J Med Syst (2014) 38:19 DOI 10.1007/s10916-014-0019-z
RESEARCH ARTICLE
Radio Frequency Identification (RFID) in Health Care: Privacy and Security Concerns Limiting Adoption Benjamin P. Rosenbaum
Received: 6 November 2013 / Accepted: 24 February 2014 # Springer Science+Business Media New York 2014
Abstract Radio frequency identification (RFID) technology has been implemented in a wide variety of industries. Health care is no exception. This article explores implementations and limitations of RFID in several health care domains: authentication, medication safety, patient tracking, and blood transfusion medicine. Each domain has seen increasing utilization of unique applications of RFID technology. Given the importance of protecting patient and data privacy, potential privacy and security concerns in each domain are discussed. Such concerns, some of which are inherent to existing RFID hardware and software technology, may limit ubiquitous adoption. In addition, an apparent lack of security standards within the RFID domain and specifically health care may also hinder the growth and utility of RFID within health care for the foreseeable future. Safeguarding the privacy of patient data may be the most important obstacle to overcome to allow the health care industry to take advantage of the numerous benefits RFID technology affords. Keywords Authentication . Medication safety . Patient tracking . Blood transfusion medicine . HIPAA
services, the food industry, and health care [1]. RFID technology can improve data reliability, access, quality, and efficiency in a cost-effective manner. Unfortunately, however, RFID has limitations in terms of data privacy and may not be an entirely secure solution in health care. RFID implementation in health care is becoming more prevalent. Health care implementations of RFID include managing patient locations, employees, equipment, medications, records, resource tracking, and authentication [2, 3]. With RFID, health care data can be transferred and stored in an automated fashion using computer software. As a result, RFID technology is useful in tracking assets as they move throughout a health care organization (e.g., equipment, employees, merchandise, medications, patients, etc.). This articles looks at various RFID implementations in health care including user authentication, medication safety, patient tracking, and blood transfusion medicine. The paper focuses specifically on privacy and security concerns for RFID technology and how health care implementation may be limited as a result. An apparent lack of security standards within the RFID domain and specifically health care may hinder the growth and utility of RFID within health care for the foreseeable future.
Introduction Radio frequency identification (RFID) is a technology that provides significant utility in society including supply chain, shipping, manufacturing, toll ways, retail commerce, library B. P. Rosenbaum Department of Medical Informatics & Clinical Epidemiology, Oregon Health & Science University, Portland, OR, USA B. P. Rosenbaum (*) Department of Neurosurgery, Neurological Institute, Cleveland Clinic, S-40, 9500 Euclid Avenue, Cleveland, OH 44195, USA e-mail: [email protected]
Background RFID technology utilizes radio frequency waves to transfer and collect data [2, 4, 5]. In an RFID system, there is typically a transponder (i.e., “tag”), a tag reader, and a database or software application. RFID tags consist of a microchip and a coupling element (e.g., antenna coil) for communication. Data transmission occurs between 10 m (for passive tags—most common) and 1,000 m (for active tags) [5]. Data stored on the tag memory are communicated along with the location of the associated asset. Tag memory may be read-only or rewritable
19, Page 2 of 6
J Med Syst (2014) 38:19
and typically contain 96 bits of storage. AutoID Labs proposed a class system to characterize RFID tags based on their function and memory capability [6]. The AutoID Labs class system demonstrates the flexibility of RFID tag technology currently available to use in various applications. In contrast to barcode technology, RFID technology does not require lineof-sight for transmitting data, which is one of its most desirable attributes. In addition, data may be read automatically through non-conducting material. Finally, multiple data points can be captured simultaneously. RFID tags are small and can be incorporated in a variety of physical form factors. A variety of computer hardware technology (e.g., smart phones, desktop computers, mobile computers, personal assistants, handheld readers, and fixed-point readers) can easily implement hardware and software to read RFID tags and store data. Data transmission is typically conducted following International Organization for Standardization (ISO) standard 15693 [7]. Beyond limited security provisions in ISO 15693, no universal validation, authentication, or encryption protocols exist to obscure data transmitted between RFID asset tags and readers. As a result of a lack of standardization, significant privacy and security concerns pervade and arguably limit the RFID domain.
Privacy and security of RFID technology A number of groups have looked at the privacy and security implications of RFID technology, particularly in the low cost domain where health care lies [8–12, 5, 13]. For example, Weis et al. published a Master thesis and manuscript on RFID privacy and security [5, 13]. Privacy concerns in RFID technology stem mainly from unauthorized data detection/ interception or counterfeiting sensitive unencrypted data contained within RFID tags. Table 1 lists specific types of privacy and security vulnerabilities and representative examples. Why have privacy and security concerns been difficult to combat thus far? In large part, the cost per RFID tag is a constraint that limits the amount of encrypted data a tag may contain. In addition, RFID tags may be subject to physical
attack and operate in insecure environments. In particular, most tags’ reliance on wireless interface opens vulnerabilities to fault induction, timing attacks, and power analysis attacks [5]. Data privacy is an important consideration in the health care domain. The Health Insurance Portability and Accountability Act (HIPAA) specifies that 18 protected health identifiers (PHI) be de-identified or anonymized when data are shared publicly. RFID implementations, for example, store patient identifiers when used in blood transfusion medicine [14–17] and patient tracking [18–20]. Utilizing RFID tags that store unencrypted patient information (e.g., name, date of birth, or medical record number) could be interpreted as a violation of the HIPAA PHI regulations given that passive RFID tag readers could be used, at the very least, to eavesdrop (Table 1). Such concerns are not unique to health care [1] with a variety of analogous contextual implications in other domains; however, the HIPAA PHI regulations mandate data privacy. Beyond RFID tag limitations, readers also pose security vulnerabilities. RFID readers may receive responses from multiple tags simultaneously with conflicting communication signals causing interference or collisions [5]. Anti-collision algorithms can and must be employed, but such algorithms are limited given restricted computing power of readers. In addition, liquid and metal materials decrease the read rate and range of devices [21]. Decoy attacks involve replacing insecure RFID tag data with data from the attacker. In data encryption attempts, power consumption of encryption engines is also an important consideration [10]. In more general terms beyond individual RFID tag and reader limitations, Ranasinghe et al. demonstrate five systematic security risks: message confidentiality, message integrity, authentication, non-repudiation, and availability [10]. Each risk represents a different point of vulnerability in the communication of a tag, its data, and the RIFD reader. A major concern in the data transmission chain is eavesdropping and current standards that do not require reader or tag authentication. Physical attacks can also be used to create fake labels for spoofing or generating numerous labs to create a denial of
Table 1 Examples of RFID privacy and security vulnerabilities [5] Vulnerability
Example
Cost The cost of manufacturing and implementing RFID tags may limit the amount of privacy and security controls incorporated Counterfeiting or decoy RFID tags may be read and identical counterfeit tags created Denial of service (DOS) With a limit to the number of RFID tags that can be read simultaneously, a saboteur can overwhelm traffic with radio frequency signals or RFID tags Eavesdropping Listening to unencrypted data transfer Physical attack Tampering with RFID tags may leave them invalid (e.g., fault induction, timing, and power analysis attacks) Spoofing RFID tags with different data can be created and replace authentic tags Traffic analysis Data transfer can be analyzed to determine location
J Med Syst (2014) 38:19
service. As a result, low-cost data encryption is a method that can combat many of the systematic limitations.
