3/7/2012
10:29 AM

Biometrics Shore Up Patient Data Security

Saratoga Hospital uses biometric technology to better manage and track health providers’ access to patient data.

To tighten privacy and security measures around its protected health information (PHI), Saratoga Hospital recently announced that it has turned to biometric technology provided by DigitalPersona Inc. to verify physicians' identity and better manage the way they access patients' medical records.

Officials at Saratoga Hospital, which operates five remote care facilities with 171 hospital beds in Saratoga Springs, NY, said that because of the cumbersome login and logoff processes, the hospital had difficulty accurately tracking access to protected health information by its more than 1,700 doctors, nurses, and staff members under their old username and password authentication processes.

Furthermore, the systems would lock with one user's credentials, so the next user could not log in, forcing users to constantly reboot the computer to regain access.

According to Gary Moon, Saratoga Hospital's information systems security analyst, his organization needed a system like DigitalPersona Pro that ties an individual person to each transaction, simplifying the reporting and auditing requirements.

"We needed a solution that would encourage our staff to comply with our access control policies without limiting their ability to treat patients and be productive," Moon said in an interview with InformationWeek Healthcare. "Passwords can be cumbersome, and oftentimes the staff would stay logged in to avoid having to manually type a password each time they needed to access patient information. Thus, we could not track who had accessed information."


To simplify the process, Saratoga Hospital has deployed DigitalPersona Pro software and U.are.U Fingerprint Readers, which physicians use to scan their finger to log into Saratoga's network. Once the physician has entered the hospital's Meditech EHR, the technology requires separate authentication, so the physician places his or her finger on the device once again.

The system even helps process documents. When physicians working in Meditech need to sign an order electronically, they're prompted for a password and a four-digit PIN. Under the new fingerprint recognition system, physicians simply place their finger on the device to be scanned.

Another advantage of the new system: The hospital has deployed over 200 computers on wheels (COWs) and each has a fingerprint reader. Nurses can move from computer to computer throughout the day, and DigitalPersona Pro allows them to quickly log in and out without having to type their username and password up to 100 times per day.

"Because of their workflow, patient information can be left on the screen and viewable," Moon said. "The speed of fingerprint unlock allows us to set a very short screen lock (five minutes) to protect that information and still let them back in quickly."

However, while biometric technology has become more accurate and less expensive and can play an increasing role in protecting health-related data from security breaches, risks still exist, according to Daniel Berger, president and CEO of Redspin Inc., a company that provides IT risk assessments at hospitals and other medical facilities.

"Biometric technology will help, but the back-end implementation is very important. Access control lists (ACL) still must reside somewhere. They must be accurate, up-to-date, and maintained securely," Berger said in an interview with InformationWeek Healthcare.

Berger added: "If a hacker can mess with the ACL, the biometrics become irrelevant. Another limiting factor is that it is still impractical to put biometric authentication on every device or in every location where PHI resides. What about laptops? iPads? Mobile storage devices? And business associate locations?"

In the meantime, Saratoga Hospital, which uses Microsoft's Active Directory, has extended the use of DigitalPersona's tool to its Hewlett-Packard thin clients using Citrix XenApp to access hospital applications, and has implemented the technology in the hospital's newly expanded emergency department.

"The primary business case for us is that we are now able to secure access and verify login information in a way that we have never been able to do before," Moon said. "We already use DigitalPersona Pro to log into our network, log into our patient records systems, and sign physician orders. We're confident that we can use DigitalPersona Pro at any authentication point."


Comments
M2SYS Technology,
User Rank: Apprentice
3/8/2012 | 3:19:35 PM
re: Biometrics Shore Up Patient Data Security
Great article,