We worked for an entire year testing, making requests, testing, more requests and more testing before we were able to launch an interface between our lab and EMR, but it’s been one of the best things we’ve done. The reason it took so long is the topic of another post, but it was for good reason.

One of the best advantages to a lab interface with your EMR is that you don’t have to worry about what to do with all those paper labs that you’ve signed. Inevitably all those signed paper labs will have to be scanned and attached to a patient in your EMR.

Really, that’s why a lab interface is so much better. The interface inserts the lab info right into your EMR so you don’t have to worry about:
1. Losing your lab results (before or after you sign it)
2. No need to scan your signed lab results into your EMR
3. You can run really cool reports on the data from those labs in your EMR (ie. blood sugar change over time)
4. Most EMR will notify you that there are lab results to read, so there’s no more waiting for the paper to somehow make it to you

In our EMR, a lab result gets easily signed off with the click of a check mark. Actually our labs our grouped into batches according to labs that were ordered at the same time. This makes it so all our lab results appear on one nice lab report as opposed to one lab report per lab. All doctors have to do is highlight all the labs and click “Mark as Read” and that whole batch of lab results are signed electronically in the EMR.

Of course, many of you will probably ask how we handle abnormal results. Well, I guess you’ll just have to wait to learn about that.

Today I came across a new biometric authentication method that recognizes a person’s typing behavior. Techcrunch described it as folows:

It’s a Flash-based interface that compares your typing style against a list of known styles and logs you in based on your individual typing fingerprint. To enroll you simply type a sentence nine times and then the system senses the pauses, mistakes, and speed of your hunting and pecking. Obviously, this doesn’t work if you have a broken hand or, presumably, you’re under duress so it’s fairly hard to crack a system using physical coercion. A cool way to add biometrics to web-based forms.

They have a test on their site, but the registration process seemed a bit onerous. Haven’t they realized the first key to a website is to let me test the product with no registration. Then, let me register when I like it? Maybe if I have some free time later I’ll register and try it out.

I wonder if something like this could merge with the OpenID movement and make this one other method of authenticating yourself to an open id enabled site. Could be pretty interesting I think.

Setting the legal items aside, the technology of a digital signature is not rocket science by any means. In fact, it’s the legal questions that are harder mostly because there just hasn’t been much case law that has dealt with it. Just as a thought, I would highly suggest that whoever reads about this talks with a good legal team before implementing it.

Of course, reading the comments from my previous post made me realize that what we’re doing is really quite innovative. I’m not just talking about digital signatures. For more than two years now we’ve been collecting patients health history form in our Health Center and intake questionnaire in our counseling center electronically. These forms don’t require the patient or client to leave a signature. It’s basically just capturing information. I think most people can see why it’s valuable to have a health history form captured electronically. In our case it makes all of the necessary clinical information available in one place without dealing with the time consuming and inaccurate scanning. Even more significant for us as a state institution was the ability to do aggregate reporting on the type of patients we were seeing. How many other people can find out things like 20% of your patients have a family history of heart disease (not our actual number)?

I know there are a number of EMR companies out there that have a whole patient portal where this kind of stuff is done, but I’ve never seen any that use a kiosk at the doctor’s office to collect this information. If you are an EMR vendor that has this feature, please leave a comment. I think we’d all love to know who else does it.

Looking at it now, capturing digital signatures for HIPAA privacy forms, consents, etc is just the next step in ridding ourselves of paper. In fact, this addition means that our patients can bypass the front desk completely. They check in on the computer, fill out their necessary forms and then are directed to have a seat. This notifies the nurse that they have arrived and they are ready to be seen. No face to face contact. Privacy at its best.

Well, I got a few questions and comments in my digital signature post that prompted this post. I’ll do my best to answer them here.

Chris Kozloski said, “I like the idea. A kiosk for registration that they could fill out the paperwork online and sign the blocks on the screen would be really neat.”

See my notes above. It’s not just an idea. We’ve been having them fill out the paperwork for two years now. We also have the technology to do the signatures. Just waiting for the other signature pads to arrive and we’ll be implementing it.

One thing I’m not sure most people think about is how the computer will know which forms need to be filled out by the patient. I think that’ll have to be the topic for my next post.

Craig Briars asked, “What software are you using to do this with?”

This is a good question. We are using Medicat EMR. It’s an EMR that is focused on the College Health community, but could be used in a general practice if needed. I’m not sure how it is in a general practice, but I know that they have a ton of features that make it a solid choice for College Health offices interested in EMR.