RFID adoption in health care Yao et al. note that RFID adoption in health care has not been as striking as anticipated [2]. Limitations to adoption include cost, uncertain return on investment, privacy concerns, interference with medical devices, and lack of standards [4]. An RFID reader typically provides the power source and can be a likely source of interference with other medical devices. Testing interference in multiple health care domains becomes challenging. When the RFID tag is powered, range is improved, and readers require less power and improve interference [4]. The tradeoff for powered tags is cost of implementation, however. RFID and wireless personal area networks (WPANs) share frequencies in the 915-MHz and 2,450-MHz bands, which causes limitations when numerous RFID readers are receiving data simultaneously [4]. As a result, data transfer can be slow, incomplete, or inaccurate. Until such obstacles are overcome, RFID implementation in health care may continue to be underwhelming. The following sections describe various implementations of RFID technology in the health care setting, which demonstrate potential of RFID technology should the widespread security limitations be overcome. Authentication RFID in health care authentication has the ability to improve convenience and reliability perhaps at the expense of privacy and security. User authentication is a frequent, pervasive, and timeconsuming process in the era of electronic resources in health care. A satisfactory tradeoff between convenience and privacy is necessary to improve adoption rates. Wu et al. propose an RFID authentication scheme to improve privacy and security [7]. The authors argue that existing health care environments lack secure authentication systems and RFID in the health care domain introduces concerns of confidentiality, unforgeability (tag or reader), location privacy, and scalability. The authors propose an encrypted protocol to achieve both location privacy and scalability. The solution involves an RFID tag with computational capability, atypical for most current implementations. Cost considerations are likely to be a significant hindrance in adoption of more rigorous security protocols and henceforth widespread RFID adoption in the authentication domain. Medication safety Inpatient medication administration is a critical process in health care whereby privacy and security vulnerabilities must be minimized as much as possible. Numerous examples of
Page 3 of 6, 19
RFID technology implementations for improving medication safety exist [22, 23, 19, 24–27]. Rarely is data privacy discussed in such examples of medication administration aided by RFID technology. In 2009, Huang et al. introduced a grouping proof protocol to verify RFID tags on patient bracelets and medication containers [28]. Unfortunately, the proof was later found to suffer from denial of service (DOS) and replay attacks. Yu et al. subsequently demonstrated increased security using a lightweight binding proof protocol for RFID and medication authentication and verification [29]. The protocol focuses on using existing low-cost RFID tags while increasing security measures. Additional protocols focused on privacy, security, and safety have also been proposed [30, 31]. For example, Chen et al. propose a tamper resistant prescription RFID access control protocol [32]. The protocol authenticates the RFID reader and tags with one-way hash and encrypted data. In addition, a challenge-response method is employed to avoid replay attacks. Given the importance of medication safety and associated privacy and security concerns, there is a need to create secure RFID protocols in this domain. Patient tracking Min and Yih demonstrate successful passive RFID patient tracking in an outpatient clinic [33]. The authors identify that raw data captured contain noise and missing reads, which prevents determination of tag location at a rate of 60–70 % of that of an ideal rate. A fuzzy logic method was proposed to help reduce the rates of false positives and negatives. With data uncertainty, however, patient tracking in health care has limited utility. Sandberg et al. demonstrate an RFID system used to track patients who enter the wrong operating room and alert the medical team [34]. Others have looked at similar implementations in asset tracking in the operating room [20, 35]. Sandberg et al. compared patient location with an automated RFID system to an expected process model. Using the RFID system, all wrong operating room events were detected and patients re-assigned within 30 seconds. Marjamaa et al. report improved timestamp documentation with RFIDautomated processes as compared to traditional manual process, but still with errors [20]. In such an implementation, what is acceptable? The potential for RFID to improve patient tracking in multi-disciplinary health care organizations is vast, however significant limitations must be overcome. Blood transfusion medicine RFID technology has been successfully implemented in blood transfusion medicine [36, 17, 37, 15, 16, 14, 38]. Briggs et al. conducted a feasibility study to evaluate the technical and economic feasibility of implementing RFID technology in the blood transfusion supply chain [36]. The study
19, Page 4 of 6
demonstrated that large hospitals would recover investment costs within 2 to 3 years along with reducing morbidity and mortality among patients receiving transfusions. No privacy or security safeguards were discussed, however. Hohberger et al. describe RFID acceptance by the International Society for Blood Transfusion (ISBT) and the Food and Drug administration (FDA) to integrate and augment barcode data on blood products [17]. The technology described is the first FDA-permitted implementation throughout all blood transfusion phases, from donation to transfusion. The authors describe a guiding principle in blood transfusion medicine that a blood product label should contain all key data about product in case database access is not available in a disaster or in battle. RFID technology utilized is passive and complies with 2000 ISBT Code 128 for blood product labeling. In addition, a checksum is stored on the RFID tag for data verification. Prior to implementation, safety testing verified no adverse effects on blood products from radio frequency exposure. Once an RFID tag is read and verified against a patient order, the recipient patient’s information (e.g., patient identifier and date of birth) is stored on the RFID tag. At the conclusion of transfusion, patient data are deleted from the RFID tag by the nurse or cleared if the transfusion does not occur for some reason. Unfortunately, Hohberger et al. do not describe any privacy or security precautions in the implementation of RFID technology in blood bank medicine. They might argue, on one hand, that existing bar code technology does not offer privacy protection and RFID technology is designed to augment bar codes. Unlike bar code technology, however, RFID data are easier to eavesdrop upon at much farther range without lineof-sight. Even more unique is that recipient patient data are stored on the RFID tag once the blood product is verified to the patient’s blood type and clinical transfusion order. Eavesdropping or spoofing a blood product tag would elicit significant privacy and safety concerns.
