IT Compliance Institute, August 23, 2005:
Best Practices
Bio-security: Healthcare Firm Uses Fingerprints for HIPAA Compliance
To comply with HIPAA security requirements in an environment with many public terminals, many different applications and databases, and many offsite users, West Tennessee Healthcare exchanged passwords for fingerprints. That was five years ago, and the company's CIO hasn't looked back.
By Mathew Schwartz
Fed up with passwords? Try using fingerprints instead. That's what West Tennessee Healthcare did in October 2000, when it ditched passwords for fingerprints. The company hasn't looked back.
West Tennessee Healthcare, based in Jackson, Tenn., is one of the 10 largest public, not-for-profit healthcare systems in the United States. Most of its 6,000 employees now gain access to IT systems using only a fingerprint scan.
The healthcare system's use of fingerprint-based authentication sprang from concerns about remote access to sensitive information. In the late 1990s, "we started to experiment with doctors using technology at the house, but then we started wondering, 'well what happens if a son, daughter, etc., gets on and starts roaming through information?'" says Jeff Frieling, West Tennessee Healthcare's CIO.
The organization began requiring all healthcare system-affiliated personnel to use fingerprint scans to access information. Now most of the physicians who work with the healthcare system, plus their staff, also use the technology, and over 70 physicians also use the technology to log in from home. One physician's office even uses tablet PCs with built-in fingerprint scanners.
Several of West Tennessee Healthcare's six hospitals, as well as satellite medical facilities, have standardized on Trusted Space from Computer Consultants & Merchants Inc., based in Kissimmee, Fla., which includes a version of Zvetco Biometrics, plus fingerprint readers from Verifi.
When it comes to adopting biometric authentication, West Tennessee Healthcare isn't alone. Other hospitals employ different technology. "To ensure security and patient privacy," says research firm IDC, healthcare organizations are increasingly adopting "single sign-on, clinical context management, and fingerprint authentication." Improving HIPAA compliance is often the driver.
In 2004, an IDC survey of 220 US healthcare providers found that 13 percent already used fingerprint authentication technology, almost double the 6.8 percent using it in 2003. In addition, 41 percent of organizations reported they were evaluating or piloting the technology.
Beyond satisfying regulations, fingerprint-based authentication can support daily routines endemic to healthcare, where there are multiple, public terminals, many different applications and databases containing vital information, and where speed is critical. "To me, reliability and speed, that's the important thing. It's got to work, and it's got to work quickly," says Frieling. So using a fingerprint is "a heck of a lot quicker than me having to pull a piece of paper out of my wallet with all my passwords on it."
Today at West Tennessee Healthcare, fingerprints can be used to sign documents, view records, access the PAX (an in-house intercom system), and view x-rays and lab values. In addition, "We're right on the cusp of rolling out a clinical information system," says Frieling, which will give personnel such things as the daily documents they need, and an order-entry system.
Yet regulations aren't the only reason organizations are turning to biometrics; password management costs are also a consideration. For example, 2003 research from the Aberdeen Research Group put the labor costs for configuring and maintaining password systems, including responding to help desk calls, at up to $350 per user every year.
Password management was a particular concern for West Tennessee Healthcare, since doctors aren't on staff, per se. "When West Tennessee Healthcare approaches IT, it faces realities enterprise IT managers might not face," notes Frieling. "In a community healthcare setting as we have here in Jackson, the docs work with us, not for us."
Managing Fingerprints
How does the healthcare system manage its fingerprint records? Every time a new doctor or employee joins the staff, they meet with IT, sign forms acknowledging their responsibility to safeguard patients' information, and get their fingerprints scanned. "We really don't have their fingerprint on file; we have data points from their fingerprints," notes Frieling. "We can't send what we have to the FBI to do a background check."
One benefit of biometrics is it reminds personnel that, when they access a computer system, they're dealing with sensitive information. "Someone consciously puts their fingerprint on a device to open a document. They assume the responsibility," says Frieling. Part of that means logging out when they're done with a system. Just in case, however, logins are also set to expire automatically if they're inactive for too long.
On the IT front, if the biometric management software fails, the hospital has backups, notes Frieling. "We've got dual computers down in the data center with the failover technology, and we have a break-the-glass process, where if the system gets hung up, there's a way to get doctors to the data without compromising patient care."
Fingerprint Drawbacks
Despite the ease of using a fingerprint instead of multiple passwords, fingerprint scanners don't function in all situations. One well-documented problem: scanners won't work for some people of Southeast Asian heritage, owing to the machines' inability to read relatively small fingerprint ridges. However, this affects a "very small percentage" of the health system's personnel, notes Frieling. This group gets passwords instead.
Scanners also have difficulty with fingerprints on hands worn down by manual labor, or when a finger is scratched or cut. Because of that, "we've registered one finger on each hand, so if they cut a finger working in the back yard, we haven't shut down their ability to practice medicine," notes Frieling.
Newer biometric technology helps overcome some of these problems. For example, first-generation equipment relied on CCD cameras and on illuminating fingerprints with laser light. Unfortunately, this technology was prone to spoofing, especially since an image of the fingerprint was left on the scanner. Second-generation capacitive devices improved accuracy and were more difficult to spoof, but they sometimes suffered errors from static discharge. (Dealing with such errors falls to the biometric management software.)
The very latest, third-generation fingerprint scanning technology is based on a radio-frequency capturing technique, which "allows the sensor to reconstruct the image of the structure of the skin layers underneath the skin surface," says Cohen, with much-improved accuracy.
Last year, West Tennessee Healthcare began replacing its optical fingerprint scanners with second-generation digital readers. "Since we put these new devices in, it has solved a lot of [recognition] problems," notes Frieling. The new readers, numbering 400 so far, are also smaller, and USB-connected, so if the PCs they're attached to are upgraded, the IT department won't have to purchase new readers.
Users' Reactions
In general, West Tennessee Healthcare's users are happy with the biometric technology, since it means they don't have to remember myriad passwords. "It's been a good success here," states Frieling. "Some of the docs, I do get complaints from time to time," though they usually relate to the number of tries it takes to get the fingerprint scanner to read their fingerprint.
Fingerprints do sometimes just stop working, he notes. "For some reason, every once in a while a fingerprint will go bad, and we'll have to re-image them, but we can do that—remotely image them from the help desk."
Authentication difficulties can also be the result of rushing—not lining up the finger correctly. Even if users are careful, however, it might take two or three tries. "Summers it works better than winters. When your skin gets dry, it doesn't work as easily," notes Frieling. It turns out, oil helps; so, if a scan doesn't work, the IT department offers some decidedly low-tech advice: rub your finger on your nose, and try again.
Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.
This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.