Biometric Bracelet Lets a Medical Device Recognize its Wearer

A device that measures someone’s unique response to a weak electric signal could let medical devices such as blood-pressure cuffs automatically identify the wearer and send measurements straight to his or her electronic medical record.

For now, nurses, patients, and doctors juggle the job of keeping patients’ identities straight. But computer scientist Cory Cornelius at Dartmouth College, in New Hampshire, has developed a wristwatch-like device that measures a person’s “bioimpedance” to identify him or her to medical monitoring devices.

Cornelius and colleagues presented a prototype sensor at the Usenix Advanced Computing System Association workshop in Bellevue, Washington, on Monday. Individual impedance varies because each person’s wrist, for example, is a unique jumble of bone, flesh, and blood vessels.

As medical instruments and implants become more computerized and connected, security and authentication are becoming an issue. A number of researchers have shown that medical devices are vulnerable to hacking (see “Personal Security”).

“The idea of using bioimpedance as a biometric is clever,” says computer scientist Kevin Fu, of the University of Massachusetts Amherst, who studies medical-device security (see “Kevin Fu, TR35 Innovator of the Year”).

Authenticating users of medical devices could have various practical benefits. A household might share an exercise-monitoring device, for example, and authentication would match household members with their own results.

“We did some initial tests on ourselves,” Cornelius says, but eventually the team scaled up the experiment to include 46 volunteers. One electrode on the device sends an alternating current through its wearer’s wrist to a second electrode. While the current is passing through the wrist, the electrodes detect the wrist’s resistance and reactivity, which are components of impedance. A processor extracted seven features from the electrode pattern, and the team then used a series of five readings per user to train the processor to recognize a given user’s bioimpedance profile.

The team took 80 more impedance measurements from each subject and compared them to the composite profiles created to test the device’s ability to recognize individuals. They found that if they subdivided the pool of 46 volunteers into family-sized groups of two to five, they could correctly identify the user 80 to 90 percent of the time. Combining the bioimpedance data with a simple wrist-circumference measurement improves accuracy by a couple of percentage points.

Ari Juels, chief scientist at RSA Laboratories in Cambridge, Massachusetts, is skeptical that bioimpedance can serve as a practical biometric. “The false acceptance and false rejection rates are considerably weaker than required for any likely security scenario,” he says. Fingerprint recognition must allow less than one acceptance in 1,000 to be false, he notes, and other signals such as electrocardiograms may offer more reliable passive biometrics.

First published by Technology Review: [html] [pdf].