RFID implementation: Lessons learned Wang et al. describe development strategy, design, and implementation of an RFID health care application [39]. The authors recognize that RFID implementation in health care is forthcoming but potential pitfalls exist given the relevant lack of experience in comparison to other domains. From an RFID implementation case study, the authors share several important lessons. First, data transmission and interference can be affected by the physical environment and sufficient testing must be performed to assess RFID tags in the local environment. Next, the authors describe how their system was designed with a modern database. Within minutes of implementation, however, the system had to be shut down because the data received were overwhelming. New rules had to be established and implemented for which data were stored.
J Med Syst (2014) 38:19
Finally, the value must be clear. RFID technology is argued to be an infrastructure technology but value comes from data captured and analyzed in underlying applications. Ting et al. describe lessons learned from implementing an RFID-enabled health care management system [40]. The authors present an 11 step framework to follow when implementing RFID technology in the health care domain. The suggestion is division into preparation, implementation, and maintenance stages. In addition, security and permissions configuration are a critical step in the design to ensure effective communication. And, importantly, ongoing system monitoring and evaluation of performance are necessary to ensure a well-functioning system. Specific lessons shared include adequate testing of hazardous interference, setting user expectations that RFID may sometimes have low readability, formulating a sound business plan, and conducting risk management and emergency planning.
Future Given the sensitive nature of protected health information in health care, RFID tags with unencrypted patient data and data transmission put organizations and patients at risk of privacy breaches by a number of the aforementioned strategies (Table 1). In addition, patient safety such as in the case with blood transfusion could also be jeopardized. The future is likely to establish a standard in RFID data storage and encryption, particularly in the health care domain. Such a standard would provide a framework upon which numerous organizations could effectively and securely utilize RFID technology to improve patient care and quality. The solution to a potential DOS attack is not readily apparent. In fact, the DOS paradigm may preclude widespread adoption of RFID technology in critical health care applications altogether. If RFID technology is the standard upon which a critical process relies, a DOS attack would have significant consequences. As a result, RFID technology may indefinitely remain a technology used to augment critical applications or fill a void in a convenience area where interruption in service could be accommodated or tolerated. In addition, any implementations in which read errors or medical device interference occur would be limiting in the health care domain unless errors could be tolerated. Lifecritical applications likely could not accommodate such uncertainty. Processes that are limited in complexity and data transfer are likely to have success with RFID technology.
Conclusion RFID technology is becoming more prevalent in health care to assist asset tracking, localization, medication safety, and user
J Med Syst (2014) 38:19
authentication. RFID technology has, however, not been implemented as quickly as anticipated likely due, in part, to privacy and security concerns [2]. Current RFID technology in health care seems to often overlook privacy and security concerns and focus on quality and process improvement [41, 3, 42]. Unknowingly, driving too quickly toward process improvement may shift the focus away from privacy and security. Such misguided focus may permanently limit the success and widespread adoption of RFID technology in health care. In addition to RFID technology assisting with process improvement, the aforementioned examples of RFID implementations and privacy and security concerns must be considered in implementations going forward. Ethicists argue to quickly focus on privacy concerns of RFID in health care [43, 44]. But cost may limit feasibility and practicality of security advances. Proof of concept of effective implementations has been demonstrated for RFID implementation in health care. Further development efforts should include privacy as a main concern. Arguably, the most important obstacle to widespread RFID implementation in health care is safeguarding the privacy of patient data [45]. Not all privacy and security issues may need to be addressed at each organization, but an awareness of the potential pitfalls and special requirements in the health care domain is required. The benefit, safety, and convenience of RFID technology must be weighed against the privacy risks and cost of effective implementation.
Conflict of Interest The author confirms he has no conflicts to report. Financial Support and Industry Affiliations The author reports no personal or institutional financial interest in medications, materials, or devices described in the manuscript.
References 1. Kumar, P., Reinitz, H. W., Simunovic, J., Sandeep, K. P., and Franzon, P. D., Overview of RFID technology and its applications in the food industry. J. Food Sci. 74(8):R101–R106, 2009. 2. Yao, W., Chu, C. H., and Li, Z., The adoption and implementation of RFID technologies in healthcare: A literature review. J. Med. Syst. 36(6):3507–3525, 2012. 3. Mehrjerdi, Y. Z., Radio frequency identification: The big role player in health care management. J. Health Organ. Manag. 25(5):490–505, 2011. 4. Ashar, B. S., and Ferriter, A., Radiofrequency identification technology in health care: Benefits and potential risks. Jama 298(19):2305– 2307, 2007. 5. Weis, S. A. Security and Privacy in Radio-Frequency Identification Devices. Massachusetts Institute of Technology, 2003. 6. Auto-ID. Auto-ID Labs. http://www.autoidlabs.org/. Accessed 6 November 2013, 2013.
