People are notorious for using very bad passwords, so maybe we should be using our heartbeats to unlock our sensitive data instead.
Researchers at Binghamton University in New York have found a way to use a patient's electrocardiograph (ECG or EKG) as the key to access their electronic health records. ECGs measure the heart's electrical activity via a biosensor attached to the skin.
"We wanted to find a unique solution to protect sensitive personal health data with something simple, available and cost-effective," said Zhanpeng Jin, an assistant professor in the school of engineering and applied science and one of the researchers.
You only have to look at your smartphone or wearable gadget to see how much health data (heartbeats or blood pressure, for example) can be collected by everyday technologies, Jin told me over email. This data can then be transferred to a doctor's office for analysis and stored in the patient's electronic health records.
"However, during this process, the data transmission is vulnerable to cyber attacks or data break, which may expose sensitive user's [electronic health record] data," he said. "The proposed solution applies one extra layer of security protection on the patient's' health data."
Instead of expensive, outsourced and bulky encryption techniques, he thought, why not just use a scan of the person's heartbeat?
"The existing studies on ECGs have proved that the ECGs are quite unique by nature among different individuals," Jin said. In other words, each person has what he called a "potential biometric identifier." A normal heart rate is about 60 to 90 beats per minute, so to get a more secure password, the scan would last for several beats to match the original pattern.
But hearts are fickle, and ECGs are vulnerable to variations, which is why more accurate—and stable—identifiers like fingerprints (or, let's say, iris scans) have been used more commonly for recognition.
Heartbeat scans contain "liveness detection," Jin said—people have to be alive to provide an ECG, so it's harder to fake.
The primary goal of Jin's research, which he presented at the IEEE Global Communications Conference in Washington D.C. at the end of 2016, is to "reduce the computational overhead" in storing health records, he said.
Right now, Jin and his co-authors are focused on developing algorithms and haven't yet tested them on patients.
"My point of view is, at [this] stage, ECG itself is less likely to become a robust biometric identifier alone to be used on phones or computers," he added. "But it holds great potential … for certain scenarios that demand a higher security level."