Using Biometrics Without Single Sign-On
How a Hospital Developed an Authentication Strategy
In an interview (complete transcript below), Gary Moon, security analyst at Saratoga Hospital in Saratoga Springs, N.Y., explains why his organization chose to implement fingerprint scanners without single sign-on.
Moon outlines why the hospital:
- Concluded single sign-on would be too costly and complex to implement;
- Chose to use DigitalPersona fingerprint scanners rather than other technologies to ease user authentication and help comply with the HITECH Act;
- Decided that two-factor authentication is unnecessary and impractical;
- Is considering using fingerprint scanners for authentication of physicians who remotely access systems.
Moon has 22 years of experience in information technology, ranging from enterprise messaging to end-user training. He has focused on security issues at Saratoga Hospital for the past six years. Moon holds Microsoft, SANS, CompTIA and (ISC)² CISSP certifications in systems and security.
ANDERSON: We want to talk to you today about your authentication strategy. First, what was the motivation for implementing new authentication technology, including biometrics?
MOON: Well, we have multiple systems, as everybody does. Our healthcare information system requires a separate log-in and user account from our Active Directory. And a number of other applications that support our work all require different authentication. Unfortunately, they're not all made to work together. A lot of people have implemented single sign-on. Our environment makes it difficult, and a little more intense, to try to implement single sign-on. We have a technology fair every year, and we present the latest technologies and we let the nurses and doctors come through and take a look at them and vote on what they like. And when we did that and included biometrics, the response was ballistic for that. People loved the idea of biometrics and logging in with your fingerprint, so we decided to investigate it.
Choosing Biometrics
ANDERSON: I understand that your organization tried several different authentication approaches before settling on fingerprint scanners. What other authentication technologies and strategies did you consider and reject, and why?
MOON: We thought about token-based systems. ... Basically, all of those systems add complexity to a person's log-in. We have a hard enough time right now having people feel comfortable just logging in once, let alone having an additional PIN number and a card -- something they have to carry. So we knew that tokens would be a problem with user acceptance. They would have to carry something, and they would have to add a PIN in addition to their login. So, that wouldn't fly.
We also considered proximity badges, and implementing something on our current ID badge, but the problem there is that the users really don't value that very much. In fact, if I go down and get a cup of coffee at the cafeteria, I can, at any given time in the morning, find an employee with five or so badges on their tray, and they are buying breakfast and coffee for other employees. If you extend that, it's not too hard to see where they would actually be able to share the badge pretty easily (for system access), and not think twice about it. If someone didn't have the right kind of access, they would just give somebody their badge, so that they would have that access, and it would never be tracked. So we thought the proximity badges weren't a good idea, either. ... The fingerprint's advantage is tremendous. For instance, there is nothing for them to carry, there is nothing for them to remember - they all have their finger with them, obviously.
Product Selection
ANDERSON: How did you go about selecting what brand of fingerprint scanner to use?
MOON: We did look at a couple that were more involved, because they came as part of a package with single sign-on. Single sign-on wasn't going to work. We selected a company's product when we were sure that we could pilot it easily with a low cost of entry. The package we did select, which was DigitalPersona, we were able to pilot in a small group with minimal disruption to our other environment, and we wouldn't have to install something that would be really heavily managed. It could actually be done on a workstation-by-workstation basis. And they had a couple of models, which included the kiosk model, which allows people to log in quickly and share a desktop, and a workstation model, intended for a person who has their own machine that they use all day long. ... And, between these two models, and the low cost of entry, we thought that was a good way to start out.
And the hardware, as it turns out, and the drivers, are also being developed to be integrated with other people's software and authentication systems. So, we felt it was also a pretty flexible way to go. Rather than having a fingerprint solution tied to a backend that tries to be a single sign-on, I think the one we selected is a lot more flexible going forward, because the single sign-on market is still kind of shaking out, and a lot of vendors are coming and going really fast. So we really aren't settled on a certain brand of single sign-on yet. We are hoping that, having selected the product that we did, it will be able to plug into whatever single sign-on we use down the road.
Skipping Single Sign-On
ANDERSON: So help us to understand why a single sign-on system wasn't a good fit for you right now. And in the meantime, how does a physician use the fingerprint scanner to access the multiple systems they are authorized to view?
MOON: Single sign-on is still shaking out. The market is still unsettled. And companies are changing their products rapidly. They are getting better, but there are still a lot of companies that are coming and going. And not only that, single sign-on is a major undertaking, in terms of management and expense, and our systems also aren't very easy to implement. We are using a healthcare information system called Meditech. It is not the easiest thing in the world to integrate with other systems. So, we had those barriers to single sign-on. What our fingerprint system does is it works on the front end. It is not single sign-on, but when the sign-on is as easy as putting your finger down, I coined the term that it is "effortless multiple sign-on." So the users don't mind putting their finger down. If we add a back-end system, it needs another sign-on, and they just put their finger down again. And it is no speed barrier. They need to get in and get out of systems very fast. And this allows them to do that without the back-end single sign-on.
Single-Factor Authentication
ANDERSON: In a related question, are you using two-factor authentication, or is fingerprint scanning a single factor?
MOON: We're not using two-factor.
ANDERSON: And why did you make the decision against using two-factor?