Page 5 of 6, 19 7. Wu, Z. Y., Chen, L., and Wu, J. C., A reliable RFID mutual authentication scheme for healthcare environments. J. Med. Syst. 37(2): 9917, 2013. 8. Hwang, M. S., Wei, C. H., and Lee, C. Y., Privacy and security requirements for RFID applications. J. Comput. 20(3):55–60, 2009. 9. Juels, A., and Pappu, R. Squealing Euros: privacy protection in RFID-enabled banknotes. In: Computer Aided Verification. Springer, pp 103–121, 2003. 10. Ranasinghe, D., Engels, D., and Cole, P. Low-cost RFID systems: confronting security and privacy. In: Auto-ID Labs Research Workshop. Citeseer, pp 54–77, 2004. 11. Sarma, S., Weis, S., and Engels, D., RFID systems and security and privacy implications. Cryptographic Hardw. Embed. Syst. CHES 2002:1–19, 2003. 12. Sarma, S. E., Weis, S. A., and Engels, D. Radio-frequency-identification security risks and challenges. Cryptobytes 6(1):1–9, 2003. 13. Weis, S., Sarma, S., Rivest, R., and Engels, D. Security and privacy aspects of low-cost radio frequency identification systems. Secur. Pervasive Comput. 2802:50–59, 2004. 14. Sandler, S. G., Langeberg, A., DeBandi, L., Gibble, J., Wilson, C., and Feldman, C. L., Radiofrequency identification technology can standardize and document blood collections and transfusions. Transfusion 47(5):763–770, 2007. 15. Knels, R., Radio frequency identification (RFID): An experience in transfusion medicine. ISBT Sci. Ser. 1(1):238–241, 2006. 16. Sandler, S. G., Langeberg, A., Carty, K., and Dohnalek, L. J., Bar code and radio-frequency technologies can increase safety and efficiency of blood transfusions. Lab Med. 37(7):436–439, 2006. 17. Hohberger, C., Davis, R., Briggs, L., Gutierrez, A., and Veeramani, D., Applying radio-frequency identification (RFID) technology in transfusion medicine. Biologicals 40(3):209–213, 2012. 18. Aguilar, A., van der Putten, W., Kirrane, F., Positive patient identification using RFID and wireless networks. In: HISI 11th Annual Conference and Scientific Symposium, Dublin, Ireland, 2006 19. Martinez Perez, M., Cabrero-Canosa, M., Vizoso Hermida, J., Carrajo Garcia, L., Llamas Gomez, D., Vazquez Gonzalez, G., and Martin Herranz, I., Application of RFID technology in patient tracking and medication traceability in emergency care. J. Med. Syst. 36(6):3983–3993, 2012. 20. Marjamaa, R. A., Torkki, P. M., Torkki, M. I., and Kirvela, O. A., Time accuracy of a radio frequency identification patient tracking system for recording operating room timestamps. Anesth. Analg. 102(4):1183–1186, 2006. 21. Sydanheimo, L., Ukkonen, L., and Kivikoski, M., Effects of size and shape of metallic objects on performance of passive radio frequency identification. Int. J. Adv. Manuf. Technol. 30(9):897–905, 2006. 22. Chien, H. Y., Yang, C. C., Wu, T. C., and Lee, C. F., Two RFID-based solutions to enhance inpatient medication safety. J. Med. Syst. 35(3): 369–375, 2011. 23. Lahtela, A., and Saranto, K., RFID and medication care. Stud. Health Technol. Inform. 146:747–748, 2009. 24. Peris-Lopez, P., Orfila, A., Mitrokotsa, A., and van der Lubbe, J. C., A comprehensive RFID solution to enhance inpatient medication safety. Int. J. Med. Inform. 80(1):13–24, 2011. 25. Sun, P. R., Wang, B. H., and Wu, F., A new method to guard inpatient medication safety by the implementation of RFID. J. Med. Syst. 32(4):327–332, 2008. 26. Wu, S., Chen, K., and Zhu, Y., A secure lightweight RFID binding proof protocol for medication errors and patient safety. J. Med. Syst. 36(5):2743–2749, 2012. 27. Wu, F., Kuo, F., and Liu, L.-W. The application of RFID on drug safety of inpatient nursing healthcare. In: Proceedings of the 7th International Conference on Electronic Commerce. ACM, pp 85– 92, 2005. 28. Huang, H. H., and Ku, C. Y., A RFID grouping proof protocol for medication safety of inpatient. J. Med. Syst. 33(6):467–474, 2009.
19, Page 6 of 6 29. Yu, Y. C., Hou, T. W., and Chiang, T. C., Low cost RFID real lightweight binding proof protocol for medication errors and patient safety. J. Med. Syst. 36(2):823–828, 2012. 30. Chen, C. L., and Wu, C. Y., Using RFID yoking proof protocol to enhance inpatient medication safety. J. Med. Syst. 36(5):2849–2864, 2012. 31. Lin, Q., and Zhang, F., ECC-based grouping-proof RFID for inpatient medication safety. J. Med. Syst. 36(6):3527–3531, 2012. 32. Chen, Y. Y., Huang, D. C., Tsai, M. L., and Jan, J. K., A design of tamper resistant prescription RFID access control system. J. Med. Syst. 36(5):2795–2801, 2012. 33. Min, D., and Yih, Y., Fuzzy logic-based approach to detecting a passive RFID tag in an outpatient clinic. J. Med. Syst. 35(3):423–432, 2011. 34. Sandberg, W. S., Hakkinen, M., Egan, M., Curran, P. K., Fairbrother, P., Choquette, K., Daily, B., Sarkka, J. P., and Rattner, D., Automatic detection and notification of “wrong patient-wrong location” errors in the operating room. Surg. Innov. 12(3):253–260, 2005. 35. Agarwal, S., Joshi, A., Finin, T., Yesha, Y., and Ganous, T., A pervasive computing system for the operating room of the future. Mob. Netw. Appl. 12(2):215–228, 2007. 36. Briggs, L., Davis, R., Gutierrez, A., Kopetsky, M., Young, K., and Veeramani, R., RFID in the blood supply chain–increasing productivity, quality and patient safety. J. Healthc. Inf. Manag. 23(4):54–63, 2009. 37. Dzik, S., Radio frequency identification for prevention of bedside errors. Transfusion 47(2 Suppl):125S–129S, 2007. discussion 130S-131S.
J Med Syst (2014) 38:19 38. Wicks, A. M., Visich, J. K., and Li, S., Radio frequency identification applications in hospital environments. Hosp. Top. 84(3):3–9, 2006. 39. Wang, S. W., Chen, W. H., Ong, C. S., Liu, L., and Chuang, Y. W. RFID application in hospitals: a case study on a demonstration RFID project in a Taiwan hospital. In: System Sciences. HICSS’06. Proceedings of the 39th Annual Hawaii International Conference on, 2006. IEEE, pp 184a–184a, 2006. 40. Ting, S. L., Kwok, S. K., Tsang, A. H., and Lee, W. B., Critical elements and lessons learnt from the implementation of an RFIDenabled healthcare management system in a medical organization. J. Med. Syst. 35(4):657–669, 2011. 41. Kumar, S., Livermont, G., and McKewan, G., Stage implementation of RFID in hospitals. Technol. Health Care 18(1):31–46, 2010. 42. Southard, P. B., Chandra, C., and Kumar, S., RFID in healthcare: A Six Sigma DMAIC and simulation case study. Int. J. Health Care Qual. Assur. 25(4):291–321, 2012. 43. Anderson, A. M., and Labay, V., Ethical considerations and proposed guidelines for the use of radio frequency identification: Especially concerning its use for promoting public safety and national security. Sci. Eng. Ethics 12(2):265–272, 2006. 44. Foster, K. R., and Jaeger, J., Ethical implications of implantable radiofrequency identification (RFID) tags in humans. Am. J. Bioeth. 8(8):44–48, 2008. 45. Fisher, J. A., and Monahan, T., Tracking the social dimensions of RFID systems in hospitals. Int. J. Med. Inform. 77(3):176–183, 2008.
