August 6 , 2007

And the Password is ... Biometrics
By Mary Anne Gates
For The Record
Vol. 19 No. 16 P. 14

More healthcare organizations are turning to biometrics as a means to increase security and improve patient safety.

“It’s a frightening thought, but your information systems are only as secure as your least responsible user.”1

Passwords are meant to protect computer network systems from unauthorized use, but they also may provide a false sense of security. Security issues arise because people forget or share passwords or write them down and store them on or near the computer they are meant to keep secure. Some use obvious, easily guessed passwords, thus allowing unauthorized access to entire computer network systems. And four of five workers will disclose their passwords to someone in their company if asked.2

Besides security concerns, maintaining a password-based system can be expensive. For example, the Gartner Group reports the following:

• 40% of all help desk calls are for forgotten passwords.

• Each year, companies spend up to $150 per user trying to maintain secure passwords.

• Up to 15% of annual IT budgets is spent on information security.3

Despite firewalls, encryption, and other safeguards, many IT professionals bent on creating a secure information system fall short because, ultimately, the network can easily be compromised when an authorized user shares his or her password.

Current solutions for the password dilemma only aggravate the problem. Rules call for longer strings of letter and number combinations, frequent password changes, and multiple passwords, making it more challenging to comply with security because the new requirements are difficult to follow. Attempts to make passwords more secure include the following:

• requiring them to be a specified number of characters in length and containing a combination of letters, numbers, and symbols;

• changing them quarterly, monthly, weekly, or more frequently;

• having access to each application controlled by a separate password; and

• making memorization a must.4

“Passwords are not absolute. The swipe of a finger on a laptop or other peripheral can substitute for several passwords,” says Victor Lee, a senior consultant for the International Biometric Group.

Biometric Solutions
Solving the password problem and maintaining the appropriate access levels to authorized persons of private or sensitive information is a driving force propelling biometrics into the healthcare arena. A science involving the statistical analysis of biological characteristics, biometrics centers around unique, measurable human traits that enable automatic identity recognition or verification.5

For example, biometrics uses the unique features of a person’s fingerprint to allow access to a computer network. Among the various biometric technologies developed are fingerprint, iris recognition, retinal scan, hand geometry, facial recognition, voice recognition, and handwriting/signature dynamics.6

Additionally, HIPAA regulations mandating patient confidentiality have driven biometric technology that ensures only authorized personnel have access to patient information. This alone is enough to get many healthcare facilities to view biometrics as a way to ensure patient privacy by making information network systems more secure.

Making a Case for Biometrics
Eliminating end-user generated passwords as a primary source of network information systems security and instituting a unique biometric identifier before gaining access to secure information takes the responsibility for maintaining a secure network out of the individual users’ hands. Further, using a biometric such as a fingerprint is not going to be easily lost, forgotten, or shared.

A well-designed biometric solution provides healthcare organizations with at least four advantages.7 It enables them to protect patient confidentiality, eliminate passwords, lower IT support costs, reduce fraud, support HIPAA compliance, and protect investments. More specifically, the technology does the following:

• Protects patient record information with accurate authentication. The selected biometric can ensure that only those individuals permitted to see patient records gain access to them. Taking advantage of single-point login will save significant amounts of time for clinicians and administrative personnel.

• Eliminates costs for password maintenance. The Gartner Group estimates that password maintenance alone costs $150 to $200 per user per year. Using biometrics instead of passwords to provide security eliminates the password maintenance cost. Central administration ensures that changes to individuals, status, policies, and other items are implemented immediately.

• Reduces fraud. This can be accomplished in hospital business applications and workflow areas such as insurance verification systems. It enables staff to positively and accurately identify patients and determine they are properly insured. A good biometric solution can be incorporated into a smart card or central repository for maximum convenience and security.

