Tuesday, February 12, 2008

Biometric Authentication

Last week, my BIDMC CEO Paul Levy posted a question in his blog about the utility of fingerprint biometrics for USB storage drives. This raises the more global issue of the usefulness of biometric authentication in hospitals.

Today, authentication at BIDMC and Harvard Medical School is done with a strong username and password - the usual alphanumeric, mixed-case password that must be changed frequently, cannot be repeated, is not an English word, etc. Using complex passwords is great on desktops, but works less well on mobile devices without keyboards or in crisis situations. Trying to type an 8-character password on a tablet while the patient is crashing can be very anxiety-provoking.

Over the past 5 years, I've worked with various biometric technologies including fingerprint scanning, iris scanning, hand geometry, and facial recognition. My experience has been mixed. In general, biometrics have been:

-immature, hard-to-support technology
-challenged by false positives (granting access inappropriately) and false negatives (denying access inappropriately), impacting user acceptance of the technology
-characterized by lack of integration with existing enterprise security systems

However, new products are being introduced which have caused us to re-evaluate biometrics.

Clinicians find the fingerprint an easy-to-use authentication method when they are in a hurry. It has 3 positive attributes:
-you're unlikely to forget your finger at home
-although identity theft of a fingerprint is theoretically possible, we can "reset" the password by selecting another finger (it's like having 10 different passwords)
-since laptop data theft is a highly visible problem, protecting laptop logins with a fingerprint scan seems like a good security practice

There are issues:
-As we further deploy this technology, we'll have to review our policies and procedures. For example, if biometrics were used to encrypt corporate-issued laptops, the employee termination procedures would need to be changed to ensure access to the “finger” is available to recover the system.
-Recovery of a "lost" fingerprint (due to injury or absence) can be problematic for an institution.
-Non-contact biometrics might be better in healthcare settings for infection control.

We've tested Omnipass in the Emergency Department as a way to accomplish authentication using multiple methods - fingerprint or username/password, all linked to our enterprise Active Directory (AD). Omnipass supports central storage of fingerprint scans and maps them to AD users. It also provides secure authentication of web pages.

The issue we had in our pilot is the multi-step process to log into Omnipass, then log into our ED dashboard application, then log out of Omnipass. For a workflow where the user has the tablet for hours, this wouldn't be a problem. For Emergency Department workflow, the user picks up the tablet, uses it for 3-5 minutes, then puts it down. A 1-minute login/logoff process eliminates the time savings of using a portable device.

For those seeking early experimentation with biometrics, I recommend a pilot of fingerprint scanning. Iris scanning requires more expensive hardware, hand geometry is harder to deploy, and facial recognition is much more experimental technology.

8 comments:

jay said...

It seems to me that 10 passwords isn't enough (I know I often wish I had more hands and fingers).

As you mentioned, current password policy is to "change them frequently" (however often that is defined). Even if it's every 3 months that's both hands in just over 2 years.

But the fundamental concern I see is that you can't just wave away the risk by saying "Oh, we can always pick a new finger".

To me, it seems fair to assume that if an attacker can steal 1 of my fingerprints they have a good chance at getting 80% of the total. Even a wineglass would get almost 50% and I can imagine the security risk a large cup of coffee would pose.

Why not an RFID bracelet or similar physical device? Sure it can be lost or even sniffed & spoofed, but it is also a heck of a lot easier to swap.

Martin said...

We have just gone through a full deployment of a single sign on / biometrics solution at the Centre hospitalier de l'Université de Montréal.

User acceptance has been tremendous, but we indeed have had quite a few technical glitches, especially on the client computers.

We currently have over 5000 users and are yet to have a false positive reported to us. There are a dozen users that experience frequent false negatives.

The technical support needs are greater than first evaluated, but user support is simpler than we had thought.

We had to set up a large operation to enroll doctors, nurses, health professionals and residents on our 3 sites, but now, just a few weeks after the end of the deployment, it's already a tool users couldn't work without.

Henryhbk said...

One major issue for healthcare use is that we are frequently putting alcohol cleaning gel on our hands (now Pump-in/Pump-out is the standard of care), and most of us do that, and then again before sitting down with the computers. The nurses who do use devices with fingerprint authentication have found that a film builds up on the scanner and on their hands over time from the gel. Not insurmountable. Infection control is of course a second concern as John mentions.

Unknown said...

While iris identification has traditionally been more expensive, it is a far more accurate, more reliable technology than fingerprint identification. Iris ID can identify staff members using a handheld camera without physical contact and without the need to remove gloves or masks. It is virtually impossible to gain access through an iris ID system without using the actual live eye.

The biometrics industry is developing a variety of new products, and our company recently introduced a low-cost iris identification system designed from the ground up for clinical applications. Biometrics, especially iris recognition, will be an increasingly useful solution to health care ID issues, including both staff and patient identification.

Evan Smith
CEO - Eye Controls

John Halamka said...

Thanks everyone for your great feedback. I'll do another post on Iris identification technologies, since I've recently read several papers about them and can appreciate their advantages for spoofing, infection control, and accuracy.

Henryhbk said...

Of course Wesley Snipes in Demolition Man might disagree on the inability to spoof. But the whole pen-eyeball thing is quite messy.

JGF said...

Can you comment on why Active Badge presence technologies haven't caught on?
