
An Alternate Way Of Authenticating Patients

Posted on July 5, 2016 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Lately, I’ve been experimenting with a security app I downloaded to my Android phone. The app, True Key by Intel Security, allows you to log in by presenting your face for a scan or using your fingerprint. Once inside the app, you can access your preferred apps with a single click, as it stores your user names and passwords securely. Next, I simplified things further by downloading the app to my laptop and tablet, which syncs whatever access info I enter across all devices.

From what I can see, Intel is positioning this as a direct-to-consumer play. The True Key documentation describes the app as a tool non-techies can use to access sites easily, store passwords securely and visit their favorite sites across all of their devices without re-entering authentication data. But I’m intrigued by the app’s potential for enterprise healthcare security access control.

Right now, there are serious flaws in the way application access is managed. As things stand, authentication information is usually stored in the same network infrastructure as the applications themselves, at least on a high-level basis. So the process goes like this, more or less: an untrusted device uses an untrusted app to access a secure system. The secure system requests credentials from the device user, verifies them against an ID/PW database and, if they are correct, logs the user in.

Of course, there are alternatives to this approach, ranging from biometric-only access to instantly generated, always-unique passwords, but few organizations have the resources to maintain super-advanced access protocols. So in reality, most enterprises have to firewall up their security and authentication databases and pray that those resources don’t get hacked. Theoretically, institutions might be able to create another hacking speed bump by storing authentication information in the cloud, but that obviously raises a host of additional security questions.

So here’s an idea. What if health IT organizations demanded that users install biometrically-locked apps like True Key on their devices? Then, enterprise HIT software could authenticate users at the device level – surely a possibility given that devices have unique IDs – and let users maintain password security at their end. That way, if an enterprise system was hacked, the attacker could gain access to device information, but wouldn’t have immediate access to a massive ID and PW database that gave them access to all system resources.

What I’m getting at, here, is that I believe healthcare organizations should maintain relationships with patients (as represented by their unique devices) rather than their ID and password. While no form of identity verification is perfect, to me it seems a lot more likely that it’s really me logging in if I have to use my facial features or fingerprint as an entry point. After all, virtually any ID/PW pair chosen by a user can be guessed or hacked, but if you authenticate to my face/fingerprint and a registered device, the odds are high that you’re getting me.

So now it’s your turn, readers. What flaws do you see in this approach? Have you run into other apps that might serve this purpose better than True Key? Should HIT vendors create these apps? Have at it.

A Biometrically Controlled Healthcare System

Posted on September 6, 2013 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I recently had a nice conversation with Brian Dubin, VP at CERTIFY, where we discussed biometrics in healthcare. Brian got me interested when he described CERTIFY as a biometrics based “big data” company. When I first started this blog, I fell completely in love with all the various biometric options. Check out one of my first posts on Facial Recognition back in April 2006. Shortly after that I even made this EMR and biometrics contribution to a healthcare IT wiki as part of a “blogposium”. [Excuse my moment of nostalgia]

While CERTIFY works with all of the major biometric fingerprints: Finger, Palm, Iris, Facial, Voice, and Signature, I was even more intrigued by a discussion we had around a healthcare system that was biometrically controlled (my word not CERTIFY’s). I realize that the word “controlled” might have negative connotations surrounding it, but I think it is fascinating to consider all of the ways that your biometric identity could be incorporated into healthcare.

Here are some examples I’m considering (some are a reality today and others will be in the future):

Arrive at the office – Imagine that when you arrive at the hospital or medical practice, a video camera grabs your image and the front desk already knows who you are and can say, “Hi John, glad to have you here today.” Yes, this freaks out some people, but many of the front desk people remember the faces of the patients. Now they can know your name and check you in much quicker.

Positive patient identification – If you don’t like the video camera identification of a patient, you can also do positive identification of the patient using biometrics in a less “big brother’s watching you” way. When they sit down at the desk to check in, the patient can use a biometric device to identify themselves. Technology like the one I talk about in my post Retina Scanning vs. Iris Recognition is what can be used for this approach.

Voice recognition for a call center – Imagine that when you call into a call center, they use voice recognition to identify you. This could be used to access your information more quickly. It could also be used to make sure that whoever the person in the call center pulled up matches the voice on the phone. This could solve them pulling up the wrong “John Smith.”

Single sign on – If your biometric identity is stored in the cloud, then that should make that identity available on any system. Plus, I’ve always been fond of single sign on with Facial recognition. The camera is always watching if you’re there or not and so if you open a new application it can immediately authenticate you since it’s constantly authenticating your biometric identity.