• Can be seen as a long-term answer. A well-designed solution maximizes current biometric investments and enables management of future costs. Prospective opportunities include secure video conferencing, telemedicine, and home health. As newer biometric technologies become available, they could be incorporated into a facility’s current environment without having to eliminate or replace the initial investment.

Capturing Quality Images
Biometrics relies on capturing a distinguishable trait and the user friendliness of the system.8

The four-step process begins with capturing various features of the designated biometric in an “enrollment process.” Stage 2 “extracts” certain unique features of the biometric and converts the information to an algorithm or mathematical code that is then stored as a template. Stage 3 begins when a user tries to access restricted network information or gain entry into a restricted area. The final stage matches the user’s biometric by comparing the information with the template.

“Two of the most prominent types of sensors capable of capturing data are optical sensors and silicon sensors,” says Matthew Bogart, vice president of marketing at Bioscrypt, Inc.

Optical sensors are made of glass. After a fingerprint is placed on the sensor, the optical technology converts it to a picture-like image for match verification. On the other hand, silicon sensors emit a small electrical charge and look below the surface of the finger at the subcutaneous layers of skin, Bogart says.

Growth Factors
Emerging biometric technology is becoming more widespread, according to many in the healthcare industry. One technology expert claims 45,000 to 50,000 caregivers currently use fingerprint technology.9 Meanwhile, another industry expert says biometrics in the healthcare arena represent 30% of their business.10

Fingerprint Authorization in Use
The West Tennessee Healthcare system of hospitals and medical facilities began introducing fingerprint authorization in November 2000.

Reaction to using fingerprint authorization appears to have been a nonissue for employees.

“A strategic decision was made by the organization to hold people accountable,” says Jeff Frieling, executive director for information systems. “They have to [use fingerprint authorization] if they are going to work here.”

When clinicians want access to a computer network, they must type in their user name and place their finger on a fingerprint reader. A successful match allows access to authorized files. Files are accessed by employees on a “need-to-know basis,” says Frieling.

Currently, 2,000 to 3,000 employees—from nurses to respiratory therapists—must access the system via fingerprint authorization to view clinical medical records, Frieling says. “Basically, anybody who needs access to a patient’s medical chart” can gain entry, he says.

The adoption of biometrics has increased accountability through an internal audit trail created when the system is accessed.

“It [the system] gives people a message that they are being held accountable for what they are looking at,” Frieling says.

Potential drawbacks, according to Frieling, include the need to carefully place a finger in the same position every time on the reader to gain network access.

“It’s not just waving a finger across a reader. If you’re slow and methodical, it’s pretty easy. If you’re quick and sloppy, it’s harder,” he says.

Another potential and more serious drawback is a person still has to remember to physically sign off. Frieling says an automatic sign-off occurs after 10 minutes of no apparent activity. According to Frieling, during that 10-minute window, if someone has stepped away from the computer and not signed off, it is possible for an unauthorized user to gain entry to any applications the previous user could access.

A quicker automatic sign-off, he says, could inconvenience doctors who may be reading something on the computer screen or be on the phone while signed on. A screen suddenly shutting down would not be well-received, he adds.

Despite drawbacks, Frieling says, biometrics has many applications. “As the needs and wants grow with the user, we need to expand the technology,” he says.

Easy to Use
According to DigitalPersona experts, fingerprint authentication can accommodate any size operation and set-up is uncomplicated. If user needs change, deleting a particular identity to all applications can be accomplished by eliminating the user’s identity lockbox within the active directory.

Biometric Error Rates
As with other technology, biometric glitches can and do happen. Errors occur when a legitimate user is rejected and not allowed access to a network system or restricted area. Conversely, an error also occurs when an unauthorized user gains access to a secure network system or restricted area.

Some basic error rates used to describe fingerprint authentication systems are false acceptance or rejection and a failure to enroll in the system.11

The false accept rate (FAR) represents the probability that a false match will occur and an unauthorized user is granted access. The false reject rate represents the probability an authorized user is mistakenly denied access. The failure to enroll rate represents the probability that a particular finger or thumb is rejected during the initial system enrollment.

