From the December 2004 Issue

The Keys to Identity

The Heart of Efficiency

Paradigm Shift in the Lab: The Solution-centric LIS

Wireless Technology Empowers Physicians

Flexibility for All

Holiday Seasoning

Finding Common Ground

The Keys to Identity

 By Phil Reynolds, Managing Editor

The need to be HIPAA-compliant and address patient privacy concerns is driving many healthcare organizations to adopt greater security standards. Passwords and personal identification numbers (PINs) are ubiquitous, as are swipeable ID cards and tokens.

But what if, instead of memorizing or possessing some form of authentication, you embodied it in one or more physical attributes unique to your being, so that it couldn’t be forgotten, lost or stolen? How would anyone else be able to claim that he was you?

That’s where biometric authentication comes into play. Biometrics involves the biological identification of a person based on the structure or action of physical characteristics such as fingerprints, hand geometry, irises, the face, voice responses and handwritten signatures. Although biometric authentication is more secure than other authentication methods, some forms of biometric technology have high failure rates, so biometric authentication is often used as one component of two-factor authentication, which requires a second method of authentication such as a password or PIN to ensure accuracy.

Nevertheless, as it has with government, law enforcement, finance, and travel and transportation, biometrics is making inroads into healthcare.

Biometrics and Healthcare
There are six biometric technologies in widespread use today. Each has pros and cons.

Hand Geometry Verification. Used almost exclusively for physical access control with a PIN or swipeable ID card, hand geometry verification is based on the physiological dimensions of the hand and fingers, such as height and width; it does not record palm prints. Available since the mid-’80s, it is the most established form of biometric technology on the market, and it is robust enough to handle a large number of users and to operate reliably under difficult environmental conditions. The downsides are the high cost and large size of hand geometry devices, and the inability to perform identification due to indistinctive and unstable physiological characteristics.

Fingerprint Verification. The most stable and proven biometric technology for one-to-one functionality, as well as the leading biometric technology in revenue generation, fingerprint verification considers the ridges, valleys and whirls of a fingerprint to verify a user’s identity. Mature matching algorithms produce false match and false non-match rates that are minimal. Fingerprint verification’s versatility makes it ideal for both access control and network access, due to its ease of use and variety of devices, and strong marketplace competition drives technology development and reduces costs. However, some users cannot be enrolled because of unreadable fingerprints, whether due to damage, age or ethnicity. Other inhibitors include the risk of technology obsolescence for devices incorporating fingerprint sensors, the susceptibility of spoofing enrollment and verification with other materials, and the general fear of fingerprinting abuse.

Iris Recognition. Since the iris is an immutable and unique physiological characteristic—more so than a fingerprint—iris recognition, which is based on the distinctive ridges, furrows and striations of the iris, offers reliable one-to-one and one-to-many functionality with low false match rates. It also provides a high match speed, due to its use of homogenous templates, and hands-free operation. On the other hand, iris recognition systems are quite expensive, have not been tested in large-scale deployments, and require significant training and attention to factors such as proper positioning of the head and eyes.

Facial Recognition. Facial recognition is designed primarily to find close matches of particular facial features such as eyes, nose, mouth, cheekbones, chin and forehead against a database of static facial images. But this technology has not proven to be reliable for one-to-one verification, due to its high false non-match rate, even with ideal lighting, distance and angles. Plus, small changes in a user’s appearance, including glasses, facial hair or aging, can reduce accuracy.

Voice Verification. Because voice verification relies on distinctive characteristics derived from spoken phrases, it needs as little background noise as possible to be accurate, so the technology is not well-suited for use in hospitals. Other key factors that affect accuracy include changes in a person’s speech habits, due to illness or emotion, and telephone quality. However, as voice recognition applications become more commonplace and healthcare organizations strive to reduce call center costs, voice verification technology will continue to garner interest.

Signature Verification. More than just capturing a handwritten image, signature verification is based on the distinctive characteristics associated with the act of signing, including stroke, pressure and speed. Thus, it is more likely to be used in situations that already require signature capture or those that adopt new practices such as pen-based computing on PDAs or tablet PCs. The other main deterrent is the need for consistency on the user’s part, since signatures frequently change over time and from signature to signature, creating a high false rejection rate.

