Authentication: Security in a New Era

From the July 2000 Issue

Authentication:
Security in a New Era

Changing the guard at the front gate to your information system.

By Michael E. Hilts, publisher

Bill Gates learned the hard way. Everyone needs a way to ensure delivery of private messages to only the intended recipients. Gates’ unsecured e-mail, used against his company in the courts, may ultimately cost the technology giant a large chunk of cash, not to mention parts of the company itself.

For healthcare organizations, similar unsecured data transfers could hurt much worse. Errors in not guarding patient-private data could prevent them from using the Internet to whittle down an estimated $200 billion-plus lost each year in waste and inefficiency.

Strong authentication is the requirement. Protecting private and sensitive data requires more certainty than is now provided by passwords and usernames. Computer sentry systems need better methods for verifying the identity of attempted users and allowing or denying access.

“Most healthcare providers have begun to embrace the Internet, recognizing it as the ubiquitous platform that will finally allow efficient sharing of information, improving patient care and lowering costs,” says Sheila Schweitzer, president of Presideo, Inc. Her company provides a suite of authentication software applications designed specifically for healthcare information systems. “Ensuring the proper level of security, however, has been the No. 1 impediment to making use of that platform. Good security systems will liberate the Web for IDNs [integrated delivery networks].”

Passwords Don’t Cut It

Schweitzer estimates that less than 2 percent of healthcare information systems are authentication-ready. While the majority of healthcare institutions’ computer systems do have security systems in place, they were designed to protect the back-end, preventing break-ins by using firewalls and advanced encryption algorithms when data is transmitted elsewhere.

“Most healthcare installations have reasonable protection for everything except the front entrance,” says Marcel Koster, product manager for Keyware Technologies, a company specializing in middleware, including a bio-authentication server that allows use of multiple biometric components in a single authentication process. “Too often, front-end access is restricted only with low-level safeguards like passwords, usernames, personal identification numbers (PINs), and ID cards. What’s needed is a changing of the guard.”

The three basic ways to authenticate are by what you know (passwords, PINs, usernames), what you have (a card, key, token, digital certificate), and what you are (voice, face, fingerprints). The weakest security measures are associated with the first two. What a person knows can be shared or forgotten. What a person has can be lost or stolen.

“Passwords and PINs are the easiest for criminal hackers to beat,” Koster says. “Hacking tools to determine usernames and PINs are freely available on the Internet. Some hacking tools perform thousands of attempts per minute trying to guess PINs.”

The strongest authentication methods are biometric, because of direct and inseparable link to individuals. Still stronger authentication comes from the use of multiple authentication methods in the same system. It is combinations that healthcare facilities will pursue, not only to meet their needs for sharing electronic information, but because they will have to, under federal regulations we will soon see in final form. (See article below on HIPAA and authentication).

Fingers Point to the Answer

Biometrics is becoming the most accepted authentication solutions, Schweitzer says, because of greater confidence in the verification and because of convenience.

“In healthcare, convenience and efficiency are becoming as important as security,” she says. “The demand is for speeding entry for physicians and not aggravating them with a slow or tedious process, including having to recall passwords or draw out an ID card everywhere they go.” In addition, Schweitzer adds, hospitals want more than sign-on capability; they want authorized individuals, once in a system, to have the ability to verify documents, sign them and send them on. The combination of biometric authentication and digital certificates on a public key infrastructure (PKI) is a strong candidate for many.

Until recently, biometric methods were considered “emerging” technology, not quite ready for prime-time use by hospitals. But advances have made fingerprint, face, and voice recognition systems more reliable.

“Biometrics is at the cusp of change,” Koster says. “The perception has been ‘fingerprint capture technology is highly technical, expensive, out of reach,’ even though it really is proven and relatively affordable.”

Presideo’s fingerprint technology exemplifies the accuracy and the gain in popularity. Its healthcare customer base authenticates about 20 million messages monthly. It uses electronic impulses to create a digital map or numerical representation of the fingerprint—far different and superior to the photographic images most people consider when they think of fingerprints.

When registering, users provide two finger data maps and corresponding demographic information. This data is stored in a database for comparison when users later present their fingertips to a reader for access. Presideo reports false accept rates of less than 0.0002 and false reject rates of 0.0007, or between 99.98 percent and 99.93 percent success—sufficiently high confidence for most data systems, even in healthcare.

Biometric technologies are also getting more affordable even as they become more advanced. Fingerprint readers and digital cameras for face recognition now range from less than $200 to up to $500, and voice recognition systems come in at less than that. The software will add about $4,000 to most systems, but these costs can escalate rapidly. For large systems, the hardware costs in servers and IS personnel time can range into the hundreds of thousands. So, a full implementation for systems with dozens of facilities and thousands of workstations might cost $1 million to $2 million or more.