In general, the number of errors encountered using biometric fingerprint authentication depends on the level of system security settings.10 For example, one system may have a lower security setting and a higher FAR while another system may have a higher security setting with a lower FAR.

Cost and Return on Investment
A primary goal for healthcare facilities is to continue looking for ways to increase security while keeping costs down. Determining the cost of changing how users access an information system network involves taking a close look at a myriad of day-to-day operations.

For example, signing in and out with passwords when multiple users share the same workspace PC takes time. It delays access to hospital medical records and ultimately to medical care.

Another involved cost is retrieving forgotten passwords. Between 25% to 50% of calls into help desks are for password resets, and each of those calls costs $20 to $38 per reset. In many cases, the actual cost of a password reset goes beyond the support costs.12

The Future of Biometrics
Recent comments from newly appointed Bioscrypt CEO Robert Douglas indicate biometric technology will adapt to the times. “Biometric authentication of users into the enterprise and into the network is definitely on the road map,” he said, “and it wouldn’t surprise me at all in the next one to three years that using biometrics as authentication on a mobile device becomes very commonplace.13

“Some future things we’re digesting include fingerprint technologies in a laptop, maybe on a key fob, or even on a mobile device,” Douglas continued. “There could be a day when I authenticate myself to this BlackBerry I use so that I could access an enterprise location right from the BlackBerry itself or any mobile device you use.”13

Network authentication using fingerprint biometrics is also growing. “The logical access market is growing very quickly, but it’s a smaller market today,” said Douglas. “The physical access market is growing at a lesser rate, but it is a much larger market today. From where we sit, both are quite material to us.”13

Douglas is not alone in his optimistic view of biometrics’ future. In recent comments made to Healthcare IT News, Gregg Malkary, founder of Spyglass Consulting Group, predicts a rosy future for biometrics in many sectors.

“Healthcare organizations are focused on patient safety, privacy, and cost reduction,” he says. “HIPAA compliance, security issues, [Joint Commission] auditing requirements, and the push toward electronic medical records are all motivating factors. What’s more, greater penetration in other markets, such as national security, border patrol, and transportation is driving the price points down, making it more affordable for healthcare.”

— Mary Anne Gates is a medical writer based in the Chicago area.

References

1. Bjorn V. “Solving the Weakest Link in Network Security: Passwords.” May 2007. Available here.

2. “Solving the Weakest Link in Healthcare Security: Passwords.” DigitalPersona. February 2002. Available here.

3. “Solving the Weakest Link in Healthcare Security: Passwords.” DigitalPersona. February 2002. Available here.

4. “Solving the Weakest Link in Healthcare Security: Passwords.” DigitalPersona. February 2002. Available here.

5. Hoffherr G. “Biometrics in Healthcare — An Introduction.” Politec, Inc. Available here.

6. Hoffherr G. “Biometrics in Healthcare — An Introduction.” Politec, Inc. Available here.

7. Hoffherr G. “Biometrics in Healthcare — An Introduction.” Politec, Inc. Available here.

8. Hoffherr G. “Biometrics in Healthcare — An Introduction.” Politec, Inc. Available here.

9. Andrews J. “Biometrics leaves imprint on healthcare.” Healthcare IT News. May 1, 2006. Available here.

10. Andrews J. “Biometrics leaves imprint on healthcare.” Healthcare IT News. May 1, 2006. Available here.

11. Fidelica Microsystems, Inc. “Interpreting Fingerprint Authentication Performance — Technical White Paper.” December 18, 2001. Available here.

12. Bjorn V. “Solving the Weakest Link in Network Security: Passwords.” May 2007. Available here.

13. Kohl G. “Talking Biometrics with Bioscrypt’s New CEO.” Securityinfowatch.com. June 8, 2007. Available here.