Due to potential publication, the previous Blog 1 was removed until copyright procedures were completed. Blog 1 is now being re-inserted along with Blog 2. Copyright (c) 2013 Marc Kowtko. All rights reserved.
Marc Kowtko Weekly Scholarly Blog
Week 1 – 06/10/2013:
Abstract—Telehealth, which began as a simple patient-to-doctor consultation, has evolved into a multibillion-dollar industry. New technologies in the telehealth field can assist patients in their daily lives, from managing prescriptions to monitoring their vitals. Telehealth continues to impact society and improve the quality of life of medical patients. However, increased cyber-attacks and security breaches have caused a surge in awareness and implementation of information security, especially in the telehealth sector. Biometric authentication, an evolving second authentication factor, has been developed and implemented in government and in the private sector, and telehealth professionals have taken a special interest in it. Because passwords are becoming harder for humans to remember and carry inherent security vulnerabilities, many industries, including telehealth, have turned to biometrics as a second form of authentication for their clients and employees. Few industries, however, have yet introduced biometrics to their users. As more medical records become available online, patients, especially older adults, will encounter new obstacles. Older adults, including those with cognitive impairment, often cannot remember complex password rules and are more likely to forget passwords or choose insecure ones that can be easily compromised. How do older adult patients, ages 65 or older, create passwords? As telehealth begins to roll out biometric authentication to patients, how will older adults, especially those with medical complications, cope with the usability, enrollment, and authentication process? This research will study the interaction between older adults (ages 65 or older) and passwords, as well as the accessibility of biometric authentication systems.
Introduction & What to expect for this research:
In recent times, cyber-attacks and cyber warfare have threatened network infrastructures across the globe. The world has reacted by increasing security measures through stronger passwords, strict access control lists, and new means of authentication; however, while these measures are designed to improve security and Information Assurance (IA), they may create accessibility challenges for older adults and people with disabilities. Studies have shown that the memory performance of older adults declines with age. It therefore becomes increasingly difficult for older adults to remember random character strings or passwords of 12 characters or more. How are older adults challenged by security measures, e.g., passwords, CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart), etc., and how does this affect their ability to engage in online interactions such as comparing health insurance options or using mobile platforms?
While username/password authentication, CAPTCHA, and security questions provide a baseline of protection, they remain vulnerable to cyber-attacks. Passwords can be compromised by brute-force, dictionary, and social engineering attacks. CAPTCHA, a type of challenge-response test, was developed to ensure that a form is being submitted by a human rather than by an automated program. Unfortunately, CAPTCHA has since been circumvented in several ways: insecure implementations in the page code or in the server-side check can be bypassed outright, and newer viruses and malware use optical character recognition to solve the challenges automatically. Security questions, another challenge-response test used to authenticate users, can also be compromised through social engineering attacks and spyware. Since these common security measures are increasingly being compromised, many security professionals are turning towards biometric authentication. Biometric authentication is any form of human biological measurement or metric that can be used to identify and authenticate an authorized user of a secure system; modalities include fingerprint, voice, iris, face, keystroke dynamics, and hand geometry. Biometric authentication is also less affected by the traditional cyber-attacks listed above, since there is no secret for the user to forget or to disclose. However, is biometrics completely secure? This research will examine the security challenges and attacks that may put biometric authentication at risk.
Recently, medical professionals in the telehealth industry have begun to investigate the effectiveness of biometrics. In the United States alone, the population of older adults has increased significantly. Although people are living longer, that does not mean they are living healthier, and studies have shown that the U.S. healthcare system is being inundated by older adults. As security in the healthcare industry tightens, many believe that biometric authentication is the answer. However, there are potential problems, especially in the older adult population. The largest is the authentication of older adults with medical complications. Cataracts, stroke, congestive heart failure, hardened veins, and other ailments may interfere with biometric authentication. Since biometrics rely on measurements of, and between, biological features, any of these conditions, and more, could affect the verification of users. This research will analyze how the medical conditions of older adults affect the verification process of biometric authentication systems.
Week 2 – 06/17/2013:
A. General Overview of Cyber-Attacks in the Telehealth Industry:
As telehealth continues to grow in numbers and in size, the likelihood of a cyber-attack grows with it. In recent times, society, industry, and government have seen a spike in cyber-attacks. These attacks have caused major outages, denial of service, security breaches, and the unauthorized access to, distribution of, and compromise of data. The banking and finance industry continues to be barraged with cyber-attacks and security breaches, which damage revenues, intellectual property, data protection, and brand reputation. The effects of a successful cyber-attack against a medical organization or facility, however, would be far worse: not only compromising patient data but also potentially risking the health and well-being of patients. Therefore, there is a strong emphasis on information security and IA.
B. General Overview of Information Security Concepts and Goals:
Accounts and personal data must be protected from unauthorized access. Whether that unauthorized access results from malicious attempts or from honest mistakes, the implementation and policies that protect data must be put into place. Currently, there are laws in the US and abroad that protect data and the privacy of its owners. In addition, many corporations and professional organizations have created compliance programs that address the policy implications of protecting data and privacy. The compromise of this data through an incident or a breach can be legally devastating not only to those who collect the data but also to the owners of that data.
C. Threat Environment
To have a better sense of information security and the threats to information itself, one must understand the threat environment. The threat environment is the set of potential threats that an entity (a computer network, or the data on it) can expect to face. “Know your enemy” is another way to describe it. Companies and enterprises responsible for the protection of data must understand the potential attacks and attackers they will face. Failure to understand the threat environment leaves an organization unable to defend its network and, most importantly, the data itself.
D. Goals of Information Security:
For information security to succeed, security goals must be realistic and serve a purpose. There are three standard security goals. Confidentiality means that data is disclosed only to persons given access on a need-to-know basis; it covers both protection of stored data from unauthorized access and protection of data in transit from interception on a computer network. Integrity means that data remains intact, whether stored or in transmission: an attacker cannot modify or destroy it undetected. Should data be modified or destroyed in the process, the authorized recipients should be able to detect the loss of integrity and be alerted to it. Availability means that authorized users can access the data they are entitled to. Recipients should not be denied access to the data they are to receive, so maintaining the availability of data across the network is a core concern for security and network professionals.
E. Countermeasures to Cyber-Attacks
Naturally, attacks attempt to disrupt one or more, and sometimes all, of these security goals. Security and network professionals, fortunately, are armed with multiple countermeasures to thwart or mitigate cyber-attacks. These countermeasures fall into three categories. Preventative countermeasures protect networks by stopping attacks from occurring or succeeding. Detective countermeasures protect networks by detecting threats that have attempted to exploit a vulnerability, especially while those attacks are succeeding; the faster the detection, the less damage is done and the greater the chance of mitigation. Corrective countermeasures are the incident response and disaster recovery methods that ensure compromised networks can recover and return to normal operation.
Week 3 – 06/24/2013:
- A. Overview of Access Control:
Securing computer networks will always require authorized users to authenticate themselves to the systems. Access control is the means of protecting computer systems by implementing policy that governs access to those systems and their data. Access control revolves around the three A's (AAA): authentication, authorization, and auditing. Authentication is the process of identifying a user and verifying the identity and permissions they claim. Authorization refers to the permissions granted to each authenticated user; these can range from the privilege to read a file to modifying it or executing an action on it. Auditing refers to the analysis of collected data, such as access logs, that records the history of activity within a computer or network system. For many users, accessing an account requires a password, which is one form of authentication. Authentication factors fall into three categories: something you know (a password), something you have (a smart card), and something you are (a fingerprint). A secure computer system will often require two or more of these; two-factor authentication requires two of them to authenticate a user. However, passwords, the most common form of authentication, carry their own problems: they are vulnerable both to password-specific attacks and to the human factor. Passwords can be compromised through brute-force attacks or dictionary-style attacks. A brute-force attack tries every possible combination of characters; a dictionary attack works through a list of common passwords and dictionary words until the correct password emerges. Passwords are also susceptible to social engineering, which in many cases is more sophisticated and cunning than computer-based attacks.
Unlike brute-force and dictionary attacks, which are computer-based and may use precomputed tables of password hashes (rainbow tables) to recover passwords from a stolen hash database, social engineering almost always includes the human factor. In social engineering, the attacker will either directly or indirectly attempt to coerce the target into giving up personal data, including passwords. The keys to social engineering are power and trust. An attacker may impersonate a person of authority, in which case the victim hands over sensitive personal information under undue influence. Or the attacker tries to win the target's trust, in which case the target is more likely to release sensitive personal information to the supposedly trusted individual. Biometric authentication is a possible alternative to this problem.
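As an added illustration of the password attacks above (example code written for this post, not taken from any cited source), the following Python shows why a precomputed lookup such as a rainbow table recovers passwords from an unsalted hash store with one lookup per stolen digest, and why a per-user salt combined with a slow derivation (PBKDF2 from the standard library) forces the attacker back to re-deriving every candidate for every user. The word list, usernames, and salts are constructed for the example.

```python
import hashlib
import os

# Constructed word list standing in for a real dictionary (e.g. a leaked-password list).
WORDLIST = ["password", "letmein", "123456", "qwerty", "welcome1", "Summer2013"]


def unsalted_hash(password: str) -> str:
    """Unsalted SHA-256, the pattern found in many legacy credential stores."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup(wordlist):
    """Precompute digest -> plaintext once. This is the idea behind a rainbow table:
    a real one compresses the table with hash chains, but the attacker's use of it
    is the same (one lookup per stolen digest, no hashing at crack time)."""
    return {unsalted_hash(word): word for word in wordlist}


def crack_unsalted(stored_digests, lookup):
    """Recover every stolen digest that appears in the precomputed table."""
    return {digest: lookup[digest] for digest in stored_digests if digest in lookup}


def salted_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated derivation (PBKDF2-HMAC-SHA256 from the standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_user_record(password: str, iterations: int = 50_000):
    """Store (salt, digest) with a fresh random salt for every user."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt, iterations)


def crack_salted(store, wordlist, iterations):
    """With per-user salts no table can be shared: each candidate must be
    re-derived for each user at the full iteration cost. Returns the passwords
    found and the number of derivations the attacker had to perform."""
    found, attempts = {}, 0
    for user, (salt, digest) in store.items():
        for word in wordlist:
            attempts += 1
            if salted_hash(word, salt, iterations) == digest:
                found[user] = word
                break
    return found, attempts


if __name__ == "__main__":
    # Constructed breach of an unsalted store: two users chose "letmein".
    stolen = [unsalted_hash("letmein"), unsalted_hash("letmein"), unsalted_hash("Summer2013")]
    print("unsalted:", crack_unsalted(stolen, build_lookup(WORDLIST)))
    # The same passwords behind per-user salts: identical passwords no longer share a digest.
    store = {"alice": new_user_record("letmein"), "bob": new_user_record("letmein")}
    print("same digest?", store["alice"][1] == store["bob"][1])
    print("salted:", crack_salted(store, WORDLIST, 50_000))
```

The dictionary attack still succeeds against weak passwords in the salted store; what changes is the cost, which now scales with users × candidates × iterations instead of being paid once up front.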
B. An Introduction into Biometric Authentication
Biometric Authentication (BA) is an authentication method that uses biological characteristics and metrics (measurements) of the human body. Face, fingerprint, iris, palm print, and voice are just some of the features used to authenticate users; birth marks, tattoos, or other body modifications can also serve as an authenticating characteristic. The key in BA is that authentication is based on “who you are”: the assumption is that no other person has the same exact features as the enrolled individual. The most common BA systems in use are fingerprint, iris, and facial recognition. A first-time user must be enrolled into the system.
C. Enrollment Process & Verification
When enrolling into a biometric authentication system, the user's biological feature (e.g., a fingerprint) is scanned into the system; this is the enrollment process. The initial enrollment scan is designed to capture and extract as much detail of the biological feature as possible, which is then stored as a template. A second, supplementary scan filters out noise or anomalies that could distort the template. The system then rescans and compares the stored template against the fresh scan; since every scan of the same biological feature is slightly different, this step ensures that the key details of the feature can be recognized again. To harden the system, templates are often encrypted or otherwise protected at rest. Note that a plain cryptographic hash of a template cannot be compared against a later scan, because no two scans are bit-for-bit identical; protecting templates requires encryption or a dedicated template-protection scheme. In some deployments a user is periodically re-enrolled (quarterly, for example) so that the stored key features are updated when they have changed slightly due to injury, health, or age. When a user wants to authenticate (verification), the features of the new scan are compared to the stored template, and acceptance or rejection is decided by the decision criterion: the matching error is compared against a threshold value. If the error is smaller than the threshold, the scan matches and the user is accepted; if it is larger, the user is denied.
D. Accuracy & Rejection
Access control systems, in general, must be extremely accurate. For a BA system, three statistics must be taken into account: the false acceptance rate (FAR), the false rejection rate (FRR), and the equal error rate (EER). In simple terms, they measure the accuracy of the system. If a biometric authentication system falsely rejects the right user at a high rate, the system is unusable; if it falsely accepts the wrong user at a high rate, the system is inherently insecure. Both rates depend on the decision threshold: tightening it lowers the FAR but raises the FRR, and loosening it does the opposite. The point at which FAR and FRR are equal is the EER, the usual single number for comparing systems; when evaluating a system, it is important to find an operating threshold at which both false rejection and false acceptance are acceptably low. Another challenge with biometric authentication is the inability to enroll into a system at all. Whether caused by injury, health, or age, this produces another error measure, the failure-to-enroll rate (FTE).
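To make the decision criterion and the FAR/FRR trade-off from the two sections above concrete, here is an added Python example (not code from the original post or from any biometric product). It sweeps a threshold over constructed match distances, computes FAR and FRR at each candidate threshold, and locates the equal error rate. The score values are invented for illustration; a real system would obtain them by comparing fresh scans against stored templates.

```python
from typing import List, Tuple

# Constructed match distances (lower = closer to the enrolled template).
# GENUINE: the enrolled user re-scanned; IMPOSTOR: somebody else's scan.
GENUINE = [0.05, 0.08, 0.10, 0.12, 0.15, 0.18, 0.22, 0.30, 0.41, 0.55]
IMPOSTOR = [0.28, 0.35, 0.42, 0.48, 0.52, 0.60, 0.66, 0.71, 0.80, 0.90]


def decide(distance: float, threshold: float) -> bool:
    """Decision criterion: accept only when the matching error is below the threshold."""
    return distance < threshold


def frr(genuine: List[float], threshold: float) -> float:
    """False rejection rate: fraction of genuine attempts the criterion turns away."""
    return sum(not decide(d, threshold) for d in genuine) / len(genuine)


def far(impostor: List[float], threshold: float) -> float:
    """False acceptance rate: fraction of impostor attempts the criterion lets in."""
    return sum(decide(d, threshold) for d in impostor) / len(impostor)


def error_curve(genuine, impostor):
    """(threshold, FAR, FRR) at every candidate threshold: each observed score,
    plus one point above the maximum so the accept-everything end is included."""
    scores = genuine + impostor
    candidates = sorted(set(scores)) + [max(scores) + 1e-9]
    return [(t, far(impostor, t), frr(genuine, t)) for t in candidates]


def equal_error_rate(genuine, impostor) -> Tuple[float, float]:
    """Threshold at which FAR and FRR are closest, and the error rate there.
    Ties resolve toward the lower (stricter) threshold."""
    t, fa, fr = min(error_curve(genuine, impostor),
                    key=lambda row: (abs(row[1] - row[2]), row[0]))
    return t, (fa + fr) / 2


if __name__ == "__main__":
    for t, fa, fr in error_curve(GENUINE, IMPOSTOR):
        print(f"threshold={t:.2f}  FAR={fa:.1f}  FRR={fr:.1f}")
    threshold, eer = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"EER={eer:.2f} at threshold {threshold:.2f}")
```

Running the sweep shows the trade-off directly: at a strict threshold of 0.30 no impostor is admitted but three of ten genuine attempts are rejected, while at 0.41 both rates meet at 20%. For the population this research studies, whose features drift with health and age, it is the FRR side of that curve that determines whether the system is usable.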
E. Compromises & Countermeasures
Biometric authentication is not free from deception; attackers can use a number of methods to bypass BA. If a system requires a fingerprint scan, an attacker can lift a latent print of the targeted user, cast a fake finger from it (rubber or a similar material), and present that to the scanner. If facial recognition is required, some attackers will recreate a dummy face of the target. If the biometric database is insecure, an attacker might attempt to crack the hashed or encrypted template values stored in it. Fortunately, there are countermeasures. Liveness detection for facial recognition may require the user to blink or smile; for fingerprint recognition, the system may check for a pulse, heat, or the blood oxygen level of the presented finger. It is important to note, however, that biometric systems should be used as a supplemental factor. They should not replace a smart card, username, or other credential that requires a user to either “have” or “know” something.
© Marc Kowtko 2013
Burling, S. (2012, August 30). Those annoying CAPTCHAs are getting harder. The Buffalo News. Retrieved November 2, 2012, from http://www.buffalonews.com/apps/pbcs.dll/article?AID=/20120830/BUSINESS01/120839557/1006
Kalra, G. S. (2012). Attacking CAPTCHAs for Fun and Profit. McAfee (Foundstone white paper). Retrieved from http://www.mcafee.com/us/resources/white-papers/foundstone/wp-attacking-captchas-for-fun-profit.pdf
Burr, B. (2005, September 20). Biometrics and Electronic Authentication. NIST. Retrieved June 29, 2013, from http://www.biometrics.org/bc2005/Presentations/Conference/2%20Tuesday%20September%2020/Tue_%20Ballroom%20E/BurrBiomConf05.pdf
Singer, N. (2013, February 2). Consumer Data Protection Laws, an Ocean Apart. The New York Times. Retrieved from http://www.nytimes.com/2013/02/03/technology/consumer-data-protection-laws-an-ocean-apart.html
Hobson, D. (n.d.). The real cost of a security breach. SC Magazine. Retrieved June 29, 2013, from http://www.scmagazine.com//the-real-cost-of-a-security-breach/article/113717/
Panko, R. (2010). Corporate Computer and Network Security (2nd ed.). Upper Saddle River, NJ: Prentice Hall.
Jain, A. K., Bolle, R., & Pankanti, S. (1999). Biometrics: Personal Identification in Networked Society. Boston: Kluwer.
Huntington Ventures Ltd. (2006). Biometric Authentication. Retrieved June 29, 2013, from http://www.authenticationworld.com/Authentication-Biometrics/
Week 06/28/2013 – 07/05/2013:
- A. Personal Preface
In late June, I began working at my internship with IBM. As an intern at the IT Risk Office, I was responsible for drafting and evaluating new policies and conducting data analysis. During my internship, I was introduced through a colleague to Nalini Ratha, a leading biometrics researcher at the IBM T.J. Watson Research Center in Yorktown Heights. During our meeting, I discussed my project plans and he advised me on how to proceed with identifying research variables and proper data collection. As stated in the first blog, this research is intended to study the aging complications of older adults and their impact on the verification process within a biometric authentication system.
- B. Understanding Data Collection, Its Challenges, and Legal Process
During this meeting, data collection was a major topic. As with any research that collects data from a human population, risks and challenges become a major obstacle to obtaining the right amount of data. One of those obstacles is having the research and data collection approved by an Institutional Review Board (IRB). For any research project or initiative that collects data from human subjects, an IRB must review and approve the initiative and the data collection. Institutional Review Boards are regulated through Federal laws and regulations, and all IRBs and study administrators must meet specific requirements when research or data collection is conducted on human subjects. A key role of an IRB is ensuring that the research is ethical and conforms to accepted standards. Some of the attributes an IRB evaluates include the balance between the risk of potential harm to a subject and the potential gain, moral principles, legalities, and the long-term benefits of the research. Data collection itself is also reviewed by the IRB committee. In my meeting with Nalini Ratha, data collection was a concern, particularly the amount of data needed. Since the research focuses on the impact of medical conditions on the verification process of a biometric authentication system, several key details emerged. It was important to determine the research variables and multi-mortalities, starting with the independent and dependent variables. Independent variables are controlled or manipulated by the researcher; dependent variables are observed as a result of the experiment. The potential multi-mortalities of the research may include the age of the patient, the medical complications and their impact on the human body, the measurements of particular body parts, and patient time and response.
For example, if a person uses a fingerprint to authenticate, that person's age, medical diagnosis, and finger measurements must be collected and compared against the biological details captured in the stored template. If the person's medical complications include an ailment such as congestive heart failure, or another condition that affects the heart or the body's fluid retention, further data must be collected, including measurements of the body parts affected by the complication. Depending on the ailment and its classification, data may have to be collected on a daily or even hourly basis. Once these variables and multi-mortalities have been identified, data analysis models must be completed to evaluate the quality of the collected data. Since this data includes biomedical data, privacy is a significant concern, so the purpose and scope of use must be identified and scrutinized to reduce legal and privacy risks. The worst case is collecting too much data, which can result in rejection of the IRB application, in which case the researcher or team must resubmit an entirely new application to the IRB committee; collecting too little, on the other hand, compromises the value of the research and its results.
- C. Identifying Other Factors That Can Refute or Alter a Hypothesis's Expected Result
The key is using data collection to determine the problem scope. Are medical complications and their effects on the human body the sole contributor to a biometric system's potential inability or failure to verify a user, or do other issues play a role? Ratha, however, pointed out that biometric systems are designed to compensate for variation: as long as the key features of the template can still be identified, medical complications may not compromise the system at all. Other factors may contribute to the problem, for example involuntary tremors. If an older adult's tremors are too severe, or they are unable to hold their finger steady on a fingerprint scanner, a template cannot be produced or the template may be inaccurate.
Week 07/12/2013 – 07/19/2013:
- D. Challenges and Complications
While biometric authentication offers advantages including greater accessibility and ease of use, aging and medical complications can erode those advantages. Older adults experience social, physical, and mental changes as they age, and their surroundings can significantly affect those changes. For the majority of older adults, the most significant change is in mobility: arthritis, joint stiffness, and lack of exercise can lead to decreased movement and independence. Cognitive function may also become impaired with age. As older adults continue to age and experience new or worsening medical complications, the challenges continue to mount.
- E. Heart Failure & Its Potential Effects on Biometric Authentication
Biometric authentication continues to grow in popularity as an alternative to passwords. For a person with a medical condition, the greatest risk is the inability to enroll in, authenticate to, or be verified by a biometric authentication system. Medical complications affecting the heart, lungs, and circulatory system may compromise the accessibility and ease of use of BA systems. Congestive heart failure (CHF) is one of the leading causes of hospitalization for older adults ages 65 and over. CHF, or heart failure (HF), can be caused by a multitude of ailments and diseases, including coronary artery disease, a previous heart attack, obesity, ischemic heart disease, HIV, infection of the heart, high blood pressure, diabetes, and other conditions that overwork the heart; lifestyle factors including addiction, smoking, and the abuse of pharmaceutical drugs can also cause heart failure. Heart failure is medically defined as the heart's inability to pump enough blood to meet the demands of the body. Symptoms of HF and CHF include lung congestion, weakness, fatigue, nausea, changes in blood pressure, and a rapid or irregular heartbeat. Fluid and water retention is a significant symptom: since the failing heart cannot meet the body's demands, other organs are affected as well, and the kidneys often respond by retaining fluid and salt. The most notable signs are significant weight gain, chronic coughing due to fluid collecting in the lungs, and swelling in the feet and ankles; the face, hands, and fingers can also swell with fluid. The increased fluid in the body puts additional strain on the heart. While water retention can be treated with diuretics and increased exercise, the amount of water retained can change the body's physical characteristics daily and sometimes hourly.
For older adults who have this condition, the ability to enroll in, authenticate to, or be verified by a BA system can be compromised by the body's continually changing metrics (measurements). Biometric systems that could be affected include facial and fingerprint recognition.
Week 07/26/2013 – 08/02/2013:
- F. Iris Patterns & Facial Recognition Complications
Other medical complications can also affect biometric authentication systems, cataracts and other diseases of the eye among them. In a study by Brazilian researchers at the Federal University of Sao Paulo Vision Institute and the University of Sao Paulo, the researchers tested iris-based verification on 55 patients' eyes before and after cataract surgery. They concluded that eyes that had undergone cataract surgery were more difficult for iris recognition systems to verify against the pre-surgery enrollment: the change in iris texture and pattern caused by the surgery led to an increase in false rejections. The researchers advised that individuals who undergo cataract or other eye surgery re-enroll, so that a new template is created from the post-surgery iris pattern. Facial recognition could likewise be challenged: a stroke or hardened veins can alter facial features and affect the verification of enrolled users.
- G. Cost Complications
There are other challenges regarding biometrics. Access to these systems can prove difficult for older adults because of economic hardship. At the low end, fingerprint scanners/readers cost between $100 and $150 USD; more sophisticated BA systems can cost well into the thousands of dollars. For older individuals, even $100 USD can be expensive, especially for those living on Social Security, subsidized compensation, or a fixed budget. Other expenses add to the hardship: medical co-payments, housing fees, and prescriptions all eat into an older adult's monthly income. In some cases, a biometric authentication system can be seen as unnecessary and unaffordable. Facial recognition can be implemented using a laptop or tablet camera; however, the camera quality can affect whether facial recognition is feasible. Nor is it only the physical BA devices that are costly; software, service, and technical support also contribute to the rising costs.
Week 08/09/2013 – 08/16/2013:
- H. Implementation Concerns?
Implementation and availability are additional concerns. While ownership and use of computers and mobile tablets are increasing, a significant number of older adults still do not own a computer or mobile device. One may think that technology makes these tasks easier, but that is not always so. Computers and the Internet may be simple to use for the average individual, but they are different for people with disabilities. Operating systems, web pages, and other computer components often contain menus and navigation bars crowded with icons and services. People with disabilities are intimidated by this; they would prefer simple menus, but unfortunately the World Wide Web is dominated by difficult page organization and layout. Other problems in IT today involve the physical interaction with computer components: mice and keyboards are shrinking, screens that are either too large or too small often display unclear text, and buttons with unclear meanings frustrate users. Many people cannot use technology without referring to manuals, and yet these manuals contain page after page of small print and sophisticated text.
- I. Moving Forward into the Future
The research conducted during this semester, along with the help and experience from IBM, has given me a better footing for successfully collecting and analyzing data to test my hypothesis. In the previous weeks, several modifications were made to the IRB application and a new data analysis spreadsheet was created to assist in identifying the data to be collected. In addition, this research will be assisted by Pace faculty including a speech pathologist and experts in the biometrics field. We expect to resubmit the revised IRB application with the data analysis model in anticipation of approval. We have already found community partners who are willing to work with this team and Pace University and provide us with the medical population needed to collect our results. This research is intended to extend into the fall semester, with publication of our results in the following spring semester. In addition, we are also working on creating a community web portal and intranet that will serve as a communication point for our researchers and participants. We look forward to the future and its endeavors.
New Hanover Regional Medical Center. (2013, August 15). What is an IRB and it’s purpose? Wilmington, NC. Retrieved August 17, 2013, from http://www.nhrmc.org/what-is-an-irb
ASH. (1979, April 18). The Belmont Report. U.S. Department of Health and Human Services. Retrieved August 17, 2013, from http://www.hhs.gov/ohrp/humansubjects/guidance/belmont.html
National Service-Learning Clearinghouse. (2013, August 15). Defining Research Variables (Operationalization). Retrieved August 17, 2013, from http://www.servicelearning.org/service-learning-research-primer/defining-research-variables-operationalization
Hooyman, N. R., & Kiyak, H. A. (2008). Social Gerontology: A Multidisciplinary Perspective. Pearson Education.
WebMD. (2013, August 16). Congestive Heart Failure Symptoms, Causes, and Treatment. Retrieved August 17, 2013, from http://www.webmd.com/heart-disease/guide-heart-failure
Heart Failure Society of America. (2010). Section 7: Heart Failure in Patients With Reduced Ejection Fraction. Retrieved August 17, 2013, from http://www.heartfailureguideline.org/diuretic_therapy/81
Roizenblatt, R., Schor, P., Dante, F., Roizenblatt, J., & Belfort, R. (2004). Iris recognition as a biometric method after cataract surgery. BioMedical Engineering OnLine, 3(1), 2. doi:10.1186/1475-925X-3-2
Biometrics: Prepare to be scanned. (2003, December 4). The Economist. Retrieved from http://www.economist.com/node/2246191
Kowtko, M. (2012). Open Source Assistive Technology Website. Columbia College Undergraduate Student Research Journal, 1–4 (unpublished).