Since most biometric implementations by healthcare organizations concern network access, fingerprint verification, which can easily be deployed at desktop settings, will continue to be the most commonly used biometric technology in healthcare, according to the “Biometrics Market and Industry Report, 2004-2008” by the International Biometric Group (IBG). If iris recognition can meet this demand, then it may experience growth in this area, too. Hand geometry verification will likely hold on to its share of the healthcare market for physical access control, but once again, iris recognition’s hands-free operation and greater distinctiveness open the door for its increased usage. Other biometric technologies should play a much smaller role in healthcare settings. “Accuracy is a big issue,” says Joseph Kim, IBG senior consultant. “Unless leaps and bounds are made with voice and facial, then iris, fingerprint and hand geometry should be the primary biometric technologies in healthcare” (Figure 1).

Biometric technologies should experience rapid growth during the next four years, from revenues totaling just under $50 million in 2004 to almost $200 million in 2008, according to the IBG report. “We have hit a point where healthcare organizations are starting to pilot biometrics and try it out,” Kim says. “The biometrics market is really at an exciting stage right now. There might be incredible growth or steady growth. It depends on how people accept the technology.”

Authentication at Their Fingertips
In 2000, Jewish Hospital HealthCare Services (JHHS), a Louisville, Ky.-based regional health system of more than 50 healthcare facilities and 1,400 beds, wanted a better way for its 400-plus physicians and nurses to authenticate quickly into its network. The organization’s use of different best-of-breed clinical applications required much of the medical staff to have multiple user IDs and passwords to access the systems, each of which employed its own authentication process, and this caused numerous complaints.

After considering several single sign-on (SSO) solutions, JHHS opted for Sentillion’s Vergence product suite in the first quarter of 2002 for quick and efficient access to patient information stored across many applications. The software had already integrated a biometric authentication solution via optical fingerprint verification by incorporating BioLogon software from Identix Inc., Minnetonka, Minn. When the clinician places his finger on a BioTouch Fingerprint Reader, the scanner captures a full-size fingerprint image and determines physical attributes such as horizontal and vertical alignment, finger rotation, destroyed ridgelines and pressure. This enables the creation of a template, or a mathematical representation of the fingerprint, that is compared to enrolled templates stored in a database for future authentication.

The organization began implementing and testing the SSO feature, which required the participation of several vendors to enable their clinical applications with Vergence’s context management for viewing a patient’s records across multiple applications. This allowed JHHS to go live with SSO and fingerprint verification for physicians and nurses in January 2003, when it opened Jewish Hospital Medical Center East, a near-paperless, state-of-the-art ambulatory diagnostic, surgical and emergency center in Louisville.

Two months later, the health system deployed SSO for physicians at Jewish Hospital, a 442-bed referral center that offers acute and outpatient care with heart and lung centers. At the beginning of 2004, it rolled out fingerprint verification for physicians within the hospital’s emergency department (ED), and approximately 250 physicians have been enrolled. JHHS is now implementing SSO at the downtown hospital’s nursing stations, and the nurses there have requested use of fingerprint verification, too.

Besides adding an extra level of security without requiring a password or the creation of another user ID, fingerprint verification, coupled with SSO, allows a clinician to leave a workstation for up to 15 minutes and reactivate it again just by presenting his fingertip for scanning, assuming he was the last one to logon to the computer. “This has been very successful and well-liked by our doctors and nurses,” says Dave Pecoraro, JHHS vice president and CIO. “They like the fact that they can step away and then get back into the system quickly.” However, since a few physicians did not like the idea of being fingerprinted, JHHS gave them the choice of keeping their passwords for authentication, Pecoraro says.

Seeing an Alternative to Passwords
Needing to reduce fees to off-site IT security staff who had to reset user passwords after normal help desk hours, Lehigh Valley Hospital and Health Network (LVHHN) began searching in early 2003 for a more efficient and secure way of authorizing nearly 10,000 users’ network access. With more than 1,100 physicians on its staff and more than 800 beds on three campuses, the Allentown-based advanced acute care hospital is one of Pennsylvania’s largest teaching facilities, providing trauma, surgical, cardiovascular, women’s health, and cancer treatment services as well. LVHHN had more than 38,000 admitted patients and more than 100,000 ED cases during the past year.

The health system had already deployed Computer Associates’ eTrust Single Sign-On software to reduce multiple password problems and provide simplified network access via clinical workstations. However, LVHHN still wanted to solve the problem of people forgetting passwords in the first place. Based on recommendations from its “Wild Idea Team,” a multidisciplinary group including senior IT staff, it saw biometric authentication as the answer. “Biometrics is more secure because it logs me in as who I am, so it eliminates the need for a password,” says Michele Wagaman, LVHHN manager of clinical applications.