RESEARCH ARTICLE
Radio Frequency Identification (RFID) in Health Care: Privacy and Security Concerns Limiting Adoption Benjamin P. Rosenbaum
Received: 6 November 2013 / Accepted: 24 February 2014 # Springer Science+Business Media New York 2014
Abstract Radio frequency identification (RFID) technology has been implemented in a wide variety of industries. Health care is no exception. This article explores implementations and limitations of RFID in several health care domains: authentication, medication safety, patient tracking, and blood transfusion medicine. Each domain has seen increasing utilization of unique applications of RFID technology. Given the importance of protecting patient and data privacy, potential privacy and security concerns in each domain are discussed. Such concerns, some of which are inherent to existing RFID hardware and software technology, may limit ubiquitous adoption. In addition, an apparent lack of security standards within the RFID domain and specifically health care may also hinder the growth and utility of RFID within health care for the foreseeable future. Safeguarding the privacy of patient data may be the most important obstacle to overcome to allow the health care industry to take advantage of the numerous benefits RFID technology affords. Keywords Authentication . Medication safety . Patient tracking . Blood transfusion medicine . HIPAA
services, the food industry, and health care [1]. RFID technology can improve data reliability, access, quality, and efficiency in a cost-effective manner. Unfortunately, however, RFID has limitations in terms of data privacy and may not be an entirely secure solution in health care. RFID implementation in health care is becoming more prevalent. Health care implementations of RFID include managing patient locations, employees, equipment, medications, records, resource tracking, and authentication [2, 3]. With RFID, health care data can be transferred and stored in an automated fashion using computer software. As a result, RFID technology is useful in tracking assets as they move throughout a health care organization (e.g., equipment, employees, merchandise, medications, patients, etc.). This articles looks at various RFID implementations in health care including user authentication, medication safety, patient tracking, and blood transfusion medicine. The paper focuses specifically on privacy and security concerns for RFID technology and how health care implementation may be limited as a result. An apparent lack of security standards within the RFID domain and specifically health care may hinder the growth and utility of RFID within health care for the foreseeable future.
Introduction Radio frequency identification (RFID) is a technology that provides significant utility in society including supply chain, shipping, manufacturing, toll ways, retail commerce, library B. P. Rosenbaum Department of Medical Informatics & Clinical Epidemiology, Oregon Health & Science University, Portland, OR, USA B. P. Rosenbaum (*) Department of Neurosurgery, Neurological Institute, Cleveland Clinic, S-40, 9500 Euclid Avenue, Cleveland, OH 44195, USA e-mail: [email protected]
Background RFID technology utilizes radio frequency waves to transfer and collect data [2, 4, 5]. In an RFID system, there is typically a transponder (i.e., “tag”), a tag reader, and a database or software application. RFID tags consist of a microchip and a coupling element (e.g., antenna coil) for communication. Data transmission occurs between 10 m (for passive tags—most common) and 1,000 m (for active tags) [5]. Data stored on the tag memory are communicated along with the location of the associated asset. Tag memory may be read-only or rewritable
19, Page 2 of 6
J Med Syst (2014) 38:19
and typically contain 96 bits of storage. AutoID Labs proposed a class system to characterize RFID tags based on their function and memory capability [6]. The AutoID Labs class system demonstrates the flexibility of RFID tag technology currently available to use in various applications. In contrast to barcode technology, RFID technology does not require lineof-sight for transmitting data, which is one of its most desirable attributes. In addition, data may be read automatically through non-conducting material. Finally, multiple data points can be captured simultaneously. RFID tags are small and can be incorporated in a variety of physical form factors. A variety of computer hardware technology (e.g., smart phones, desktop computers, mobile computers, personal assistants, handheld readers, and fixed-point readers) can easily implement hardware and software to read RFID tags and store data. Data transmission is typically conducted following International Organization for Standardization (ISO) standard 15693 [7]. Beyond limited security provisions in ISO 15693, no universal validation, authentication, or encryption protocols exist to obscure data transmitted between RFID asset tags and readers. As a result of a lack of standardization, significant privacy and security concerns pervade and arguably limit the RFID domain.
Privacy and security of RFID technology A number of groups have looked at the privacy and security implications of RFID technology, particularly in the low cost domain where health care lies [8–12, 5, 13]. For example, Weis et al. published a Master thesis and manuscript on RFID privacy and security [5, 13]. Privacy concerns in RFID technology stem mainly from unauthorized data detection/ interception or counterfeiting sensitive unencrypted data contained within RFID tags. Table 1 lists specific types of privacy and security vulnerabilities and representative examples. Why have privacy and security concerns been difficult to combat thus far? In large part, the cost per RFID tag is a constraint that limits the amount of encrypted data a tag may contain. In addition, RFID tags may be subject to physical
attack and operate in insecure environments. In particular, most tags’ reliance on wireless interface opens vulnerabilities to fault induction, timing attacks, and power analysis attacks [5]. Data privacy is an important consideration in the health care domain. The Health Insurance Portability and Accountability Act (HIPAA) specifies that 18 protected health identifiers (PHI) be de-identified or anonymized when data are shared publicly. RFID implementations, for example, store patient identifiers when used in blood transfusion medicine [14–17] and patient tracking [18–20]. Utilizing RFID tags that store unencrypted patient information (e.g., name, date of birth, or medical record number) could be interpreted as a violation of the HIPAA PHI regulations given that passive RFID tag readers could be used, at the very least, to eavesdrop (Table 1). Such concerns are not unique to health care [1] with a variety of analogous contextual implications in other domains; however, the HIPAA PHI regulations mandate data privacy. Beyond RFID tag limitations, readers also pose security vulnerabilities. RFID readers may receive responses from multiple tags simultaneously with conflicting communication signals causing interference or collisions [5]. Anti-collision algorithms can and must be employed, but such algorithms are limited given restricted computing power of readers. In addition, liquid and metal materials decrease the read rate and range of devices [21]. Decoy attacks involve replacing insecure RFID tag data with data from the attacker. In data encryption attempts, power consumption of encryption engines is also an important consideration [10]. In more general terms beyond individual RFID tag and reader limitations, Ranasinghe et al. demonstrate five systematic security risks: message confidentiality, message integrity, authentication, non-repudiation, and availability [10]. Each risk represents a different point of vulnerability in the communication of a tag, its data, and the RIFD reader. A major concern in the data transmission chain is eavesdropping and current standards that do not require reader or tag authentication. Physical attacks can also be used to create fake labels for spoofing or generating numerous labs to create a denial of
Table 1 Examples of RFID privacy and security vulnerabilities [5] Vulnerability
Example
Cost The cost of manufacturing and implementing RFID tags may limit the amount of privacy and security controls incorporated Counterfeiting or decoy RFID tags may be read and identical counterfeit tags created Denial of service (DOS) With a limit to the number of RFID tags that can be read simultaneously, a saboteur can overwhelm traffic with radio frequency signals or RFID tags Eavesdropping Listening to unencrypted data transfer Physical attack Tampering with RFID tags may leave them invalid (e.g., fault induction, timing, and power analysis attacks) Spoofing RFID tags with different data can be created and replace authentic tags Traffic analysis Data transfer can be analyzed to determine location
J Med Syst (2014) 38:19
service. As a result, low-cost data encryption is a method that can combat many of the systematic limitations.