Medicat has integrated it’s software with topaz signature pads. Medicat uses the Topaz software to capture the signature. It’s actually quite neat how the signature is captured and stored in the database. We did find that the LCD signature pads with the back light were the best. The cheap $100 topaz signature pads just wouldn’t capture my signature if I did it quickly. Plus, if it isn’t LCD, then I don’t know which part of the signature it missed so that I can correct it.

Here’s a quote from his post on Microsoft Surface Computing in Health Care:

Yesterday, Microsoft officially launched the first commercial product from a group and technology known as Microsoft surface computing. The product is called Milan; a coffee-table sized PC that takes touch screen technology to entirely new levels and gives users a highly interactive experience with all things digital. For now, you’ll be seeing the technology in business environments such as hotels, casinos, and retail establishments. You can read more about that here:

I first told you about surface computing last July when I met with colleagues at Microsoft Research to produce a video segment for my House Calls for Healthcare Professionals series. In that video, Dr. Eric Horvitz and surface computing guru, Andy Wilson, and I talked about the technology and possible implications for the healthcare industry. At the time Andy’s work was going under the code name Play Anywhere. My head was literally spinning with ideas on how this new user interface could be used in radiology, physical therapy, anatomical pathology, and other disciplines. It also occurred to me that this new way to interact with a computer, manipulate screen images, and navigate through data could be immensely important to clinical work-flows demanding a more hands-free, no-touch solution such as might be desirable during surgery or certain medical procedures.

I think one area that he didn’t seem to mention, but he’s probably considered is interaction with patients. I could imagine the day that a surface computing tabletop is found in every exam room. The doctor could roll this table over to the patient and the doctor and patient could interact with all sorts of patient education. When diagnosing a hernia for example, they could show anatomical drawings or videos that actually show what causes a hernia and the process for fixing it. They could draw on the table as they describe the medical condition. Then, the patient could have the video that was shown by the doctor sent straight to their phone so they can take it home and show their family. Would be pretty neat.

I must admit that as I read about this technology I remembered a video I posted on my technology blog that showed a real life application of multiple inputs on a table top. I was amazed at the technology six months ago and I’m still amazed now. Take a look.

I brought in the director of the health center to take a look at the single sign on. I opened my EMR application and it pretty much goes straight into the application. The director of the health center pulled one of those “Ohhh!” because she was surprised at how quick it was.

I showed one of the front desk personnel and she said, “When do we get that?” As soon as possible was my answer.

I just can’t get over how smart it is. Continuous authentication is the best type of security you can have on your PC. Facial recognition constantly is looking for your face and making sure that you haven’t left. It’s the very best feature.

I only have one more thing I have to get working properly and we’ll be putting into our clinical environment. We have to still make it so that two people can use the computer. Too bad our application isn’t browser based because then it wouldn’t be an issue at all. Unfortunately, my application is in VB and so there’s a little more programming to get the facial recognition software to logoff the application if someone forgot to do that.

I’ll let you know once I have it in the clinic.

Here’s the good information from the article.

Nuance Communications says the latest version of its speech-recognition software can achieve — with some speakers — 99 percent accuracy out of the box, without a “training” session to familiarize the software with how a particular person talks.
…
The accuracy rate, or what percentage of words the software spells correctly by itself, varies depending on sound quality and how a person talks, Revis said. But Nuance has improved it by 80 percent since NaturallySpeaking 8 was introduced in 2004, according to the company.

Version 8 could reach 99 percent, but only after the user read a prepared script, Revis said. Now users can get that level of accuracy right after installing the software and starting it up, though a script is still available if a user isn’t satisfied with the results on the first try. In any case, the software can continue learning on its own just through normal use, Revis added.

The out-of-the-box 99 percent accuracy figure is for the American English version, but the new Dragon releases for other languages get similar boosts in accuracy, Revis said. The software is available for Dutch, French, German, Italian, Japanese and Spanish, as well as for Australian, Asian, Indian and U.K. English. Also with NaturallySpeaking 9, Nuance is certifying two Bluetooth wireless headsets for use with the software.

Nice to expand the product internationally. I can only imagine what new technology Nuance has come up with to be able to recognize out of the box this many languages. It would make sense if they only had listed latin languages. Howevever, Japanese, Asian(what language is that) and Indian is definitely not anything like latin languages.

A few other interesting notes:

-Dragon Naturally Speaking 9 can be used anywhere on the network including at thin clients
-New support for Nuance-approved Bluetooth headsets
-The Upgrade cost is usually a know brainer if you use Dragon Naturally Speaking 8
-The RAM and CPU requirements are of course higher
-Still requires Windows XP

Call me a skeptic, but my feeling is that despite the increase in accuracy available out of the box with Dragon Naturally Speaking 9, you are still going to want to do the “training” or “enrollment.”.

