Biometrics – Security, Password Change Policy

Posted on March 29, 2006 I Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Biometrics Security is pretty impressive. We’ve joked a few times about what happens if you lose your finger (the situation at Wendy’s comes to mind). Let’s just say that the chances are good that this won’t be a problem. More importantly the biometrics people have really given you quite a few options on keeping it secure. One example is that with the biometrics you can also store a pin number that people can use. If I wasn’t so lazy in this moment I would pull out the part of HIPAA that says something about dual authentication methods. Your finger and a pin number sounds like dual to me. When you add in my previous article about False Acceptance Rate and False Reject Rate, then biometrics is a great option for securing EMR.

One other really nice feature with biometrics security is that you can choose to restrict people from using a password to get into certain programs. While this could be scary if something happens to the biometrics device it is an interesting concept. Since it is all managed by group policy in active directory I could train my end users on just using their fingerprints and never having them know their password(see below for password change policy). I would of course want to be able to use a password or biometrics, but there might be a few cases where you could literally restrict access to EMR to a fingerprint. Now that’s security!

Password Change Policy
One other impressive feature that I had never considered is how does biometrics handle the wonderful password change policies required by HIPAA? It’s not like your fingerprint can be changed. The units I’m testing can take care of this for you as part of the templates you create for each application. In fact, if you don’t want to have users know the password at all you can even have the biometrics software generate a password. I think this might be a little scary since then if the biometric device breaks or some other problem then you have no way of getting into your EMR program(or other application as desired).