Protocols for Protecting Patient Information within a Biometric

Analysis

Steven A. Israel2, Dong P. Jang1, Brenda K. Wiederhold1, Mark D. Wiederhold3, Shannon B.

McGehee1, Lauren W. Gavshon1, Rodney Meyer2, John M. Irvine4

1
The Virtual Reality Medical Center
6160 Cornerstone Court East
San Diego, CA 92121-3725, USA
Human123@bme.hanyang.ac.kr
+1-858-623-2777 ext. 415
fax: +1-858-642-0285
2
SAIC
4001 North Fairfax Drive: Suite 450
Fairfax, VA 22203, USA
3
SAIC
10260 Campus Point Drive
San Diego, CA 92121, USA
4
SAIC
20 Burlington Mall Road
Burlington, MA 01803, USA

Protocols for Protecting Patient Information within a Biometric Analysis 1

ABSTRACT

The Virtual Reality Medical Center (VRMC) and SAIC are assessing the uniqueness of several
non-imaging biometrics. The focus of this paper is to show how information security is
maintained without losing of information for analysis or increasing labor costs. We describe the
protocol setup and subject management as essential elements for performing biometric analysis.
The procedures were developed prior to any data collection and followed as required by US law.
Preliminary results show that the patients are comfortable with the protocol and information
passed among researchers is completely free of information that can be directly associated with a
specific individual. The results from the data analysis will be presented in the near future.

IMPORTANCE OF INFORMATION SECURITY FOR HUMAN BIOMETRICS

Information security of human biometrics has both a legal and an ethical requirement. In the
United States, specific guidelines must be met prior to any human data collection. Though these
guidelines cover everything from the patients physical and emotional safety, our focus here is on
the privacy aspects of the data. Ethically, our subjects are entitled to the assurance of privacy.
As long as unique identifiers are ascribed to the datasets, the analysis of the biometrics can be
performed in a robust quantitative manner.

EXPERIMENTAL GOALS

In our experiment, we quantified the uniqueness of ECG, speech, pulse oxymetry, breath rate,
and pressure pulse varied within an individual and among a population. The questions to answer
were how do these measures vary within an individual at a given state of anxiety, how do they
vary within an individual across multiple states of anxiety, and how do these measures vary
across a population. Doctors have long used ECG and pulse oxymetry information to understand
a patient’s cardiac output, extremity circulation, and health. Breath rate and skin resistivity are
used as part of polygraph data. A variety of stressors were applied by asking the subject to
perform simple tasks, such as reading and subtraction.

PATIENT MANAGEMENT PROCEDURES

In order to gain permission to collect human biometric data, the US government requires a test
plan to include procedures for patient management and data handling. The outline of these
procedures follows: The subjects were scheduled for appointments. Prior to the data collection,
the subjects were given information about what to expect from the testing procedures and the
types of data that were being collected. In the discussion, the patients were provided a
description of possible discomforts, the benefits of their participation, and also an opportunities
to ask questions, . All verbal discussions had written analogs to insure that the subject was fully
aware of the experimental regimen. They were given opportunities to withdraw at any time
during the discussion and were told they could stop the testing at any time. After the procedures
were explained, they were asked to sign a consent form. In our case, an additional form was
required to allow us to video tape the subjects during the session.

Protocols for Protecting Patient Information within a Biometric Analysis 2

Patient Identifiers
The patients were given unique subject numbers that followed them during their session. The
identifier was a number starting at 001 and identifier numbers proceeded serially. It is important
that the identifier had no reference to personal identifiers such as in the US a driver’s license
number of Social Security number. Any possible references between subject identifiers and
personal identification was locked in a secure facility separate from the data and data analysis.

In addition to the patient identifiers, the group developed improved protocols and tasks. It was
essential to keep track of the protocol and trial number in which a subject participated during the
session. The session is the number of times that subject repeated the experiment. To do this,
identifiers were concatenated with protocol value, session number, and task. An example of a
unique data set is 001-01-01-01, or <subject number>-<protocol>-<session>-<task>. None of
the numbers assigned to either a protocol session or task were ever reassigned.

Diversity Issues and Data Validity

The biggest issue with our data analysts was determining the validity of our collected data. The
patients were identified from the student body at the California School of Professional
Psychology in San Diego. The school is known for its clinical work in psychological assessment
and research. Though the subject population contained a common aspect, the subjects varied in
ethnicity, age, and gender. In the end a total of 100 sessions were performed over a total of 50
subjects, two sessions each for 30 subjects and 3 sessions each for 20 subjects. This provided
more than enough data to assess the relevance of the individual biometrics.

