This paper explores the application of biometric technology as a viable approach to fulfill the security standards mandated by the Health Insurance Portability and Accountability Act (HIPAA). Through analysis of hospital and healthcare organization case studies, this paper examines the ability of biometrics to provide a safe, secure, and reliable means of user authentication via desktop and Internet applications. In addition, an unbiased look at the impact of biometrics with respect to people, policies, and existing security infrastructures provides valuable insight for healthcare industry leaders grappling with HIPAA security requirements.
Introduction
Much has been published in recent months regarding the use of biometrics as a skeleton key solution designed to free the healthcare industry from the shackles of security compliance standards mandated by the Health Insurance Portability and Accountability Act (HIPAA). And while it’s true that biometrics provide a viable alternative to more traditional user authentication mechanisms like PINs, passwords, and magnetic swipe cards, HIPAA remains technology neutral, placing emphasis on when and why a security solution must be implemented rather than on how. So why all the hype surrounding biometrics and their potential to satisfy HIPAA security requirements? The answer is complicated and remains at large without a better understanding of the various components that constitute an overall healthcare security infrastructure, a complex paradigm encompassing the confidentiality of patient records, as well as electronic access to patient information via multiple applications and platforms.
A secure, reliable, and inherently flexible healthcare security infrastructure contains the following four components described by the inner loop in Figure 1: authentication, authorization, digital signatures, and network security [1]. These four components stem from a public key infrastructure (PKI) designed to govern electronic transactions and provide a framework for securely delivering healthcare information across the Internet.
With hospitals and healthcare organizations required to provide patients with secure access to medical data over landline, wireless, and Internet applications, biometrics play a critical role in the user authentication space, addressing the question, “Are you who you claim to be?” And since a person’s biometric trait cannot be lost, stolen, or in most cases forged, biometrics provide stronger authentication security over passwords or token ID systems alone. In a sense, biometric authentication constitutes the first line of defense, followed by security authorization, which must determine whether or not a person has access privileges to a particular system. Digital signatures for Internet transactions handle non-repudiation, or the ability to guarantee that the authenticated individuals actually participated in the transaction. Network security provides the information assurance umbrella to protect the security system from unauthorized use as well as provide confidentiality of communication through encryption methods. Together, these four components of authentication, authorization, digital signatures, and network security form a sort of security nucleus with biometric authentication technology at the core and a PKI environment surrounding it. In turn, biometrics within the PKI environment provide significant support for the five overarching HIPAA requirements. The first of these requirements address electronic transactions, which dictate the need for standardized code sets for encoding data elements involved in the electronic transaction of healthcare claims, health care payment and remittance advice, benefit coordination, and other transactions. Privacy of individually identifiable health information establishes regulations that include consent, authorization notices, disclosure audits, and grievance procedures. Security rules define standards intended to protect confidentiality, integrity, and availability of healthcare information through technology neutral and technology scalable means. Administrative procedures dictate rules for access, whereas network security governs rules for logical network access and physical access controls for data rooms, equipment control, disaster recovery, and general facility access [15].
Technology, Policy, and People
With biometrics at the core, the deployment of biometric application software within a PKI environment can positively impact each of the five general HIPAA regulations by securing entire networks and all associated applications running across the healthcare continuum, including applications for computerized physician order entry systems, time and attendance logs, user audit trails, patient identification, data access, and more. But technology alone will not satisfy HIPAA compliance requirements, and healthcare organizations who embrace technology as a silver bullet solution to their HIPAA woes are in for a harsh ride when they realize 75% of HIPAA governs policies and procedures [7]. Unlike password guidelines, however, biometric policies dictate that you can’t share a finger or an eyeball when it’s time to authenticate on the system. And in most cases, unless you’re prone to playing with live grenades or staring at the sun with a magnifying glass, you can’t lose your biometric attribute the way you lose a magnetic swipe card or personal identification number scribbled on the notepad in your drawer. Unfortunately, too much attention is placed on the technology for technology sake and not enough on researching and establishing relevant security policies that define access privileges, fallback procedures, equipment maintenance schedules, and so on.
Along with security policy, people play a critical role in defining, implementing, and enforcing an effective biometric authentication solution. Regardless of the chosen technology and policy application, the appropriate personnel must define the security policy and ensure that users obey the rules and procedures described therein. End users decide whether a particular technology suits their tastes or not. Some end users find fingerprinting distasteful because of the negative connotation associated with law enforcement applications. Others find iris-scanning too invasive and perpetuate false concerns about potential damage to their eyes. People, not technology or policy, make judgments about their personal comfort level with a given technology or system. If users are uncooperative, the biometric system can fail. If people neglect to follow directions when authenticating, the system will produce significant errors. If users don’t understand the importance of obtaining a quality enrollment image or the importance of consistent biometric presentation, the system will produce inconsistent results. The technical and non-technical issues involving people are plentiful, and no authentication system, biometric or otherwise, will completely eliminate the need for some form of human intervention.
With an understanding of the roles that technology, policy, and people play in the overall establishment and execution of a security infrastructure with biometrics at the core, we are better equipped to answer the initial question regarding the use of biometrics to satisfy HIPAA security requirements. In essence, biometrics provide a vehicle that can work equally well for physicians, nurses, administrative staff, and patients – all of whom must coexist in a dynamic healthcare environment shaped by technology, policies, and people. Biometrics not only provide an effective means of user authentication, but also an effective means of integrating disparate information systems that communicate over wireline, wireless, and Internet paths both locally within a hospital setting and remotely at end user locations. The integration of biometrics with other technologies and the appropriate people and polices go a long way toward fulfilling HIPAA security requirements. From a patient care perspective, biometrics allow multiple users to share a workstation while preserving the authentication and audit trails for each user [7]. In turn, physicians and nursing staff can focus more attention on patient care and less time on logging in and logging out of various applications. Furthermore, biometrics facilitate patient admission, speed access to prior medical records, and eliminate duplicate medical records [7]. In short, biometrics provide an effective means of managing access to patient records, preventing unauthorized use of system resources, and ensuring higher levels of information security. It should be noted, however, that biometrics are not without fault and must be properly introduced to meet a particular healthcare provider’s needs, a facet of this technology often overlooked in a system integrator’s haste to deploy a quick-fix solution.