Case Studies
According to recent statistics cited by the First Consulting Group, a Long Beach, California consulting organization that specializes in healthcare consulting, only 3% to 5% of healthcare provider organizations have deployed biometrics [8]. Despite these statistics, several successful biometric pilots and full-scale implementations exist across the country. Consider Washington Hospital Center in Washington, D.C., a 975-bed not-for-profit hospital that implemented an iris-scanning system to increase security for its integrated medical record system, or Lourdes Hospital in Paducah, Kentucky, which implemented NEC Technology’s HealthID finger-scan system in 1998 and currently stores 15,000 to 20,000 fingerprints in a patient and physician database [8]. In another example of a successful biometric implementation, Moffitt Cancer Center, a 160-bed research hospital in Tampa, Florida, tested 60 biometric devices in early fall of 2002, with full rollout of 1,000 devices expected by June 2003 [11]. In the fall of 2000, the 660-bed Jackson-Madison County General Hospital implemented Identix fingerprint technology for 315 employees and affiliated physicians [9]. In April of 2002, the 281-bed Columbus Children’s Hospital in Ohio deployed a comprehensive program that requires more than 1000 doctors, nurses, and pharmacists who access patient medical records and enter medicine orders by computer to authenticate via fingerprint scan [12]. North Florida Medical Centers in Tallahassee deployed biometric security solutions to more than 100 users during a 6 to 8 month period [10]. Lastly, Children’s Hospital in Dallas plans to implement a single-sign-on application with iris scanning, fingerprint biometrics, or a combination of the two in 2003 [13].
In each of these case studies, biometrics were deployed with an implementation approach and solution methodology chosen to meet each healthcare provider’s needs. With this approach, biometrics provide an effective means to address HIPAA mandates for secure access, storage, maintenance, and transmission of identifiable healthcare information between patients and hospital staff. Combined with proper user training, IT support, and appropriate fallback measures, biometric technologies can successfully integrate with people and policy criteria.
And while many successful biometric deployments exist today, challenges lie ahead. From a technology perspective, biometric finger-scan devices remain susceptible to dust and dirt accumulation on the capture device itself. Excessively dry or oily skin can also disrupt a finger-scan system and produce inaccurate readings. Voice authentication systems, though great for certain telecommunication applications, perform poorly in noisy environments. From a people perspective, inconsistent usage, poor training, or simple reluctance to use the biometric system can negatively impact a biometric deployment. From a policy perspective, no biometric system can guarantee 100% successful enrollments within the user population, dictating the need for secure, accurate, and reliable fallback procedures. For many healthcare organizations, the cost of meeting HIPAA requirements through the use of biometric applications remains a strong deterrent, with some full-scale biometric implementations costing hundreds of thousands of dollars [11, 12]. Others argue that the cost of a biometric deployment pales in comparison to the legal fees incurred from attorneys hired to review privacy and security plans [14].
Conclusion
Do biometrics provide the ultimate cure for compliance with HIPAA security requirements? Of course not, in much the same way that no specific technology resolves all the issues encountered in a complex enterprise security infrastructure with multiple workstations, user groups, software applications, and a litany of other variables to contend with. Biometrics do, however, provide a robust, secure, and highly reliable means of user authentication. Biometrics also offer unprecedented logging and audit trail capabilities. When used in conjunction with single-sign-on applications, biometrics free healthcare providers from the hassles of the login, logout merry-go-round. In the end, a poorly planned, arbitrary application of biometrics can do more harm than good, but a well-defined, well-designed application of this technology can provide a mature, scalable foundation from which to satisfy HIPAA security requirements.