3/7/2012
10:29 AM

Biometrics Shore Up Patient Data Security

Saratoga Hospital uses biometric technology to better manage and track health providers’ access to patient data.

To tighten privacy and security measures around its protected health information (PHI), Saratoga Hospital recently announced that it has turned to biometric technology provided by DigitalPersona Inc. to verify physicians' identity and better manage the way they access patients' medical records.

Officials at Saratoga Hospital, which operates five remote care facilities with 171 hospital beds in Saratoga Springs, NY, said that cumbersome login and logoff processes under the old username and password authentication made it difficult to accurately track access to protected health information by the hospital's more than 1,700 doctors, nurses, and staff members.

Furthermore, the systems would lock with one user's credentials, so the next user could not log in, forcing users to constantly reboot the computer to regain access.

According to Gary Moon, Saratoga Hospital's information systems security analyst, his organization needed a system like DigitalPersona Pro that ties an individual person to each transaction, simplifying the reporting and auditing requirements.

"We needed a solution that would encourage our staff to comply with our access control policies without limiting their ability to treat patients and be productive," Moon said in an interview with InformationWeek Healthcare. "Passwords can be cumbersome, and oftentimes the staff would stay logged in to avoid having to manually type a password each time they needed to access patient information. Thus, we could not track who had accessed information."

To simplify the process, Saratoga Hospital has deployed DigitalPersona Pro software and U.are.U Fingerprint Readers, which physicians use to scan their finger to log into Saratoga's network. Once the physician has entered the hospital's Meditech EHR, the technology requires separate authentication, so the physician places his or her finger on the device once again.

The system even helps process documents. When physicians working in Meditech need to sign an order electronically, they're prompted for a password and a four-digit PIN. Under the new fingerprint recognition system, physicians simply place their finger on the device to be scanned.

Another advantage of the new system: The hospital has deployed over 200 computers on wheels (COWs) and each has a fingerprint reader. Nurses can move from computer to computer throughout the day, and DigitalPersona Pro allows them to quickly log in and out without having to type their username and password up to 100 times per day.

"Because of their workflow, patient information can be left on the screen and viewable," Moon said. "The speed of fingerprint unlock allows us to set a very short screen lock (five minutes) to protect that information and still let them back in quickly."

However, while biometric technology has become more accurate and less expensive and can play an increasing role in protecting health-related data from security breaches, risks still exist, according to Daniel Berger, president and CEO of Redspin Inc., a company that provides IT risk assessments at hospitals and other medical facilities.

"Biometric technology will help, but the back-end implementation is very important. Access control lists (ACL) still must reside somewhere. They must be accurate, up-to-date, and maintained securely," Berger said in an interview with InformationWeek Healthcare.

Berger added: "If a hacker can mess with the ACL, the biometrics become irrelevant. Another limiting factor is that it is still impractical to put biometric authentication on every device or in every location where PHI resides. What about laptops? iPads? Mobile storage devices? And business associate locations?"

In the meantime, Saratoga Hospital, which uses Microsoft's Active Directory, has extended the use of DigitalPersona's tool to its Hewlett-Packard thin clients using Citrix XenApp to access hospital applications, and has implemented the technology in the hospital's newly expanded emergency department.

"The primary business case for us is that we are now able to secure access and verify login information in a way that we have never been able to do before," Moon said. "We already use DigitalPersona Pro to log into our network, log into our patient records systems, and sign physician orders. We're confident that we can use DigitalPersona Pro at any authentication point."

Comments
M2SYS Technology,
User Rank: Apprentice
3/8/2012 | 3:19:35 PM
re: Biometrics Shore Up Patient Data Security
Great article,