Exploring Proximity-aware Natural User Interfaces in Health Care Huiyuan Zhou
Bonnie Mackay
Abstract
Dalhousie University
Dalhousie University
6299 South St.
6299 South St.
Halifax, NS B3H 4R2 Canada
Halifax, NS B3H 4R2 Canada
[email protected]
[email protected]
Vinicius Ferreira
Kirstie Hawkey
In hospitals, clinics and other settings, health professionals face the challenge of aggregating, carrying, and sharing medical documents in public areas while trying to protect potentially sensitive data. As tablets become increasingly adopted by health professionals, it is important to explore ways to support privacy that are appropriate for their dynamic, mobile workflow. In this research we are exploring how spatial information can be utilized to support both individual and collaborative work in a natural way while respecting data privacy. We present the initial design of a proof-of-concept tablet interface, as well as a twophase study design to evaluate the interface. The research will extend our understanding of how to design proximity-aware privacy enhancement tools.
Federal University of Sao Carlos
Dalhousie University Rodovia Washington Luís, Km 235 6299 South St. Sao Carlos, SP 13565-905 Brazil Halifax, NS B3H 4R2 Canada
[email protected] [email protected] Thamara Alves Federal University of Sao Carlos Rodovia Washington Luís, Km 235 Sao Carlos, SP 13565-905 Brazil
[email protected]
Derek Reilly Dalhousie University 6299 South St. Halifax, NS B3H 4R2 Canada
[email protected]
Author Keywords Proxemic Interactions; Privacy; Tablet Interface; mhealth;
ACM Classification Keywords H.5.m. Information interfaces and presentation (e.g., HCI): Miscellaneous. Copyright is held by the author/owner(s).
Introduction and Background
MobileHCI 2014, Sep 23 – 26, 2014, Toronto, Canada.
It has long been recognized that there is an inherent trade-off between privacy and data utility [1,6]. For
ACM XXX-X-XXXX-XXXX-X/XX/XX.
example, in video media spaces where groups of geographically distributed people collaborate with always-connected video channels, people have to sacrifice some privacy so collaborators can gain better awareness [8]. This tradeoff is intensified in areas where both highly sensitive data and dynamic collaboration are essential for the workflow. For instance, in a hospital context health professionals need to constantly carry, share and discuss private patient data (e.g. name, medical history, etc.). As an increasing number of health professionals are using tablets for electronic health record (EHR) management and other clinical documentation [9], privacy issues in the hospital context are in the spotlight. Tools intended to promote privacy, sometimes called Privacy Enhancement Technologies (PET), focus on meeting 4 core ISO requirements: anonymity, pseudonymity, unlinkability and unobservability [5]. For example, Garson et al. addressed privacy concerns by automatically purging sensitive files as people bring their tablet out of a designated working area [3]. Tarasewich et al. proposed web browser privacy blinders, which cover sensitive information and display non-private information normally to protect data in public [10]. However, not much attention has been given to tablet screen privacy in hospitals and other health care contexts.
Figure 1. Electronic patient record with notification displayed on topright corner of the screen.
On the other hand, proximity research investigates how spatial relationships (distance, position, orientation, movement, etc.) among entities (e.g., people, devices, non-digital objects) can mediate the interaction between them. Greenberg et al. used the distance between people and devices to dynamically adjust audio and video fidelity to mitigate privacy concerns
[4]. Brudy et al. explored how proximity information can be exploited to provide awareness of shoulder surfing moments through visual cues (e.g. flashing border, 3D model) and also protect information (e.g. black out the window) on large public displays [2]. However, it is not clear how spatial information might be used to enhance privacy on more personal, movable tablets where privacy can easily be managed by existing physical mechanisms (e.g. reorienting the display or ourselves). Furthermore, since health professionals naturally maintain privacy with proximity (e.g. leaning closer to a collaborator, holding up a hand or a piece of paper to cover one’s mouth when speaking) [7], we might exploit these natural user behaviors to trigger privacy protection mechanisms. For example, the distance between collaborators might be used to anonymize patient information (e.g., names, medical conditions) displayed on the tablets. Our work builds on previous proximity and privacy work but is different in three essential ways: We focus on dynamic mobile environments and tablet interfaces.
We design the interface for health care contexts.
We explore privacy management during collaboration (e.g. while sharing documents)
In this paper we present the initial prototype design of a proximity-aware tablet interface that notifies the tablet user of potential privacy threats, and adapts screen content dynamically to protect privacy.
Prototype and Study Design To investigate how proximity information might be exploited to support privacy management by mitigating incidental tablet shoulder surfing, we implemented a proof-of-concept prototype which accepts proximity data (e.g. people’s position, looking direction as well as tablet’s position and orientation), calculates the spatial relationship between people and device (e.g. distance, relative orientation). It then notify the tablet user and adjust the content displayed on the tablet accordingly. a. Grayscale.
