Biometrics and HIPAA

Biometrics is the field concerned with devices that identify individuals based on physiological or behavioral characteristics, or both. In theory it is easy to forge digital authentication such as user names and passwords, but it is very difficult to forge biometrically identifiable components, such as fingerprints. The advantage of modern biometric technology is that it is very convenient and provides higher security than most other forms of authentication. Traditionally, these security techniques were used only in highly secure facilities; however, due to reduced manufacturing costs and other advances, it is now affordable to bring biometrics to the corporation (and even to the mass market for some methods).

Biometrics have become interesting for the healthcare industry because they address the key concerns for security and privacy: they are cheap, mobile, and (relatively) very secure. To meet the requirements of HIPAA, organizations have begun to look at biometrics as a possible component. Biometrics by themselves won't solve HIPAA compliance issues. Additionally, healthcare organizations still have to create a method for nonrepudiation for digitally signed transactions. This, of course, can happen only through the use of digital certificates. By tying access to the terminal or digital certificate to a biometric device, an organization achieves good security practices and HIPAA compliance for many healthcare organizations' tasks.

Many types of biometric devices can be used to authenticate an individual, but the most popular are these:

Fingerprint readers. This technique uses an individual's fingerprint to authenticate that person. One or more fingers may be required for the authentication. This method is perhaps the cheapest among all the biometric options. In fact, fingerprint devices are being incorporated into other generic devices such as keyboards. For example, HP (its Compaq division) sells a Biometric Option Kit that includes a biometric keyboard.

Hand geometry. This method relies on the user to place his or her hand in a device that can measure unique aspects of the hand, including finger length and hand dimensions, among other characteristics. These devices are easier to use among a diverse population because they force the hand to be placed on the device for proper measurement readings. This is in contrast to, say, fingerprint devices, in which the rolling of the finger, the cleanliness of the device or finger, and other factors may slow down authentication. Hand geometry devices can cost several hundred dollars per device and usually require custom installation in a secured area.

Voice verification. Although we've seen this method many times in the movies (remember that line "My voice is my passport" from the movie Sneakers?), voice verification is not, perhaps, the best method for authentication (it was, in fact, the point of compromise in Sneakers). Due to changes in voice (for example, from colds), background noise, and other aspects, voice verification is usually limited to verification for specific workstations or a closed environment. Voice verification is perhaps the most convenient because as long as the user can speak, other disabilities do not affect verification.

Iris/retinal scanning. In both of these methods, an aspect of the eye is scanned and verified. Retinal scanning is more intrusive because the eye must be placed directly on top of the measuring device. This slows down the authentication process and brings up hygienic issues if multiple parties are to use the same authentication device. Iris scanning is more practical because authentication can occur from a distance. These systems, though, are not cheap or as easy to use as other devices. Trials have already been done with iris scanning for automated teller machine (ATM) usage (as was done by the Bank United of Texas). The concept of using an ATM card may be a thing of the past!

Facial recognition. Perhaps the most popular in the media, facial recognition has been used for a number of years by various law enforcement agencies to pick out suspects in public places. In London, for example, cameras are mounted throughout the city, and suspects' faces are compared to a known database of felons. If the software detects a possible match, a police officer is sent to investigate. Another example is its use in U.S. casinos for detecting known cheats and ensuring that suspects are not able to enter the casino without the knowledge of security staff. In general, this type of authentication is used for large numbers of people that require nonintrusive authentication. There are a number of questions about the accuracy of this method because these systems are more accurate for verification (for example, in entering a secured facility) than for identification (for example, picking a known criminal out of a crowd).
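The gap between verification and identification noted above can be made concrete. The following is an added example, not part of the original article: the templates, the threshold, the 0.001 false match rate and all function names are constructed for illustration, and the rate formula assumes each comparison is independent.

```python
import math

# Constructed enrolment templates (finger length, palm width, palm thickness, in mm).
GALLERY = {
    "alice": (78.0, 84.0, 27.0),
    "bob": (82.0, 90.0, 30.0),
    "carol": (74.0, 80.0, 25.0),
    "dave": (80.5, 86.5, 28.5),
}
THRESHOLD = 2.0  # assumed: largest template distance still accepted as a match

def verify(claimed_id, probe):
    """1:1 verification: compare the probe with the claimed identity's template only."""
    return math.dist(GALLERY[claimed_id], probe) <= THRESHOLD

def identify(probe):
    """1:N identification: compare the probe with every template, return all hits."""
    return sorted(uid for uid, tpl in GALLERY.items()
                  if math.dist(tpl, probe) <= THRESHOLD)

def false_positive_identification_rate(fmr, gallery_size):
    """Chance that an unenrolled person matches at least one of N templates,
    assuming independent comparisons that each false-match with probability fmr."""
    return 1.0 - (1.0 - fmr) ** gallery_size

def expected_false_alarms(fmr, gallery_size, people_scanned):
    """Expected number of unenrolled passers-by flagged for follow-up."""
    return people_scanned * false_positive_identification_rate(fmr, gallery_size)

# Constructed probe from a person who is not enrolled at all.
STRANGER = (79.5, 85.5, 28.0)

if __name__ == "__main__":
    print("claims to be alice:", verify("alice", STRANGER))
    print("searched against gallery:", identify(STRANGER))
    for n in (1, 1000, 10000):
        print(n, round(false_positive_identification_rate(0.001, n), 4))
    print(round(expected_false_alarms(0.001, 1000, 50000)))
```

The same unenrolled probe is rejected when checked against one claimed identity but produces a hit when searched against the whole gallery, and the per-comparison error rate that is acceptable at a door becomes a near-certain false alarm against a large watch list.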
