Risk
3/7/2012
10:29 AM
50%
50%

Biometrics Shore Up Patient Data Security

Saratoga Hospital uses biometric technology to better manage and track health providers’ access to patient data.

9 Tablets For Doctors
9 Tablets For Doctors
(click image for larger view and for slideshow)
To tighten privacy and security measures around its protected health information (PHI), Saratoga Hospital recently announced that it has turned to biometric technology provided by DigitalPersona Inc., to verify physicians' identity and better manage the way they access patients' medical records.

Officials at Saratoga Hospital, which operates five remote care facilities with 171 hospital beds in Saratoga Springs, NY, said that because of the cumbersome login and logoff processes, the hospital had difficulty accurately tracking access to protected health information by its more than 1,700 doctors, nurses, and staff members under their old username and password authentication processes.

Furthermore, the systems would lock with one user's credentials, so the next user could not log in, forcing users to constantly reboot the computer to regain access.

According to Gary Moon, Saratoga Hospital's information systems security analyst, his organization needed a system like DigitalPersona Pro that ties an individual person to each transaction, simplifying the reporting and auditing requirements.

"We needed a solution that would encourage our staff to comply with our access control policies without limiting their ability to treat patients and be productive," Moon said in an interview with InformationWeek Healthcare. "Passwords can be cumbersome, and oftentimes the staff would stay logged in to avoid having to manually type a password each time they needed to access patient information. Thus, we could not track who had accessed information."

[Is it time to re-engineer your Clinical Decision Support system? See 10 Innovative Clinical Decision Support Programs.]

To simplify the process, Saratoga Hospital has deployed DigitalPersona Pro software and U.are.U Fingerprint Readers, which physicians use to scan their finger to log into Saratoga's network. Once the physician has entered the hospital's Meditech EHR, the technology requires separate authentication, so the physician places his or her finger on the device once again.

The system even helps process documents. When physicians working in Meditech need to sign an order electronically, they're prompted for a password and a four-digit PIN. Under the new fingerprint recognition system, physicians simply place their finger on the device to be scanned.

Another advantage of the new system: The hospital has deployed over 200 computers on wheels (COWs) and each has a fingerprint reader. Nurses can move from computer to computer throughout the day, and DigitalPersona Pro allows them to quickly log in and out without having to type their username and password up to 100 times per day.

"Because of their workflow, patient information can be left on the screen and viewable," Moon said. "The speed of fingerprint unlock allows us to set a very short screen lock (five minutes) to protect that information and still let them back in quickly."

However, while biometric technology has become more accurate and less expensive and can play an increasing role in protecting health-related data from security breaches, risks still exist, according to Daniel Berger, president and CEO of Redspin Inc., a company that provides IT risk assessments at hospitals and other medical facilities.

"Biometric technology will help, but the back-end implementation is very important. Access control lists (ACL) still must reside somewhere. They must be accurate, up-to-date, and maintained securely," Berger said in an interview with InformationWeek Healthcare.

Berger added: "If a hacker can mess with the ACL, the biometrics become irrelevant. Another limiting factor is that it is still impractical to put biometric authentication on every device or in every location where PHI resides. What about laptops? iPads? Mobile storage devices? And business associate locations?"

In the meantime, Saratoga Hospital, which uses Microsoft's Active Directory, has extended the use of DigitalPersona's tool to its Hewlett-Packard thin clients using Citrix XenApp to access hospital applications, and has implemented the technology in the hospital's newly expanded emergency department.

"The primary business case for us is that we are now able to secure access and verify login information in a way that we have never been able to do before," Moon said. "We already use DigitalPersona Pro to log into our network, log into our patient records systems, and sign physician orders. We're confident that we can use DigitalPersona Pro at any authentication point."

Healthcare providers must collect all sorts of performance data to meet emerging standards. The new Pay For Performance issue of InformationWeek Healthcare delves into the huge task ahead. Also in this issue: Why personal health records have flopped. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
M2SYS Technology
50%
50%
M2SYS Technology,
User Rank: Apprentice
3/8/2012 | 3:19:35 PM
re: Biometrics Shore Up Patient Data Security
Great article,
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2004-2771
Published: 2014-12-24
The expand function in fio.c in Heirloom mailx 12.5 and earlier and BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an email address.

CVE-2014-3569
Published: 2014-12-24
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshak...

CVE-2014-4322
Published: 2014-12-24
drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain offset, length, and base values within an ioctl call, which allows attackers to gain privileges or c...

CVE-2014-6132
Published: 2014-12-24
Cross-site scripting (XSS) vulnerability in the Web UI in IBM WebSphere Service Registry and Repository (WSRR) 6.3 through 6.3.0.5, 7.0.x through 7.0.0.5, 7.5.x through 7.5.0.4, 8.0.x before 8.0.0.3, and 8.5.x before 8.5.0.1 allows remote authenticated users to inject arbitrary web script or HTML vi...

CVE-2014-6153
Published: 2014-12-24
The Web UI in IBM WebSphere Service Registry and Repository (WSRR) 6.3.x through 6.3.0.5, 7.0.x through 7.0.0.5, 7.5.x through 7.5.0.4, 8.0.x before 8.0.0.3, and 8.5.x before 8.5.0.1 does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.