This project is no longer active; this page is no longer updated.
Related projects: [Amanuensis], [Amulet], [Auracle], [SIMBA], [THaW]
Related keywords: [authentication], [iot], [mhealth], [patent], [privacy], [security], [sensors], [survey], [wearable], [wifi]
In the TISH (Trustworthy Information Systems for Healthcare) project we explored wearable and portable devices for use in health monitoring and management, with an emphasis on the security and privacy issues that arise with these devices and their apps. We considered wearable, mobile, or home-based technologies being used by patients or clinical staff, and addressed issues of person identification and authentication, privacy and data sharing, secure data processing, anonymity in wireless-network communications, and mobile sensing. Some of this work is summarized below.
Much of this work culminated in the THaW project and inspired work in the Amanuensis, Amulet, Auracle, and SIMBA projects.
This page also includes work funded in the SHARPS and PC3 grants.
Overview, challenges, surveys: Early in this project we wrote an extensive survey of the literature regarding privacy in mHealth technology [avancha:survey], and extracted a threat model from that work [kotz:mhealth-threats, kotz:mhealth-spimacs]. Later in the project we held a workshop to review the state of the science [anthony:sith3]. A 2012 presentation at Microsoft Research gave an overview of several of the research activities noted on this page; see the [video].
Biometric identification/verification: In this work we address two critical challenges. First, we evaluate the use of bioimpedance for recognizing who is wearing wireless sensors and show that bioimpedance is a feasible biometric. Second, we investigate the use of accelerometers for verifying whether two of these wireless sensors are on the same person and show that our method is successful at distinguishing between sensors on the same body and on different bodies. We stress that any solution to these problems must be usable, meaning the user should not have to do anything but attach the sensor to their body and have it just work. This work is best described in Cornelius' PhD thesis [cornelius:thesis], and also appeared in several papers [cornelius:wearable, cornelius:impedance, cornelius:j-same-body, cornelius:same-body, cornelius:biometrics-poster]. We also conducted an early investigation into the prospect of identifying people by their 'vocal resonance', that is, the sound of their voice as recorded through their body [cornelius:voice-tr]; this work was later finished under the THaW project.
Authentication of computer users: We invented the concept of bilateral authentication and applied it to the challenge of continuous authentication of desktop computer users. Common authentication methods based on passwords, tokens, or fingerprints perform one-time authentication and rely on users to log out from the computer terminal when they leave. One solution is to authenticate users continuously while they are using the terminal and automatically log them out when they leave. In our solution, explored fully in Mare's dissertation [mare:thesis] and the papers below, a user wears a bracelet (with a built-in accelerometer, gyroscope, and radio) on her dominant wrist. When the user interacts with a computer terminal, the bracelet records the wrist movement, processes it, and sends it to the terminal. The terminal compares the wrist movement with the inputs it receives from the user (via keyboard and mouse), and confirms the continued presence of the user only if they correlate. Because the bracelet is on the same hand that provides inputs to the terminal, the accelerometer and gyroscope data and input events received by the terminal should correlate because their source is the same -- the user's hand movement. Our approach performed continuous authentication with 85% accuracy in verifying the correct user and identified all adversaries within 11 seconds. For a different threshold that trades security for usability, it correctly verified 90% of users and identified all adversaries within 50 seconds [mare:thesis, mare:patent9832206, mare:zebra-tr, mare:zebra14]. This project was renamed CSAW and was completed under the THaW project.
Privacy and data sharing: We explored several questions related to the willingness of people to share mHealth data, the means to attest to its provenance, and privacy-preserving systems to retrospectively detect when people were in spatio-temporal proximity. In Prasad's dissertation [prasad:thesis] and related papers we present our findings about factors that affect people's sharing behavior, describe scenarios in which people may wish to collect and share their personal health-related information with others, but may be hesitant to disclose the information if necessary controls are not available to protect their privacy, and propose frameworks to provide the desired privacy controls. We introduce the concept of close encounters that allow users to share data with other people who may have been in spatio-temporal proximity. We developed two smartphone-based systems that leverage stationary sensors and beacons to determine whether users are in spatio-temporal proximity. The first system, ENACT, allows patients diagnosed with a contagious airborne disease to alert others retrospectively about their possible exposure to an airborne virus. The second system, SPICE, allows users to collect sensor information, retrospectively, from others with whom they shared a close encounter. We present the design and implementation of the two systems, analyse their security and privacy guarantees, and evaluate the systems on various performance metrics. Finally, we evaluate how Bluetooth beacons and Wi-Fi access points can be used in support of these systems for close encounters, and present our experiences and findings from a deployment study on the Dartmouth campus [prasad:thesis, prasad:nethealth13, prasad:provenance-poster, prasad:bfitbit, prasad:fitbit, prasad:msthesis].
Hide-n-Sense: wireless security and anonymity. Although some work on mHealth sensing addressed security, achieving strong privacy for low-power sensors remains a challenge. We make three contributions. First, we propose an mHealth sensing protocol that provides strong security and privacy properties at the link layer, with low energy overhead, suitable for low-power sensors. The protocol uses three novel techniques: adaptive security, to dynamically modify transmission overhead; MAC striping, to make forgery difficult even for small-sized Message Authentication Codes; and asymmetric resource requirements, in recognition of the limited resources in tiny mHealth sensors. Second, we demonstrate its feasibility by implementing a prototype on a Chronos wrist device, and evaluating it experimentally. Third, we provide a security, privacy, and energy analysis of our system [mare:hns-j, mare:hns-w, mare:hns-tr].
Plug-n-Trust: secure sensing and data processing. Plug-n-Trust (PnT) was a novel approach to protecting both the confidentiality and integrity of safety-critical medical sensing and data processing on vulnerable mobile phones. With PnT, a plug-in smart card provides a trusted computing environment, keeping data safe even on a compromised mobile phone. By design, PnT is simple to use and deploy, while providing a flexible programming interface amenable to a wide range of applications. We designed an implementation for Java-based smart cards and Android phones, in which we use a split-computation model with a novel path hashing technique to verify proper behavior without exposing confidential data. Our experimental evaluation demonstrates that PnT achieves its security goals while incurring acceptable overhead [sorber:pnt, sorber:pnt-poster].
Sensing blood-pressure reliably: We built a user-friendly, mobile health-data collection system designed to support minimally trained, non-clinical health workers to gather data about blood pressure and body weight using off-the-shelf medical sensors. This system comprises a blood-pressure cuff, a weighing scale and a portable point-of-sales printer. With this system, we introduced a new method to record contextual information associated with a blood-pressure reading using a tablet's touchscreen and accelerometer. This contextual information can be used to verify that a patient's lower arm remained well-supported and stationary during her blood-pressure measurement. The work resulted in Murthy's MS thesis and Smithayer's BA thesis [murthy:thesis, murthy:bp, smithayer:bp].
Many people were involved in TISH projects; those involved as co-authors include Denise Anthony, Sasikanth Avancha, Amit Baxi, Andrew Campbell, Cory Cornelius, Andrew Gettinger, Carl A. Gunter, Ryan Halter, M. Eric Johnson, Shloka R. Kini, David Kotz, Shrirang Mare, Zachary Marois, Lisa Marsch, Andrés Molina-Markham, Rima Narayana Murthy, Kolin Paul, Ronald Peterson, Aarathi Prasad, Minho Shin, Joseph Skinner, Sean Smith, Emma N. Smithayer, Jacob Sorber, and Timothy Stablein.
TISH research was primarily funded by the US National Science Foundation (NSF), as follows: NSF Trustworthy Computing award 0910842, NSF IIS program award 1016823, NSF PC3 award 1143548. Additional funding was provided by the US Department of Health and Human Services (Office of the National Coordinator) through the SHARP program (see SHARPS website), by the US Department of Homeland Security (DHS-NCSD) through ISTS, and by the Intel University Research Council.
The views and conclusions contained on this site and in its documents are those of the authors and should not be interpreted as necessarily representing the official position or policies, either expressed or implied, of the sponsor(s). Any mention of specific companies or products does not imply any endorsement by the authors or by the sponsor(s).
Abstracts of the project's papers follow, in reverse-chronological order.
First, we present the findings of a user study we conducted to understand people's authentication behavior: things they authenticate to, how and when they authenticate, authentication errors they encounter and why, and their opinions about authentication. In our study, participants performed about 39 authentications per day on average; the majority of these authentications were to personal computers (desktop, laptop, smartphone, tablet) and with passwords, but the number of authentications to other things (e.g., car, door) was not insignificant. We saw a high failure rate for desktop and laptop authentication among our participants, affirming the need for a more usable authentication method. Overall, we found that authentication was a noticeable part of all our participants' lives and burdensome for many participants, but they accepted it as the cost of security, devising their own ways to cope with it.
Second, we propose a new approach to authentication, called bilateral authentication, that leverages wrist-wearable technology to enable seamless authentication for things that people use with their hands, while wearing a smart wristband. In bilateral authentication two entities (e.g., user’s wristband and the user’s phone) share their knowledge (e.g., about user’s interaction with the phone) to verify the user’s identity. Using this approach, we developed a seamless authentication method for desktops and smartphones. Our authentication method offers quick and effortless authentication, continuous user verification while the desktop (or smartphone) is in use, and automatic deauthentication after use. We evaluated our authentication method through four in-lab user studies, evaluating the method’s usability and security from the system and the user’s perspective. Based on the evaluation, our authentication method shows promise for reducing users’ authentication burden for desktops and smartphones.
We built a user-friendly, mobile health-data collection system using wireless medical sensors that interface with an Android application. The data-collection system was designed to support minimally trained, non-clinical health workers to gather data about blood pressure and body weight using off-the-shelf medical sensors. This system comprises a blood-pressure cuff, a weighing scale and a portable point-of-sales printer. With this system, we introduced a new method to record contextual information associated with a blood-pressure reading using a tablet’s touchscreen and accelerometer. This contextual information can be used to verify that a patient’s lower arm remained well-supported and stationary during her blood-pressure measurement. In a preliminary user study, we found that a binary support vector machine classifier could be used to distinguish lower-arm movements from stationary arms with 90% accuracy. Predetermined thresholds for the accelerometer readings suffice to determine whether the tablet, and therefore the arm that rested on it, remained supported. Together, these two methods can allow mHealth applications to guide untrained patients (or health workers) in measuring blood pressure correctly.
Usability is a particularly important design and deployment challenge in remote, rural areas, given the limited resources for technology training and support. We conducted a field study to assess our system’s usability in Kolar town, India, where we logged health worker interactions with the app’s interface using an existing usability toolkit. Researchers analyzed logs from this toolkit to evaluate the app’s user experience and quantify specific usability challenges in the app. We have recorded experiential notes from the field study in this document.
Our recognition method uses bioimpedance, a measurement of how tissue responds when exposed to an electrical current. By collecting bioimpedance samples using a small wearable device we designed, our system can determine that (a) the wearer is indeed the expected person and (b) the device is physically on the wearer's body. Our recognition method works with 98% balanced-accuracy under a cross-validation of a day's worth of bioimpedance samples from a cohort of 8 volunteer subjects. We also demonstrate that our system continues to recognize a subset of these subjects even several months later. Finally, we measure the energy requirements of our system as implemented on a Nexus S smart phone and custom-designed module for the Shimmer sensing platform.
To address this problem we propose ZEBRA. In ZEBRA, a user wears a bracelet (with a built-in accelerometer, gyroscope, and radio) on her dominant wrist. When the user interacts with a computer terminal, the bracelet records the wrist movement, processes it, and sends it to the terminal. The terminal compares the wrist movement with the inputs it receives from the user (via keyboard and mouse), and confirms the continued presence of the user only if they correlate. Because the bracelet is on the same hand that provides inputs to the terminal, the accelerometer and gyroscope data and input events received by the terminal should correlate because their source is the same -- the user’s hand movement. In our experiments ZEBRA performed continuous authentication with 85% accuracy in verifying the correct user and identified all adversaries within 11 s. For a different threshold that trades security for usability, ZEBRA correctly verified 90% of users and identified all adversaries within 50 s.
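As an added illustration of the bilateral, correlation-based check described above (example code written for this page, not ZEBRA's own implementation): both sides are assumed to label each second of activity with a coarse interaction class, and the terminal keeps the session only while the bracelet's and the terminal's label streams agree over a sliding window. The interaction labels, window size, threshold and failure count are all assumptions, and the label streams are constructed.

```python
"""Bilateral, continuous authentication in the ZEBRA style (added example,
not the project's code). Both the bracelet and the terminal independently
label each second with an interaction class; the terminal deauthenticates
after several consecutive windows in which the two streams disagree."""
from typing import List, Optional, Tuple

# Assumed coarse interaction classes inferred independently by both sides.
TYPING, SCROLLING, MKKM, IDLE = "typing", "scrolling", "mkkm", "idle"


def match_fraction(bracelet: List[str], terminal: List[str]) -> float:
    """Fraction of positions where the two sides inferred the same class."""
    if len(bracelet) != len(terminal) or not terminal:
        raise ValueError("windows must be non-empty and equally long")
    agree = sum(1 for b, t in zip(bracelet, terminal) if b == t)
    return agree / len(terminal)


def continuous_auth(bracelet: List[str], terminal: List[str],
                    window: int = 5, threshold: float = 0.6,
                    max_failures: int = 2) -> Tuple[bool, Optional[int]]:
    """Slide a window over both streams; deauthenticate after `max_failures`
    consecutive windows whose agreement is below `threshold`.
    Returns (still_authenticated, second_at_which_deauth_happened)."""
    failures = 0
    for end in range(window, len(terminal) + 1):
        frac = match_fraction(bracelet[end - window:end],
                              terminal[end - window:end])
        failures = failures + 1 if frac < threshold else 0
        if failures >= max_failures:
            return False, end
    return True, None


# Constructed one-label-per-second streams (not measured data).
TERMINAL = [TYPING] * 6 + [MKKM] + [SCROLLING] * 5 + [MKKM] + [TYPING] * 7

# Genuine user: bracelet agrees except for two isolated misclassifications.
GENUINE = list(TERMINAL)
GENUINE[3], GENUINE[14] = SCROLLING, MKKM

# Adversary at the terminal while the genuine user's bracelet is idle elsewhere.
AWAY = [IDLE] * 3 + [MKKM] + [IDLE] * 16

# Genuine user walks away after 10 s and someone else continues typing.
WALKS_AWAY = TERMINAL[:10] + [IDLE] * 10


def demo():
    return {
        "genuine": continuous_auth(GENUINE, TERMINAL),
        "adversary_from_start": continuous_auth(AWAY, TERMINAL),
        "adversary_after_10s": continuous_auth(WALKS_AWAY, TERMINAL),
        # Stricter threshold: faster detection, but the genuine user's
        # bracelet must agree more closely (the security/usability trade-off).
        "adversary_after_10s_strict":
            continuous_auth(WALKS_AWAY, TERMINAL, threshold=0.8),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```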
In this thesis we describe solutions to two of these problems. First, we evaluate the use of bioimpedance for recognizing who is wearing these wireless sensors and show that bioimpedance is a feasible biometric. Second, we investigate the use of accelerometers for verifying whether two of these wireless sensors are on the same person and show that our method is successful at distinguishing between sensors on the same body and on different bodies. We stress that any solution to these problems must be usable, meaning the user should not have to do anything but attach the sensor to their body and have it just work.
These methods solve interesting problems in their own right, but it is the combination of these methods that shows their true power. Combined together they allow a network of wireless sensors to cooperate and determine whom they are sensing even though only one of the wireless sensors might be able to determine this fact. If all the wireless sensors know they are on the same body as each other and one of them knows which person it is on, then they can each exploit the transitive relationship to know that they must all be on that person’s body. We show how these methods can work together in a prototype system. This ability to operate unobtrusively, collecting in situ data and labeling it properly without interrupting the wearer’s activities of daily life, will be vital to the success of these wireless sensors.
We present a wearable sensor to passively recognize people. Our sensor uses the unique electrical properties of a person’s body to recognize their identity. More specifically, the sensor uses bioimpedance -- a measure of how the body’s tissues oppose a tiny applied alternating current -- and learns how a person’s body uniquely responds to alternating current of different frequencies. In this paper we demonstrate the feasibility of our system by showing its effectiveness at accurately recognizing people in a household 90% of the time.
In this paper, we describe Plug-n-Trust (PnT), a novel approach to protecting both the confidentiality and integrity of safety-critical medical sensing and data processing on vulnerable mobile phones. With PnT, a plug-in smart card provides a trusted computing environment, keeping data safe even on a compromised mobile phone. By design, PnT is simple to use and deploy, while providing a flexible programming interface amenable to a wide range of applications. We describe our implementation, designed for Java-based smart cards and Android phones, in which we use a split-computation model with a novel path hashing technique to verify proper behavior without exposing confidential data. Our experimental evaluation demonstrates that PnT achieves its security goals while incurring acceptable overhead.
In order for such a vision to be successful, these devices will need to seamlessly interoperate with no interaction required of the user. As difficult as it is for users to manage their wireless area networks, it will be even more difficult for a user to manage their wireless body-area network in a truly pervasive world. As such, we believe these wearable devices should form a wireless body-area network that is passive in nature. This means that these pervasive wearable devices will require no configuration, yet they will be able to form a wireless body-area network by (1) discovering their peers, (2) recognizing they are attached to the same body, (3) securing their communications, and (4) identifying to whom they are attached. While we are interested in all aspects of these passive wireless body-area networks, we focus on the last requirement: identifying who is wearing a device.
We conducted focus groups to understand the privacy concerns that patients have when they use mHealth devices. We conducted a user study to understand how willing patients are to share their personal health information that was collected using an mHealth device. To the best of our knowledge, ours is the first study that explores users’ privacy concerns by giving them the opportunity to actually share the information collected about them using mHealth devices. We found that patients tend to share more information with third parties than the public and prefer to keep certain information from their family and friends. Finally, based on these discoveries, we propose some guidelines to developing defaults for sharing settings in mHealth systems.
We make three contributions. First, we propose Adapt-lite, a set of two techniques that can be applied to existing wireless protocols to make them energy efficient without compromising their security or privacy properties. The techniques are: adaptive security, which dynamically modifies packet overhead; and MAC striping, which makes forgery difficult even for small-sized MACs. Second, we apply these techniques to an existing wireless protocol, and demonstrate a prototype on a Chronos wrist device. Third, we provide security, privacy, and energy analysis of our techniques.
We make three contributions. First, we propose an mHealth sensing protocol that provides strong security and privacy properties with low energy overhead, suitable for low-power sensors. The protocol uses three novel techniques: adaptive security, to dynamically modify transmission overhead; MAC striping, to make forgery difficult even for small-sized MACs; and an asymmetric resource requirement. Second, we demonstrate a prototype on a Chronos wrist device, and evaluate it experimentally. Third, we provide a security, privacy, and energy analysis of our system.
We provide a method to probabilistically detect this situation. Because accelerometers are relatively cheap and require little power, we imagine that the cellphone and each sensor will have a companion accelerometer embedded with the sensor itself. We extract standard features from these companion accelerometers, and use a pair-wise statistic -- coherence, a measurement of how well two signals are related in the frequency domain -- to determine how well features correlate for different locations on the body. We then use these feature coherences to train a classifier to recognize whether a pair of sensors -- or a sensor and a cellphone -- are on the same body. We evaluate our method over a dataset of several individuals walking around with sensors in various positions on their body and experimentally show that our method is capable of achieving accuracies over 80%.
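An added example (not the project's code) of the coherence statistic described above: a plain-Python, Welch-style estimate of magnitude-squared coherence between two accelerometer traces, with a fixed threshold standing in for the trained classifier. The sampling rate, segment length, gait frequency and the three constructed traces are assumptions.

```python
"""Same-body detection from accelerometer coherence (added example, not the
project's code). Two sensors on one body share the wearer's gait rhythm, so
their signals are coherent at the gait frequency; sensors on different
bodies are not. Uses a plain DFT so it runs without numpy/scipy."""
import cmath
import math
import random
from typing import List, Tuple

FS = 16        # samples per second (assumed)
SEG = 16       # samples per Welch segment: 1 s, so bin k = k Hz
NSEG = 16      # segments per trace (16 s of constructed walking)
GAIT_HZ = 2.0  # cadence of the constructed traces


def dft(seg: List[float]) -> List[complex]:
    """Naive O(N^2) discrete Fourier transform of one segment."""
    n = len(seg)
    return [sum(seg[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
            for k in range(n)]


def cross_spectra(x: List[float], y: List[float]):
    """Auto- and cross-spectra summed over non-overlapping SEG-sample
    segments (Welch-style); returns (pxx, pyy, pxy) for bins 0..SEG//2."""
    if len(x) != len(y) or len(x) % SEG:
        raise ValueError("traces must be equal length and a multiple of SEG")
    nb = SEG // 2 + 1
    pxx, pyy, pxy = [0.0] * nb, [0.0] * nb, [0j] * nb
    for s in range(0, len(x), SEG):
        fx, fy = dft(x[s:s + SEG]), dft(y[s:s + SEG])
        for k in range(nb):
            pxx[k] += abs(fx[k]) ** 2
            pyy[k] += abs(fy[k]) ** 2
            pxy[k] += fx[k] * fy[k].conjugate()
    return pxx, pyy, pxy


def same_body(x: List[float], y: List[float],
              threshold: float = 0.5) -> Tuple[bool, int, float]:
    """Magnitude-squared coherence |Pxy|^2 / (Pxx * Pyy) at the first
    sensor's dominant frequency in the 1-4 Hz gait band (bins 1..4).
    Returns (same_body, gait_bin, coherence)."""
    pxx, pyy, pxy = cross_spectra(x, y)
    k = max(range(1, 5), key=lambda b: pxx[b])
    coh = abs(pxy[k]) ** 2 / (pxx[k] * pyy[k])
    return coh >= threshold, k, coh


def walking_accel(amp: float, phase: float, drift: float,
                  noise_sd: float, seed: int) -> List[float]:
    """Constructed accelerometer trace: a gait sinusoid plus Gaussian noise.
    `drift` advances the phase every segment, modelling a second walker
    whose cadence is slightly different (unsynchronized with the first)."""
    rng = random.Random(seed)
    return [amp * math.sin(2 * math.pi * GAIT_HZ * n / FS + phase + drift * (n // SEG))
            + rng.gauss(0.0, noise_sd) for n in range(NSEG * SEG)]


# Constructed traces (not measured data).
WRIST = walking_accel(1.0, 0.3, 0.0, 0.05, seed=1)                 # wearer's wrist
ANKLE_SAME = walking_accel(0.7, 0.9, 0.0, 0.05, seed=2)            # same wearer's ankle
OTHER_PERSON = walking_accel(0.7, 0.9, math.pi / 4, 0.05, seed=3)  # someone else

if __name__ == "__main__":
    print("same body:", same_body(WRIST, ANKLE_SAME))
    print("different bodies:", same_body(WRIST, OTHER_PERSON))
```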
This poster describes a simple, flexible, and novel approach to protecting both the confidentiality and integrity of medical sensing and data processing on vulnerable mobile phones, using plug-in smart cards, even on a phone compromised by malware. We describe our design, implementation, and initial experimental results using real smart cards and Android smartphones.