Biometrics Shore Up Patient Data Security

9 Tablets For Doctors

To tighten privacy and security measures around its protected health information (PHI), Saratoga Hospital recently announced that it has turned to biometric technology provided by DigitalPersona Inc., to verify physicians' identity and better manage the way they access patients' medical records.

Officials at Saratoga Hospital, which operates five remote care facilities with 171 hospital beds in Saratoga Springs, NY, said that because of the cumbersome login and logoff processes, the hospital had difficulty accurately tracking access to protected health information by its more than 1,700 doctors, nurses, and staff members under their old username and password authentication processes.

Furthermore, the systems would lock with one user's credentials, so the next user could not log in, forcing users to constantly reboot the computer to regain access.

According to Gary Moon, Saratoga Hospital's information systems security analyst, his organization needed a system like DigitalPersona Pro that ties an individual person to each transaction, simplifying the reporting and auditing requirements.

"We needed a solution that would encourage our staff to comply with our access control policies without limiting their ability to treat patients and be productive," Moon said in an interview with InformationWeek Healthcare. "Passwords can be cumbersome, and oftentimes the staff would stay logged in to avoid having to manually type a password each time they needed to access patient information. Thus, we could not track who had accessed information."

[Is it time to re-engineer your Clinical Decision Support system? See 10 Innovative Clinical Decision Support Programs.]

To simplify the process, Saratoga Hospital has deployed DigitalPersona Pro software and U.are.U Fingerprint Readers, which physicians use to scan their finger to log into Saratoga's network. Once the physician has entered the hospital's Meditech EHR, the technology requires separate authentication, so the physician places his or her finger on the device once again.

The system even helps process documents. When physicians working in Meditech need to sign an order electronically, they're prompted for a password and a four-digit PIN. Under the new fingerprint recognition system, physicians simply place their finger on the device to be scanned.

Another advantage of the new system: The hospital has deployed over 200 computers on wheels (COWs) and each has a fingerprint reader. Nurses can move from computer to computer throughout the day, and DigitalPersona Pro allows them to quickly log in and out without having to type their username and password up to 100 times per day.

"Because of their workflow, patient information can be left on the screen and viewable," Moon said. "The speed of fingerprint unlock allows us to set a very short screen lock (five minutes) to protect that information and still let them back in quickly."

However, while biometric technology has become more accurate and less expensive and can play an increasing role in protecting health-related data from security breaches, risks still exist, according to Daniel Berger, president and CEO of Redspin Inc., a company that provides IT risk assessments at hospitals and other medical facilities.

"Biometric technology will help, but the back-end implementation is very important. Access control lists (ACL) still must reside somewhere. They must be accurate, up-to-date, and maintained securely," Berger said in an interview with InformationWeek Healthcare.

Berger added: "If a hacker can mess with the ACL, the biometrics become irrelevant. Another limiting factor is that it is still impractical to put biometric authentication on every device or in every location where PHI resides. What about laptops? iPads? Mobile storage devices? And business associate locations?"

In the meantime, Saratoga Hospital, which uses Microsoft's Active Directory, has extended the use of DigitalPersona's tool to its Hewlett-Packard thin clients using Citrix XenApp to access hospital applications, and has implemented the technology in the hospital's newly expanded emergency department.

"The primary business case for us is that we are now able to secure access and verify login information in a way that we have never been able to do before," Moon said. "We already use DigitalPersona Pro to log into our network, log into our patient records systems, and sign physician orders. We're confident that we can use DigitalPersona Pro at any authentication point."

Healthcare providers must collect all sorts of performance data to meet emerging standards. The new Pay For Performance issue of InformationWeek Healthcare delves into the huge task ahead. Also in this issue: Why personal health records have flopped. (Free registration required.)