I also loved how the article pointed out that while Healthcare IT lags way behind in their overall implementation of technology, they are way ahead of other areas in healthcare’s use of biometrics. I think biometric vendors can thank HIPAA for the widespread use of biometrics in Healthcare.

It was also very nice to see that MD Tech Guide eDigest made EMR and HIPAA their blog of the week.

The consensus is that iris scans are superior for accuracy, followed by fingerprint scans. Hand and facial geometry, voice and dynamic signatures generally rank much lower except for the newer technologies which are designed with healthcare in mind and consider environmental conditions as part of the biometric matching.

Iris Scans
Iris scans are currently the “gold standard” for biometric accuracy. Critics, however, are likely to mention that people get edgy when asked to position their eye near any device. Critics are thinking of retinal scans, which require closer proximity (2-4 inches) to a camera and a quick, concentrated beam of light. Iris scans can be performed from farther away at a distance of up to 3 feet.
Fingerprint Recognition
Fingerprint recognition is becoming even more common as many laptops incorporate fingerprint readers into the standard laptop package. Even the new UMPC is being offered with fingerprint recognition.
Facial Recognition
Facial recognition was first implemented for identifying people of interest in large crowds. The government and casinos were the most common users. Some new facial recognition vendors have focused on the privacy and security necessary to be used in healthcare. Facial recognition’s continuous authentication creates a nice framework for ensuring security of clinical workstations. It also paves the way for true single sign on.

Operation and Performance

All of these technologies involve sensitivity trade-offs. Set sensitivity high and scanners will keep out people you want to keep out, but they’ll probably also keep out some who should be allowed in. In healthcare this could mean preventing access to a critical patient’s record. Set sensitivity low and fewer authorized people will be denied access, but so will fewer unauthorized people. This creates a large HIPAA violation.

These tradeoffs in performance of a biometric measure is usually referred to in terms of the false accept rate (FAR), the false non match or reject rate (FRR), and the failure to enroll rate (FTE or FER). The FAR measures the percent of invalid users who are incorrectly accepted as genuine users, while the FRR measures the percent of valid users who are rejected as impostors. In real-world biometric systems the FAR and FRR can typically be traded off against each other by changing some parameter.

Benefits and Problems of Biometrics

Benefits of Biometrics:
Speed of Login - Biometrics is significantly faster than a password login.
Unique Identifier for Patients - In order to avoid duplicate patients in your system a biometric match with previous patients can be used.
Lost Passwords - Costs of managing lost passwords is almost completely removed with biometrics.
Digital Signatures - Biometric authentication can be used to digitally sign electronic documents found in EMR systems. These can range from consent forms to prescriptions to privacy agreements.

Problems with Biometrics:
Register Biometric Identity - In order to recognize your biometric identity you must register your identity. Some biometric registration is done over time during login, but it still requires storing your biometric data in order to recognize you in the future.
Solution or Substance on Your Hands - Healthcare clinicians are often coming in contact with various solutions that make biometrics unable to recognize you. Lotion on your hands is one example using fingerprint authentication.
Speed of Recognition - If you move to quickly you won’t be recognized by the biometric scanner. While still faster than a password this causes relative frustration.
Remove Gloves - Gloves or other equipment may make you unable to use various biometric authentication.
Physical - Some believe this technology can cause physical harm to an individual using the methods, or that instruments used are unsanitary. For example, there are concerns that retina scanners might not always be clean.
Personal Information - There are concerns whether our personal information taken through biometric methods can be misused, tampered with, or sold, e.g. by criminals stealing, rearranging or copying the biometric data. Also, the data obtained using biometrics can be used in unauthorized ways without the individual’s consent.

Active Directory Integration

Most biometric devices can be integrated with active directory to easily manage users and profiles across multiple workstations. There are two possible methods of active directory integration with biometrics. A very common practice is to extend the schema to include new biometric attributes. After extending the schema this change can never be undone. The other method is to use existing active directory attributes for authentication.

Another new feature of biometrics directed to healthcare is shared/kiosk workstations. Active directory integration is usually necessary to create a shared workstation environment with proper security and prevent time spend logging on and off windows.

References

EMR and Biometrics

[[Category:Blogposium]]

Today they issued pricing on their FastAccess product that is very reasonable compared to other biometric devices. I’ve attached the release below and here’s a short review of the product with certainly more details to come as I continue to use it.

