Risk
3/7/2012
10:29 AM
50%
50%

Biometrics Shore Up Patient Data Security

Saratoga Hospital uses biometric technology to better manage and track health providers’ access to patient data.

9 Tablets For Doctors
9 Tablets For Doctors
(click image for larger view and for slideshow)
To tighten privacy and security measures around its protected health information (PHI), Saratoga Hospital recently announced that it has turned to biometric technology provided by DigitalPersona Inc., to verify physicians' identity and better manage the way they access patients' medical records.

Officials at Saratoga Hospital, which operates five remote care facilities with 171 hospital beds in Saratoga Springs, NY, said that because of the cumbersome login and logoff processes, the hospital had difficulty accurately tracking access to protected health information by its more than 1,700 doctors, nurses, and staff members under their old username and password authentication processes.

Furthermore, the systems would lock with one user's credentials, so the next user could not log in, forcing users to constantly reboot the computer to regain access.

According to Gary Moon, Saratoga Hospital's information systems security analyst, his organization needed a system like DigitalPersona Pro that ties an individual person to each transaction, simplifying the reporting and auditing requirements.

"We needed a solution that would encourage our staff to comply with our access control policies without limiting their ability to treat patients and be productive," Moon said in an interview with InformationWeek Healthcare. "Passwords can be cumbersome, and oftentimes the staff would stay logged in to avoid having to manually type a password each time they needed to access patient information. Thus, we could not track who had accessed information."

[Is it time to re-engineer your Clinical Decision Support system? See 10 Innovative Clinical Decision Support Programs.]

To simplify the process, Saratoga Hospital has deployed DigitalPersona Pro software and U.are.U Fingerprint Readers, which physicians use to scan their finger to log into Saratoga's network. Once the physician has entered the hospital's Meditech EHR, the technology requires separate authentication, so the physician places his or her finger on the device once again.

The system even helps process documents. When physicians working in Meditech need to sign an order electronically, they're prompted for a password and a four-digit PIN. Under the new fingerprint recognition system, physicians simply place their finger on the device to be scanned.

Another advantage of the new system: The hospital has deployed over 200 computers on wheels (COWs) and each has a fingerprint reader. Nurses can move from computer to computer throughout the day, and DigitalPersona Pro allows them to quickly log in and out without having to type their username and password up to 100 times per day.

"Because of their workflow, patient information can be left on the screen and viewable," Moon said. "The speed of fingerprint unlock allows us to set a very short screen lock (five minutes) to protect that information and still let them back in quickly."

However, while biometric technology has become more accurate and less expensive and can play an increasing role in protecting health-related data from security breaches, risks still exist, according to Daniel Berger, president and CEO of Redspin Inc., a company that provides IT risk assessments at hospitals and other medical facilities.

"Biometric technology will help, but the back-end implementation is very important. Access control lists (ACL) still must reside somewhere. They must be accurate, up-to-date, and maintained securely," Berger said in an interview with InformationWeek Healthcare.

Berger added: "If a hacker can mess with the ACL, the biometrics become irrelevant. Another limiting factor is that it is still impractical to put biometric authentication on every device or in every location where PHI resides. What about laptops? iPads? Mobile storage devices? And business associate locations?"

In the meantime, Saratoga Hospital, which uses Microsoft's Active Directory, has extended the use of DigitalPersona's tool to its Hewlett-Packard thin clients using Citrix XenApp to access hospital applications, and has implemented the technology in the hospital's newly expanded emergency department.

"The primary business case for us is that we are now able to secure access and verify login information in a way that we have never been able to do before," Moon said. "We already use DigitalPersona Pro to log into our network, log into our patient records systems, and sign physician orders. We're confident that we can use DigitalPersona Pro at any authentication point."

Healthcare providers must collect all sorts of performance data to meet emerging standards. The new Pay For Performance issue of InformationWeek Healthcare delves into the huge task ahead. Also in this issue: Why personal health records have flopped. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
M2SYS Technology
50%
50%
M2SYS Technology,
User Rank: Apprentice
3/8/2012 | 3:19:35 PM
re: Biometrics Shore Up Patient Data Security
Great article,
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1449
Published: 2014-12-25
The Maxthon Cloud Browser application before 4.1.6.2000 for Android allows remote attackers to spoof the address bar via crafted JavaScript code that uses the history API.

CVE-2014-2217
Published: 2014-12-25
Absolute path traversal vulnerability in the RadAsyncUpload control in the RadControls in Telerik UI for ASP.NET AJAX before Q3 2012 SP2 allows remote attackers to write to arbitrary files, and consequently execute arbitrary code, via a full pathname in the UploadID metadata value.

CVE-2014-3971
Published: 2014-12-25
The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows remote attackers to cause a denial of service (daemon crash) by attempting authentication with an invalid X.509 client certificate.

CVE-2014-7193
Published: 2014-12-25
The Crumb plugin before 3.0.0 for Node.js does not properly restrict token access in situations where a hapi route handler has CORS enabled, which allows remote attackers to obtain sensitive information, and potentially obtain the ability to spoof requests to non-CORS routes, via a crafted web site ...

CVE-2014-7300
Published: 2014-12-25
GNOME Shell 3.14.x before 3.14.1, when the Screen Lock feature is used, does not limit the aggregate memory consumption of all active PrtSc requests, which allows physically proximate attackers to execute arbitrary commands on an unattended workstation by making many PrtSc requests and leveraging a ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.