What you know, what you have, what you are: state-of-the-art biometric authentication senses living body parts to ensure positive identification

Health Management Technology,  Dec, 2005  by Mike McBride

Fake inspectors claiming to be from the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) attempted to gain entry into three hospitals in Boston, Detroit and Los Angeles, according to an August 22, 2005 report in The Washington Post. When confronted, they presented forged JCAHO IDs, but when questioned further and asked for additional identification, the "inspectors" fled. In at least one instance, the unauthorized person was found wandering around inside the hospital's maternity ward. The incidents captured the attention of Homeland Security and sparked an ongoing F.B.I. investigation. Who the perpetrators are and what they wanted has not been determined--that additional security may be needed seems clear.

Gen. Douglas MacArthur said, "There is no security on this earth. Only opportunity." Given the inevitability of RHIOs (regional health information organizations), EHRs and government-mandated EMRs, and the inevitable sharing of protected healthcare information (PHI), what can ensure the security of an individual's privacy?

Physical security means controlling the point of entry to buildings and rooms, or access to a person. Logical security involves controlling the point of entry to an organization's systems from outside the network, and further, to specific files on the network from the inside. Tokens, swipe cards, passwords, passphrases and PIN numbers fall into two authentication categories--what you know and what you have--traditionally the most common forms of security identification.

A third category--the relatively new kid on the block--is biometric authentication. This involves comparing the physical or behavioral characteristics of a body part, such as a fingerprint, iris or face, and more recently palm veins and typing rhythms. To a lesser degree, voice pattern and signature recognition are also used.

Biometric authentication has become the front-line defense against everything from identity theft to terrorism and is used for both physical and logical security. Is it, therefore, also the natural choice for protecting sensitive patient information in healthcare environments? Many companies think so and are developing devices and software to secure PHI in accordance with HIPAA guidelines.

The frontrunners among such devices are fingerprint readers--a highly accurate technology, but not foolproof security. Newer developments, however, such as palm vein scanners and typing-rhythm recognition software indicate the industry is evolving, even as the public grows comfortable with biometric authentication in their everyday lives.

R.U.U.?

When electronic banking first became a reality, financial institutions thought they had unbreakable authentication in passwords combined with PIN numbers. Then their Web sites got hacked, private customer information was raided and customer bank accounts were drained. Once in possession of the stolen user IDs, enterprising criminals used computers to "guess" at ID/password combinations, found matches and broke into the restricted areas.

Later studies found that the weak links were the passwords. The common words or phrases that most people use are generally public knowledge, such as a spouse's name or birth date. Since computers can make the combinations at incredible speeds, discovering that IT director John Doe's password is his wife's middle name is relatively easy for a skilled criminal. Company executives were even found to have taped passwords to their monitors--in plain sight. Bill Gates once said in a CNET interview, "Passwords will soon be a thing of the past, replaced by biometric and smart-card technology. A major problem for identity systems is the weakness of passwords."

Biometric authentication solves that problem, to an extent. A standard fingerprint or iris reader scans the body part--which is unique to its owner--measures spaces between unchanging elements like fingerprint ridges, then converts the scan into mathematical data, compresses it and encrypts it for storage. When the same biometric is presented and scanned for authentication, the system repeats the process and compares the resulting data against the previously stored file. No new data is collected or stored, and only the current and previous scans are used for comparison. This type of authentication procedure is a 1:1 comparison, as opposed to 1:many, which is similar to common F.B.I. investigative procedures, where prints left behind at a crime scene would be checked against a vast national database.

In theory, this method seems infallible. Unlike passwords, a fingerprint or iris can't be lost or forgotten, and the owner doesn't have to invent a "strong" biometric. Multiple and varying types of biometrics can be required for authentication. The more fingers used in the process, the higher the accuracy and the tighter the security. Studies conducted by computer scientists at the National Institute of Standards and Technology showed that authentication scans involving four or more fingers were accurate 99.9 percent of the time, returning a false positive rate of 0.01.
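The enrollment-then-verification loop described above, the 1:1 versus 1:many distinction, and the effect of requiring several fingers to match, as an added Python illustration that is not code from the article or from any product it mentions. Templates here are constructed lists of feature points standing in for the minutiae a real reader extracts; the position and angle tolerances, the 0.8 match threshold and the assumption that each finger behaves as an independent check are all assumptions made for the example.

```python
"""Toy biometric template matching: enrollment, 1:1 verification,
1:N identification, and the combined false-accept rate of N fingers.

Added illustration, not code from the article or from any vendor it names.
Templates are constructed (x, y, ridge angle) feature points, not real
biometric data.
"""
import math
from typing import Dict, List, Optional, Tuple

Feature = Tuple[float, float, float]   # (x, y, ridge angle in degrees)
Template = List[Feature]

# Constructed sample templates (assumed, not real prints).
ENROLLED_ALICE: Template = [(10, 20, 45), (30, 40, 90), (50, 15, 135), (70, 60, 0), (22, 75, 30)]
ENROLLED_BOB: Template = [(12, 18, 60), (35, 50, 120), (55, 25, 20), (65, 70, 100), (25, 80, 140)]

# A later scan of Alice's finger: same features, each perturbed by sensor noise.
ALICE_PROBE: Template = [(11, 21, 48), (31, 41, 93), (51, 16, 138), (71, 61, 3), (23, 76, 33)]


def feature_match(a: Feature, b: Feature, pos_tol: float = 3.0, ang_tol: float = 10.0) -> bool:
    """Two features correspond if they are close in position and in ridge angle.
    Tolerances are assumptions for this toy matcher."""
    dist = math.hypot(a[0] - b[0], a[1] - b[1])
    ang = abs((a[2] - b[2] + 180) % 360 - 180)   # wrap-around angle difference
    return dist <= pos_tol and ang <= ang_tol


def match_score(probe: Template, stored: Template) -> float:
    """Fraction of stored features that find a counterpart in the probe.
    Greedy one-to-one pairing: each probe feature may be used only once."""
    unused = list(probe)
    hits = 0
    for f in stored:
        for i, p in enumerate(unused):
            if feature_match(f, p):
                hits += 1
                del unused[i]
                break
    return hits / max(len(stored), 1)


def enroll(db: Dict[str, Template], user: str, template: Template) -> None:
    """Store the reference template. A real system compresses and encrypts it at rest;
    the raw scan image is not retained."""
    db[user] = list(template)


def verify(db: Dict[str, Template], claimed_user: str, probe: Template,
           threshold: float = 0.8) -> bool:
    """1:1 comparison: the probe is checked only against the claimed identity's template."""
    stored = db.get(claimed_user)
    if stored is None:
        return False          # unknown identity: fail closed
    return match_score(probe, stored) >= threshold


def identify(db: Dict[str, Template], probe: Template,
             threshold: float = 0.8) -> Optional[str]:
    """1:N comparison: search every stored template and return the best
    match, but only if it clears the threshold (otherwise no identity)."""
    best_user, best = None, 0.0
    for user, stored in db.items():
        score = match_score(probe, stored)
        if score > best:
            best_user, best = user, score
    return best_user if best >= threshold else None


def combined_false_accept_rate(single_finger_far: float, fingers: int) -> float:
    """If each finger is an independent check and all must pass, the false-accept
    rate multiplies: requiring more fingers tightens security (at the cost of
    more false rejects when one finger scans poorly)."""
    return single_finger_far ** fingers


if __name__ == "__main__":
    db: Dict[str, Template] = {}
    enroll(db, "alice", ENROLLED_ALICE)
    enroll(db, "bob", ENROLLED_BOB)
    print("verify alice:", verify(db, "alice", ALICE_PROBE))        # True
    print("verify as bob:", verify(db, "bob", ALICE_PROBE))         # False
    print("identify:", identify(db, ALICE_PROBE))                   # alice
    print("partial scan:", identify(db, ALICE_PROBE[:3]))           # None (false reject)
    print("4-finger FAR:", combined_false_accept_rate(0.01, 4))     # 1e-08
```

The partial-scan case is the "not foolproof" side of the article's point: a smudged or incomplete probe falls below the threshold and is rejected even though it belongs to the enrolled user, so the threshold is a trade-off between false accepts and false rejects rather than a free security gain.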