Team members considered three biometric technologies: fingerprint, retina and iris. They saw fingerprint technology as limited to one-to-one verification and providing a less distinctive image than the other biometric methods. Also, users first had to logon by typing a user ID and then placing a finger on a scanner, and the team wanted to simplify authentication. Team members thought retina scanning was too complex and intrusive, requiring controlled lighting and greater user patience as the retina was scanned during each authentication attempt. Moreover, retina scanning was expensive to implement. Iris recognition, however, needed only a flashless photo for authentication, generated greater distinctiveness than retina scanning and provided a one-to-many verification process, so it seemed a better fit for the health system’s workflow, Wagaman says.

Through Computer Associates’ partnership with Politec, an IT services provider, LVHHN purchased PrivateID camera software and a KnoWho authentication server, both developed by Moorestown, N.J.-based Iridian Technologies Inc., as well as a Panasonic Authenticam camera. When enrolling a user, the iris recognition system takes four photos of each iris of the user, selects the best image, creates a mathematical representation of the image as an IrisCode record and stores the IrisCode in a database. When authenticating a user, the system goes through the same process, except it compares the current IrisCode with all those in the database.

LVHHN tested the biometric system for six weeks during the summer of 2003, using nearly 50 people from its IT department. After working out bugs in the enrollment process—for example, asking people to remove their glasses to reduce glare from fluorescent lights, and using a larger camera to obtain the best possible iris images—the health system began a two-month pilot project in the fall of 2003 involving 100 physicians, nurses and per diem employees in its behavioral health unit. IT staff visited the controlled unit daily to monitor the project’s effectiveness. “Participants said it seemed faster, and they liked not having to remember their passwords,” Wagaman says.

In February, LVHHN conducted a two-week pilot in its wound care unit. Both the behavioral health and the wound care units continue to use the iris recognition system, which, as the beginning of a full rollout to the entire health system, was deployed this fall in the ED.

Improved Security Hands Down
Poudre Valley Health System (PVHS), a private, nonprofit, 275-bed organization based in Fort Collins, Colo., wanted to protect against child abductions from its newborn nurseries and also comply with JCAHO recommendations. Six years ago, the organization set out to improve the security system for access to its facilities, particularly highly restricted areas. PVHS has a medical staff of more than 400 physicians and about 2,800 employees, and it annually experiences approximately 17,000 discharges and 35,000 ED outpatient visits.

The health system had required staff to enter their PINs on keypads outside of doors, but PINs alone were not a secure gatekeeper, since sometimes they were told to another staff member, written down or stolen, which allowed access by unauthorized personnel. ID cards with swipeable bar codes were insufficient, too, because they could easily be stolen.

PVHS chose to complement use of PINs with a biometric technology as part of its new “have something, know something” security philosophy, says Chuck Perry, C.H.P.A., Security Services program manager. By requiring a staff member to present a unique physical attribute when entering his PIN, the organization made access to highly restricted areas by unauthorized personnel a virtual impossibility. Security Services recommended HandKey HandReaders by Recognition Systems Inc., Campbell, Calif., because the department considered it the best available biometric security device for physical access, and “not everyone wants to put their eye up to a scanner or use voice recognition,” Perry says.

Instead, after entering his PIN and having it accepted, the staff member places his hand in the HandReader, which analyzes more than 31,000 points of the hand and records almost 100 measurements, including finger length, width and height. The measurements are converted by a mathematical formula to a template that is compared with previously captured hand templates of enrolled personnel. Verification of the staff member’s identity takes less than a second.

PVHS initially deployed eight HandReaders for the newborn nurseries, and based on their success, later rolled out HandReaders for the OR, ED, birthing center and the part of the cafeteria where money is kept. Of the approximately 4,400 people enrolled in the entire security system, about one-third of them use the 24 HandReaders now in place.

Although integration of the HandReaders into PVHS’ security system wasn’t a problem, the organization experienced a small challenge getting some personnel onboard with the new devices. “We had to train people to understand that security is not what it used to be, and every time you change something in security, you have a two-to-three-month stretch for people to accept it. People are averse to making changes, and there’s a learning curve involved,” Perry says. “But if you really want to look at securing your facility, you have to take the next step. We make it an individual responsibility. Once people understand the importance of such a change, they realize it’s a good thing.”

For more information about fingerprint verification from Identix, www.rsleads.com/412ht-201

For more information about iris recognition from Iridian Technologies, www.rsleads.com/412ht-202

For more information about hand geometry verification from Recognition Systems,
www.rsleads.com/412ht-203