RFID adoption in health care Yao et al. note that RFID adoption in health care has not been as striking as anticipated [2]. Limitations to adoption include cost, uncertain return on investment, privacy concerns, interference with medical devices, and lack of standards [4]. An RFID reader typically provides the power source and can be a likely source of interference with other medical devices. Testing interference in multiple health care domains becomes challenging. When the RFID tag is powered, range is improved, and readers require less power and improve interference [4]. The tradeoff for powered tags is cost of implementation, however. RFID and wireless personal area networks (WPANs) share frequencies in the 915-MHz and 2,450-MHz bands, which causes limitations when numerous RFID readers are receiving data simultaneously [4]. As a result, data transfer can be slow, incomplete, or inaccurate. Until such obstacles are overcome, RFID implementation in health care may continue to be underwhelming. The following sections describe various implementations of RFID technology in the health care setting, which demonstrate potential of RFID technology should the widespread security limitations be overcome. Authentication RFID in health care authentication has the ability to improve convenience and reliability perhaps at the expense of privacy and security. User authentication is a frequent, pervasive, and timeconsuming process in the era of electronic resources in health care. A satisfactory tradeoff between convenience and privacy is necessary to improve adoption rates. Wu et al. propose an RFID authentication scheme to improve privacy and security [7]. The authors argue that existing health care environments lack secure authentication systems and RFID in the health care domain introduces concerns of confidentiality, unforgeability (tag or reader), location privacy, and scalability. The authors propose an encrypted protocol to achieve both location privacy and scalability. The solution involves an RFID tag with computational capability, atypical for most current implementations. Cost considerations are likely to be a significant hindrance in adoption of more rigorous security protocols and henceforth widespread RFID adoption in the authentication domain. Medication safety Inpatient medication administration is a critical process in health care whereby privacy and security vulnerabilities must be minimized as much as possible. Numerous examples of
Page 3 of 6, 19
RFID technology implementations for improving medication safety exist [22, 23, 19, 24–27]. Rarely is data privacy discussed in such examples of medication administration aided by RFID technology. In 2009, Huang et al. introduced a grouping proof protocol to verify RFID tags on patient bracelets and medication containers [28]. Unfortunately, the proof was later found to suffer from denial of service (DOS) and replay attacks. Yu et al. subsequently demonstrated increased security using a lightweight binding proof protocol for RFID and medication authentication and verification [29]. The protocol focuses on using existing low-cost RFID tags while increasing security measures. Additional protocols focused on privacy, security, and safety have also been proposed [30, 31]. For example, Chen et al. propose a tamper resistant prescription RFID access control protocol [32]. The protocol authenticates the RFID reader and tags with one-way hash and encrypted data. In addition, a challenge-response method is employed to avoid replay attacks. Given the importance of medication safety and associated privacy and security concerns, there is a need to create secure RFID protocols in this domain. Patient tracking Min and Yih demonstrate successful passive RFID patient tracking in an outpatient clinic [33]. The authors identify that raw data captured contain noise and missing reads, which prevents determination of tag location at a rate of 60–70 % of that of an ideal rate. A fuzzy logic method was proposed to help reduce the rates of false positives and negatives. With data uncertainty, however, patient tracking in health care has limited utility. Sandberg et al. demonstrate an RFID system used to track patients who enter the wrong operating room and alert the medical team [34]. Others have looked at similar implementations in asset tracking in the operating room [20, 35]. Sandberg et al. compared patient location with an automated RFID system to an expected process model. Using the RFID system, all wrong operating room events were detected and patients re-assigned within 30 seconds. Marjamaa et al. report improved timestamp documentation with RFIDautomated processes as compared to traditional manual process, but still with errors [20]. In such an implementation, what is acceptable? The potential for RFID to improve patient tracking in multi-disciplinary health care organizations is vast, however significant limitations must be overcome. Blood transfusion medicine RFID technology has been successfully implemented in blood transfusion medicine [36, 17, 37, 15, 16, 14, 38]. Briggs et al. conducted a feasibility study to evaluate the technical and economic feasibility of implementing RFID technology in the blood transfusion supply chain [36]. The study
19, Page 4 of 6
demonstrated that large hospitals would recover investment costs within 2 to 3 years along with reducing morbidity and mortality among patients receiving transfusions. No privacy or security safeguards were discussed, however. Hohberger et al. describe RFID acceptance by the International Society for Blood Transfusion (ISBT) and the Food and Drug administration (FDA) to integrate and augment barcode data on blood products [17]. The technology described is the first FDA-permitted implementation throughout all blood transfusion phases, from donation to transfusion. The authors describe a guiding principle in blood transfusion medicine that a blood product label should contain all key data about product in case database access is not available in a disaster or in battle. RFID technology utilized is passive and complies with 2000 ISBT Code 128 for blood product labeling. In addition, a checksum is stored on the RFID tag for data verification. Prior to implementation, safety testing verified no adverse effects on blood products from radio frequency exposure. Once an RFID tag is read and verified against a patient order, the recipient patient’s information (e.g., patient identifier and date of birth) is stored on the RFID tag. At the conclusion of transfusion, patient data are deleted from the RFID tag by the nurse or cleared if the transfusion does not occur for some reason. Unfortunately, Hohberger et al. do not describe any privacy or security precautions in the implementation of RFID technology in blood bank medicine. They might argue, on one hand, that existing bar code technology does not offer privacy protection and RFID technology is designed to augment bar codes. Unlike bar code technology, however, RFID data are easier to eavesdrop upon at much farther range without lineof-sight. Even more unique is that recipient patient data are stored on the RFID tag once the blood product is verified to the patient’s blood type and clinical transfusion order. Eavesdropping or spoofing a blood product tag would elicit significant privacy and safety concerns.
