Multi-Factor Biometrics for Enhanced User Authentication in an E-Health System, Ghana

Download Article

DOI: 10.21522/TIJMG.2015.06.02.Art004

Authors : Lazarus Kwao, Richard Millham, David Oppong, Wisdom Xornam Ativi

Abstract:

For most existing computer systems, once the user’s identity is verified at login, the system resources are available to that user until he/she exits the system. In high-risk environments such as healthcare or where the cost of unauthorized use of a computer is high, a dynamic check of the user’s identity is extremely important. This study evaluated the feasibility of multifactor authentication with biometrics, incorporating both traditional and the time dynamics-based techniques of keystrokes (behavioural) and fingerprint swipes (user’s physical characteristics), for adoption into an eHealth system (DHIMS 2). The results indicate that individual authentication by Keystroke and Fingerprint dynamics yields acceptable results. However, when combined with the traditional methods of authentication, extremely high security is obtained than could be obtained by each paradigm acting independently. Hence, it is concluded that combining Keystroke and fingerprint dynamics with traditional authentication procedures into an eHealth system (DHIMS 2) will yield a system with improved account security and integrity of health information.

References:

[1]. Abdullah, M. D., Abdullah, A. H., Ithnin, N., & Mammi, H. K. (2008). Towards identifying usability and security features of graphical password in knowledge-based authentication technique. In Modeling & Simulation (pp. 396-403). Asia: AICMS 08.
[2]. Abomhara, M., Gerdes, M., & Køien, G. M. (2015). A stride-based threat model for telehealth systems. Norsk informasjonssikkerhetskonferanse (NISK), 8(1), 82-96.
[3]. Adaletey, D. L., Poppe, O., & Braa, J. (2013). Cloud computing for development—Improving the health information system in Ghana. In 2013 IST-Africa Conference & Exhibition (pp. 1-9). IEEE.
[4]. Alsultan, A., & Warwick, K. (2013). Keystroke dynamics authentication: a survey of free-text methods. International Journal of Computer Science Issues (IJCSI), 10(4), 1.
[5]. Anwar, S., Zain, J. M., Zolkipli, M. F., Inayat, Z., Jabir, A. N., & Odili, J. B. (2015). Response option for attacks detected by intrusion detection system. In Software Engineering and Computer Systems (ICSECS), 2015 4th International Conference, (pp. 195-200).
[6]. AuthenticationWorld.com. (2015, 02 02). Password Authentication. Retrieved from Password Authentication: http://authenticationworld.com/Password-Authentication/index.html
[7]. Awoonor-Williams, J. K., Bawah, A. A., Nyonator, F. K., Asuru, R., Oduro, A., Ofosu, A., & Phillips, J. F. (2013). The Ghana essential health interventions program: a plausibility trial of the impact of health systems strengthening on maternal & child survival. BMC health services research, 13(2), S3.
[8]. Bath, P. A. (2008). Health informatics: current issues and challenges. Journal of Information Science, 34, 501-518.
[9]. Ben-Assuli, O. (2015). Electronic health records, adoption, quality of care, legal and privacy issues and their implementation in emergency departments. Health Policy, 119(3), 287-297.
[10]. Bhardwaj, I., Londhe, N. D., & Kopparapu, S. K. (2016). A novel behavioural biometric technique for robust user authentication. IETE Technical Review.
[11]. Black, T. R. (1999). Doing quantitative research in the social sciences: An integrated approach to research design, measurement and statistics. Sage.
[12]. Bonneau, J., Herley, C., Van Oorschot, P., & Stajano, F. (2015). Passwords and the evolution of imperfect authentication. Commun. ACM, 58, 78–87.
[13]. Boujettif, M., & Wang, Y. (2010). Constructivist approach to information security awareness in the Middle East. In 2010 International Conference on Broadband, Wireless Computing, Communication and Applications (pp. 192-199). IEEE.
[14]. Brady, J. W. (2011). Securing health care: Assessing factors that affect HIPAA security compliance in academic medical centers. In System Sciences (HICSS), 2011 44th Hawaii International Conference (pp. 1-10). IEEE.
[15]. Carstens, D. S., McCauley-Bell, P. R., Malone, L. C., & DeMara, R. F. (2004). Evaluation of the human impact of password authentication practices on information security.
[16]. Coley, S. C., Kenderdine, J. E., Piper, L., & Martin, R. A. (2015). Use of Password System for Primary Authentication. In CWE Version 2.9 (p. 601).
[17]. Dasgupta, D., Roy, A., & Nag, A. (2017). Advances in User Authentication. Springer International Publishing.
[18]. Dehnavieh, R., Haghdoost, A., Khosravi, A., Hoseinabadi, F., Rahimi, H., Poursheikhali, A., & Radmerikhi, S. (2019). A literature review and meta-synthesis of its strengths and operational challenges based on the experiences of 11 countries. Health Information Management Journal, 48(2), 62-75.
[19]. DHIS 2 Documentation. (2016, June). DHIS 2 User Manual. Retrieved from DHIS 2 User Manual: https://docs.dhis2.org/2.22/en/user/html/dhis2_user_manual_en_full.html#d5e157
[20]. DHIS2 Documentation Team. (2012). Rolling Out A Nationwide Web-Based District Health Information System, DHIMS2- The Ghana Experience. Retrieved from dhis2.org/doc/snapshot/en/implementer/dhis2.
[21]. Dinev, T., Albano, V., Xu, H., D’Atri, A., & & Hart, P. (2016). Individuals’ attitudes towards electronic health records: A privacy calculus perspective. In Advances in healthcare informatics and analytics (pp. 19-50). Springer, Cham.
[22]. Dinker, A. G., Sharma, V., Mansi, & Singh, N. (2018). Multilevel authentication scheme for security critical networks. Journal of Information and Optimization Sciences, 39(1), 357-367.
[23]. Erlich, Z., & Zviran, M. (2009). Authentication methods for computer systems security. In Encyclopedia of Information Science and Technology, Second Edition. IGI Global, 288-293.
[24]. FERREIRAabd, A., Ricardo, C. C., Antunes, L., & Chadwick, D. (2007). Access Control: how can it improve patients’ healthcare? Medical and care compunetics, 4(4), 65.
[25]. Frank, M., Biedert, R., Ma, E., Martinovic, I., & Song, D. (2013). Touchalytics: On the applicability of touchscreen input as a behavioral biometric for continuous authentication. IEEE Trans. Inf. Forensics Secur, 8, 136–148.
[26]. Gathogo, J. K. (2014). A model for post-implementation evaluation of health information systems: The case of the DHIS 2 in Kenya (Doctoral dissertation). Nairobi: University of Nairobi.
[27]. Gebrie, M. T., & Abie, H. (2017). Risk-based adaptive authentication for internet of things in smart home eHealth. In Proceedings of the 11th European Conference on Software Architecture (pp. 102-108). Companion Proceedings ACM.
[28]. Harris, J. (2016). Multi-Factor Authentication Gains Traction in Healthcare. SIGNiX.
[29]. Hevner, A., & Chatterjee, S. (2010). Design research in information systems: theory and practice. Springer Science & Business Media.
[30]. Iakovidis, I. (1998). Towards personal health record: current situation, obstacles and trends in implementation of electronic healthcare record in Europe1. International journal of medical informatics, 52(1-3), 105-115.
[31]. Karnan, M., Akila, M., & Krishnaraj, N. (2011). Biometric personal authentication using keystroke dynamics: A review. Applied Soft Computing, 11(2), 1565-1573.
[32]. Karuri, J., Waiganjo, P., Daniel, O. R., & Manya, A. (2014). DHIS2: The tool to improve health data demand and use in Kenya. Journal of Health Informatics in Developing Countries, 8(1).
[33]. Killourhy, K. S., & Maxion, R. A. (2009). Comparing anomaly-detection algorithms for keystroke dynamics. In 2009 IEEE/IFIP International Conference on Dependable Systems & Networks (pp. 125-134). IEEE.
[34]. Kotani, K., & Horii, K. (2005). Evaluation on a keystroke authentication system by keying force incorporated with temporal characteristics of keystroke dynamics. Behaviour & Information Technology, 24(4), 289-302.
[35]. Kreicberge, L. (2010). Internal threat to information security countermeasures and human factor with SME. Business Aministration and Social Sciences, Lulea University of Technology, 1-66.
[36]. Kuechler, W., & Vaishnavi, V. (2012). A framework for theory development in design science research: multiple perspectives. Journal of the Association for Information systems, 13(6), 395.
[37]. Li, Y., Wang, H., & Sun, K. (2016). A study of personal information in human-chosen passwords and its security implications. In INFOCOM 2016-The 35th Annual IEEE International Conference on Computer Communications (pp. 1-9). IEEE.
