Case Study: The Motivation for Biometrics

Convenience, as Well as Security, Are Key Factors
Case Study: The Motivation for Biometrics
Improved security isn't always the primary motivation for implementing biometrics for authentication.

At Phoebe Putney Memorial Hospital, for example, an ongoing rollout of fingerprint scanners, paired with single sign-on, is designed mainly to make it easier for clinicians to access clinical information systems. But the new technologies have yielded security benefits as well.

The 443-bed community hospital in Albany, Ga., is phasing in a core clinical information system from McKesson Corp. To help ease the shift to electronic health records, it's:

  • Implementing single sign-on technology from Imprivata Inc. so physicians and nurses no longer have to use as many as a dozen different passwords to access all the information they need from the various components of the EHR application and other systems;
  • Adding fingerprint scanners from UPEK Inc., linked to the single sign-on system, to enable clinicians to more quickly access systems; and
  • Equipping patient rooms with thin clients from Wyse Technology.

User convenience is the main driver for the rollout of all these technologies, says Mike Elder, director of technical services. "We were getting a lot of pushback from doctors and other users who were tired of all the passwords," he notes. In addition, nurses wanted to be able to call up records from any patient room, and the thin clients proved more cost-effective than PCs, he adds.

Security Benefits

But all the new technologies have security benefits as well. For example:

  • The single sign-on system has a time-out feature, which shuts down shared computers after five minutes of inactivity.
  • The fingerprint scanners improve authentication, helping to ensure only authorized users gain access to sensitive clinical information.
  • The shift to thin clients means all clinical information resides solely on secure servers rather than on the devices in patient rooms.

In addition, single sign-on helps with HIPAA security compliance "by allowing us to audit access to applications," says Julius Blash, a network technician.

"We are auditing usage via single sign-on to keep staff aware that we are making sure they are not accessing information inappropriately," Elder adds. "We can tell when they log in what applications they are accessing."

Growth Ahead?

More hospitals will use authentication technologies paired with single sign-on as they automate more clinical information, predicts security specialist Lisa Gallagher. She's senior director of privacy and security at the Healthcare Information and Management Systems Society.

"The drivers will be a combination of the organization's risk profile and the workflow/usability concerns expressed by system users," Gallagher says.

The HITECH Act, which toughens penalties for violations of the HIPAA privacy and security rules, is motivating hospitals to carefully assess their risks and develop plans for addressing them.

Pros and Cons

Some organizations are concluding that fingerprint scans have an edge over other authentication systems, says security expert Rebecca Herold, owner of Rebecca Herold and Associates. For example, using the scanners may be more convenient than using a smart card, which can be lost, she notes. Plus fingerprint scans are perceived by many to be less intrusive than certain other biometric options, such as iris scanners, she adds.

On the other hand, "some perceive having their fingerprints stored as an invasion of their privacy and fear the fingerprints will be inappropriately used or shared beyond authentication uses," she adds. "And some fingerprint readers are prone to comparatively easy breakage or malfunction."

When selecting an authentication method to use, the Georgia hospital chose fingerprint scanners over other biometric options and smart cards based on feedback from other hospitals in the region, Elder says.

"Fingerprint scanners seemed to be the most reliable," he says. But he stresses that the reliability is tied to the use of "high-end" fingerprint scanners that cost $120 each, rather than less expensive devices.

Progress Report

The Georgia hospital has implemented single sign-on in all its departments for 4,000 users. It enables clinicians to access all systems they're authorized to use by entering a user name and password once. The organization plans to implement the technology at two other smaller hospitals it owns and one it manages, Elder says.

So far, about 100 fingerprint scanners have been rolled out at the main hospital, primarily at nurses' stations. Eventually, all the hospitals may use the scanners on inpatient floors to accommodate the needs of physicians and nurses alike, Elder says.

The biometric devices help clinicians save time because they simply place their finger on the scanner to gain instant access to all systems they're authorized to view, thanks to the link to single sign-on.

Lessons Learned

Based on his experience, Elder advises other hospitals to:

  • Implement single sign-on in phases. The hospital introduced it in administrative areas first, then floor-by-floor in clinical areas, over the course of a full year. In this way, it could "resolve problems on one floor before going to the next one," Elder says.
  • Consider adding biometrics to improve security as well as to "build a high-tech reputation," which can help when recruiting physicians.
  • Conduct extensive tests before rolling out new technologies and provide extensive staff education. "We could have done even more training," Elder says.

Buyer Beware

Herold advises healthcare organizations considering single sign-on to "be sure to know all the systems you have that require authentication, document them, and then ask the vendor if the solution supports them all."

If the single sign-on system must be modified to accommodate access to all of an organization's systems, "be sure to find out how much extra that modification will cost you," Herold stresses. "Also, for security purposes, be sure to ask the types of logging that the solution has available.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.