Sunday, January 13, 2008

For Inspector Gadget

Have secrets? This is just for you. A biometric memory stick for your computer. You drag your finger twice over the little sensor (the orange strip at the bottom end), and that encodes your fingerprint. Then, only you can get access to the data in your memory stick when you plug it into a computer, by again passing your finger over the sensor. (There is a sliding door to protect the sensor.)

Am I a Luddite (don't answer that!), or is this a technology in search of a purpose? Maybe I don't have many secrets, but I think there will be limited demand for this. On the other hand, maybe I should add more intrigue to my life and find some secret data that I want to carry around with me.

Do you have secret data that you would want to protect this way? Hmm, is it HIPAA compliant to carry patient data in this manner? Perhaps our CIO, John Halamka, or others will comment on that.

(The company that makes this is call TwinMOS.)


e-Patient Dave said...

Well, it would be useful for those of us who have a hard time remembering passwords.

And a wise guy might assert that this is the first truly "digital" form of security.

I've always wondered how effective a device like this would be, in two Hollywood-like scenarios:

(1) You knock someone out (or worse) and drag the device across his/her finger;

(2) The mob (particularly Yakuza) simply *remove* your finger, so you yourself can't get at the data, but they can.

Eewww. Don't think I'll buy one.

p.s. Bloggers don't stand a chance of being mistaken for Luddites.

John Halamka said...

Happy to comment on this!

BIDMC policy does not permit USB drives to be used for the storage of employee or patient data in a non-secure way, so this device would help enforce our policy:

"Control of Media - Users having magnetic media for tape units attached to their hardware or utilizing floppy disks, zip disks, CD’s, USB drives and other removable media (collectively, “Removable Media”) will establish procedures to label, account for, and control all media containing BIDMC data or information, regardless of whether such data or information is current or obsolete. Removable Media in the possession of Users will be stored in locked cabinets or locked desk drawers and should never be left unattended. Removable Media must be disposed of in accordance with procedures provided by BIDMC policy. If removable media contains EPHI or BIDMC sensitive information, the data must be secured at a minimum with a password."

Our full set of technology policies is available at

Also,pPatients may want to transport their life long medical records on USB drives. As part of the national effort to standardize healthcare data, the US Healthcare Information Technology Standards Panel, which I chair, recently submitted standards to Secretary Leavitt for Personal Health Records, including support for life long medical records to be carried by patients on thumb drives.

A biometric thumb drive could provide a secure way for patients to ensure their personal health records are kept under their control.

John Halamka said...

Here's a comment from Dr. Larry Nathanson who oversees our Emergency Department Information Systems:

t seems like every week there are headlines about a stolen hard drive and the serious privacy and identity-theft ramifications. I am currently receiving a free credit monitoring subscription from another hospital because my professional and billing data was on a laptop stolen from a car. Considering the cost of providing this service to thousands of doctors, I'll bet they wish that data was encrypted -- I know I do.

Small portable media like USB drives are incredibly useful - one of these could easily fit the last 5 years of all my work and I could keep it on my keyring. But that convenience comes at a price -- the small size makes it very easy to misplace or steal.

I think biometric protected USB drives are a great idea -- if designed well, it would be almost impossible for anyone other than the owner to access the data on the drive. While I admire Paul's dedication to disclosure and transparency, I'm sure there are plenty of things that cross the desk of a hospital CEO that ought to be kept confidential.

Security is always a trade-off against usability. We can make our systems extremely easy to use by eliminating passwords -- but I don't think most patients would appreciate that. Conversely, we could guarantee privacy by unplugging the computers and storing them in a vault -- however they would be of no use in helping our patients. Choosing the right balance between these extremes is very challenging and can be a point of contention. Biometrics are a huge help, enabling powerful encryption without forcing users to recall impossibly complicated passwords every time they wish to use the system.

We are testing some biometrics technology in the ED, as part of a mobile computing pilot program with Intel. Users can swipe a fingerprint to access the ED Dashboard via the tablet computers. We are having mixed results -- the Omnipass product integrated well with Active Directory and it correctly identifies the users and logs them in. However, the way we use the tablets in the ED is different than the way other companies use them. We have many users who share a few tablets and use them for a few minutes each time. The Omnipass system isn't optimized for that scenario, which has limited the usefulness for us. So while I'm still looking, I believe that the right biometrics solution can make our systems both more secure AND easier to use.

Anonymous said...

Thanks guys!

Ari Herzog said...

This is a useful gadget, and thanks to John for his comments.

I have two unrelated thoughts:

1) If a person secures data with a fingerprint swipe and then experiences a burn or other qualifying event, can the data be accessed? Is there a fail-safe? Related, can toes can be used just like fingers?

2) How does BIDMC policy in this area compare to other area hospitals?

Anonymous said...

To really answer the question you need to consider the intended uses (use case analysis) and the threats (risk analysis).

For example, does it need to work when a finger is unavailable? This need not involve amputation. A physician may be gloved, the patient may be in an exam room, the USB stick may be left at home or in another city, or the finger may just be filthy. Is delegation needed? A patient may well want their healthcare proxy to be able to release the records. The device is also a potential disease vector. It is much like a doorknob. Can it be cleaned? What will damage it?

I would expect these sensor sticks to be good for some uses and bad for others.

Similarly, what are the threats? The obvious one is loss and theft. Was it targeted? If so, fake fingers can spoof most readers. For enough money and given time, the finger scanner will be penetrated. False positive rates vary, but I'm used to seeing rates like 0.0001. With the patients fingerprint (probably on the stick somewhere) I can improve my odds of breaking in to be better than 50%. For random theft, is this given to professional crackers? Again, for a fee they will target the stick.

I can react to the theft/loss risk by requiring a PIN. But now I've sacrificed the usability under normal situations somewhat. I need to get that PIN into the system. This affects interoperability, etc., unless PIN entry is part of the stick itself.

For my personal use for my own records (health and other) I favor truecrypt containers ( ) on USB sticks. It requires a keyboard and user interface, and it requires either I or my proxy be conscious to enter or reveal the passcode. That fits my needs better.

Anonymous said...

I've been using a prototype of a fingerprint-locked USB drive for about a year. Love it for transporting patient or sensitive research data...far better than emailing the stuff as an attachment. The drive allows the owner to set the level of "difficulty" for the fingerprint match, so depending on how many swipes of my finger I want to require (the hardest level usually needs several swipes before I get one that meets unlocking criteria), I can make the device very difficult to crack in the random-theft event...even if my partials are elsewhere on the drive.

Of course a targeted theft by somebody with true encryption expertise (or, say, the NSA) would mean a release of sensitive data. But no computer system is immune to targeted attack from an expert with unlimited resources...especially one willing to remove or synthesize a thumb. If such a person existed, would this drive really be the easiest target for hacking health data? My guess is no.

On the question of burned finger, etc.: the drive I have allows 10 prints. These don't all have to be fingers...toes are fine. They can also be the prints of another person (say, a spouse or research partner), if I want to code those in.

Anonymous said...

Also, encryption technologies are (so far, at least) eventually broken via the intersection of rapid increases in computing power and discovery of weaknesses in either the algorithms themselves or in their implementations.

That said, I don't think they are any better or worse than any other methods of protecting data that must be transported.