I’m really intrigued by the idea of using biometric identities across multiple systems. I’ve heard many hospital CIOs talk about the hundreds of IT systems they have to support. I’ve also heard doctors and nurses complain about the number of logins and passwords they have to remember. Could biometrics be the solution to this problem? Could a biometric identity be shared between systems or would each system need to do more of the traditional single sign on integration?

Unattended computer – Related to the single sign on, facial recognition can also identify when you’re no longer at a computer. If you leave the computer it can automatically lock the computer to ensure that the health data is kept private. You have to balance how quickly the device locks, but this can be great for security.

Location access – A lot of places already do this with fingerprint or palm scans to access private areas. Plus, this prevents the sharing of keys. You can’t really share your fingerprint very well.

Signatures – There’s certainly an art and identity in someone’s signature. However, why don’t we incorporate even more biometrics into someone’s signature? The combination of a signature plus some other biometric identity would be even more powerful. Plus, when I sign to pick up a prescription, if the pharmacy knew my fingerprint, they could indeed verify that I was the right patient.

HIE identification – I don’t know anyone that’s doing this, but I wonder if instead of trying to make a unique patient identifier, using social security numbers, or some other convoluted method of identity management, could we just use someone’s biometric identity? If we aren’t there today, I think we’ll get there eventually. I’m sure there could be mismatches when it comes to matching two biometric identities that were captured by two separate systems. However, we have plenty of mismatches using ssn, name, birthdate, etc. Maybe the real answer is a combination of biometrics and name, birthdate, etc.

A Biometric Healthcare Experience

Those are some general examples. Now let’s imagine a patient visit where they walk into the hospital and are immediately recognized as a patient seeing Dr. Jones for a surgery. The front desk knows who you are and has you sign any forms using your biometrics and then directs you to room 315. When you arrive at room 315 you gain access to the room using your biometric identity. The nurse arrives to prep you for surgery and knows she’s working on the right patient because of your biometric identity.

The nurse signs into the EMR using facial recognition and that biometric identity is captured so the EMR knows exactly who is entering the data into the system. The lab arrives and attaches your biometric identity to the blood draws, and the results will automatically be sent to the EHR, matching on your biometrics.

Your doctor writes a prescription for you which gets sent to the pharmacy. The pharmacy knows that he is indeed a doctor based on the biometric identity of the doctor. Once you go to pick up the prescription they verify your biometric identity to ensure you’re in fact the right patient for that prescription. You later go to your family doctor, who’s received all of the information and reports from your surgery, which were easily matched to you thanks to your biometric identity.

I could keep going, but I think you get the idea. I’m sure there are major holes in the above example, but I think it’s interesting to consider what a biometrically controlled healthcare experience would look like. Plus, to take a line from Google’s Founder, maybe I’m still thinking too small. It’s possible that biometrics will be able to do so much more. It’s not going to happen tomorrow or all at once, but I’m certain that biometrics will play a big part in the future of healthcare.

I’d love to hear your thoughts on this. Are we on the path to a biometric controlled healthcare system?

Catching up with Sensible Vision’s Facial Recognition Software

Posted on April 17, 2009 | Written By John Lynn

If you’ve been reading EMR and HIPAA for a while, you may remember that back in 2006 I came across a really cool company called Sensible Vision that does facial recognition software. You can read about my first experience setting up the facial recognition software and my love affair with facial recognition as the best biometric solution.

I admit that I still have a love affair with my facial recognition software. I use it every day when I sit down at my computer. I can’t imagine not having it. In fact, it’s almost time to replace my computer and I’ll be very sad if I can’t find a way to transfer the software to my new computer. It has its quirks, but I just love the added security that it gives me. I’m far too lazy to lock my computer screen myself and then log back in, but the facial recognition software does that for me. Not to mention the single sign on capabilities.

I was on a support call yesterday with my EMR vendor and when I opened the application my facial recognition single sign on kicked in and took care of the username and password typing for me. The EMR vendor told me that he was amazed at how fast I typed. I do type fast, but not that fast.

I should mention that we haven’t been able to implement this in our clinical environment. A mix of process issues and budget issues has prevented us from doing so. However, I think there are a number of places where facial recognition software could be great for security of your desktops.

I decided to go check on what’s happening with Sensible Vision since I hadn’t spoken to them in a while. Looks like they have a million devices installed and a deal with Dell to offer facial recognition with their computers. Very cool stuff. However, what I found most interesting was Sensible Vision’s reply to the Black Hat presentation about hacking facial recognition. It’s an interesting read for those looking at biometric authentication in health care. Now I just need to find the Black Hat presentation they’re talking about.