MOON: User resistance, primarily. Actually, we didn't feel that the use of two-factor would be any improvement over the recognition of somebody's fingerprint as a validation that they are who they say they are.
ANDERSON: Might you move to two-factor authentication if you eventually move to single sign-on?
MOON: I really can't see the benefit. Somebody would have to convince us that two-factor provides a real security benefit for us to actually impart on the user the need to put their finger down and use some sort of PIN or password. We want to reduce barriers to access to the systems, while remaining compliant with security needs. What I like about the fingerprint authentication is it really does encourage them to be compliant. What we had was a lot of people would jump on each other's sessions to look up patient data. And that was because they didn't want the bother of logging out the one user and logging in as themselves every time. And this does that. If logging in is as easy as putting your finger on a reader -- and very fast -- people don't mind doing it. People actually enjoy using this system. And to add a PIN, I don't think that would fly, and I don't think it would gain us enough security advantage to actually be worth doing.
HITECH Compliance
ANDERSON: How big a factor was compliance with the HITECH Act and HIPAA in motivating you to invest in this technology?
MOON: That was a lot of it -- the HITECH Act especially. We have a better audit trail now than we ever had before. People are using their fingerprints. A lot of the HITECH Act has to do with how we manage back-end systems, and how we monitor users. That hasn't changed. But we have a better assurance that users are only accessing records that they need to access, because we know that they are not jumping on each other's sessions now.
3,100 Users
ANDERSON: How many computer devices now are equipped with the fingerprint scanners, and how many physicians and nurses are using them?
MOON: We have about 3,100 users. Currently, out of 800 PCs, 250 of them have the readers and software installed. Out of a total number of licenses, we have 641 people who are registered with fingerprints and are actively using them. So we're about halfway to our goal. Our actual goal was about 1,500 users who would need this system, and a total of 700 PCs.
ANDERSON: And that goal was set because those are your heaviest users of the system, I assume.
MOON: Those are the ones we identified, yes. ... The real goal is to get everybody using this everywhere, so that then we can have the software manage their password changes completely. And what that means is there is an option in the software that when it detects a password change, it will automatically change and select a new password, based on a certain password strength. Right now, we have to rely on the least common denominator password, which is unfortunately our healthcare information system. It doesn't support password complexity. So the users can put in anything they want, and, as you know, they will select the easiest password they possibly can without restrictions. So, hopefully, when we get this (biometrics) completely across-the-board installed, we will be able to then switch on that (password change) functionality and have complex passwords across the organization. The other benefit is people won't be able to share their passwords, because after that first password change, they won't even know what their new password is.
ANDERSON: So, just to make sure I understand, I scan my fingerprint and that triggers the appropriate password going off?
MOON: That's right. It's simply a front-end device which doesn't interfere with the back end. As far as the back end knows, this person has this password, and just entered it.
Biometrics Technology Issues
ANDERSON: Now, as you have implemented the scanners, have you had any issues with difficulty reading any particular individual's fingerprints, or have you had to replace any of the devices that have broken yet?
MOON: Recently, we had our first problem with a collision, where one person's fingerprint brought up another person's authentication. That was easy to fix, with a parameter on the server. We had used the default false rejection rate, and we just had to tighten that up a bit, and that eliminated that problem. But out of 641 users we had our first issue recently. That's after having this in place and rolling it out for a year or more.
I should say that we do have a handful of users whose fingerprints are just so difficult to read that they have a hard time. We have to tell them to put lotion on their hands, or something like that. As far as the hardware goes, we haven't yet replaced a reader because of a failure; it has no moving parts. The LEDs are still working, and they are still accurate. We did replace the original models that we used for our pilot, because they were an older model, and the newer ones are built to be a little heavier and a little more durable. But it wasn't because of a failure; it was because we wanted to put the new ones in place. The hardware costs are actually very low.
Remote Authentication
ANDERSON: What approach to authentication do you use for clinicians who access systems remotely over your virtual private network? And how might that approach evolve in the years ahead? Might you eventually use biometrics?
MOON: We've discussed that. But right now the physicians simply log in. So they need to remember their user name and their password when they are sitting at their office and they want to remotely connect to our system. There is an option, under our current software vendor, to actually install on those remote systems the back end that supports the fingerprint reader. And we have used it internally here, so we can connect to the terminal server, and it prompts us for our user name and password, and it also brings up the little icon that allows us to put our finger down if we have a reader, and log in that way. And we could tell the physician, "All you have to do is buy this particular brand of reader, and you can log in with your fingerprint." But we haven't actually deployed that. ...
We don't want to get into using hardware tokens. We don't want to use one system for remote access and another system for when they are here. So, we would probably pursue the fingerprints for remote access, as well, if the physicians' offices were willing to purchase the readers, which are fairly inexpensive.
Viability of Biometrics
ANDERSON: Finally, what lessons have you learned about authentication that other hospitals might apply?
MOON: What I like about the way we did it was one size does not have to fit all; there are other solutions out there. Most people would go with a single sign-on right away, because everybody is doing it, and there is a rush to it. But I'm glad that we found another way to approach ease of entry into our systems and maintain the security of it. Biometrics really aren't a future technology any more; they're common and they're less expensive than they used to be. A lot of people are still thinking that it's down the road. Well, it's actually here.