DISA, HHS Brainstorming Behavioral-Based Identity Pilot


The end goal would be a device that recognizes the user based on hundreds of behaviors.

Health and Human Services Department is collaborating with the Defense Information Systems Agency to develop and test using behavioral-based identity at the edge of a network to transform the way people—and particularly, first responders and health officials—log in and secure their work. 

HHS’ Chief Information Officer Jose Arrieta briefly detailed the project at Nextgov’s Emerging Technology Summit in Washington Wednesday. After the initial success of HHS Accelerate, the government’s first-ever blockchain-powered authority to operate, he said DISA insiders reached out because they were interested in the work his team was doing and wanted to possibly collaborate on an applicable idea. 

Arrieta was upfront about the complexity and revolutionary potential of the project. 

“I have to be honest with you, when we first met it really took me about 15 minutes to actually understand what we were talking about,” Arrieta said. 

Here’s the idea in layman’s terms: Instead of using passwords, usernames and other forms of complex but insecure options to authenticate identity, there is a way to create line identity on the edge of a network through a connected device and using 240 different behavioral characteristics.

“So it’s 240 behavioral-based characteristics that actually, instead of user ID and password, provide access to your network,” Arrieta said. “I am taking a record and recording behavior as I use the phone.”

The characteristics include everything from biometrics like people’s irises, fingerprints and facial scans commonly used to unlock devices, all the wireless devices they’re commonly connected to, the humidity and temperature reads from outdoors, the apps they use and when and how they access them, who they communicate with, their heart rates, and many other characteristics that define them and can, therefore, secure their identity, in a way that Arrieta thinks is much better than IDs and passwords. With that information, officials can give certain people access to certain networks based on their behavioral records.

Arrieta said they can store someone’s identity itself directly on that wireless device and use a corresponding hash to open up access to a broader network. 

“And unless you can mimic my iris, the way that I walk, the way that I talk, my facial scan, thumbprint, all those 240 different behavioral-based characteristics, you can’t get access to the network itself,” he said. 

Arrieta saw an immediate opportunity to help public health officials and first responders who use multiple devices to receive information in urgent situations, all of which have two-factor authentication that can sometimes hold them up from rapidly doing what’s needed most. 

“I thought, ‘oh geez, if I could get them a wireless device and that used behavior-based identity to provide that access that would be empowering, that would streamline the log-in and allow them to focus on their jobs,’” he said. 

And as the internet of things evolves and health professionals use more and more IoT connected and enabled tools, he also sees the potentially enhanced security that could come from having a behavioral-based device as an access point to a network. 

“I think it’s very powerful because it limits the power and I am not saying anything in particular— and you can let your imagination run wild and I am not going to answer any questions on this— but it limits the power of whoever the infrastructure provider is,” he said.

The agencies are going to do a proof, which the CIO said will be a low-cost endeavor that could really pay off through the opportunity it offers to help first responders and share broader lessons learned about innovation with America’s health community. 

The teams are currently in the brainstorming stages of how to test it with HHS’ distributed network and put it to use.