Other Authentication Methods

Some experts say voice and face recognition are effective. Others say they are not adequate for security levels needed in healthcare, but can be effective when combined with other authentication components. Most experts agree that iris or retinal scans are still too inconvenient or expensive in healthcare settings.

Authentication devices such as smart cards and proximity tokens are getting their first trials in healthcare settings. Smart cards are credit card-size IDs that can carry personal biometric data and authorization codes. Information is stored on embedded chips, instead of the magnetic strips on conventional credit cards. Proximity tokens are physical, non-biometric elements carried as a badge or computer chip. The token device emits a signal that can be read automatically by a receiver unit, providing authentication and access without the need for the individual to stop and present information, card, or password to the system. These are more expensive and not widely tested in healthcare settings, but may be attractive because of their convenience.

Authentication in Action

When hundreds or thousands of individuals have access to a computer system, managing their access to specific applications becomes essential. Successful security systems grant access to authorized individuals according to their roles.

“Physicians normally have access to the entire patient history, radiology and lab records, medical records, even billing,” Schweitzer says. “But the dietician should have only access to a limited portion of records in the system.”

This focus on individuals is a key difference from past security efforts, says Ray Wagner, senior director of technology research for Phyve, a provider of the security infrastructure or platform onto which healthcare organizations can build applications.

“From a network perspective, the whole objective in the past was trying to keep people out. The new focus is letting people in—in a controlled way,” Wagner says. The goal is to provide access for individuals from many places, rather than securing a single PC or workstation or software application for access by a select few.

One of Presideo’s programs use biometric data from individuals and links it to digital certificates, so they can assign security rights to a doctor, a nurse or other individual users.

“The real need is mobility,” Schweitzer says. “Clinicians work in many locations within a large facility and off-site as well. Authenticating individuals, rather than single stations, allows travel from hospital to office or the lab without losing the link to the clinical or patient data.”

Winning Combinations

Healthcare facilities face challenges not apparent in other industries. “In noisy areas like emergency rooms or nurses stations, voice recognition won’t work,” Wagner says. “Fingerprints are more convenient for staff members than passwords, but where clinicians wear gloves, they are not feasible. Smart cards can carry demographic and biometric data, but they might not work well in surgical areas where sterilization is an issue. Healthcare environments need a mix of approaches.”

When deploying a mix of authentication technologies, one solution is to write middleware applications to manage the different systems simultaneously. Such a system would manage inputs from different locations—thumbprints for some, passwords or smart cards for others. When Phyve found that BioNetrix was doing this, they partnered with the company. Keyware Technologies is another vendor offering middleware to manage the mix.

The need to integrate goes beyond combining different methods. “Most authentication trials have been of stand-alone or self-contained systems,” Wagner says. “To gain efficiencies, healthcare IS managers should aim to process all security and ID functions through one centralized system. All authentication information—biometric data, digital certificates, etc.—should be stored in one location. And the system should have a single administrator.”

Authentication processes are but one piece in a system of access control, auditing and transactions, Wagner says. “You don’t want a system where you have difficulty each time you add a new application to the system, developing new interfaces and troublesome integration. Eventually, you want an Internet-based platform on which you can lay whatever clinical and business processes you select.”

Authentication in HIPAA

HIPAA regulations will require organizations to analyze security risks and take steps to reduce them. The legislation lists some components to consider, explicitly mentioning some types of access controls, authentication mechanisms and audit controls that could be part of a compliant system.

“When finalized, HIPAA will detail how information resides on public workstations, how it is secured and managed, and how it is transported,” says Sheila Schweitzer, president of Presideo, Inc., whose staff includes experts that assisted the Department of Health and Human Services in writing the regulations. “While it may not specifically require a technology or solution, the regulations will be stated so tightly that everyone will recognize what technologies must be used. It may stop just short of stating biometric, digital certificates, PKI, but there will not be a lot of room for choice, especially for organizations who want to avoid challenges about their compliance.”

One particularly onerous piece of HIPAA, Schweitzer adds, will be auditing and reporting functions. “The rules will require organizations to not only show who had access to a record, but all attempts at access, and who were denied. You have to show that you were able to control access.
“Most CIOs and CTOs are aware of what they must do, but these new security technologies are not typically their core competencies,” Schweitzer says. “They should seek vendors who will partner with them and certify that their systems are HIPAA-compliant.”
—Mike Hilts

July 2000