DATA COLLECTION AND POST COLLECTION FEEDBACK

The subjects were observed during each session. A clinician made notes in the subject-protocol-
session database. Any distinguishing descriptors were removed or mitigated, such as referring to
the subject as male or female rather than name. In addition, the patients were videotaped. These
tapes were only used to explore unusual values or anomalies within the data. The clinician
reviewed the video tapes at the request of a data analyst. The separation of the clinical and
analysis functions by using different personnel was an additional privacy measure and minimized
the analysis bias.

During the post-data-collection feedback, the subjects were asked about their stress levels during
each of the tasks. Stress was a subjective measure between 1 and 10. They were also asked to
provide information about current health, medications, and recent dietary intake. This metadata
were compiled to understand possible variances between the same subject over different sessions.

DESIGN OF THE EXPERIMENT

This experiment collected data on heart rate using several contact sensors, including ECG
electrodes, an infrared pulse oximeter, and pressure transducers. Subjects performed a variety of
tasks designed to stimulate various mental and emotional responses that could alter the observed
physiological responses. The laboratory set up supports the simultaneous acquisition of heart rate

Protocols for Protecting Patient Information within a Biometric Analysis 3

and respiration data from several contact sensors (Figure 1). Multiple measurements permit an
assessment of data consistency, as well as indications of how the signal of interest might appear
to other sensors. For example, two ECG measurements confirm the timing of the QRS complex.
In a sense, this is the purest measure of heart rate variability. Other measurements that confirm
heart mechanics include a pressure transducer sensor, that records heart sounds; the pulse
pressure measurement at the finger, which correlates with the arterial pressure wave; and the
pulse oximeter, which senses the pulse waveform and level of blood hemoglobin oxygenation.
We observed strong correlations among these measurements, as expected. Time lags between
certain signals relate to the specific physiological processes and the locations of the sensor on the
body. The QRS complex in the ECG is correlated with the mechanical activity of the heart,
which precedes the pressure waveform in the extremities (Figure 2).

Nasal Sensor Respiration

2 ECGs

Finger Sensor

Figure 1. Illustration of the Data Collection Concept.

It is well known that heart rate can vary with a person’s mental and emotional state. In order to evaluate
the effect of various physiological conditions on biometric parameters, a commonly used stress-inducing
protocol was administered to the subjects (Table 1). In general there are four stages of mental condition
that can be evaluated in the lab: baseline phase, meditative phase, stressor phases, and recovery. Seven
different tasks were given to participants to measure these stages. Participants initially had physiological
parameters monitored and recorded while in a relaxed, but not meditative, condition. Next, participants
were asked to relax as fully as possible with eyes remaining open and room lights dimmed. Next, they
were asked to read non-provocative material (Declaration of Independence) and then perform a simple
mathematical task. Following these two procedures they were allowed to recover and physiological
signals typically returned to near baseline levels. After this initial recovery period, they participated in a
simulated driving task where a variety of stressors were sequentially added, making the driving task
progressively more difficult. Following this stressor exposure, they were allowed to relax and data were
obtained during the final recovery phase.

Protocols for Protecting Patient Information within a Biometric Analysis 4

 0.05

0
0 500 1000 1500 2000 2500 3000 3500

-0.05

Signal
-0.1

Chest Sensor
Finger Sensor
-0.15
ECG #1
ECG #2

-0.2
Time

Figure 2. Multiple Measurements Show the Relationship and Time Delays Among Electrical
Activity of the Heart (ECG), the Heart Beat, and the Pulse Measured at the Finger

Task Protocol
Task 01 Initial Baseline
Task 02 Meditation
Task 03 Reading Task
Task 04 Arithmetic Task
Task 05 Initial Recovery
Task 06 Driving Task
Task 07 Final Recovery
Table 1. Time sequence of data to be collected.

FINDINGS

The data management protocol developed provided a procedural basis for communicating
information among the project investigators. The patients were comfortable that the procedures
were in their best interest and no expressions of remorse were expressed by any of the
participants. In fact, most subjects were genuinely interested that their information was being
quantitatively analyzed and wanted to have progress results for our research. The data analysts
found no limitation with the algorithmic procedures they were applying to the datasets. The
partners have not uncovered any information that the personal names and the data have been
linked in any manner.

Protocols for Protecting Patient Information within a Biometric Analysis 5