Security

In general, the SMS protocol is insecure because items are sent in plain text. For many situations (RSS readers, broadcast information) this is perfectly legitimate. However when interacting with private/personal information a new strategy has to be employed. Use cases for banking and commerce data should also be developed. <h2>Use Cases</h2> These use cases focus on health data used in rural HIV clinics and a strategy for keeping the information private. <ul> <li>Collect demographic information (given name, family name, location, number) without exposing this information in plain text, and or without connecting this identifying information to private/personal data.</li> <li>Submit HIV status information for a specific person identifier without allowing proximity to reveal the associated person.</li> </ul> In the first case it would be very easy to listen to insecure communications and recover names and locations of patients with specific HIV statuses. In the second, one would assume that the demographic information is secured (using unique identifiers) however if only one person enters a testing booth and the HIV status is broadcast, it would be easy to determine which person the status referred to. This suggests that not only incoming, but outgoing (source) SMS need to be secured. <h2>Strategies</h2> Assuming that no application can be deployed to the phone, an out-of-band encryption solution needs to be adopted. Possible approaches include: <ul> <li>Use of pre-printed identifiers</li> <li>Use of simplified one-time pads (http://en.wikipedia.org/wiki/One-time_pad)</li> <li>Use of biometrics (facial recognition, iris detection, fingerprinting)</li> <li>Use of a code word or pass-phrase or pin</li> </ul> <h3>Pre-printed identifiers</h3> In most public health scenarios you do not need demographic (name, number, address) information except for longitudinal identification. Typically having the name and address is useful for cross-checking identifiers and for when patients lose identifiers. Suppose that the community healthcare worker was given a set of pre-printed patient identifiers (as barcoded labels for health passports) that they took into the field. When they wanted to enter information for new patient, they would issue the health passport and utilize one of the stickers. They could then submit information for the patient based on their identifier. Pros: <ul> <li>Uses a unique identifier for longitudinal care</li> <li>Sends information against a private, unidentifiable identifier instead of demographic information</li> </ul> Cons: <ul> <li>Patients could lose their passports and identifiers which would result in loss of followup</li> <li>Crosschecking of identifiers with demographic information would not be possible</li> </ul> It is still possible that certain demographics could be collected including: gender, birthdate, location <h3>Simplified One-time pads</h3> In cryptography the only form of perfect secrecy is the use of a one-time pad. Originally these were actual pads of paper that would have a new set of keys on each page generated randomly. By entering the pad number and then using the cipher, the recipient could use the corresponding pad to decrypt the message. Typically one-time pads are time consuming to utilize manually. Simplifying this process, one could use “one-time” pads for specific sets of sensitive questions. Imagine that the following is printed and given to the community healthcare worker before they went on their visits: Pad 3452 Is the person HIV positive (Enter “a” for yes, “m” for no) and Pad 3671 Is the person HIV positive (Enter “p” for yes, “d” for no) For each patient they could be asked, “Please enter the pad number”, followed by “Is the person HIV positive?”. Or users could be trained to submit an answer like “3452m”. If pad numbers were reused by mistake the answer could be rejected. Pros: <ul> <li>Very secure, even given proximity an eavesdropper could not determine the status without the one time pad</li> </ul> Cons: <ul> <li>Confusing, may require additional training and may increase the burden of work</li> <li>Requires papers to be printed and carried by the community healthcare workers</li> </ul> <h3>Use of Biometrics</h3> In many distributed environments, the use of bio-metric information allows you to create a secure reproducible identifiers that can be replicated in the field and at the primary location. Biometrics are being used widely in sub-saharan Africa for health, micro-finance banking and the like. Newer phones have the ability to utilize their cameras to detect irises and use this as an identifier (Android). Connecting to devices to phones also provides a possibility (especially given Bluetooth). However, if you become reliant on a specific device or software for the device, you may as well implement a full encryption system and utilize traditional demographic information. Pros: <ul> <li>Reproducible identifier that the patient cannot “lose”</li> </ul> Cons: <ul> <li>Requires additional equipment or specialized phones and software</li> <li>Fingerprints for farm workers tend to be difficult to read, early infant fingerprints have been shown to change</li> <li>Facial recognition and iris scanning require high resolution and may not be suitable for patients with ocular diseases and side effects</li> </ul> Non-traditional facial recognition might be possible if it is combined with [[contacts]] syncing and semi-permanent identifiers. <h3>Use of Codewords, Pass-phrases and Pins</h3> In addition to the typical set of demographic identifiers, a pass-phrase could be employed as a mechanism of cross checking known information (such as birthdate, location, and gender). Typically these systems work best when it is a personal piece of information that will not change over time, will not be forgotten, and is not common. In the United States a common example of this to ask your “Mother’s maiden name” or “What city were you born in”. Unfortunately this information can be learned and now has gained a significant importance/privacy all its own. Many web systems have a list of questions such as “Who was your first grade teacher” or “What was your first pet’s name”. In many cases in rural Africa these questions are not applicable. Pros: <ul> <li>Would allow a person to be somewhat reliably re-identified</li> </ul> Cons: <ul> <li>Applicable questions with answers that are not common, will not be forgotten, and will not change over time are hard to find</li> <li>Possibly not useful for infants (the time-horizon of the identifier may need to be specified)</li> <li>Difficult for patients that have died</li> </ul> 2008-10-27T09:17:46-07:00 73026 security

67852

Security

2008-10-27T10:28:39-07:00

4064