RFID implementation: Lessons learned Wang et al. describe development strategy, design, and implementation of an RFID health care application [39]. The authors recognize that RFID implementation in health care is forthcoming but potential pitfalls exist given the relevant lack of experience in comparison to other domains. From an RFID implementation case study, the authors share several important lessons. First, data transmission and interference can be affected by the physical environment and sufficient testing must be performed to assess RFID tags in the local environment. Next, the authors describe how their system was designed with a modern database. Within minutes of implementation, however, the system had to be shut down because the data received were overwhelming. New rules had to be established and implemented for which data were stored.
J Med Syst (2014) 38:19
Finally, the value must be clear. RFID technology is argued to be an infrastructure technology but value comes from data captured and analyzed in underlying applications. Ting et al. describe lessons learned from implementing an RFID-enabled health care management system [40]. The authors present an 11 step framework to follow when implementing RFID technology in the health care domain. The suggestion is division into preparation, implementation, and maintenance stages. In addition, security and permissions configuration are a critical step in the design to ensure effective communication. And, importantly, ongoing system monitoring and evaluation of performance are necessary to ensure a well-functioning system. Specific lessons shared include adequate testing of hazardous interference, setting user expectations that RFID may sometimes have low readability, formulating a sound business plan, and conducting risk management and emergency planning.
Future Given the sensitive nature of protected health information in health care, RFID tags with unencrypted patient data and data transmission put organizations and patients at risk of privacy breaches by a number of the aforementioned strategies (Table 1). In addition, patient safety such as in the case with blood transfusion could also be jeopardized. The future is likely to establish a standard in RFID data storage and encryption, particularly in the health care domain. Such a standard would provide a framework upon which numerous organizations could effectively and securely utilize RFID technology to improve patient care and quality. The solution to a potential DOS attack is not readily apparent. In fact, the DOS paradigm may preclude widespread adoption of RFID technology in critical health care applications altogether. If RFID technology is the standard upon which a critical process relies, a DOS attack would have significant consequences. As a result, RFID technology may indefinitely remain a technology used to augment critical applications or fill a void in a convenience area where interruption in service could be accommodated or tolerated. In addition, any implementations in which read errors or medical device interference occur would be limiting in the health care domain unless errors could be tolerated. Lifecritical applications likely could not accommodate such uncertainty. Processes that are limited in complexity and data transfer are likely to have success with RFID technology.
Conclusion RFID technology is becoming more prevalent in health care to assist asset tracking, localization, medication safety, and user
J Med Syst (2014) 38:19
authentication. RFID technology has, however, not been implemented as quickly as anticipated likely due, in part, to privacy and security concerns [2]. Current RFID technology in health care seems to often overlook privacy and security concerns and focus on quality and process improvement [41, 3, 42]. Unknowingly, driving too quickly toward process improvement may shift the focus away from privacy and security. Such misguided focus may permanently limit the success and widespread adoption of RFID technology in health care. In addition to RFID technology assisting with process improvement, the aforementioned examples of RFID implementations and privacy and security concerns must be considered in implementations going forward. Ethicists argue to quickly focus on privacy concerns of RFID in health care [43, 44]. But cost may limit feasibility and practicality of security advances. Proof of concept of effective implementations has been demonstrated for RFID implementation in health care. Further development efforts should include privacy as a main concern. Arguably, the most important obstacle to widespread RFID implementation in health care is safeguarding the privacy of patient data [45]. Not all privacy and security issues may need to be addressed at each organization, but an awareness of the potential pitfalls and special requirements in the health care domain is required. The benefit, safety, and convenience of RFID technology must be weighed against the privacy risks and cost of effective implementation.
Conflict of Interest The author confirms he has no conflicts to report. Financial Support and Industry Affiliations The author reports no personal or institutional financial interest in medications, materials, or devices described in the manuscript.
References 1. Kumar, P., Reinitz, H. W., Simunovic, J., Sandeep, K. P., and Franzon, P. D., Overview of RFID technology and its applications in the food industry. J. Food Sci. 74(8):R101–R106, 2009. 2. Yao, W., Chu, C. H., and Li, Z., The adoption and implementation of RFID technologies in healthcare: A literature review. J. Med. Syst. 36(6):3507–3525, 2012. 3. Mehrjerdi, Y. Z., Radio frequency identification: The big role player in health care management. J. Health Organ. Manag. 25(5):490–505, 2011. 4. Ashar, B. S., and Ferriter, A., Radiofrequency identification technology in health care: Benefits and potential risks. Jama 298(19):2305– 2307, 2007. 5. Weis, S. A. Security and Privacy in Radio-Frequency Identification Devices. Massachusetts Institute of Technology, 2003. 6. Auto-ID. Auto-ID Labs. http://www.autoidlabs.org/. Accessed 6 November 2013, 2013.
