Biometrics' Role in EHR RolloutArizona Practice Turns to Fingerprint Scanners for Authentication
That's why Children's Clinics in Tucson, Ariz., opted to use fingerprint scanners rather than passwords. The practice, which primarily serves Medicaid patients, has only 1.5 full-time physicians on staff. Another 60 physicians offer specialty care at the clinics a few times a month.
"The major motivator was easing sign-on for physicians," says William Mayo, information systems supervisor. But the fingerprint scanners also help with HIPAA compliance, he adds.
"Biometrics addresses security as well," Mayo notes. "If you were to actually make doctors remember their passwords, they would wind up writing them down, and that would be inherently less secure."
The clinics recently implemented an EHR system from NextGen Healthcare Information Systems. Previously, the visiting doctors relied exclusively on paper records. "Faced with providers starting from scratch" when learning how to use the EHR system, the clinics determined that easing sign-on with biometrics was an essential step, Mayo says.
Physicians and others enter a user name and then use biometric technology from DigitalPersona to authenticate their identity with a fingerprint. They then gain access to the EHR and other systems through Microsoft Active Directory, which assigns role-based privileges.
Some security experts say that fingerprint scanners can sometimes prove difficult to use in clinical settings.
"Fingerprint devices have always been sensitive to dirt, grime, grease and cleaning solutions," says Mac McMillan, CEO at the consulting firm CynergisTek, Austin, Texas. "The need to wear gloves as well as sterilization issues can also impact touch devices in healthcare. The powder on some gloves for instance has proven problematic for these devices. And docs are always putting on and taking off gloves."
But Mayo says his organization has experienced only minor technical difficulties with the fingerprint readers. "Two older physicians have had problems with the reader having difficulty reading their prints," he says. "Otherwise, we've had no issues at all."
MacMillan anticipates the use of biometrics will grow in healthcare "particularly as organizations try to deal with the need to accommodate multiple users on shared systems accessing EHRs and wanting to quickly and accurately identify and authenticate them." He notes, however, "There are still lots of issues that need to be addressed such as identity management, normalization of users' identities, role-based access, etc., that will have an impact on the success of both single sign-on and biometric solutions."
Mayo advises other group practices devising an authentication strategy for EHRs to "think about all the different ways that you use your data and where it's going to end up." For a group practice that relies heavily on visiting physicians practicing at one location, biometrics is a good fit, he contends.
Other Security Steps
In another important security step, the clinics do not store protected health information on personal computers in exam rooms or public areas. Only PCs in secure locations have limited data storage. Otherwise, patient information resides on network drives.
The organization also uses the auditing function within the NextGen EHR application to track who is logging into the system and who is modifying patient records.
One major motivator of Children's Clinics' move to EHRs was a mandate from United Healthcare, a health plan that serves Medicaid patients in the state. The payer requires clinics treating its enrollees to use electronic records.
Nevertheless, the Tucson practice also plans to apply for HITECH Act EHR incentive payments through the state Medicaid program. But because the incentives are not available to contracted physicians, the organization expects to only receive incentives for its 1.5 staff doctors, Mayo explains.