Goodbye passwords, hello heart monitoring? How doctors might one day check your vital signs to access your data


Adam Bannister is a contributor to IFSEC Global, having been in the role of Editor from 2014 through to November 2019. Adam also had stints as a journalist at cybersecurity publication, The Daily Swig, and as Managing Editor at Dynamis Online Media Group.
January 30, 2017


The electrical activity of the heart is being investigated as a potential form of verification by researchers.

Each person possesses a unique electrocardiogram (ECG), which the researchers believe could be used as a form of authentication in the same manner as fingerprints and irises.

Electrocardiography is the process of recording the heart’s electrical activity through electrodes that are placed on the skin.

The researchers, from New York’s Binghamton University, are testing whether the concept could replace random data (entropy) or static encryption keys.

Ironically, this novel biometrics concept could find its most compelling application in the place where heart activity is already widely measured: hospitals.

Healthcare security breaches have already reached an all-time high, as this infographic shows. Forty-one percent of all data breaches brought to the attention of the UK Information Commissioner’s Office in the first quarter of 2016 were from the medical sector.

The problem could get worse still as hospitals start using more internet of things devices that connect to the hospital’s computer network.

IoT devices

Lacking the processing power of desktop PCs and web servers, IoT devices cannot support encryption and therefore represent weak links in a building’s network.

But an ECG-based biometrics solution simplifies implementation details, making it a viable solution for smart healthcare devices, claim the researchers.

Already accustomed to measuring heart activity, doctors would now also do so to verify a patient’s identity. Pressing a biometrics sensor against a patient’s skin for a few seconds would give them immediate access to a patient’s files.

“The ECG signal is one of the most important and common physiological parameters collected and analyzed to understand a patient’s health,” said Zhanpeng Jin, assistant professor in the Department of Electrical and Computer Engineering at the Thomas J Watson School of Engineering and Applied Science at Binghamton University.

“While ECG signals are collected for clinical diagnosis and transmitted through networks to electronic health records, we strategically reused the ECG signals for the data encryption. Through this strategy, the security and privacy can be enhanced while minimum cost will be added.”


However, the ECG concept will not be used in the real world until researchers can find a way round the fact that ECGs change as people age or become injured or ill.

And for all their flaws, text-based passwords can be changed within seconds as soon as a data breach is discovered. Were a person’s ECG footprint to leak online and be reproducible, researchers would also need a back-up plan for securing that person’s data, given they cannot change their ECG.

“As more business moves online, it’s gravely important for us to look for new and stronger methods to positively identify consumers, online,” says Robert Capps, VP of business development at NuData Security.

“The use of bioinformatics for online human identification (such as heart rate, or body temperature, oxygen saturation, etc.) is a promising area of study, that would provide a unique way of strongly identifying individuals while reducing the opportunities for online criminals to impersonate a legitimate user.”

“As with all data collected and compiled on individual consumers, there is a risk of theft and misuse. This is especially important when we are dealing with HIPAA (Health Insurance Portability and Accountability Act of 1996, a US law that set data privacy and security standards for safeguarding medical information) protected data such as health diagnostics information.

“These types of solutions are promising and along with physical biometrics will have a place in strengthening online consumer identification as part of a multi-factor response.”

Capps also believes passive behavioural biometric technologies, whereby the user’s behaviour is tracked without their knowledge, “have the benefit of having an extremely limited shelf life of usefulness – making theft and successful reuse of raw behavioural signals nearly impossible.”

The research team’s findings have been published in a report called “A Robust and Reusable ECG-based Authentication and Data Encryption Scheme for eHealth Systems” and were presented at the IEEE Global Communications Conference (GLOBECOM 2016), held in Washington in December 2016.

 
