HIMSS coverage: Face it, biometrics is here

Among the emerging worries of hospital IT administrators in the HIPAA era is how to authenticate users of their computer systems.

Current user authentication practices (the verification of identify and access permission) do not satisfy developing security requirements, according to Stephen Pellissier, project manager at the Advanced Technology Institute in Charleston, SC, who spoke Sunday at the HIMSS meeting in San Diego.

"Users find proper authentication time-consuming and mission-distracting," Pellissier said.

Passwords, though available and reliable, are often shared with other users during the same session. Also, users may choose "weak" passwords, or they forget, lose, or write down "good" passwords.

Biometrics and smart cards offer alternative solutions in the healthcare environment, where rapid sign-on is critical and multiple users may share multiple systems on the same workstation.

Smart cards can offer a measure of security due to their secret PINs, but they are susceptible to loss, theft, or damage.

Biometrics, including voice and face recognition systems and fingerprint and iris scanning, is gaining favor in many healthcare facilities.

"Biometrics is becoming increasingly accurate, cost-effective, and easy to use," Pellissier said.

The disadvantages of biometrics are that it lacks standards, and once compromised, the resulting security breech can be serious.

The following are pros and cons for each biometrics technology, according to Pellissier:
? Widely used finger scans offer reliability and maturity, although obtaining input samples is not possible in all environments.
? Voice recognition systems are least intrusive but are highly susceptible to interference.
? Face recognitions systems are also unintrusive but are impaired by poor lighting conditions and can be compromised with masks.
? Iris scanning is the most accurate and works in all environments. It is perceived as intrusive, however.

"Technology offers no silver bullet for meeting the challenge of effective authentication," he said.

While good security practice also involves audit controls (who did what, when) and user access (based on need to know), user authentication if of prime importance.

Integration of the various methods of authentication will be the most difficult technical and procedural challenge to overcome, Pellissier said.