Setup
Setting up the FastAccess was a piece of cake. I got the box with only 15 minutes before I had to be somewhere. I unboxed the product, read the instructions(yes I always feel I must read the instructions on new products) and installed it on my computer. In 15 minutes I had it recognize my face and automatically log me in. The other nice part is that the set was really nothing but plug the camera in and run the CD install file. On restart it starts learning who you are when you log in. Couldn’t have been simpler. I repeated this process on my laptop so I could show my wife and had it set up in 5 minutes(booting my computer took longer than setup).

Facial Recognition/Training
Training facial recognition is much different than other biometrics. Fingerprint biometrics requires you to “train” it to know your fingerprint. Facial recognition(at least with FastAccess) is continually updating every time you login. In fact, it stores 90-100 different biometric “faces” that identify you. The biggest fault with this model is that initially the recognition is poorer than fingerprint recognition. However, with time I’ve seen that it actually is more reliable and recognizes you quicker than fingerprint. Not to mention it recognizes you just coming into view. No need to reach and hold your finger or eye to something. The lazy part of me loves that.

Active Directory Integration
FastAccess has very nice integration with active directory. The best part is that they have two methods of implementing active directory integration. First, they can extend the active directory schema. While this is a common practice, it is difficult to convince my system administrator to do since it can’t be rolled back if we decide we don’t want to do it anymore. Second, FastAccess can be implemented using existing active directory fields. This means that you can test the active directory implementation without extending the schema. I plan on doing this in the near future and you can expect a review of it soon.

Strong Audit Controls
Looking over the audit logs they are pretty standard for what you would need to satisfy HIPAA. Having active directory manage this type of audit control would be key to me.

Continuous Security
The biggest advantage to facial recognition is that it is continuously verifying your access. My biggest problem with fingerprint biometrics had to do with not having a way to easily lock the workstation. Facial recognition biometrics is constantly monitoring to see you are the authorized person. If you leave then it locks the computer. This really changes the way you deal with authentication since it can create a true single sign on.

Security Screen Capture
This idea is inegnious. Since you have a camera you might as well capture a picture of the person that was signed on to a machine. Imagine them saying they didn’t log in and you can show them the picture taken when they did log in. Fantastic!! There is also talk of using this technology as a digital signature. I’d love that with my EMR.

Pictures and Twins
I tried to see what I could do to fool the camera and nothing really worked. I imagine this is theoretically possible, but it would have to be a picture in the exact same place as the biometric match. FastAccess tells me that they add in environmental variables(such as light) which makes it much more difficult to fool. So far so good. The idea of twins is addressed in the documentation. I’ll be testing it on my wife and her twin sister to see how that goes. Sometimes it freaks me out how much they look alike.

Accuracy
In an EMR or healthcare environment FastAccess has designed it properly. Sometimes it didn’t recognize me and so it required me to enter my password and then after logging in, it stores another biometric image. While this could be annoying to some doctors, I see this as an essential key to proper authentication.

Instant Desktop Switching
This seems like it is a somewhat new module being developed by Sensible Vision. The idea is that multiple people can log in to the same account and have a different desktop. This currently works espescially well with Internet Explorer and a few other selected applications. I imagine this list will grow over time. They offered to make it work for my favorite apps. One interesting note is that they have it working for Cerner’s EMR. I’ll be having them develop it for Medicat EMR(my EMR)

Random Points
Since FastAccess is constantly checking for facial recognition, when you answer the phone that changes what your face looks like. This isn’t really a problem since they store 90-100 different biometric “prints”. You just have to “train” it to know what you look like with a phone in hand.

One nice feature is that you can turn off continuous facial recognition when you have a presentation. It lets you disable the recognition for a specified period of time. It also recognizes any keyboard or mouse input and disables locking when it sees either.

Here’s the Press Release:
Sensible Vision Innovates Biometric Facial Recognition for Continuous Computer Access Control and Authentication

FastAccess Virtually Eliminates Passwords, Makes Computer Easier to Use and Ensures Privacy Compliance and Identity Management

Introductory Pricing of $99 per Desktop License

Covert, Michigan, April 3, 2006 – Sensible Vision, an innovator of continuous authentication solutions, today revolutionized computer access control and authentication by replacing a user’s password with their face. Sensible Vision’s FastAccess™ is a powerful yet simple solution that uses patent-pending biometric facial recognition to automatically and continuously authenticate user log-in and instantly secure the computer when the user leaves. This virtually eliminates login passwords, makes the computer significantly more secure and easier to use, and strengthens access control auditing for privacy and identity management policies.

“Because a person’s face is unique and always with them, it is ultimately the ideal password and the best way of continuously ensuring who is accessing the computer,” said George Brostoff, CEO of Sensible Vision. “This is a new paradigm for secure and simplified computer access that goes well beyond initial log-in and inactivity timers. FastAccess identifies and authenticates users in less time than it takes to enter a password and knows the second they leave their computers. These breakthroughs make it a simple, secure and low-cost approach for securing the computer and network.”

