Tuesday, October 14, 2014

GHC14 - Technical Talks

A few notes (as much for myself) on a couple of the technical talks that I attended.

There were three technical tracks (beside the Open Source Day) that I had some interest in: Security/Privacy, Data Science, and IoT/Wearables. Between conflicts in scheduling, making the most of "hallway sessions", seeking [allergy free] food, and pure exhaustion leading to afternoon naps, I only made it to a few of these sessions. Here are reviews of two:

Bio-metrics - Cool or Creepy?

This panel was all industry professionals. There appeared to be a higher priority on customer experience than security. They did acknowledge that there is a difference between personalization identity and authentication identity. It bugged me that they referred to these as "identity" and "authentication" instead of two types of identity. They also made a distinction between local implementation (on a phone or tablet) and cloud or remote identity and pointed out (though maybe not forcefully enough to be heard) that authentication needs multiple factors and a higher level of confidence match.

Fingers, eyes, ear shape, etc were mentioned briefly but without as much technical information on where the industry is for my tastes. There was some discussion of active vs passive enrollments for bio-metric devices. Most of that discussion focused around voice and how it does take into account twins or having a cold or other day to day changes. Basically (and not new to me),any bio-metric technology has a level of confidence match. A low confidence match is sufficient for an recognizing identity for a device used by multi persons such as then providing a custom screen on the family Ipad. One way they want to extend this is with customer service call centers. Instead of having to go through a proof of identity each time to you call in - especially with followup calls - have the computer system recognize the voice. This then extends into the Matrix versions of in store identity and personalized experience. I still vote creepy. I prefer being an anonymous shopper.

Designing secure and privacy-aware IoT and wearable technologies for healthcare.

I was disappointed with this talk based on the title and description. The content was interesting but not what I expected. There were four panelists - two from industry and two from academic research. 

The first two presenters - from FitBit and UC Berkeley - talked mostly about the research they are doing to enhance the user experience. All the ideas are about collecting more data and automating the sharing of the data. Nothing was mentioned about securing the data. I have a fitbit and I already knew that the data is transferred clear text and stored in the cloud. Also that even with my privacy settings set to "me only" for a particular field, that data is still transferred to other organizations who are allowed to sync my data. I think the "allow this company to sync" should be seen at a "friend" level of privacy not a "me" level of see everything. Nothing was mentioned about privacy settings, authentication to get data, or securing the transport of the data. The UC Berkeley professor discussed the challenges of developing wearable technologies for the elderly. Again, interesting research but nothing about privacy or security was mentioned.

The third and fourth presentations got a bit more on topic.
The professor from the University of Illinois at Urbana-Champaign commented on a review of Android apps: 63.6% of mHealth apps are sending data over the internet in plaintext and 81.8% are using 3rd party storage and hosting such as AWS. I almost tuned the whole thing out when she started with "BOYD is coming". News flash: its been an issue for years now! As solutions, she did offer some examples:
"consider auditing" - mAuditor
"consider secure storage" - datalocker
"consider authentication" - lighttouch
"consider secure data collection and transmission" - selinda

The representative from Epic discussed a few issues using EHRs to store and access data:
Problem: Transfer of data: each EHR is separate database. There is a need for more standards concerning sharing the data. Some are: HL7, HealthIT.gov, and FHIR. FHIR is new, uses REST API.
Problem: Proving identity. Some possible starting points are perapp, OpenID, oauth, healthkit
Problem: The firehose of data. How do we make it pretty with quick access for the 7 minutes Dr visit.
Problem: Who cares? A Dr needs data from the less healthy not the healthy tech runner with a fitbit. How do we get information from the right person(s)?
Problem: Legal issues. Current laws require holding all data that is collected. This can be expensive on the storage side unless there is enough value from the data and/or a change in rules that allow for disposing of certain data sets - such as historic fitbit raw data on a healthy individual.

-SML

No comments: