Re-Identifying People Through Wearable Health Data And Machine Learning

Submitted by Style Pass, 2021-06-23 10:00:09

A new type of privacy attack based on wearable health data has been identified by researchers from the University of Massachusetts Lowell. Person Re-identification Attack (PRI-Attack) uses HIPAA-compliant, publicly available data from health wearables to establish the identity of individuals from heart rate, breathing and hand gesticulation data, among others.

The vulnerability is made possible in the US by the fact that the Health Insurance Portability and Accountability Act (HIPAA), while requiring that medical data remain anonymous, does not consider raw sensor data, such as skin temperature and accelerometer (ACC) data, to be privacy-sensitive. It therefore does not require that publicly shared data of this type be encrypted or subject to the same general protections it affords to traditional forms of patient data, such as health records.

A PRI-Attack uses interpreted image data to discern common patterns that correlate to other types of health data. A person’s skin response, for instance, can be evaluated from video (photoplethysmography), and correlated to what ought to be completely anonymous vector information from health-monitoring devices such as wearable watches, and other kinds of monitoring apparatus. Photoplethysmography yields heart-rate data, which can be paired up with non-identified wearable cardiac data.