Tracking technology We use a high precision (with update rate of 120Hz per sensor) 6 degree-of-freedom electromagnetic motion tracking instrument (Polhemus G4TM) to keep track of proximity data. Sensors are attached to a tablet or the back of a user’s head. The sensor’s position and orientation is precisely measured as it is moved and wirelessly transmitted to the prototype.
b. Brightness.
c. Selective hiding.
Notification The notification system will appear as the potential intruder is getting closer to the tablet and is looking towards the screen to provide the tablet user awareness of privacy intrusion (Figure 1). We designed notification mechanisms with different granularities (from simple all-or-none mode, to coarse/discrete levels, to more fine-grained opacity levels, to a detailed radar map which displays an onlooker’s relative position and field of view in real time) to explore the impact of notification granularity on users’ perception of privacy threats. We want to understand whether there is a tradeoff between information richness and distraction caused to the current task.
Privacy control Four privacy controls have been designed and are under study: grayscale, brightness, selective hiding, and selective showing (see Figure 2). A privacy enhancement mechanism will be triggered as the potential intruder is getting closer to the tablet (implicit control) or as the tablet user takes explicit actions (e.g. tilts the tablet, uses the body to shield the screen) to protect screen privacy (explicit control). We want to explore how varying certain visual attributes of the content might facilitate privacy enhancement (Figure 2). Study design We plan to evaluate the interface with a two-phase study design: In the first phase, we will use 3 typical privacy sensitive scenarios (online banking, chatting and viewing a photo album) to collect feedback on the general understandability, usefulness and usage scenarios of the notification and privacy enhancement mechanism designs. In the second phase, we will recruit students in health-related professions to perform role-playing tasks in a simulated hospital context to investigate the usefulness of the interface in an applied area where a high level of privacy and confidentiality is required.
Discussion With the advancement of tracking technology, mobile devices can see what we see, “be aware of” context and our privacy needs, and better support our work. Proxemics serves as a relatively new way to mediate how people and devices might interact with each other to help manage privacy.
Nevertheless, our work is limited in several ways. The
tracking accuracy of the technology we are using can
be affected by metal distortion, requires bulkly wireless nodes to be attached to people and objects we wish to track, and has a limited tracking range; as such it is not feasible to deploy in a field study. In addition, the participants we will recruit will not typically have a lot of experience in health care settings. In the meantime, several open questions need to be included into considerations of future system design. For example, how might the role of identity change the system?
What are the other cues (e.g. sound, vibration) that might be integrated into the system? How can we strike a balance between adaptively protecting privacy and attracting unwanted attention that might compromise privacy? We presented a proximity-aware tablet interface to support collaboration in healthcare contexts. We believe the research could shed light on designing proximitybased privacy enhancement mobile applications.
d. Selective showing.
References Figure 2. Different Privacy control mechanisms. a) remove colour to grayscale. b) turn down screen brightness. c) selectively anonymize sensitive pictures, name, address, number (e.g. phone, SIN, money amount). d) Selectively display a certain shape area while masking the rest of the screen
[1] Boyle, M., Neustaedter, C., & Greenberg, S. (2009). Privacy factors in video-based media spaces. In Media Space 20+ Years of Mediated Life (pp. 97-122).
study on the blood transfusion service. In Proceedings of the 15th ACM SIGKDD international conference on Knowledge discovery and data mining (pp. 1285-1294).
[2] Brudy, F., Ledo, D., & Greenberg, S. (2014, April). Is anyone looking?: mediating shoulder surfing on public displays (the video). In CHI'14 Extended Abstracts on Human Factors in Computing Systems (pp. 159-160).
[7] Murphy, A., Reddy, M, & Xu, H. (2014). Privacy practices in collaborative environments: a study of emergency department staff. In Proceedings of the 17th ACM conference on Computer supported cooperative work & social computing.(pp.269-282).
[3] Garson, K., & Adams, C. (2008, March). Security and privacy system architecture for an e-hospital environment. In Proceedings of the 7th symposium on Identity and trust on the Internet (pp. 122-130).
[8] Parkin, J. K., Austin, S. A., Pinder, J. A., Baguley, T. S., & Allenby, S. N. (2011). Balancing collaboration and privacy in academic workspaces. Facilities, 29(1/2), 31-49.
[4] Greenberg, S., Marquardt, N., Ballendat, T., DiazMarino, R., & Wang, M. (2011). Proxemic interactions: the new ubicomp?. interactions, 18(1), 42-50.
[9] Report: Half of clinicians use tablets for EHR, documentation. http://www.fiercemobilehealthcare.com/story/reporthalf-clinicians-use-tablet-ehr-documentation/2013-0810
[5] Mitseva, A., Imine, M., & Prasad, N. R. (2006, September). Context-aware privacy protection with profile management. In Proceedings of the 4th international workshop on Wireless mobile applications and services on WLAN hotspots (pp. 53-62). [6] Mohammed, N., Fung, B., Hung, P. C., & Lee, C. K. (2009, June). Anonymizing healthcare data: a case
[10] Tarasewich, P., Gong, J., & Conlan, R. (2006, April). Protecting private data in public. In CHI'06 Extended Abstracts on Human Factors in Computing Systems (pp. 1409-1414).
