WBANs), what we call the one body authentication problem. That is, how can we ensure that the wireless sensors in a WBAN are collecting data about one individual and not several individuals. We explore existing solutions to this problem and provide some analysis why these solutions are inadequate. Finally, we provide some direction towards a promising solution to the problem and how it can be used to create a usably secure WBAN.

Shrirang Mare and David Kotz. Is Bluetooth the right technology for mHealth? Proceedings of the USENIX Workshop on Health Security (HealthSec). August 2010. Position paper. [Details]

Many people believe mobile healthcare (mHealth) would help alleviate the rising cost of healthcare and improve the quality of service. Bluetooth, which is the most popular wireless technology for personal medical devices, is used for most of the mHealth sensing applications. In this paper we raise the question -- Is Bluetooth the right technology for mHealth? To instigate the discussion we discuss some shortcomings of Bluetooth and also point out an alternative solution.

Aarathi Prasad and David Kotz. Can I access your Data? Privacy Management in mHealth. Proceedings of the USENIX Workshop on Health Security (HealthSec). August 2010. Position paper. [Details]

Mobile health (mHealth) has become important in the field of healthcare information technology, as patients begin to use mobile medical sensors to record their daily activities and vital signs. Since their medical data is collected by their sensors, the patients may wish to control data collection and distribution, so as to protect their data and share it only when the need arises. It must be possible for patients to grant or deny access to the data on the storage unit (mobile phones or personal health records (PHR)). Thus, an efficient framework is required for managing patient consent electronically, i.e.to allow patients to express their desires about what data to collect, what to store, and how to share. We describe several challenges posed by privacy management in mobile health.

2009:

David Kotz, Sasikanth Avancha, and Amit Baxi. A privacy framework for mobile health and home-care systems. Proceedings of the Workshop on Security and Privacy in Medical and Home-Care Systems (SPIMACS). November 2009. [Details]

In this paper, we consider the challenge of preserving patient privacy in the context of mobile healthcare and home-care systems, that is, the use of mobile computing and communications technologies in the delivery of healthcare or the provision of at-home medical care and assisted living. This paper makes three primary contributions. First, we compare existing privacy frameworks, identifying key differences and shortcomings. Second, we identify a privacy framework for mobile healthcare and home-care systems. Third, we extract a set of privacy properties intended for use by those who design systems and applications for mobile healthcare and home-care systems, linking them back to the privacy principles. Finally, we list several important research questions that the community should address. We hope that the privacy framework in this paper can help to guide the researchers and developers in this community, and that the privacy properties provide a concrete foundation for privacy-sensitive systems and applications for mobile healthcare and home-care systems.

TISH: Trustworthy Information Systems for Healthcare (2009-2018)

Summary

People

Funding and acknowledgements

Papers (tagged 'tish')