[38]. Manya, A. B., Øverland, L. H., Titlestad, O. H., Mumo, J., & Nzioka, C. (2012). National roll out of District Health Information Software (DHIS 2) in Kenya, 2011–Central server and Cloud based infrastructure. In IST-Africa 2012 Conference Proceedings (Vol. 5). IIMC International Information Management Corporation.
[39]. March, S. T., & Smith, G. F. (1995). Design and natural science research on information technology. Decision support systems, 15(4), 251-266.
[40]. Miller, R. H., & Sim, I. (2004). Physicians’ use of electronic medical records: barriers and solutions. Health affairs, 23(2), 116-126.
[41]. Missaoui, C., Bachouch, S., Abdelkader, I., & Trabelsi, S. (2018). Who Is Reusing Stolen Passwords? An Empirical Study on Stolen Passwords and Countermeasures. In International Symposium on Cyberspace Safety and Security (pp. 3-17). Springer, Cham.
[42]. Montalvão, J., Freire, E. O., Bezerra Jr, M. A., & Garcia, R. (. (2015). Contributions to empirical analysis of keystroke dynamics in passwords. Pattern Recognition Letters, 52, 80-86.
[43]. Nyonator, F., Ofosu, A., & & Osei, D. (2013). District Health Information Management System DHIMS II: The Data Challenge for Ghana Health Service. Retrieved from NetHope Solutions Center Case Studies: https://solutionscenter.nethope.org/assets/collaterals/dhims2_crs_presentation.ppt
[44]. Obaidat, M. S., & Sadoun, B. (1997). Verification of computer users using keystroke dynamics. IEEE Transactions on Systems, Man, and Cybernetics, Part B (Cybernetics), 27(2), 261-269.
[45]. Ozair, F. F., Jamshed, N., Sharma, A., & Aggarwal. (2015). Ethical issues in electronic health records: a general overview. Perspectives in clinical research, 6(2), 73.
[46]. Peffers, K., Tuunanen, T., Rothenberger, M. A., & Chatterjee, S. (2007). A design science research methodology for information systems research. Journal of management information systems, 24(3), 45-77.
[47]. Pinkas, B., & Sander, T. (2002). Securing passwords against dictionary attacks. In Proceedings of the 9th ACM conference on Computer and communications security (pp. 161-170). ACM.
[48]. Poppe, O. (2012). Health Information Systems in West Africa: Implementing DHIS2 in Ghana (Master's thesis). Accra, Ghana: UNIVERSITY OF OSLO.
[49]. Prabhakar, S., Pankanti, S., & Jain, A. K. (2003). Biometric recognition: Security and privacy concerns. IEEE security & privacy,, (2), 33-42.
[50]. Rajamäki, J., & Pirinen, R. (2017). Towards the cyber security paradigm of ehealth: Resilience and design aspects. In AIP Conference Proceedings (Vol. 1836, No. 1) (p. 020029). AIP Publishing.
[51]. Rindfleisch, T. C. (1997). Privacy, information technology, and health care. Communications of the ACM, 40(8), 92-100.
[52]. Shen, C., Yu, T., Xu, H., Yang, G., & Guan, X. (2016). User practice in password security: An empirical study of real-life passwords in the wild. Computers & Security, 61, 130-141.
[53]. Stamatian, F., Baba, C. O., & Timofe, M. P. (2013). Barriers in the implementation of health information systems: a scoping review. Transylvanian Review of Administrative Sciences, 9(SI), 156-173.
[54]. Wang, D., & Wang, P. (2015). Offline dictionary attack on password authentication schemes using smart cards. In Information Security; Springer, (pp. 221–237). Berlin, Germany.
[55]. Wash, R., Rader, E., Berman, R., & Wellmer, Z. (2016). Understanding password choices: How frequently entered passwords are re-used across websites. In Symposium on Usable Privacy and Security (SOUPS), (pp. 175-188).
[56]. Wood, C. C., & Banks Jr, W. W. (1993). Human error: an overlooked but significant information security problem. Computers & Security, 12(1), 51-60.
[57]. Yu, E., & Cho, S. (2003). Novelty detection approach for keystroke dynamics identity verification. In International conference on intelligent data engineering and automated learning (pp. 1016-1023). Berlin, Heidelberg: Springer.
[58]. Yu, E., & Cho, S. (2004). Keystroke dynamics identity verification—its problems and practical solutions. Computers & Security, 23(5), 428-440.
[59]. Zaeem, R. N., Manoharan, M., Yang, Y., & Barber, K. S. (2017). Modeling and analysis of identity threat behaviors through text mining of identity theft stories. Computers & Security, 65, 50-63.
[60]. Zheng, Z., Liu, X., Yin, L., & Liu, Z. (2009). A stroke-based textual password authentication scheme. In Education Technology and Computer Science, (pp. 90-95).