Encryption and Trusted Base: SECURE PORTAL FOR NETWORKING HEALTH

Lead Institution: Johns Hopkins University

Project Leader: Avi Rubin

Research Progress

  • Abstract
    Together with our collaborators at Networking Health, we developed a patient portal for use with their EMR system at the clinics using OpenMRS. The main idea was to incorporate Knowledge Based Authentication (KBA). In this approach, we use the patient’s knowledge of their medical history, together with the back-end database of that information, to authenticate the user while attempting not to leak any information about the patient to an imposter who attempts to authenticate. To help with this, we were given access to Networking Health’s collection of medical records.

    We developed new techniques for Knowledge Based Authentication (KBA), which we used as a secondary form of authentication. A secondary application, where it could potentially be used as the primary form of authentication, would be to gain access to a patient’s medical record when they are at a different doctor’s office.

  • Focus of the research/Market need for this project
    The market needs better ways to authenticate patients, and using the information that patients already know about their medical history, in conjunction with other authentication techniques, should prove beneficial if implemented commercially.

  • Project Aims/Goals
    The end goal of the project is better authentication of patients to their medical records portals.

  • Key Conclusions/Significant Findings/Milestones reached/Deliverables
    A key finding in this work was that patients do not have as good a memory of their medical histories as one would think. Thus, rather than focusing on KBA as a primary authentication means, we discovered that it is more practical to consider KBA as a secondary authentication source.

  • Materials Available for Other Investigators/interested parties
    As the code is in a research stage and is not production ready, we did not disseminate our code publicly. However, we would be happy to make it available to other researchers who want to study our techniques.

  • Market entry strategies
    The key to market entry would be to have a commercial entity that wants to set up portals adopt our KBA techniques as a secondary authentication mechanism.

Bibliography
This project did not result in any publications. We worked with Networking Health to try to deliver a medical records portal using KBA to their patients. While the work was novel and time-consuming, it did not result in the type of creative research that we felt was publishable in top security or health venues.