Field of Invention
The present invention relates to an integration of capabilities associated with certain specialized software for mediation, biometric abstraction processes, and wireless communications to produce a unified result set.
The invented methods use mediation software to produce a unified result set (“result set” or “result”) by utilizing a registrant's transformed biometric data to advance query resolution, upon remote request from an application, other than one operated by the registrant, which privately seeks the registrant's personal data. Mediation integrates a number of layers of computer and network technology to transform and find data by applying knowledge about resources, search strategies, or requirements for usage. By using data communications over one or more networks that at least partly include a wireless network, a method of mediation enables a qualified requester, described hereafter as an Emergency Medical Responder or Requester (“EMR”), to request to (a) identify otherwise unidentifiable persons, or (b) verify the identity of persons to find personal information. Processing a query may be conducted for identification or verification as separate operations, as needed, or may be performed by messaging that consolidates into one operation the processes for identification and verification. In all events, such query processing may be referred to as resolution. Security may include, without limitation, secure end-to-end transmission of personal data, even over wireless facilities, under conventional practices or standards. Results or outputs may refer to personal information or data that may comprise either “profiles” that summarize registrant data, personal health records (PHRs), “in case of emergency” data, advanced directives, digital signatures, other content, or data used to retrieve information specific to a registrant. Preferably, each registrant may modify privacy rules and audit each request, access, and resolution to confirm adherence to privacy rules, as needed.
Description of Related Art
1. Biometric Character Data (“BCD”)
There are many different conventional biometric-based solutions. Some are based on matching, at the point of transaction, the information obtained by the scan of a “live” biometric sample to a pre-stored, static “match template” created when the registrant originally registered data or stored files. Some of these processes or systems simply store raw biometric sample files. This poses privacy risks associated with storage or access of both the biometric data and the content files. Others refrain from using the raw biometric samples, but rely upon some transformation or abstraction of the raw biometric data instead. Those that employ approaches that prevent reconstruction of raw biometric data are generally preferable to those that do not do so. For example, some biometric solution providers use biometric data to generate data that helps descramble an encrypted code to produce a key, often in the form of an alphanumeric string. Still other biometric solutions often use other approaches to abstract raw biometric data irreversibly, especially to advance more stringent security or privacy goals.
Physical features, such as thumbprints, fingerprints, iris, retina, hand configuration, vascular patterns, genetic or genomic data like DNA or RNA (i.e. profiling, markers, samples, etc.), or behavioral features, such as signature, voice, gait, or keystroke, must fulfill certain criteria to qualify for use in biometric-aided identification. They must be unique, universal, acceptable, collectable, and convenient to the person, in addition to demonstrating reliability for identification, resolution, or anti-circumvention. Most commonly, however, permanence is a key feature for biometrics. The biometric character data (hereinafter generally “BCD”) typically must retain all the above features, and in particular the uniqueness, either unchanged or acceptably changed, over the lifetime of the individual.
By reusing existing technologies in new combinations, generic content delivery enablers or intermediaries should be capable of delivering content of any kind, where only the service or content metadata is used directly by enabling entities, so that delivered content, until reaching an intended recipient, may remain undisclosed, encrypted, or opaquely packaged, through the operator of the database or enabler. Computer server systems deployed to deliver content may limit access by requiring a key. The BCD may be used as a link to a key, a Unique Patient Identifier (UPI) or translated into a unique uniform identifier (UUID) code, an alphanumeric string (“string”), or a similar code (collectively hereafter “registrant-specific identifier” or RSI). RSIs may comprise digital or binary data. The key or other indicator may signify either an access right or non-repudiation of the request by, or on behalf of, a registrant, or both. To reduce risks that personalized identifiers may be copied, spoofed, impersonated, compromised, or pirated by unauthorized parties, many have introduced cancelable biometric or other abstraction techniques to blend the attributes of biometrics with the cancellation and replacement properties of often less robust passwords or PIN numbers. Some related, but often distinguished, configurations may use biometric encryption (BE) techniques. See, e.g., A. G. J. Teoh and T. S. Ong, Secure Biometric Template Protection via Randomized Dynamic Quantization Transformation, Biometric and Security Technologies, April 2008, ISBAST (“BE has been reported by several groups of researchers with different names such as private template, BioCrypt, fuzzy commitment, fuzzy vault, BioHashing, and helper data.” (citations omitted)). [Teoh & Ong Article]
BE techniques, cancellation biometric (CB), and many newer abstraction techniques, often replace vulnerable passcodes like passwords subject to dictionary attacks, without storing biometric samples. These biometric techniques commonly rely upon biometric abstraction models, but also usually entail an enrollment phase and a verification phase. See, e.g., C. Soutar, D. Roberge, A. Stoianov, R. Gilroy, and B. V. K. Vijaya Kumar, Biometric Encryption™, ICSA Guide to Cryptography, at Chapter 22 (McGraw-Hill 1999). BE typically entails enrolling a person using biometric data to generate an identification code and a personal biometric encryption template that can be used with a live biometric sample to reproduce the identification code, even though tools for precisely replicating BCD, like fingerprints, etc., are inexact. The verifying data captured from a finger pattern or other BCD, however, may be used with increasing reliability to unscramble an alphanumeric string to release a key.
Focusing on fingerprints momentarily, by way of example, the key, or BCD-deciphered string, cannot be recovered without the finger pattern. Since the key is decoded by a finger pattern, the unscrambling template does not have to be encrypted or kept secret in order that the key is kept secure. The key can only be descrambled by placing the correct live finger pattern with the template, such as by using the biometric sensor, like one communicably connected to a medium, database, or repository, with access to the scrambled data. The operation of successfully descrambling releases the key, typically a string of alphanumerics. The key can thereafter be used so as to verify a person's identity (i.e., upon producing a string, reproducing a private key, resolving a query with data of a key, allowing access, or generating a result set, etc.), or so as to access personal data, whether in an encrypted form or not. Hereafter “biometric” and “BCD” shall be used to encompass, without limitation, cancelable biometric (CB) techniques, or biometric encryption (BE) technologies, or one or more other biometric abstraction models as needed. BCD measurements often use statistical, averaging, or other image analysis techniques to produce accurate associations and reliable matching results.
2. Most Common Biometric Applications are Based Upon an Identity of Interest in Both Personal Control and Access to Protect Privacy Rights
Most transactional applications of biometrics have been designed for personal use only. These methods, which protect some privacy interests, have envisioned an individual actively controlling the submission of his BCD to a database with a “match template” to ensure his proper identity, or verify it, to allow him to authorize a transaction or complete another operation (i.e. entry, access, upload, download, execute, request, response, etc.). Data storage may be configured using one or more information storage units, databases, registries, repositories, and archives, network channels, as well as other techniques (hereafter collectively “databases”).
Some mobile phones and laptops were equipped with sensor plates for fingerprint extraction and transmission to remote databases by the late 1990s. Similar devices continue today to support Near Field Communications and often to leverage a person's control over his BCD in electronic payment transactions. In these contexts, there is almost always an “identity of interest” between the individual who seeks to submit or use his “live” BCD, and the same individual who thereby seeks to gain access or authorization upon matching the live data extracted with a stored template.
More generally, BCD processing or matching, typically by an unattended or attended server computer system, may advance either identification (one of many, 1:N) or verification (one of one, 1:1) (hereinafter collectively “query resolution” or just “resolution”). Resolution, as used herein, may accordingly encompass identification or verification, or both, usually through data processing, transmission, or mediation. Often such resolution techniques are applied to support methods that associate, find, match, access, or retrieve an individual's data. Sometimes they are applied to transfer data subject to encryption, for instance, using cryptographic keys. Many rely upon public key, symmetric key, asymmetric key, or other secure management processing of, or retrieval of, confidential data, private content, PINs, or crypto-keys, etc.
a. Government Security Applications as a Broad Exception
Other applications that depart from the paradigm of self-controlled use of one's own BCD, based upon the “identity of interest” premise, have recently evolved rapidly for government security, customs, or border control. These spin-off applications have expanded mainly in the sphere of certain security measures. The U.S. and other governments have deployed biometric applications to ensure security from airports to immigration, criminal matters to terrorist exclusion, in a manner where agencies demand or require an individual to relinquish control over the use of their own BCD, particularly for limited purposes or contexts.
b. Employers' Reliance on Biometrics for Security is Another Growing Exception
Another exception to the private individual control rule has expanded in private employer-employee relations. Until the U.S. instituted its US VISIT program, the Walt Disney Company was reputed to operate one of the largest and most pervasive systems to secure access to its facilities solely to its employees, who had relinquished control to their employer. Conventional biometric applications intrinsically teach away from reliance upon others, aside from exceptional ones sponsored by public agencies and employers. Other third-party applications have been sharply criticized for overreaching and breaching privacy rights.
In the health field, the sharing of simple personal, but non-biometric, information has typically required prior clearance by an express waiver from a patient, with few variances. In the wake of laws like the Health Insurance Portability and Accountability Act (HIPAA), biometric applications that share data without securing a waiver from a person are often unpopular, unduly risky, or sharply criticized, if not unlawful. Still others have witnessed the upward spiral of victims of medical identity theft. This often includes impersonations to attain insurance by persons not insured, where culprits have attained medical services unlawfully, or, for instance, fraudulently, by using the private personal health information of others improperly. The FTC's 2006 Identity Theft Survey Report indicates the number of incidents reached nearly 250,000 in 2005. When hospitals use biometrics of patients who are provided health care under an agreement with the hospital, the hospital often acts as a proxy for the biometrically registered patient so as to extend the basic “identity of interest” paradigm to approve certain known and trusted medical service providers, acting on the behalf of the patient with the latter's consent.
3. Conventional Identification Methods Using Emergency Health Cards
Without elaborate technical requirements, the Red Cross offers guidance for creating an emergency health card. To customize a card, it suggests “[a]n emergency health information card communicates to rescuers what they need to know about you if they find you unconscious or incoherent, or, if they need to quickly help evacuate you. An emergency health information card should contain information about medications, equipment you use, allergies and sensitivities, communications difficulties you may have, preferred treatment and treatment-medical providers, and important contact people.” It suggests that people make multiple copies of the card and place them in places including behind the driver's license or primary identification card. On the front of the card, the Red Cross' suggestion adds, put items like name, street address, city, state, zip, phone (home, work), fax no., birthdate, blood type, social security number, health insurance carrier and individual and group number, physician's contact info, and on the back note your emergency contacts, conditions, disability, medication, assistance needed, allergies, and immunization dates. This kind of card stores a set of data often dubbed “In Case of Emergency” data (“ICE data”).
a. Universal MRA™
Similarly, some private, tax-exempt, or non-profit organizations, like Yellow Courtyard, offer expanded systems like Universal MRA™ (Medical Records Access). The latter deploys a:
“secure database (within multiple physical locations) allowing for universal access of medical records to both Explorers [members] and their authorized health care providers. With the Explorer's discretionary consent, any medical/healthcare practitioners within the Yellow Courtyard Network, or outside, will be able to review these records, allowing for true continuity of care and efficiency of collaborations. Explorers will be given a wallet-sized ID card, with access instructions for emergency medical providers offering restricted access to relevant medical information should the Explorers be unable to communicate in case of accident or disaster.”
This kind of system also stores “ICE data”, like that suggested by the Red Cross, but, like others of its ilk, presupposes that a member can invariably retain and present his or her card. Sometimes, as during trauma or mass casualties, however, a member may be unable to do so.
b. “Mobile Phone ICE”
Several variations on this approach have emerged with renewed energy since a British paramedic, Bob Brotchie, began promoting one program called “In Case of Emergency”, or ICE, in May 2005. ICE encourages people to enter emergency contacts in their cell phone address book under the name “ICE.” Brotchie, when interviewed on Jul. 12, 2005, explained:
“I was reflecting on some difficult calls I've attended, where people were unable to speak to me through injury or illness and we were unable to find out who they were. I discovered that many people, obviously, carry mobile phones and we were using them to discover who they were. It occurred to me that if we had a uniform approach to searching inside a mobile phone for an emergency contact then that would make it easier for everyone.” BBC Radio 4 Today Programme.
The idea of ICE is that everyone should put an emergency contact name and number into their mobile phone under the headword “ICE.” It expanded with the distribution of a “sticker” applied to convey an alert to EMRs. Still others have issued other tangible cards in an attempt to consolidate material health data or records that had not been centralized or normalized across formats for rapid access.
c. PersonalMD Emergency Cards
Cerner, for instance, is a company that sponsors a fee-based service called PersonalMD. PersonalMD promises to “enable you to manage all your medical and health records in one convenient, secure site.” Moreover, Cerner's FirstNet offering reportedly leverages an “Electronic Medical Record” that attempts to integrate multiple records (i.e. from doctors, hospitals, laboratories, radiology, and pharmacy, etc.) into a single data repository to reduce the risk of medical errors. Cerner's suite of offerings provides clinicians with one source for obtaining vital patient information, such as allergies, medication administration records, and past medical history. In addition, it asserts that embedded data from “our network of partners help support the clinical decision making process.” Its PersonalMD Emergency Card, it claims, “serves as the vital link between our online record and medical professionals around the world. Your card includes your name and how to gain access to specifically marked ‘emergency information’” when you are unable to do so yourself.
4. “Unique Patient Identifiers” (UPI), Smart Cards, and Implantable Chips
Several organizations have sought to develop an array of new systems or stop-gap measures after the events of Sep. 11, 2001, when New York firemen were writing their badge ID numbers on their chests in case they were found injured or unconscious. As in New York, FEMA and other rescuers in New Orleans were also at a loss to help identify scores of victims during Hurricane Katrina relief efforts. FEMA had insufficient safeguards in place to identify the wounded, unconscious, or disoriented. FEMA could not identify individuals’ emergency health data in a timely manner to minimize the human suffering, even if DoD workers did attend to 700 victims within the first 24 hours. It was evident again that emergencies do not always neatly leave victims with their voices, faculties, ID cards, wallets, HMO cards, cell phones, or driver's licenses intact to allow prompt identification. Moreover, over 25 million Americans do not even carry ID. Accordingly, there remains a critical need for better, faster personal identification and access to each individual victim's personal health information in urgent care or emergency situations.
Many of the next generation services were based upon such devices for those like security guards, without such risks of acute prior conditions, but who mainly consider themselves at risk of some accident or injury. These offered a bit of transient hope for them too on the job, but were suboptimal in practice since they required one or more layers of unnecessary hardware, software, easily lost cards, or managed services lacking in privacy or dependability.
In the private sector, some commercial services were introduced to save mainly high-risk subscribers' lives through personal identification devices, or tangible accoutrements, like ones for carrying an identification card with embedded tags, wearing medical bracelets with either GSM location capabilities or alert monitors for vital data, attaching alert systems to wallets or mobile phones, or using an implantable microchip, that providers claimed could make a difference and reduce the risk of protracted and dangerous personal identification lags. Some distress alert mechanisms have shown benefits in limited recent trials for diabetic patients. Beyond these trials, others too have promoted implantables, especially when no better alternatives existed. Many others, however, decline to use anything so invasive or tangible.
One private solution provider aptly quotes an emergency medicine physician who described the hurdles that are not uncommon:
“Trying to identify unidentified patients is torture—you go through pockets, computer records, and make phone calls. It can take well over an hour. A good medical history would really expedite care.”
Joseph Feldman, MD, Chairman, Emergency Medicine, Hackensack University Medical Center
Paramedics in metropolitan areas like Santa Monica, Calif., often estimate that this persistent, and sometimes severe, problem arises in nearly one-eighth of their emergency responses daily, and even without any mass casualties.
5. Biometric Abstraction Approaches and Privacy Optimization Techniques
Several biometric abstraction models are more promising because they irreversibly decouple the raw biometric data sets from their powerful properties that advance individual recognition. Some biometric-based solutions may be used as building blocks across many health and non-health applications alike. Some may rely upon BCD transformations, such as biometric cancellation solutions, or biometric encryption approaches, or other programs (See e.g. Dr. George J. Tomko, Biometric Encryption—New Developments in Biometrics, 18th International Privacy and Data Protection Conference (Sep. 19, 1996), on file with the Office of Privacy Commissioner of Canada.) Some solutions to safeguard sensitive information use either key management techniques, BCD-alphanumeric string translations, dynamically selected algorithms, bioscripts, fuzzy vault technology, image abstraction, data transformation, or other biometrics-aided techniques. Many developers of these biometric recognition advances underscore that the storage of a “biometric template” poses far higher security risks than storing of “biometric encryption templates”, for instance, that cannot expose raw biometric images or samples. The former can become vulnerable to exposing raw biometric images or samples, especially when centrally stored.
6. Biometric Encryption (BE)
In recent Congressional testimony, Peter Swire, a former leading GAO privacy official and professor, observed that progress has been made since Dr. Tomko's earlier work on biometric encryption (BE), and Professor Swire explained:
“Fortunately, slightly more sophisticated biometric technology can greatly reduce these identity theft and other privacy risks. Ann Cavoukian, the Privacy Commissioner for Ontario, has been a global leader in promoting what is called “biometric encryption.” With biometrics expert Alex Stoianov, she has published: “Biometric Encryption: A Positive-Sum Technology that Achieves Strong Authentication, Security AND Privacy.” [(March 2007) [“Cavoukian Paper”], . . . . ] As explained by a prominent biometrics researcher:
‘In Biometric Encryption, you can use the biometric to encrypt a PIN, a password, or an alphanumeric string, for numerous applications—to gain access to computers, bank machines, to enter buildings, etc. The PINS can be 100s of digits in length; the length doesn't matter because you don't need to remember it. And most importantly, all one has to store in a database is the biometrically encrypted PIN or password, not the biometric template.’ [Id. at 16 (quoting Dr. George Tomko).]
The privacy and security advantages of this approach are large. The system owner, such as an employer, gains the advantages of traditional biometrics approaches, such as being confident that only the correct person can gain access. For the individual, there is the large privacy advantage that a breach by the system owner will not compromise the fingerprint or other biometric. Only that one PIN is lost, and the individual can generate a new PIN/password using the same fingerprint or other biometric. In the long run, systems owners also benefit, because this approach is much less likely to be based on a compromised fingerprint than under the current, flawed approach.
After careful review of the technical and policy literature, Cavoukian and Stoianov highlighted six advantages of the biometric encryption approach:
1. NO retention of the biometric image or template
2. Multiple/cancellable/revocable identifiers
3. Improved authentication security: stronger binding of user biometric and identifier
4. Improved security of personal data and communications
5. Greater public confidence, acceptance, and use; greater compliance with privacy laws
6. Suitable for large-scale applications
In terms of legislative action, this Committee should support a careful federal examination of this promising approach, which appears likely to be better from both a privacy and a security perspective.”
Some approaches under the rubric of Biometric Encryption, it is worth digressing, have been developed to extend certain authentication processes, including Public Key Encryption or other security conventions. For database access, conventional systems often issue authentication assertions. Some developers of computing domains avoided complexities introduced by the advent of mobility networks by basing a requester's eligibility for authentication on conventional techniques, while relying on access for data communications solely over landline networks (i.e. these techniques may include two-stage authentication, public key management, pretty good privacy (PGP), OpenPGP, GnuPG, public key infrastructure (PKI), etc.). PKI, for instance, unlike public key encryption between two parties, typically relies upon a trusted third party (TTP) (i.e. such as a certificate authority (CA), trusted authority, etc.). The TTP has the ability to match a registrant's identity from either a PIN or another registrant-specific identifier from transformed biometric data, or some abstraction thereof, or associated metadata with that stored by a registration authority (RA), and to issue an identity certificate. These other deployments may include ones that apply biometric encryption (BE), as discussed below, so as to enable a requester acting to retrieve a registrant's private data, by descrambling a registrant's PIN accessible at runtime, on the fly, or remotely as needed, through PKI or various other configurations.
Yet, a closer look at the Cavoukian and Stoianov study further illuminates a generalized context for achieving these advantages in various scenarios including ones described in the first two exemplary case studies, as follows:
The Cavoukian Paper illustrates a basic application as follows:
“Case Study #1: Small-scale use of Biometric Encryption
To demonstrate the power of BE, we will briefly present a biometric authentication protocol (remote or local) with third party certification. We use a simplified and reworded description from Boyen's paper on Fuzzy Extractors.1 Suppose that Alice wishes to authenticate herself to Bob using biometrics. Due to privacy concerns, she does not wish to reveal any biometric information to Bob. Conversely, for the authentication to be meaningful, Bob wants some assurance that Alice is in fact in possession of her purported biometrics at the time the authentication is taking place (i.e., that no one is impersonating her). We assume that there is a third party (often called the Trusted Authority), Trent, whom Bob trusts to honestly certify Alice's biometrics, and to whom Alice will temporarily grant access to her biometrics for the purpose of generating such a certificate. Alice will want to be able to obtain as many or as few of those certificates as she wants, and to reuse as many of them with multiple Bobs, some of whom may be even dishonest, without fear of privacy leaks or risk of impersonation. The protocol is as follows:
Enrollment and certification: Under Trent's supervision, and using Alice's own biometric:
1. Alice creates a Biometric Encryption template from her biometric and a randomly selected PIN. Neither the biometric nor the PIN can be recovered from the template;
2. The PIN is used to generate a pair of keys called public and private keys;
3. The biometric, the PIN, and the private key are discarded;
4. If Trent is satisfied that Alice has executed the steps honestly, he certifies the binding between Alice's name and the public key, i.e., he digitally signs the pair [“Alice,” public key]. At this point, Alice may send the public key to Bob, or even publish it for all to see.
Verification: A challenge/response scheme is used to verify Alice:
1. At any time when appropriate (e.g. whenever Alice desires to authenticate herself to Bob), Bob sends Alice a fresh random challenge;
2. By obtaining her new biometric sample and applying it to her Biometric Encryption template, Alice recovers on-the-fly her PIN, which, in turn, regenerates her private key;
3. Alice signs the challenge with her private key and gives Bob the signature;
4. Bob authenticates Alice by checking the validity of the signature under her authentic public key.
The protocol does not require Alice to remember or store her PIN or her private key.
The Biometric Encryption template may be stored on a smart card or in Alice's laptop that also has a biometric sensor . . . . The system based on digital signatures may be adopted both for a remote and local access. The important point is that the most critical part of any cryptosystem, the PIN (or a password), is securely bound to the biometrics.
. . . Neither Alice's biometric nor her PIN are stored or revealed. As a result, the system is both secure and highly privacy protective.2
1 X. Boyen, “Reusable cryptographic fuzzy extractors,” CCS 2004, pp. 82-91, ACM Press. (revised footnote number supplied); also on file with the Stanford Artificial Intelligence Lab. (footnote original).
2 See also, Y. Wang, J. Hu, K. Xi and B. V. K. Vijaya Kumar, “Investigating correlation-based fingerprint authentication schemes for mobile devices using J2ME technology,” IEEE Workshop on Automatic Identification Advanced Technologies, AutoID 2007, Alghero, Italy, 7-8 June; and F. Jan, J. Hu, L. He and Y. Wang, “Generation of reliable PINS from fingerprints,” Security Symposium, IEEE International Conference on Communications (ICC), Glasgow, Scotland, June 2007. (footnote original).
The Cavoukian Paper illustrates another salient example involving medical records, more specifically, as follows:

Case Study #2: Anonymous database; large or medium-scale applications

“Suppose that a clinic, a hospital, or a network of hospitals maintains a database of medical records. Alice does not want her record to be accessed by unauthorized personnel or third parties, even for statistical purposes. For that, her record is made anonymous and encrypted (by conventional means). The only public entry in the database is her personal identifier, which may be her real name or, in certain cases (e.g., a drug addiction clinic), an alias (“Jane Doe”). The link between Alice's identifier and her medical record is controlled by Biometric Encryption: On enrolment, a BE template is created from Alice's biometric and a randomly generated PIN (Alice does not even know the PIN). The PIN is used to generate a pointer to Alice's medical record and a crypto-key that encrypts the record, and also a pair of keys called public and private keys (similar to case study 1). The BE template and the public key are associated with Alice's ID and stored in the database (they can also be stored on Alice's smart card); other temporary data, such as Alice's biometric, the PIN, the private key, the pointer, and the crypto-key, are discarded.

Suppose that Alice visits a doctor, to whom she wants to grant remote access to her medical record, or part of it, if the record is structured. From the doctor's office, Alice makes a request to the database administrator, Bob. The authentication procedure using a challenge/response scheme is similar to that in case study 1:

1. If Alice does not have her smart card with her (e.g., in the case of an emergency), Bob sends Alice's BE template to the doctor's office;
2. Alice applies her new biometric sample to the BE template and recovers on-the-fly her PIN;
3. The PIN is used to regenerate her private key, the pointer to her medical record, and the crypto-key;
4. Bob sends Alice a fresh random challenge;
5. Alice signs the challenge with her private key and gives Bob the signature;
6. Bob authenticates Alice by checking the validity of the signature under her public key;
7. Alice securely sends Bob the pointer to her medical record;
8. Bob recovers Alice's encrypted medical record (or a part of it, also encrypted) and sends it to Alice;
9. Using her crypto-key, which was regenerated from her PIN, Alice decrypts her medical record for the doctor;
10. Alice's biometric, the PIN, the private key, the pointer, and the crypto-key are discarded.

In summary, Bob (the database administrator) has an assurance that Alice is, in fact, who she claims to be (she was able to unlock her BE template in the doctor's office); he is also assured that her medical record was sent to the right person. On the other hand, Alice retains full control over her medical record, so that even Bob (the database administrator) has no access to it, since he does not have the crypto-key to decrypt it. The privacy protection is embedded into the system at a very basic technological level.” Id. at pp. 26-30.
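The ten-step exchange quoted above, simulated end to end as an added example; this is not code from the patent or from the Cavoukian Paper, and every construction in it is an assumption made for illustration. The BE template is a Juels-Wattenberg style fuzzy commitment over a repetition code; the pointer, record key and signing seed are derived from the PIN with an HMAC-based KDF; the record is encrypted with an HMAC-SHA256 keystream standing in for the paper's “conventional means”; and the challenge is signed with a Lamport one-time signature so that Bob holds only a public key. Biometric samples are constructed bit vectors. Python standard library only.

```python
"""Added example (not from the patent or the Cavoukian Paper): Case Study #2 simulated
with stdlib primitives. All parameters, labels and names below are assumptions."""
import hashlib
import hmac
import secrets

PIN_BITS = 32   # length of the random PIN Alice never learns (assumed)
REP = 7         # repetition-code length: majority vote corrects up to 3 flips per PIN bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def kdf(pin: int, label: bytes) -> bytes:
    """Purpose-separated 32-byte secrets derived from the PIN (assumed HMAC-based KDF)."""
    return hmac.new(pin.to_bytes(PIN_BITS // 8, "big"), label, hashlib.sha256).digest()


# --- toy Biometric Encryption template: fuzzy commitment over a repetition code ---
def encode_pin(pin: int) -> list:
    return [(pin >> i) & 1 for i in range(PIN_BITS) for _ in range(REP)]


def decode_pin(code: list) -> int:
    """Majority vote per REP-bit chunk absorbs a few bit flips in the fresh sample."""
    return sum(1 << i for i in range(PIN_BITS)
               if sum(code[i * REP:(i + 1) * REP]) * 2 > REP)


def unlock_pin(template: dict, sample: list):
    """Step 2: fresh biometric bits + template -> PIN, or None if the sample does not fit."""
    pin = decode_pin([t ^ s for t, s in zip(template["locked"], sample)])
    return pin if H(bytes(encode_pin(pin))) == template["check"] else None


# --- Lamport one-time signature: Bob stores only the public half ---
def lamport_keys(seed: bytes):
    sk = [[H(seed + bytes([i, b])) for b in (0, 1)] for i in range(256)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk


def _bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1


def lamport_sign(sk, msg: bytes) -> list:
    d = H(msg)
    return [sk[i][_bit(d, i)] for i in range(256)]


def lamport_verify(pk, msg: bytes, sig: list) -> bool:
    d = H(msg)
    return len(sig) == 256 and all(H(sig[i]) == pk[i][_bit(d, i)] for i in range(256))


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in for 'conventional' record encryption: HMAC-SHA256 keystream, counter mode."""
    out = bytearray()
    for blk in range((len(data) + 31) // 32):
        ks = hmac.new(key, blk.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[blk * 32:(blk + 1) * 32], ks))
    return bytes(out)


def enrol(biometric: list, record: bytes):
    """Enrolment: returns Alice's public database entry and Bob's encrypted store."""
    pin = secrets.randbits(PIN_BITS)
    codeword = encode_pin(pin)
    template = {"locked": [c ^ b for c, b in zip(codeword, biometric)],
                "check": H(bytes(codeword))}
    _, pk = lamport_keys(kdf(pin, b"sign"))
    store = {kdf(pin, b"pointer").hex(): xor_stream(kdf(pin, b"record"), record)}
    # biometric, PIN, private key, pointer and crypto-key are now discarded
    return {"template": template, "pk": pk}, store


def visit(entry: dict, bob_store: dict, sample: list):
    """Steps 1-10 at the doctor's office. Returns the plaintext record, or None."""
    pin = unlock_pin(entry["template"], sample)            # steps 1-2
    if pin is None:
        return None
    sk, _ = lamport_keys(kdf(pin, b"sign"))                # step 3 (private key)
    challenge = secrets.token_bytes(32)                    # step 4 (Bob)
    sig = lamport_sign(sk, challenge)                      # step 5 (Alice)
    if not lamport_verify(entry["pk"], challenge, sig):    # step 6 (Bob)
        return None
    encrypted = bob_store.get(kdf(pin, b"pointer").hex())  # steps 7-8
    if encrypted is None:
        return None
    return xor_stream(kdf(pin, b"record"), encrypted)      # step 9; step 10 on return


def demo():
    """Constructed run: Alice's noisy re-sample succeeds, another person's sample fails."""
    bio = [secrets.randbits(1) for _ in range(PIN_BITS * REP)]
    record = b"Alice: penicillin allergy; advance directive on file"
    entry, store = enrol(bio, record)
    noisy = [b ^ int(i % 10 == 0) for i, b in enumerate(bio)]   # <= 1 flip per chunk
    other = [secrets.randbits(1) for _ in range(PIN_BITS * REP)]
    return visit(entry, store, noisy) == record, visit(entry, store, other) is None
```

Bob's side of `visit` (steps 4, 6 and 8) only ever handles the template, the public key, the challenge, the signature and ciphertext; the PIN, crypto-key and biometric exist only in Alice's process and are dropped on return, which is the property the case study relies on. Two caveats follow from the substitutions: a Lamport key pair must never sign two different challenges, so a deployment that regenerates the same key at every visit needs a reusable scheme (e.g. an ECDSA or Ed25519 key derived from the PIN), and the repetition code tolerates only three flips per PIN bit, whereas real BE uses stronger error-correcting codes over a noisier binarisation of the biometric.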
While the case studies illustrate how biometric encryption and public key management can be complementary and mutually reinforcing when Alice is present before her doctor, they do not adequately suggest or describe how the method may be automated so that software on a server system can advance urgent or emergency medical assistance for her at any place and time when Alice is unidentifiable, as when she is unconscious, incoherent, or disoriented and without her wallet. Specifically, an EMR may seek the support of a service or method that uses software and abstracted biometric data to identify her and obtain her profile, but will find none available, much less one usable as a method of first resort. When someone other than Alice or her primary doctor at her local hospital, such as an EMR, securely seeks her private and protected content on her behalf, that requester should be able to invoke a software method to request it and to resolve Alice's access so as to generate certain data from her profile within authorized privileges, subject to audit under the principle of least privilege, discussed below. As Peter Swire has also noted, limited access should be provisioned so that “[a]ccess to biometric databases should thus be subject to effective audit systems.”
In other words, many of the safeguards or precepts of biometric encryption are necessary but not sufficient, and must be complemented with processes or provisions for mediation on behalf of registrants who need EMR support but are unidentifiable at the crucial time when timely health care is a matter of the greatest gravity. New methods are needed to enable EMRs to make indirect use of a stronger and more secure binding of Alice's biometric and identifier, particularly via data communications over wireless facilities or mobility networks. In 1996, NTIA published a report underscoring that the use of radio spectrum for public safety requires vast improvement, and observed that: “Emergency medical providers desire the ability to transmit images and other vital statistics about the injured from the paramedic unit back to trauma centers or hospitals to aid in diagnosis and pre-arrival treatment.” Final Report of the Public Safety Wireless Advisory Committee to F.C.C. Chairman Reed E. Hundt and NTIA (Sep. 11, 1996) at p. 15. Such health support information technologies must be carefully extended to anticipate the unidentifiable person in distress by combining techniques of biometric transformation, wireless security, encryption, and accounting practices for audit (e.g., AAA best current practices). Multiple capabilities need to be integrated to offer a method or application in the field of remote rapid medical care support services.
6. Undue Complexity of Smart Cards, Mobile Phones, and Distress Alert Devices
Other conventional services rely primarily upon identification or smart cards. However, services using a card in lieu of a device again simply add a different extraneous layer of complexity and uncertainty. Many are not consonant with the principle of “zero storage and zero transmission”, described below: where they combine biometrics at all, they do so in a way that stores or transmits raw biometric data or images as biometric templates. All that is truly needed is a reliable link or pointer to the registrant's ID, RSI, or relevant PHRs, which are network accessible. That simple link or pointer may be derived elegantly from one or more irreversible transformations or abstractions of the registrant's raw BCD. Each raw BCD source is less separable, if not inseparable, from a victim's person than a card is. Some emergencies, and often the most dangerous, again leave persons unconscious, speech impaired, disabled, or in shock, without a driver's license, card, purse, mobile phone, ID document, or wallet in close proximity. Each year there will be still more incidents that leave victims unable to obtain truly informed assistance from others, such as EMRs, in real time. Often they are impaired from offering their own identification at the scene, much less any of their ICE data or PHR content. A better approach would be to enable data access by biometric-aided mechanisms or a cascading set of biometric techniques that can perform even if, or when, these other conventional approaches do not.
7. Supporting Customized Medical Care Responses Across Age Groups
America is aging. The aged will face special needs in urgent or emergency care. In the United States, the elderly segment of the population is growing fast. With 24 million emergency patient encounters each year, across all age groups, utilizing roughly 40,000 ambulances, there is a burgeoning need to design and use more tailored solutions for emergency responses and urgent health care particularly for the elderly. This upward spiraling demand for rapid remote access to personal data may be viewed separately from the morass of broader health care demands, health care websites, or general PHR archives, such as ones not particularly amenable to priority or privileged wireless access, nor extensible to security and privacy safeguards.
Increasingly, new emergency medical care safeguards and methods will need to be designed, implemented, and operated for specialized classes of emergency responses and treatments associated with specific medical conditions, distinct emergency circumstances, or personalized directions. They may often need to be designed compatibly, so as to support the build-out of ancillary offerings of non-emergency health or medical services, PHR archives, or support systems. Field tests of certain devices and procedures that rely on monitoring analogous vital signs for diabetes patients who require urgent care have shown some promise in their use of BCD techniques calibrated for a specialized class of emergencies associated with diabetes. As the median age in this nation rises, with the graying of Americans, it is likely that a broader approach conducive to more specialized customization is needed. Stroke, for instance, is already among the leading causes of death, and a stroke is an emergency care matter.
Yet the elderly, and others susceptible to a wider range of relatively predictable or anticipated emergencies, have not been afforded access to an advanced set of truly intelligent solutions for informed and personalized assistance. We are unaccustomed to having customized responses for distinct urgent care cases, whether they concern identification or verification. Responses by emergency medical responders (EMRs) are insufficiently driven by mobile BCD use or PHR accessibility to deploy personalized responses tailored to registrant directives or instructions. Reliance on the “one size fits all” default response prevalent today is ultimately inadequate, and often dangerous.
9. Customizing Emergency Responses and PHR Access: An Example for Strokes
Today, stroke is the third-leading cause of death in this country, behind heart disease and cancer, killing 150,000 Americans a year, leaving many more permanently disabled, and costing the nation $62.7 billion in direct and indirect costs, according to the American Stroke Association. But from diagnosis to treatment to rehabilitation to preventing it altogether, a stroke is, according to experts, a litany of missed opportunities.
Many patients with stroke symptoms are examined by emergency room doctors who are uncomfortable deciding whether the patient is really having a stroke—a blockage or rupture of a blood vessel in the brain that injures or kills brain cells,—or is suffering from another condition. Doctors are therefore reluctant to give the only drug shown to make a real difference for some kinds of strokes, which is tissue plasminogen activator (tPA).
Although tPA was shown in 1996 to save lives and prevent brain damage, and although the drug could help half of all stroke patients, only 3 to 4 percent receive it. Most patients, denying or failing to appreciate their symptoms, wait too long to seek help—tPA must be given within three hours. And even when patients call 911 promptly, most hospitals, often uncertain about stroke diagnosis, do not provide the drug. (Many ER doctors also fear liability for risks of tPA adverse side effects, without advanced directives or waivers). Some hospitals have neither the MRI equipment nor the needed medical specialist available on staff to administer tPA.
Some elderly people are predisposed to the risk of a stroke due to smoking, diabetes, high cholesterol, coronary artery disease (CAD), or an irregular heartbeat known as atrial fibrillation. Currently, as many have noted, “emergency medical service is not able to respond in the timeframe to save stroke and heart attack victims. New drugs and therapies are available to save these individuals. However they must be administered soon after a stroke. Currently, emergency response is only able to deliver a small percentage of these patients to the emergency room within the treatment window.” See G. Kolata, “Lost Chances for Survival Before and After Stroke”, New York Times (May 28, 2007). Most people do not want to “roll the dice” on the more general directives or community customs that govern responses, paramedic procedures, and routing for ambulances. However, without BCD-driven access by EMRs to rapidly retrieve self-authored directives that route them to the nearest or desired stroke center, even persons predisposed to suffer a stroke may have no meaningful choice or control when time is of the essence.
To improve the personalization of EMR services, an EMR should be enabled by methods using software to obtain a set of personal emergency health information, preferably with standardized data fields, that is accessible wirelessly, digitally, privately, securely, accurately, and rapidly upon demand. A core set of patient information may be summarized in a patient profile. A patient profile (hereinafter “profile”) would preferably comprise at least one of the following: the person's name, password, PIN, facial photograph, emergency personal health record file data, one or more fields of ICE data, PHR data, customized advance directives, special ICE instructions, and other self-entered identifying health, insurance coverage, or financial information.
Current solutions are inadequate. They do not standardize the use of registrant-specific biometric indicators derived from people's physical features or bodies, such that the link between the BCD and an identifier for rapid identification or verification can serve as a virtual pointer to the registrant's profile for portability, even by default. They do not harness collaborative computing to use BCD to generate pointers to accessible files as needed, rather than to files stored directly and locally, consolidated on a single domain. They do not use distributed computing to permit biometric abstraction by software on either the client or the server side of the network, as needed. Doing so could allow EMRs to rapidly identify even unknown, unconscious, speech impaired, or disoriented patients by capturing a raw BCD sample for transformation in the volatile memory of an EMR's mobile or portable device, using a biometric information input unit (BIIU), sometimes called a biometric sensor.
These portable devices may include, without limit, a cellular phone, laptop, Personal Digital Assistant (PDA), Kindle™-like reader, mobile terminal, etc., with a camera, image capture apparatus, BIIU, BCD extractor, sensor plate, biometric sensor, or other BCD reader. Biometric abstraction programs may be distributed to these devices, or updated, via data networks. Requests to servers that process the transformed BCD input, or reproduce cryptographic strings from BCD entry, may produce server result sets or outputs with the patient's specific identifier. An “ID to PHRs” instruction set, or any other resolving program that associates identity and PHRs, may proceed in two operations, or may be combined into one.
10. Building Upon Related Arts
To surmount such inadequacies, new solutions may build upon certain know-how, or “building blocks”, widely used in the prior art. These building blocks may include, without limitation, conventional know-how that concerns wireless networks, access networks, network security, mobility networks, biometric analyses, pattern recognition, biometrics, image analysis, biometric techniques (e.g., extraction, matching, measurement, cancellation, indexing, encryption, cryptography, and classification), authentication challenges, key management, security measures, or failure recovery mode safeguards, or some combination thereof. Some biometric approaches rely on specialized analyses of samples, and several use pattern recognition or image analysis at one or more stages.
a. Wireless Networks
Wireless networks typically comprise one or more of either the Global System for Mobile Communications (GSM), Universal Mobile Telecommunications System (UMTS), Personal Communications Service (PCS), Time Division Multiple Access (TDMA), Code Division Multiple Access (CDMA), or General Packet Radio Service (GPRS). Often web services for mobility workers are supported by enterprise computing domains that are logically centralized but physically distributed using Wireless Local Area Network (WLAN) technologies, and typically additional wireless network management software. See, e.g., R. Kilan Kehr, et al, U.S. Pat. No. 7,391,060, Mobile exchange infrastructure (Jun. 24, 2008). Still, the artisan in the field could include other mobile networks, mobility networks, cellular systems, RF frequencies, white spaces, or other wireless transmission technologies as well.
b. Access Networks
More generally, an access network may be used for communications with a secure computing environment controlled by a server system. An access network may transport requests from outside the core domain to a connected network that is controlled by a server system. Access networks may be communicable with wireless networks, or with more conventional telecommunications systems such as the Internet or the public switched telephone network (PSTN) used for plain old telephone service (POTS), integrated services digital network (ISDN), or a virtual private network (VPN). Other access networks, in the form of public or private networks, are communicably connectable with one or more wireless networks, and include without limit networks compatible with GPRS, such as a GSM network, a UMTS network, the Internet, VPNs (e.g., mobile VPN, OpenVPN, provider-provisioned VPN, or customer-provisioned VPN), a PLMN (Public Land Mobile Network), and the PSTN or ISDN. A server system in a domain may communicably connect with wireless communication devices through one or more kinds of networks that also include, without limitation, many other networks (e.g., OpenVPN, IPv4, IPv6, Ethernet, LAN, WiFi, WAN). Some IP network software programs that secure data and manage handoffs between networks use IPsec as the security protocol. Not every VPN is IPsec-based (OpenVPN, for example, uses TLS), so the security properties of each overlay must be assessed separately, and further conditioning may be required.
c. Cryptography and AAA Key Management
Cryptography may be conventional, progressive, or interactive with variables that include, without limitation, time-synchronized data elements, spectrum-specific data structures, data interfaces, or algorithms, whether biometric or not. The AAA Key Management History, in the Appendix to RFC 4962, included by reference herein, reflects how a welter of different and improving protocols for Authentication, Authorization, and Accounting (AAA) were originally developed to support deployments of Network Access Servers (NASes). The RFCs show that there is a growing number of Extensible Authentication Protocol (EAP) methods that may be deployed to wirelessly access databases, websites, or other connectable resources. EAP is a general authentication framework, often used in wireless networks, which defines message formats rather than a single authentication method. See, e.g., RFC 3748. Some EAP methods are better than others at reducing the risk of impersonators requesting data: methods that provide mutual authentication and derive session keys (such as EAP-TLS) resist rogue authenticators in a way that a bare password challenge such as EAP-MD5 does not.
The RFC 4962 Appendix confirms that “[i]n theory, public key authentication mechanisms such as EAP-TLS [RFC 2716] are capable of supporting mutual authentication and key derivation between the EAP peer and NAS without requiring AAA key distribution. However, in practice, such pure two-party schemes are rarely deployed. Operation of a centralized AAA server significantly reduces the effort required to deploy certificates to NASes, and even though an AAA server may not be required for key derivation and possibly authentication, its participation is required for service authorization and accounting.”
Many modern commercial platforms rely upon the Advanced Encryption Standard (AES). Since Housley co-wrote RFC 4962 and its appendix, he has specified the AuthEnvelopedData content type for the Cryptographic Message Syntax (RFC 5083) and the use of AES-CCM and AES-GCM authenticated encryption in CMS (RFC 5084), both November 2007. Similarly, X. Boyen, cited in the Cavoukian Paper above, co-authored the “Identity-Based Cryptography Standard (IBCS) #1: Supersingular Curve Implementations of the BF and BB1 Cryptosystems” (RFC 5091, December 2007).
The debate over the optimal improvements will likely continue, but many upgrades tend to obsolete earlier standards. See, e.g., RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (May 2008). The area is fragmented, leading those who rely upon such techniques for patentable methods or devices often to discuss them as a class of interchangeable AAA key management techniques, with certain exceptions in specialized contexts. Where backward compatibility is desired, many Wireless LAN (WLAN) security configurations apply WPA2 as the touchstone, or use the Advanced Encryption Standard (AES) with Remote Authentication Dial-In User Service (RADIUS), to protect against rogue access points, man-in-the-middle attacks, and the most common wireless vulnerabilities.
d. Protecting Customer Data Over Wireless Systems
Using state-of-the-art systems that are extensible to use with customized software, there is a wide range of Wireless LAN platforms that have improved security to enterprise levels. Some have a modular architecture that supports 802.11i or WPA2 security. Security at this level is generally maintained by ensuring that all equipment is also provisioned for compliance with these or more advanced standards. While allowing operators of such LANs or mobility networks to unify communications over certain personal, private, or public networks, the protection of customer data over a variety of wireless systems is commonly managed by employing stronger encryption, authentication, and prevention techniques. AES brings added safeguards, including longer encryption keys and frequently changed keys. Many conventional LANs deploy RADIUS servers that can assign a dynamic IP address to a requester at login time, and deploy one of the more popular EAP types, often to ensure security across the transport or other layers. See White Paper, “EAP-TLS Deployment Guide for Wireless LAN Networks”, by Cisco, on file with Cisco as technology white paper number 09186a008009256. Many of these measures, along with further security policies, including special security procedures for wireless transport, in turn help to avoid putting registrant data at risk from denial of service attacks, eavesdropping, and rogue access points. See also Krishna Sankar, Wireless LAN Security (Cisco Feb. 16, 2008). Modern enterprise security levels are generally at least as robust as AES with either 802.11i or WPA2 security. The artisan in the field of Wireless LAN security will also appreciate that several other configuration choices offer similar protection.
e. Conventional Registration Through Storing Files, Pointers, or Metadata, Etc.
The registration storing task in many enterprise computing environments or configurations that use database extraction mechanisms presupposes that prospective registrants can avail themselves of conventional or new technologies, especially ones that are backward compatible with operating personal computers, telephones, other workstations, etc. These configurations envision prospective registrants using a registration or enrollment client program (e.g., a browser, FTP client, or other application) to register personal information, or securely upload other data or files, to a remote server or database via the Internet, Web, VPN, or another communication network. The other data or files may include encrypted profile data, links to health records, robust PINs that can only be descrambled or deciphered using extracted biometric information, biometric patterns, or BCD-related data strings that contain or are derived from some of the registrant's captured data.
f. Fragmented Approaches to Authentication, Authorization, and Accounting (AAA) Systems of Key Management
In certain other security spheres, where systemic intrusion at response delivery time poses a more serious risk to data (e.g., spoofing or impersonation), some have raised the conundrum of securing content passed through untrusted intermediaries under more stringent assumptions like those common in Homeland Security or financial account scenarios. Special security measures, designed mainly for such untrusted data brokers, intermediaries, and conduits, are highly likely to remain extraneous in most contexts when a medical-oriented or PHR platform is envisaged primarily to enable or enhance rapid remote health record retrieval. Ordinarily, as far as health profile access is concerned, certain public key methods, other cryptographic methods for communications between two or more parties, or a public key infrastructure (e.g., using a trusted authority to certify signatures) may help provide security that is satisfactory to most prospective registrants, especially when raw biometric samples are neither transmitted from client to server nor stored by the server system.
This is especially so when a trusted enabling entity assumes the role of the intermediary. The content may remain, for instance, confidentially handled under key management techniques, as when a primary health provider (already entrusted with a registrant's health records, or reliably able to bring another intermediary under its privacy policies) ensures adherence to privacy policies as a condition precedent to content service. Similarly, the content may be safeguarded autonomously, or under applicable law, by the intermediary if it is (a) encapsulated and encrypted but accessible, while so opaquely packaged, only by a requester holding the metadata or a cryptographic key, or (b) otherwise transcoded between source and requester. Compare Nagel, “System and Method for Secure Three-Party Communications”, U.S. Pat. No. 7,181,017 (Feb. 20, 2007).
In July 2007, a consensus on the “best current practice” was memorialized as RFC 4962, entitled “Guidance for Authentication, Authorization, and Accounting (AAA) Key Management”, by R. Housley and B. Aboba. RFC 4962 contains an Appendix entitled “AAA Key Management History.” It notably reflects that certain reliable conventional authentication processes also exist beyond those AAA key management techniques surveyed under the rubric of “best current practices.” While RFC 4962 did not necessarily alter certain discretely and solely managed security realms or independently controlled solutions that were already conforming to the newly heralded best current practice (e.g., implementing methods that apply the principle of least privilege without plaintext passwords), it ushered in a new paradigm for better ensuring secure interoperability between distinctly owned, secured, or managed domains or realms. Yet care needs to be taken, in many scenarios, to ensure personal consent for onward transfers of personal data beyond a registrant's consent for access or use.
Without verifiable assurances of common adherence to a standard set of AAA best current practices before July 2007, Nagel and others proposed solutions that were commonly designed to surmount some hurdles of untrusted intermediaries by using multiple communication protocol security mechanisms. With the advent of baseline AAA best practices in July 2007, discussed below, service providers and database operators alike may now extend networks more openly and more simply, upon verification of security using authentication and related safeguards compliant with the AAA practices of the primary service provider, to render qualified corresponding nodes benign or trusted to an extent sufficient for encrypted content like profiles and biometric abstraction data.
g. Biometric Analysis: Multiple Techniques for Each Biometric Source and Pattern Recognition
Biometric analysis is one of the building blocks of the new set of methods. Many techniques have evolved to design or use corresponding methods for the automated recognition of a pattern, or, when appropriate, image analysis. Included hereunder are systems that transform an image for the purpose of (a) enhancing its visual quality prior to recognition, (b) locating and registering the image relative to a sensor or stored prototype, or reducing the amount of image data by discarding irrelevant data, and (c) measuring significant characteristics of the image. Image analysis, when utilized, may be extended to encompass certain systematic operation or series of operations performed on data representative of an observed or observable image with the aim of measuring a characteristic of the image, detecting variations and structure in the image, or transforming the image in a way that facilitates its interpretation.
Unlike the limited range of image analysis in some references, our expanded scope of image analysis extends beyond images obtained by a camera, scanner, or image detector (wherein the image represents an actual scene) to the presentation or generation of images that are (a) computer generated or otherwise artificial, or (b) a combination of computer-generated images and real images, including computer graphics and control of data presentation with creation or manipulation of graphic objects or text performed by a computer or processor, and operator interfaces. Similarly, in this context, image analysis also extends to the reading or sensing of coded indicia, which does not include the recognition of any alphanumeric character or pattern, including coded indicia that are designed specifically to facilitate reading by machine and are not intended to be read by humans. Moreover, we include under the extended rubric of image analysis certain adjacent arts that pertain to the processes of pattern recognition or the encryption of data, including character data.
While the artisan of ordinary skill is aware of the more extensive range, it is helpful to point out features of some of the related arts that are associated with the “building block” of pattern recognition methods or image analysis applications that may support the purpose of recognizing an individual or verifying a person's identity while protecting privacy and maintaining security.
A pattern is any form in an image having discernable characteristics that provide a distinctive identity when contrasted with other forms. Pattern recognition is any procedure for ascertaining differences, or similarities, between patterns under observation. It may entail partitioning the patterns into appropriate categories based on these perceived differences or similarities; or any procedure for correctly identifying a discrete pattern or class of patterns, such as an alphanumeric character or coded indicia associated with pattern or characteristic, as a member of a predefined pattern category. As to biometric patterns, biometric character data may evince patterns that manifest themselves to detection by human senses, computers, sensors, or other machines, or a combination thereof, in various ways, and are often subject to classification in some original or transformed state or format using metadata, with or without an ontology.
In biometric processes, including many used to support identification, verification, or authentication, it has been shown that algorithms designed for 1:1 verification traditionally scaled poorly when used for 1:N identification tasks. See e.g., R. Cappelli, D. Maio and D. Maltoni, “Indexing Fingerprint Databases for Efficient 1:N Matching”, in proceedings Sixth International Conference on Control, Automation, Robotics and Vision (ICARCV2000), Singapore, December 2000.
While many experiments have been conducted to perfect biometric pattern recognition, with ever-increasing performance capabilities and higher confidence levels, the studies have tended to show a trade-off between the false acceptance rate and the false rejection rate: tightening a matching threshold to reduce one raises the other. Still, biometrics is rapidly replacing traditional token and password methods. There is insufficient space to survey all the biometric sources, recognition applications, or techniques here. Many are functionally interchangeable for health care support purposes with the most universally deployed ones like fingerprints. Of all the biometric modalities, fingerprints have emerged as a popular choice due to their universality, distinctiveness, permanence, and acceptability. Another reason for their popularity is the wide range and variety of implementations of recognition algorithms that are already available. A limited summary of thumbprint or fingerprint biometrics, below, is useful to exemplify how biometrics may support certain acts of the mediation processing, particularly when reliance upon some biometric abstraction model advances a result. The artisan in the field will appreciate that further citations from the crowded field of biometric techniques that may be used in place of fingerprints, beyond the citations included herein, would be of diminishing value, since the salient principles of functionality in the inventive context are common to most biometric sources, but may vary as to degree, acceptability, or ease of use.
The website of the Biometric Systems Laboratory, DEIS, University of Bologna, Italy (BSL), explains that “Fingerprint recognition is a complex pattern recognition problem; designing algorithms capable of extracting salient features and matching them in a robust way is quite hard, especially in poor quality fingerprint images. There is a popular misconception that automatic fingerprint recognition is a fully solved problem since it was one of the first applications of machine pattern recognition almost fifty years ago. On the contrary, fingerprint recognition is still a challenging and important pattern recognition problem.” See, e.g., Zhengmau Yo, Yongmao Ye, H. Moamadian, Biometric Identification via PCA and ICA Based Pattern Recognition, ICCA 2007, IEEE Int'l Conf. on Control and Automation.
The BSL explains that “[a] fingerprint is the reproduction of a fingertip epidermis, produced when a finger is pressed against a smooth surface. The most evident structural characteristic of a fingerprint is a pattern of interleaved ridges and valleys; in a fingerprint image, ridges (also called ridge lines) are dark, whereas valleys are bright. Ridges and valleys often run in parallel; sometimes they bifurcate and sometimes they terminate. When analyzed at the global level, the fingerprint pattern exhibits one or more regions where the ridge lines assume distinctive shapes (characterized by high curvature, frequent termination, etc.).” These regions (called singularities or singular regions) may be classified into distinct typologies, which include the loop, delta, and whorl.
The BSL continues: “At the local level, other important features, called minutiae, can be found in the fingerprint patterns. Minutiae refer to the various ways that the ridges can be discontinuous. For example, a ridge can suddenly come to an end (termination), or can divide into two ridges (bifurcation). Although several types of minutiae can be considered, usually only a coarse classification is adopted to deal with the practical difficulty in automatically discerning the different types with high accuracy. At a very fine level, intra-ridge details can be detected. These are essentially the finger sweat pores, whose position and shape are considered to be highly distinctive.” The BSL also explains associated advances in feature extraction through conventional techniques of binary representation and thinning using various algorithms, as well as newer techniques like the gray-scale minutia detection approach.
Today, even in the sub-field of biometrics dedicated to fingerprints, there are scores of algorithms available to support identification or verification. In U.S. Patent Application No. 20070297653, published Dec. 27, 2007, Bolle, Rudolf Maarten, et al., proposed, for instance, a “Fingerprint representation using localized texture features,” and they describe many of the kinds of algorithms and key deficiencies of conventional analytic techniques as follows:
“Existing fingerprint matching algorithms may be broadly classified into the following categories based on fingerprint representation.
1. Correlation based: In this representation, the fingerprint image itself is used as a template. Matching is performed by measuring the result of cross correlation between the two images. This . . . is very fast, since correlation may also be implemented through optical techniques . . . .
2. Minutiae Representation: Minutiae represent local fingerprint ridge discontinuities and mark the position where a ridge comes to an end or bifurcates into two. Given target and reference fingerprints and their corresponding minutiae features, the process of matching is a point pattern matching problem. This is by far the most popular approach to fingerprint recognition . . . .
3. Texture Descriptors: A fingerprint image can also be viewed as a pattern of oriented texture formed by the gray scale variation of the ridges. Therefore, texture descriptors provide a good representation for the ridge content in the image. A global texture descriptor scheme called ‘finger code’ utilizes both global and local ridge descriptions.”
In fact, numerous comparison processes have relied upon the aforesaid characteristics as well as others, like the observance of motifs such as deltas, bifurcations, terminations, pores, ridges, and valleys. Often motifs are measured in relation to one another or to some estimated center of the thumbprint.
The BSL also properly frames how some of the remaining challenges are being surmounted using classification: “The identification of a person requires the comparison of his/her fingerprint with all the fingerprints in a database, which in large scale applications may be very large (several million fingerprints). A common strategy to reduce the number of comparisons during fingerprint retrieval and, consequently, to improve the response time of the identification process, is to divide the fingerprints into some predefined classes. Fingerprint classification means assigning each fingerprint to a class in a consistent and reliable way, such that an unknown fingerprint to be searched needs to be compared only with the subset of fingerprints in the database belonging to the same class. While fingerprint matching is usually performed according to fingerprint micro-features, such as ridge terminations and bifurcations (minutiae), fingerprint classification is usually based on macro-features, such as global ridge structure. All the classification schemes currently used by police agencies are variants of the so-called Henry's classification scheme. Five classes (Arch, Tented arch, Left loop, Right loop and Whorl) are commonly used by today's fingerprint classification techniques. In reality, fingerprints are not uniformly distributed among these five classes: the proportions have been estimated as 3.7%, 2.9%, 33.8%, 31.7% and 27.9% for Arch, Tented arch, Left loop, Right loop and Whorl, respectively.” Aside from the Tented Arch, each of the others usually has a center or “core.” Notably one variant of the Whorl, called a Whorl (Twin Loop), has a double core. Biometric System Laboratory, DEIS-University of Bologna, Fingerprint Classification, on file with Biometric System Laboratory.
See also ISO/IEC 19794-2, et seq., on fingerprint standard templates, and revisions thereto at ISO/IEC WD 19794-2; and compare ISO/IEC 24713-1 (2008) [Biometric profiles for interoperability and data interchange]; ISO/IEC 19795-4 (2008) [Biometric performance testing and reporting: Interoperability performance testing]. Many approaches use all five classes, while others rely primarily on distinctions among four kinds (merging the Arch and Tented Arch classes, which together account for under 7% of prints and are the hardest pair to separate).
Fingerprint classification may take a variety of forms, and many draw a general line between Exclusive Classification and Continuous Classification. Exclusive Classification entails several approaches that include, without limit, fingerprint classification (a) by means of inexact graph matching; (b) using dynamic masks to partition the directional image; or (c) based on MKL (multi-space Karhunen-Loève) subspaces well suited for representing fingerprints belonging to each class under Henry's scheme, above. Continuous Classification typically seeks to surmount the constraints of the low number of classes and their skewed distribution, which hamper the exclusive approaches, by mapping each fingerprint into a multidimensional space through a similarity-preserving transformation, such that similar fingerprints correspond to nearby points, and then retrieving candidates by a radius search around the query point.
The BSL website also explains that “[t]here has been a substantial amount of work done on the multimodal fusion approaches: the key is the combination of the various biometric characteristics at the feature extraction, match score, or decision level. Feature level fusion (also known as pre-classification fusion) combines feature vectors at the representation level to provide higher dimensional data points; match score level fusion and decision level fusion (post-classification fusion) combine the individual scores from multiple classifiers and the accept or reject decisions of each biometric system, respectively.” See also M. A. Ferrer, A. Morales, et al., “Low Cost Multimodal Biometric Identification System Based on Hand Geometry, Palm and Finger Texture,” 2007 41st Annual IEEE Int'l Carnahan Conf. on Security Tech. Another approach takes multimodality in a different direction, combining biometrics with a secret sequence code. See, e.g., Pu, et al., U.S. Pat. No. 6,229,906, “Biometric sequence codes” (May 8, 2001). Rather than combine fingerprint, vascular, or iris data with one another or with other biometric modalities, the '906 patent offers an identification system using biometric information of human body parts together with a secret sequence code. In particular, the biometric information of the body parts is used to form the secret sequence code: a combination entry device recognizes the user's fingerprints, which are entered as a sequence, and the fingerprints must be entered in the proper sequence in order to be recognized by the system.
As was true with multimodal biometric techniques, some have used combined methods of classification, or beneficially deployed other alternative approaches. See, e.g., R. Cappelli, D. Maio, D. Maltoni, and L. Nanni, “A two-stage fingerprint classification system,” in Proceedings of the ACM SIGMM Multimedia Biometrics Methods and Applications Workshop (WBMA03), Berkeley, pp. 95-99, November 2003. In this paper they “describe a fingerprint classification system based on a two-stage sequential architecture: an MKL-based classifier is first used to select the two-most-likely classes and then a second classifier (specifically trained to discriminate between the two classes) is then adopted for the final decision. The experimentation performed on NIST Special Database 4, which is one of the most important benchmarks in this area, shows that the new approach yields an error rate lower than previously published in the literature. In particular, the error rate is 4.8% and 3.7% for the five-class problem and four-class problem, respectively.” Some studies show that classification systems using a combination of minutiae, the orientation image, and finger code may often enhance performance by reducing error rates, especially at lower penetration rates (i.e., when a smaller fraction of the database must be searched). See, e.g., slide 20, R. Germain et al., IEEE, Fingerprint matching using transformation parameter clustering; G. Bebis et al., Fingerprint Identification Using Delaunay Triangulation, IEEE International Conference on Intelligence, Information, and Systems (ICIIS 1999).
Further advances have been achieved in biometric identification by using techniques that combine approaches, or use indexing to exclude the vast majority of records in the universe of potential matches, to establish a narrowed candidate list. See, e.g., Fengling Han, Jiankun Hu, and Xinghuo Yu, A Biometric Encryption Approach Incorporating Fingerprint Indexing in Key Generation, Lecture Notes in Computer Science (Springer 2006). In turn, the process may then apply a 1:1 verification test, or a set of examinations using one or more algorithms, to rank candidates or isolate a match, if any exists. See, e.g., Lo, U.S. Pat. No. 7,313,256, “Progressive fingerprint matching system and method,” Dec. 25, 2007; see also Reisman, James G., et al., U.S. Patent Application No. 20030169910, “Fingerprint matching using ridge feature maps,” Sep. 11, 2003. As to combined approaches, Reisman asserted that “[w]hile a ridge flow pattern is generally used for classifying fingerprints, it is seldom used for matching. The [inventors] provide[ ] a fingerprint matching method that uses ridge flow information to represent and match fingerprints.”
While accuracy and performance will continue to be the subject of many unforeseeable improvements in biometrics and image analysis, the art is already at a state that offers promise in certain adjacent art that concerns mediation using biometrics or image analysis, or both, as one building block. For example, techniques that combine biometrics with identification, verification, authentication, cryptography, classification, or indexing will continue to burgeon. See, e.g., Setlak, U.S. Pat. No. 6,795,569, “Fingerprint image compositing method and associated apparatus,” Sep. 21, 2004; Ziesig, U.S. Pat. No. 6,941,003, “Method of fast fingerprint search space partitioning and prescreening,” Sep. 6, 2005; Thomas, et al., U.S. Pat. No. 7,237,115, “Authenticating concealed private data while maintaining concealment,” Jun. 26, 2007. For each of these techniques the field of know-how is already crowded, and in most cases the maturity suggests that newer innovations represent a third or later generation. As such, they now offer configuration choices to those creating methods or applications in reliance upon various permutations of their principal features, functionalities, or capabilities.
Accuracy and performance reside in the sphere of quality of service parameters, that are often relevant to the value of an operable system using the invented method, but not essential to the architecture or functionality of the far more fundamental method of mediation. Accordingly, given the wide choices available to mediator operators, we take them as a variable array of interchangeable alternatives, whether for fingerprints, irises, or other biometric sources, which appear to be sufficient and improving. Numerous biometric techniques are surveyed, for instance, in a number of books, texts, and other resources, like one by John R. Vacca, Biometric Technologies and Verification Systems, Butterworth Heinemann (Mar. 16, 2007). The mediation methods, described below, do not purport to disclose the means of optimizing all biometric or image analysis techniques, but instead mate the steps of using a wider class of either biometric or image techniques with steps of novel mediation methods that are transformative for rapid health-care support methods. The present invention may rely upon or encapsulate even novel biometric or image analyses techniques or biometric abstraction models that are trade secrets, without disclosing any new biometric identification methods of general applicability (i.e. outside rapid EMR class-accessible remote health-support, etc.).
Because conventional health support services that rely upon tangible devices or cards may now be superseded by solutions that utilize biometrics, there is a growing appreciation of the need to protect both the personal health information and the raw biometric data, which individuals can ill afford to lose or relinquish control over: a password can be reset, but a compromised fingerprint cannot. To ensure that raw biometrics may not be diverted to unauthorized uses, certain biometric approaches promise to safeguard the privacy of the raw biometric data by decoupling the raw data from their associative properties through abstraction. These approaches increasingly use one or more biometric abstraction models that leverage the power of raw biometric data without exposing the raw data to risk of misuse or loss. The integrating approaches taught below therefore do not transmit via network, or store in non-volatile storage, a person's biometric data in any form unless it has been transformed to prevent reconstruction of the raw biometric data by eavesdroppers or impostors. These offer query resolution virtually “risk-free of reconstruction.”
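The decoupling described above may be illustrated by the following Python example, which is added here and is neither the application's own software nor code from any cited work. It shows one well-known biometric abstraction model, a keyed random projection of the kind used in cancelable biometrics: the stored template is the raw feature vector multiplied by a matrix derived from a registrant-held secret key, with fewer output than input dimensions, so the template has no unique preimage and a leaked template can be revoked by issuing a new key. The feature vectors, key values, dimensions and acceptance threshold are constructed assumptions; real fingerprint features would first need alignment (e.g., relative to the core) and the threshold would be tuned against a benchmark.

```python
"""Cancelable fingerprint template by keyed random projection.

Added example, not part of the application. Feature vectors are constructed
values standing in for aligned, fixed-length fingerprint features (e.g. a
FingerCode-style texture descriptor); the key, threshold and dimensions are
assumptions chosen for the sample data.
"""
import hashlib
import math
import random

N_FEATURES = 12    # length of the raw feature vector
N_PROJECTED = 8    # template length; fewer than N_FEATURES, so the map discards information
THRESHOLD = 0.30   # accept when the scaled template distance is below this (tuned to the sample data)


def projection_matrix(key: bytes) -> list[list[float]]:
    """Derive a Gaussian random projection from a registrant-held secret key.

    The key seeds the generator, so the same key always yields the same matrix
    and a fresh key yields an unrelated one. Only the key must stay secret; it
    is assumed to live on the registrant's token or device, never beside the
    stored template.
    """
    seed = int.from_bytes(hashlib.sha256(key).digest(), "big")
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(N_FEATURES)]
            for _ in range(N_PROJECTED)]


def transform(features: list[float], key: bytes) -> list[float]:
    """Map raw features to the stored (cancelable) template: t = R(key) * x."""
    if len(features) != N_FEATURES:
        raise ValueError("feature vector has unexpected length")
    return [sum(r * f for r, f in zip(row, features))
            for row in projection_matrix(key)]


def distance(template_a: list[float], template_b: list[float]) -> float:
    """Euclidean distance between templates, divided by sqrt(N_PROJECTED) so that
    it approximates the distance between the underlying raw feature vectors."""
    sq = sum((a - b) ** 2 for a, b in zip(template_a, template_b))
    return math.sqrt(sq) / math.sqrt(N_PROJECTED)


def verify(stored_template: list[float], probe_features: list[float], key: bytes) -> bool:
    """1:1 verification: transform the live probe with the same key and compare templates.
    Raw probe features exist only transiently here and are never stored or sent."""
    return distance(stored_template, transform(probe_features, key)) < THRESHOLD


# Constructed sample data (not real biometric measurements).
ENROLLED = [0.12, 0.87, 0.45, 0.33, 0.91, 0.05, 0.66, 0.27, 0.74, 0.58, 0.19, 0.82]
NOISE = [0.02, -0.01, 0.02, -0.02, 0.01, 0.02, -0.02, 0.01, -0.01, 0.02, 0.01, -0.02]
PROBE_SAME_FINGER = [f + n for f, n in zip(ENROLLED, NOISE)]      # fresh capture, small sensor noise
PROBE_OTHER_FINGER = [0.81, 0.14, 0.93, 0.62, 0.08, 0.77, 0.21, 0.95, 0.36, 0.04, 0.69, 0.48]
KEY_V1 = b"registrant-secret-v1"   # hypothetical registrant key
KEY_V2 = b"registrant-secret-v2"   # replacement key issued after revocation


def demo() -> dict:
    stored = transform(ENROLLED, KEY_V1)          # only this value is persisted
    return {
        "template_len": len(stored),
        "genuine": verify(stored, PROBE_SAME_FINGER, KEY_V1),
        "impostor": verify(stored, PROBE_OTHER_FINGER, KEY_V1),
        # After revocation the old template no longer matches even the true finger
        # presented with the new key, and a new template can be enrolled instead.
        "revoked": verify(stored, ENROLLED, KEY_V2),
        "reenrolled": verify(transform(ENROLLED, KEY_V2), PROBE_SAME_FINGER, KEY_V2),
    }


if __name__ == "__main__":
    print(demo())
```

Because the projection has only N_PROJECTED rows, many raw vectors map to the same template; an attacker holding the template alone cannot recover the raw features, and one holding the template and key still faces a whole subspace of candidates. What the scheme does not hide is similarity: two templates made with the same key from similar fingers remain close, which is exactly what verification needs and why the key must be per-registrant and per-deployment.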
10. A Health-Support Method Using Software May Employ Query Processing, but May Differ from Conventional Security Applications in Other Sectors of Commerce or Governance
Unlike many security scenarios, we are usually dealing with friends, not enemies. For rapid health care support, we should usually provide relevant information expeditiously under the principle of least privilege, which is workable when at least one of the following assumptions holds: (a) the data can be rigorously classified, a priori, by potential recipient for privacy; (b) the collected information can be organized according to the needs of a privacy protocol; or (c) it can be fully determined from the queries submitted by potential recipients whether the results might improperly include information that should be withheld. RFC 4949 notes, in a tutorial under the definition of “authentication information,” how conventional services often use two-factor authentication. Already a number of services will not process a request unless the party seeking data can authenticate its identity with two of the three factors below: (i) something he possesses; (ii) something he knows; and (iii) something he is. See RFC 4949 at p. 5. Another form of two-factor authentication could require a smart card and a PIN derived from a biometric encryption template.
In all events, the best current practices of AAA (authentication, authorization, and accounting) for interoperability of distinctly owned or controlled domains, servers or applications, along with improvements in key management, may at least in some cases be used to obviate the convention of classifying domains or systems as trusted, benign, or untrusted. See, e.g., RFC 4949, Internet Security Glossary, Version 2, R. Shirey (August 2007) (under the definition of “trust” (1)); and, on key management, RFC 4962, Guidance for Authentication, Authorization, and Accounting (AAA) Key Management, R. Housley and B. Aboba (July 2007). After RFCs 4949 and 4962 were issued, new proposed standards were published as RFC 5191, “Protocol for Carrying Authentication for Network Access (PANA),” and RFC 5193, “PANA Framework,” both dated May 2008. Notably, the term “authorization” in certain RFC contexts denotes network authorization parameters (e.g., limited number of entries, bandwidth constraints), in contrast to the network-agnostic “authorization” to gain application access, data with content (e.g., profile payloads, PHR envelopes, advance directive cryptolopes), or other use privileges, as the term is used elsewhere herein.
11. Server Platforms May Use Request-Response Messaging Over Wireless Networks
Current conventional methods do not adequately integrate, or loosely couple, software that can control a process so as to galvanize the conduit (e.g., communication networks, wireless access protocols, request/response messaging), the computer processing (e.g., server systems, CPUs, processing units), the base resources (e.g., content, updates, databases), and the layers of applications (e.g., programs to handle or manage connectivity, authentication, unscrambling of registrant-specific identifiers using biometrics, registration, authorization, security, policy, and auditing). Accordingly, EMRs, and particularly ones seeking profiles of persons not readily identifiable, will need “something more” to improve upon conventional methods, which are designed mainly to serve hospital networks or health care providers rather than to protect patients rapidly.
In other contexts, computer scientists call that “something more” a mediator. Usually, a “mediator consists of general hardware and specialized software to implement a high-level concept in providing added-value services . . . .” A mediator, however, also may be a software module that exploits encoded knowledge about some set or subsets of data (e.g., by value-added processing) to create information for a higher layer of application. A software architect or systems integrator may specify a mediator. Separately, the mediator may be implemented or used by an entity called a mediator server operator to attain query resolution at runtime. In some open mediation methods that rely upon request-response messaging, a server system provides trade support by enabling messaging so that unaffiliated “service providers” may enter service listings and unaffiliated “service consumers” may query databases, communicably connectable to the mediator server system (“mediator server”), to match or retrieve selected data. Compare Hoffer, U.S. Pat. No. 5,799,151, An Interactive Electronic Trade Network and User Interface (August 1998).
Using other techniques common for providing pervasive or wireless system security to digital assets (e.g., public or symmetric key management), a server may be configured to provide access control management whenever queried by a client program that requests access to private or secured data. Since request-response messaging merely describes message flow patterns between client programs and server programs, used to acknowledge or handle the message exchanges that carry query data, reliance on this kind of message pattern does not imply that every result set produced by a server must be transmitted as a response message to anyone. Whether a response carrying a result set is released at all is a discretionary decision made in a distinct context, namely what ordinarily occurs above the Application Layer of a data network.
Some earlier mediation methods that ensure security consist of steps or modules that perform the following tasks: processing of the query (pre-processing); communication with databases (submission of the query and retrieval of results); processing of results (post-processing); and writing into a log file. See G. Wiederhold, U.S. Pat. No. 6,226,745, Information sharing system and method with requester dependent sharing and security rules (May 1, 2001). See also G. Wiederhold, Interoperation, Mediation, and Ontologies (Nov. 9, 1994), on file with the InfoLab, Stanford University.
Such security methods may employ a rules system, view-based access controls, a combination of pre- and post-processing constraints, or one or more queries. As with many conventional methods using software to enable message exchange, a successful query, whether for verification to retrieve personal data or for identification, can only fruitfully follow a compatible enrollment or registration. To process such a query, beyond the adjacent art of security mediators, certain modern mediators usually initiate a message flow to invite a peer, like an EMR using a mobile client application, to authenticate its credentials, and then pre-process the request for resolution. The mediator's server system and software use the data of the request as the data of a query. The mediator processes the query in view of an authentication assertion and, once the subject's identification or verification is accomplished, if at all, typically looks up a mediated object, file, or pointer in accessible storage, where it expects to find the stored data of the registrant, and applies privacy rules to retrieve the result set. The mediator may or may not be configured to package the result set into a response and send it, encrypted, over some network.
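The sequence described in the preceding two paragraphs (authenticate the peer, pre-process the request into a query, resolve the registrant, apply the registrant's privacy rules in post-processing, and log each request, access, and resolution) is shown below as an added Python example; it is not the application's own software. The field names, requester roles, the two-factor rule, the opaque registrant identifier (assumed to have been resolved from the registrant's transformed biometric data before this step), and the record contents are constructed assumptions. Encryption of the outbound response is outside this example.

```python
"""Requester-dependent mediation of a registrant's emergency profile.

Added example, not the application's code. Identifiers, roles, field names and
the factor-counting rule are assumptions; the registrant record and audit log
are in-memory constructed data.
"""
from dataclasses import dataclass, field

KNOWN_FIELDS = {"name", "blood_type", "allergies", "advance_directive",
                "emergency_contact", "phr_full"}
FACTORS = {"possession", "knowledge", "inherence"}   # has / knows / is

# Registrant data keyed by an opaque identifier, assumed to be resolved from the
# registrant's transformed biometric template before this step (constructed value).
REGISTRANTS = {
    "reg-7f3a": {
        "name": "A. Registrant",
        "blood_type": "O-",
        "allergies": ["penicillin"],
        "advance_directive": "DNR on file",
        "emergency_contact": "+1-555-0100",
        "phr_full": "<complete personal health record>",
    },
}

# Privacy rules set by the registrant: the fields each requester class may receive.
# Fields not listed for a role are withheld (default deny).
PRIVACY_RULES = {
    "reg-7f3a": {
        "emr": {"blood_type", "allergies", "advance_directive", "emergency_contact"},
        "hospital": KNOWN_FIELDS,
    },
}

AUDIT_LOG: list[dict] = []   # every request, access and resolution is recorded here


@dataclass(frozen=True)
class Requester:
    requester_id: str
    role: str
    factors: frozenset      # authentication factor types actually presented


@dataclass
class Result:
    status: str             # "ok", "unauthenticated", "malformed" or "not_found"
    fields: dict = field(default_factory=dict)
    withheld: frozenset = frozenset()


def audit(event: str, requester: Requester, registrant_id: str, detail: str = "") -> None:
    AUDIT_LOG.append({"event": event, "requester": requester.requester_id,
                      "role": requester.role, "registrant": registrant_id,
                      "detail": detail})


def authenticate(requester: Requester) -> bool:
    """Two-factor rule: at least two distinct factor types must have been presented."""
    return len(requester.factors & FACTORS) >= 2


def preprocess(requested: list[str]) -> set[str]:
    """Pre-processing: reject a query that names fields the schema does not have."""
    unknown = set(requested) - KNOWN_FIELDS
    if unknown:
        raise ValueError("unknown fields: " + ", ".join(sorted(unknown)))
    return set(requested)


def mediate(requester: Requester, registrant_id: str, requested: list[str]) -> Result:
    audit("request", requester, registrant_id, "fields=" + ",".join(requested))
    if not authenticate(requester):
        audit("rejected", requester, registrant_id, "insufficient authentication factors")
        return Result("unauthenticated")
    try:
        wanted = preprocess(requested)
    except ValueError as exc:
        audit("rejected", requester, registrant_id, str(exc))
        return Result("malformed")
    record = REGISTRANTS.get(registrant_id)
    if record is None:
        audit("resolution", requester, registrant_id, "no such registrant")
        return Result("not_found")
    audit("access", requester, registrant_id)
    # Post-processing: apply the registrant's rules for this requester class, so an
    # over-broad query is trimmed rather than refused outright.
    allowed = PRIVACY_RULES.get(registrant_id, {}).get(requester.role, set())
    granted, withheld = wanted & allowed, wanted - allowed
    audit("resolution", requester, registrant_id,
          f"granted={sorted(granted)} withheld={sorted(withheld)}")
    return Result("ok", {f: record[f] for f in granted}, frozenset(withheld))


def audit_entries_for(registrant_id: str) -> list[dict]:
    """What a registrant sees when reviewing who asked for what and what was released."""
    return [e for e in AUDIT_LOG if e["registrant"] == registrant_id]


if __name__ == "__main__":
    emr = Requester("emr-12", "emr", frozenset({"possession", "inherence"}))
    print(mediate(emr, "reg-7f3a", ["blood_type", "allergies", "phr_full"]))
    for entry in audit_entries_for("reg-7f3a"):
        print(entry)
```

Two design points matter for the least-privilege goal stated above. First, the rules are keyed by requester class and default to deny, so an EMR asking for the full PHR receives the emergency fields and a list of what was withheld, rather than either everything or an error. Second, the audit entry is written before the result is released, so a registrant reviewing the log sees the request even when it was rejected or resolved to nothing.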
If the enrollment module is native to such a modernized mediator, and external storage services are extraneous, then the mediator can substantially govern any compatible interoperations between the requester's service model and the provider's service model, since the mediator alone controls the latter model at both enrollment and query time. Other possible solutions, where external provider service models can play a role in query resolution, often rely more upon process mediation than data mediation. A mediator may enable execution of a query as if it were operating under at least one provider's service model to access data stored during enrollment. Often that model may encapsulate a biometric abstraction model. See generally, R. Vaculin, K Sycara, Towards automatic mediation of OWL-S process models, (Robotic Institute, Carnegie Mellon University), also on file with the Robotics Institute, Carnegie Mellon University. These provider's service models commonly control message flow patterns.
A mediator, such as one without a native enrollment module, may be tasked with discovering a provider service model externally, which may be compatibly invoked by the requester's service model. To this end, the mediator may need to use certain process mediation techniques to reconcile the different message flow patterns of one or more non-native models, or to reconcile other distinctions. See, e.g., Web Service Execution Environment (WSMX), W3C Member Submission (Jun. 3, 2005), on file with the W3C, a technical standards-setting body. Sometimes the mediator may adapt request-response messaging patterns to reconcile the different service models of requesters and providers. Some process mediation approaches anticipate reworking the message flow toward a harmonized pattern by splitting messages, unifying messages, inverting messages, omitting messages, or creating acknowledgements. Some approaches to support process mediation include, without limitation, combining or compositing processes by using control constructs such as sequences, any-order, choice, if-then-else, split, split-join, repeat-until, or repeat-while. Process mediation also may, as a preliminary measure, require using certain output of data mediation as an input for results. Data mediation, as explained herein, could reconcile two related biometric abstraction models utilized in the separate service models of a requester and a mediator. In turn, a translation could be used in certain instances to permit adaptation of the query, data, or message flows, as needed, to iterate through a database of either the local mediator or an autonomous external service.
Among health care systems that are aided by biometric technologies today, inadequate attention has been paid to satisfying the urgent needs of EMRs seeking data from remote facilities or locations, often when time is routinely a true matter of life or death. The adjacent art does not appear to suggest or teach how a mediator may be composed or run to enable a requester to rapidly attain a registrant's profile or health records privately and securely over networks, including one that is at least partly wireless, by using biometrics, but without either persistently storing or transmitting the raw biometric data. Nor do conventional methods address how to compose a mediator for health care support that lets a requester do so promptly when the identity of the registrant remains unknown to the EMR. Most biometric systems for sharing private health data remotely entail verification, or a predetermined identification, using centrally stored raw biometric data. Yet progress is developing in highly lucrative financial and transport applications relying upon transformed biometrics (e.g., cancelable biometrics, biometric encryption, biometric indexing, or other biometric methods) and key management techniques. Even if a registrant is unidentifiable prior to query time, better techniques using biometric abstraction models can help empower the registrant to control the anticipated access, use, privacy, and secure remote transmission of his profile or associated data, under a new set of secure health-support mediation methods using software, with zero storage and zero transmission of raw biometric sample data.
When a person is in need of health support services, and especially when in urgent need, either (a) he or she is readily identifiable without biometric techniques, or (b) he or she is not so readily identifiable. In the latter event, it is commonly desirable for qualified EMRs to be able to identify the person or to use an individual-specific identifier to request that person's data or profile. To this end, a method using software may be enabled to process remote requests to ascertain identification or other personal data, such as profiles, securely and privately, by harnessing the associative, disambiguating, or distinguishing capabilities of biometric data techniques. The methods may rely on conventional access or wireless networks to transmit a request over data networks and via server facilities to convert a request into a query. Ordinarily mediation is invoked when an EMR presupposes that a person is a likely registrant, and seeks to substantiate this assumption. Conversely, the participation by a registrant in any of these mediation methods indicates the registrant's consent, express or implied, to permit limited disclosure or transfer of personal data like profile content to some remote EMRs under applicable rules.
One of the goals of the invention is to enable mediation of such a request, and processing thereof, entirely free of material risks of any compromise of an actual or potential registrant's raw biometric sample data. The set of methods described below are designed using acts without any sharing of data that may be traced back to, or may be reversible into, raw biometric data. Reliance by a server system upon data that is reversible, directly or indirectly, into any registrant-specific part of a raw biometric data would raise untenable or avoidable risk that privacy-sensitive biometric data may be detected, deciphered, misused, or reconstructed by others, who are without registrant-granted privileges to do so.