The keys to identity: as healthcare organizations strive for greater security, some are using a very personal approach in the form of biometrics

Health Management Technology, Dec, 2004 by Phil Reynolds

The need to be HIPAA-compliant and address patient privacy concerns is driving many healthcare organizations to adopt greater security standards. Passwords and personal identification numbers (PINs) are ubiquitous, as are swipeable ID cards and tokens.

But what if, instead of memorizing or possessing some form of authentication, you embodied it in one or more physical attributes unique to your being, so that it couldn't be forgotten, lost or stolen? How would anyone else be able to claim that he was you?

That's where biometric authentication comes into play. Biometrics involves the biological identification of a per son based on the structure or action of physical characteristics such as fingerprints, hand geometry, irises, the face, voice responses and handwritten signatures. Although biometric authentication is more secure than other authentication methods, some forms of biometric technology have high failure rates, so biometric authentication is often used as one component of two-factor authentication, which requires a second method of authentication such as a password or PIN to ensure accuracy.

Nevertheless, as it has with government, law enforcement, finance, and travel and transportation, biometrics is making inroads into healthcare.

Biometrics and Healthcare

There are six biometric technologies in widespread use today. Each has pros and cons.

Hand Geometry Verification. Used almost exclusively for physical access control with a PIN or swipeable ID card, hand geometry verification is based on the physiological dimensions of the hand and fingers, such as height and width; it does not record palm prints. Available since the mid-'80s, it is the most established form of biometric technology on the market, and it is robust enough to handle a large number of users and to operate reliably under difficult environmental conditions. The downsides are the high cost and large size of hand geometry devices, and the inability to perform identification due to indistinctive and unstable physiological characteristics.

Fingerprint Verification. The most stable and proven biometric technology for one-to-one functionality, as well as the leading biometric technology in revenue generation, fingerprint verification considers the ridges, valleys and whirls of a fingerprint to verify a user's identity. Mature matching algorithms produce false match and false non-match rates that are minimal. Fingerprint verification's versatility makes it ideal for both access control and network access, due to its ease of use and variety of devices, and strong marketplace competition drives technology development and reduces costs. However, some users cannot be enrolled because of unreadable fingerprints, whether due to damage, age or ethnicity. Other inhibitors include the risk of technology obsolescence for devices incorporating fingerprint sensors, the susceptibility of spoofing enrollment and verification with other materials, and the general fear of fingerprinting abuse.

Iris Recognition. Since the iris is an immutable and unique physiological characteristic--more so than a fingerprint--iris recognition, which is based on the distinctive ridges, furrows and striations of the iris, offers reliable one-to-one and one-to-many functionality with low false match rates. It also provides a high match speed, due to its use of homogenous templates, and hands-free operation. On the other hand, iris recognition systems are quite expensive, have not been tested in large-scale deployments, and require significant training and attention to factors such as proper positioning of the head and eyes.

Facial Recognition. Facial recognition is designed primarily to find close matches of particular facial features such as eyes, nose, mouth, cheekbones, chin and forehead against a database of static facial images. But this technology has not proven to be reliable for one-to-one verification, due to its high false non-match rate, even with ideal lighting, distance and angles. Plus, small changes in a user's appearance, including glasses, facial hair or aging, can reduce accuracy.

Voice Verification. Because voice verification relies on distinctive characteristics derived from spoken phrases, it needs as little background noise as possible to be accurate, so the technology is not well-suited for use in hospitals. Other key factors that affect accuracy include changes in a person's speech habits, due to illness or emotion, and telephone quality. However, as voice recognition applications become more commonplace and healthcare organizations strive to reduce call center costs, voice verification technology will continue to garner interest.

Signature Verification. More than just capturing a handwritten image, signature verification is based on the distinctive characteristics associated with the act of signing, including stroke, pressure and speed. Thus, it is more likely to be used in situations that already require signature capture or those that adopt new practices such as pen-based computing on PDAs or tablet PCs. The other main deterrent is the need for consistency on the user's part, since signatures frequently change over time and from signature to signature, creating a high false rejection rate.