Page 5 of 6, 19 7. Wu, Z. Y., Chen, L., and Wu, J. C., A reliable RFID mutual authentication scheme for healthcare environments. J. Med. Syst. 37(2): 9917, 2013. 8. Hwang, M. S., Wei, C. H., and Lee, C. Y., Privacy and security requirements for RFID applications. J. Comput. 20(3):55–60, 2009. 9. Juels, A., and Pappu, R. Squealing Euros: privacy protection in RFID-enabled banknotes. In: Computer Aided Verification. Springer, pp 103–121, 2003. 10. Ranasinghe, D., Engels, D., and Cole, P. Low-cost RFID systems: confronting security and privacy. In: Auto-ID Labs Research Workshop. Citeseer, pp 54–77, 2004. 11. Sarma, S., Weis, S., and Engels, D., RFID systems and security and privacy implications. Cryptographic Hardw. Embed. Syst. CHES 2002:1–19, 2003. 12. Sarma, S. E., Weis, S. A., and Engels, D. Radio-frequency-identification security risks and challenges. Cryptobytes 6(1):1–9, 2003. 13. Weis, S., Sarma, S., Rivest, R., and Engels, D. Security and privacy aspects of low-cost radio frequency identification systems. Secur. Pervasive Comput. 2802:50–59, 2004. 14. Sandler, S. G., Langeberg, A., DeBandi, L., Gibble, J., Wilson, C., and Feldman, C. L., Radiofrequency identification technology can standardize and document blood collections and transfusions. Transfusion 47(5):763–770, 2007. 15. Knels, R., Radio frequency identification (RFID): An experience in transfusion medicine. ISBT Sci. Ser. 1(1):238–241, 2006. 16. Sandler, S. G., Langeberg, A., Carty, K., and Dohnalek, L. J., Bar code and radio-frequency technologies can increase safety and efficiency of blood transfusions. Lab Med. 37(7):436–439, 2006. 17. Hohberger, C., Davis, R., Briggs, L., Gutierrez, A., and Veeramani, D., Applying radio-frequency identification (RFID) technology in transfusion medicine. Biologicals 40(3):209–213, 2012. 18. Aguilar, A., van der Putten, W., Kirrane, F., Positive patient identification using RFID and wireless networks. In: HISI 11th Annual Conference and Scientific Symposium, Dublin, Ireland, 2006 19. Martinez Perez, M., Cabrero-Canosa, M., Vizoso Hermida, J., Carrajo Garcia, L., Llamas Gomez, D., Vazquez Gonzalez, G., and Martin Herranz, I., Application of RFID technology in patient tracking and medication traceability in emergency care. J. Med. Syst. 36(6):3983–3993, 2012. 20. Marjamaa, R. A., Torkki, P. M., Torkki, M. I., and Kirvela, O. A., Time accuracy of a radio frequency identification patient tracking system for recording operating room timestamps. Anesth. Analg. 102(4):1183–1186, 2006. 21. Sydanheimo, L., Ukkonen, L., and Kivikoski, M., Effects of size and shape of metallic objects on performance of passive radio frequency identification. Int. J. Adv. Manuf. Technol. 30(9):897–905, 2006. 22. Chien, H. Y., Yang, C. C., Wu, T. C., and Lee, C. F., Two RFID-based solutions to enhance inpatient medication safety. J. Med. Syst. 35(3): 369–375, 2011. 23. Lahtela, A., and Saranto, K., RFID and medication care. Stud. Health Technol. Inform. 146:747–748, 2009. 24. Peris-Lopez, P., Orfila, A., Mitrokotsa, A., and van der Lubbe, J. C., A comprehensive RFID solution to enhance inpatient medication safety. Int. J. Med. Inform. 80(1):13–24, 2011. 25. Sun, P. R., Wang, B. H., and Wu, F., A new method to guard inpatient medication safety by the implementation of RFID. J. Med. Syst. 32(4):327–332, 2008. 26. Wu, S., Chen, K., and Zhu, Y., A secure lightweight RFID binding proof protocol for medication errors and patient safety. J. Med. Syst. 36(5):2743–2749, 2012. 27. Wu, F., Kuo, F., and Liu, L.-W. The application of RFID on drug safety of inpatient nursing healthcare. In: Proceedings of the 7th International Conference on Electronic Commerce. ACM, pp 85– 92, 2005. 28. Huang, H. H., and Ku, C. Y., A RFID grouping proof protocol for medication safety of inpatient. J. Med. Syst. 33(6):467–474, 2009.
19, Page 6 of 6 29. Yu, Y. C., Hou, T. W., and Chiang, T. C., Low cost RFID real lightweight binding proof protocol for medication errors and patient safety. J. Med. Syst. 36(2):823–828, 2012. 30. Chen, C. L., and Wu, C. Y., Using RFID yoking proof protocol to enhance inpatient medication safety. J. Med. Syst. 36(5):2849–2864, 2012. 31. Lin, Q., and Zhang, F., ECC-based grouping-proof RFID for inpatient medication safety. J. Med. Syst. 36(6):3527–3531, 2012. 32. Chen, Y. Y., Huang, D. C., Tsai, M. L., and Jan, J. K., A design of tamper resistant prescription RFID access control system. J. Med. Syst. 36(5):2795–2801, 2012. 33. Min, D., and Yih, Y., Fuzzy logic-based approach to detecting a passive RFID tag in an outpatient clinic. J. Med. Syst. 35(3):423–432, 2011. 34. Sandberg, W. S., Hakkinen, M., Egan, M., Curran, P. K., Fairbrother, P., Choquette, K., Daily, B., Sarkka, J. P., and Rattner, D., Automatic detection and notification of “wrong patient-wrong location” errors in the operating room. Surg. Innov. 12(3):253–260, 2005. 35. Agarwal, S., Joshi, A., Finin, T., Yesha, Y., and Ganous, T., A pervasive computing system for the operating room of the future. Mob. Netw. Appl. 12(2):215–228, 2007. 36. Briggs, L., Davis, R., Gutierrez, A., Kopetsky, M., Young, K., and Veeramani, R., RFID in the blood supply chain–increasing productivity, quality and patient safety. J. Healthc. Inf. Manag. 23(4):54–63, 2009. 37. Dzik, S., Radio frequency identification for prevention of bedside errors. Transfusion 47(2 Suppl):125S–129S, 2007. discussion 130S-131S.
J Med Syst (2014) 38:19 38. Wicks, A. M., Visich, J. K., and Li, S., Radio frequency identification applications in hospital environments. Hosp. Top. 84(3):3–9, 2006. 39. Wang, S. W., Chen, W. H., Ong, C. S., Liu, L., and Chuang, Y. W. RFID application in hospitals: a case study on a demonstration RFID project in a Taiwan hospital. In: System Sciences. HICSS’06. Proceedings of the 39th Annual Hawaii International Conference on, 2006. IEEE, pp 184a–184a, 2006. 40. Ting, S. L., Kwok, S. K., Tsang, A. H., and Lee, W. B., Critical elements and lessons learnt from the implementation of an RFIDenabled healthcare management system in a medical organization. J. Med. Syst. 35(4):657–669, 2011. 41. Kumar, S., Livermont, G., and McKewan, G., Stage implementation of RFID in hospitals. Technol. Health Care 18(1):31–46, 2010. 42. Southard, P. B., Chandra, C., and Kumar, S., RFID in healthcare: A Six Sigma DMAIC and simulation case study. Int. J. Health Care Qual. Assur. 25(4):291–321, 2012. 43. Anderson, A. M., and Labay, V., Ethical considerations and proposed guidelines for the use of radio frequency identification: Especially concerning its use for promoting public safety and national security. Sci. Eng. Ethics 12(2):265–272, 2006. 44. Foster, K. R., and Jaeger, J., Ethical implications of implantable radiofrequency identification (RFID) tags in humans. Am. J. Bioeth. 8(8):44–48, 2008. 45. Fisher, J. A., and Monahan, T., Tracking the social dimensions of RFID systems in hospitals. Int. J. Med. Inform. 77(3):176–183, 2008.
