Security
A finger on the pulse of security
Jim Fulton of DigitalPersona discusses the advantages of
biometric security for authorising logon to IT systems.
March 2008
Stories about data loss and IT breaches are now a regular
occurrence in today’s media and it seems that no one is safe. The
healthcare sector in particular has been exposed on a number of
occasions in the last year. Recently, it was announced that 4000–6000
smartcards had been lost in the NHS.
Although the security risk was played down, the loss of so many
smartcards is clearly a significant and unnecessary drain on
resources. Worries about verifying ID for the proposed medical
database, along with these recent losses, have led organisations to
consider alternatives such as fingerprint biometrics.
The healthcare industry is challenged with maintaining patient
record privacy and providing access to authorised healthcare
professionals, while adhering to government regulations. Current
authentication methods like passwords and smartcards are too reliant
on users for ensuring the security of networks.
Password authentication is often compromised because users tend
to choose passwords that are easy to guess, such as a date of birth
or the name of a pet or a loved one. While experts urge people to
use separate, complex passwords for each application, most people
find that cumbersome and impractical.
Passwords get forgotten (at a cost of £10–£19 per reset by the IT
department) or written down in places where they can be stolen. Or,
people simply use a single, simple password and even share passwords
with others. All of these pose significant risk.
Smartcards are similarly affected by user behaviour. They are
easy to lose (as is illustrated by the NHS incident mentioned above)
and the practice of sharing smartcards is rife, which makes
accountability almost impossible.
Indeed, early in 2007, South Warwickshire General Hospital
received a lot of media attention when it was revealed that staff
had regularly been flouting rules governing the use of smartcards.
In busy departments such as accident and emergency, it was taking
users upwards of 90 seconds to log on or off the network. To avoid
delays, senior staff were handing over access via their smartcards
to junior team members, giving them admittance to private
information and leaving systems vulnerable to unauthorised use.
A growing number of people in the healthcare sector are finding
biometrics technology to be a realistic solution to these problems
and more. Many organisations outside the UK are already using
fingerprint biometrics in their day-to-day processes.
Health workers at Sutter Solano Medical Centre, Vallejo,
California, have been using a fingerprint authentication solution
for five years. The 110-bed hospital is using a single sign-on
application and fingerprint readers to access computers and nursing
stations rather than typing in generic usernames and passwords.
In addition to improving authentication and increasing security,
this system has also had a significant impact on efficiency.
Previously it could take five or six minutes for users to log on,
but with fingerprint biometrics, people no longer need to tediously
log on or off.
Users simply touch the fingerprint reader and the PC is unlocked.
While some people had reservations about the use of this technology
in the medical environment, these have proven unfounded. The scanners
are able to read fingerprints through the rubber gloves regularly
worn by medical staff.
What makes fingerprint biometrics different from all other
methods of authentication is that fingerprints uniquely link actual
people to individual actions — providing irrefutable accountability.
Biometric authentication relies upon who you are, not what you know
or what you have in your possession. While passwords and smartcards
can be lost, shared or forgotten, this is impossible with a
fingerprint.
This accountability allows medical organisations to know exactly
who has accessed what data, when they accessed it and what they did
with it. In a sector like healthcare where information is highly
sensitive, biometric technology can prove invaluable for helping
organisations to comply with data security legislation.
Organisations in all sectors are acknowledging that traditional
methods of authentication are not secure enough for protecting
sensitive data. Industries like finance and retail in particular are
embracing biometric authentication as the future of network and data
security.
It appears that this cutting-edge technology is now moving into
the mainstream and the medical applications mentioned here are just the
tip of the iceberg.
Last year there were reports suggesting that thousands of NHS
patients were receiving the wrong treatment due to errors reading
patient wristbands. Since these reports surfaced, there have been
discussions suggesting that biometrics could be a viable alternative
for patient identification. Other potential applications range from
control of physical access to hospital departments to touch-based
purchases for buying your lunch in the canteen.
While these developments are exciting, the most important point
is that biometric authentication is a vital tool in ensuring that
only authorised users can access sensitive data and that the right
patients get the right treatment.
Jim Fulton, Vice President, DigitalPersona, Inc.