Automatic Authentication and Continuous Access Control

Sensible Vision has innovated biometric facial recognition to provide a convenient and fast way to securely submit a user’s account credentials to Windows and applications. Users simply approach the computer equipped with a standard web camera, and FastAccess biometrically authenticates them and logs them on. Once they step away, the computer automatically secures. When they return, FastAccess automatically unlocks the computer and their desktop is returned as they left it. Advantages include:

* No More Passwords, Better User Productivity: Users focus on their jobs rather than time-consuming and frustrating processes of constantly entering passwords 20, 50 or 70 times a day.
* No More Unsecured, Unattended Computers: Computers instantly secure when users leave.
* Improved Access Control and Auditing: Provides an accurate audit of computer access for privacy and compliance – a true audit log of who’s been at the computer and when.
* Simple Setup and Administration: Unlike other security and biometric solutions, no special enrollment procedures or ad ministration is required to distribute and manage ongoing support for lost or damaged tokens. Administrators can configure FastAccess locally or remotely through Microsoft’s Active Directory or Novell eDirectory.
* Support for Shared Computers: FastAccess features Instant Desktop Switching for multiple users who need quick access to shared workstations, such as in healthcare and manufacturing environments. Access is granted to each user almost instantly, without the usual delay logging into the network account.

Optimizing Productivity and Security

“It’s imperative for security solutions to complement user workflows and mitigate interruptions while simultaneously meeting the most stringent tests for identity, privacy and regulatory compliance,” said Rob Alger, director of IT strategy at Kaiser Permanente and Sensible Vision Technical Advisory Board member. “By guarding computer access from log-in until users walk away , Sensible Vision is addressing a critical hurdle in persistent data protection and access control that optimizes user workflow and productivity.”

FastAccess has innovated facial recognition with its patent pending Continuous Adaptive Sensing™ (CAS) technology to provide fast and accurate recognition to a computer. CAS takes a dramatically different approach to facial recognition than traditional solutions targeted at homeland security. FastAccess sets a much higher standard for accuracy. While most existing facial recognition technologies have false acceptance rates of several in 100 matches, CAS typically achieves a false acceptance rate of several in 1,000,000 matches. FastAccess accuracy is superior to existing security solutions where passwords are written down, shared or easily guessed.

“Minimizing disruptive computer login procedures continues to be a pain point for organizations,” said Cyrus Azar, CTO of Sensible Vision. “Passwords are difficult to enforce and ineffective in practice. Tokens can be shared or lost while previous biometrics have proven expensive, inconvenient to use or unreliable. Most importantly, none of these approaches offers continuous security: they simply authenticate the user at initial login. Not only does FastAccess simplify user access, but, finally IT staff can spend less time on administering security processes and focus on other critical business tasks.”

Introductory Pricing & System Requirements

FastAccess is comprised of client software installed on the PC, a standard web camera, and a management application installed on a domain controller. The client software can be part of an organization’s standard image and can be automatically distributed to remote PCs via existing software management tools.

Sensible Vision announced today special introductory pricing for FastAccess of $99 per desktop license through June 30, 2006. FastAccess may also be purchased under a service-based model with a two-year subscription price of $49/year for each license. Web cameras are also available for $25.00.

About Sensible Vision

Headquartered in Covert, Michigan, Sensible Vision Inc. (www.sensiblevision.com) is an emerging provider of continuous access control solutions for securing computers using facial recognition. Sensible Vision’s flagship product, FastAccess™, is an insider firewall that provides quick and continuous authentication and access control for computers and workstations. Using patent-pending biometric facial recognition, it speeds and simplifies access to the computer in a way that is economical and easy to deploy.

One other really nice feature with biometrics security is that you can choose to restrict people from using a password to get into certain programs. While this could be scary if something happens to the biometrics device it is an interesting concept. Since it is all managed by group policy in active directory I could train my end users on just using their fingerprints and never having them know their password(see below for password change policy). I would of course want to be able to use a password or biometrics, but there might be a few cases where you could literally restrict access to EMR to a fingerprint. Now that’s security!

Password Change Policy
One other impressive feature that I had never considered is how does biometrics handle the wonderful password change policies required by HIPAA? It’s not like your fingerprint can be changed. The units I’m testing can take care of this for you as part of the templates you create for each application. In fact, if you don’t want to have users know the password at all you can even have the biometrics software generate a password. I think this might be a little scary since then if the biometric device breaks or some other problem then you have no way of getting into your EMR program(or other application as desired).