Securing access to healthcare


Biometric Technology Today, February 2011

and boarding stages. Hoyos worked with Herta Security on a pilot programme to run at Barajas Airport in Madrid.

According to Carter, the Spanish pilot programme builds on Hoyos’ iris biometrics tests on the Mexico and US border with the Mexican immigration officials, which have been capable of scanning up to 50 people a minute.

Hoyos has also taken the wraps off the EyeSwipe-Nano, which it claims is the first iris-based biometrics system that is priced to compete with generic card reader systems used at border crossings.

According to the company, EyeSwipe-Nano is approximately one quarter of the size of its existing EyeSwipe-Mini and has the same footprint as a dollar bill. The unit, says Carter, can capture the irises of people from a distance and handle up to 20 people a minute in motion.

About the author

Steve Gold has been a business journalist and technology writer for 26 years. A qualified accountant and former auditor, he has specialised in IT security, business matters, the Internet and communications for most of that time. He is technical editor of Infosecurity and lectures regularly on criminal psychology and cybercrime.

FEATURE

Securing access to healthcare

Seamless integration of security processes into the user workflow is widely perceived as being of utmost importance, particularly as user adoption is critical to the success of any security protocol. For those who prefer a simpler form factor than devices such as smartcards or tokens, which can be easily lost, forgotten or even shared, biometric technology has been identified as a key enabler for strong, efficient and secure working practices.

Dramatic shift

Traditionally, biometric technology has been perceived as state-of-the-art; however, over the past eight to nine years, Gartner claims that there has been a dramatic shift in both the availability and ubiquity of the devices as well as the broad adoption of fingerprint biometrics in environments where simplicity of use and the need for strong authentication are essential [1].

By obviating the need for the user to carry devices such as smartcards or password tokens, biometric technology has become widely adopted in fast-paced environments where quick access to critical data is essential. Healthcare and law enforcement are two key examples. The fact that the devices are today far more reliable and readily available has also had an impact on the use of biometrics for remote access and browser-based systems.

Ten years ago, the price and the quality of the scanned biometric image were the main issues but today biometric solutions have become commoditised and as such, factors which differentiate a ‘good’ system from an inadequate system now include additional considerations such as how privacy is safeguarded, simplicity of deployment, troubleshooting problematic use cases and how the device is matched to the workflow of the organisation or individual user.

For example, as the number of commercial use cases for biometrics has increased and identity theft has become a real concern, the privacy and protection of biometric identity has become increasingly important. As a result, the way in which biometric images are stored has become a central focus.

Potential biometric users are far more aware and concerned today with how their biometric identities are secured and protected from misuse. Unlike compromised logon or credit information, there is no way to reissue a new biometric identity for a user.

System design safeguards

System design principles have been developed to help to safeguard biometric identity, ensuring privacy through encryption and also by translating biometric images to templates. Double blind systems that ensure names and identities are not bound with biometric data have also become a fundamental expectation of biometric technologies.

The quality of biometric solutions has of course developed alongside the many privacy and security improvements. For example, live finger detection and sensitivity across different levels of humidity have drastically improved. Scanners can also now work alongside different kinds of surgical glove, a factor that has vastly changed and affected utilisation of biometric devices within the healthcare sector where clinicians can now use biometric readers to authenticate with minimal disruption to their workflow.

In addition to providing a fast and unobtrusive means of authentication, the unique nature of biometric technology also helps businesses to address security regulations, which are themselves becoming increasingly strict.

As new regulations are introduced relating to user access at a transactional level, biometric authentication is likely to become increasingly popular. Gartner claims that this rising interest in biometric solutions is due to the ability to balance high levels of accountability with ease of use [2].

E-prescriptions

This trend has already been seen in the healthcare sector in the US state of Ohio where a regulatory body, the Board of Pharmacies, has mandated that all clinicians must re-authenticate each time an electronic prescription is issued as part of a Computerised Prescription Order Entry (CPOE) system.

David Ting, Imprivata

Information technology has taken centre stage in the global healthcare market, as the introduction of Electronic Medical Records (EMR) has demanded new levels of IT security. An increased focus on access management and re-authentication has been driven by the requirement to protect these new volumes of sensitive digitised data.

The requirement for strict control of e-prescriptions in healthcare stems from the need to protect against drug diversion. It is an unfortunate reality that healthcare workers can be one of many sources of illegal drugs, and while working practices such as account sharing for fast access to patient data remain common, the ability to guarantee that the user processing a prescription is the user that is authenticated to the system continues to be a challenge.

Ohio again provides a good example of this very real problem. The Attorney General has refused to prosecute healthcare workers for drug diversion as it had been common practice for user sessions to be left unattended, leaving the user session exposed to unauthorised access. This meant that it was not possible to guarantee that the user who had issued a prescription was in fact the worker that had logged onto the system.

“It was recognised that without some form of non-repudiation, meaning a much higher correlation between who issued the order and who could physically have been the issuer, there was no way to slow down the diversion”

Without some form of non-repudiation, with a much higher correlation between who issued the order and who could physically have been the issuer, there was no way to slow down the diversion. The uniqueness of biometric fingerprints therefore seemed to be the obvious means through which to build a level of trust between an order and an individual.

By coupling authentication with something that is unique to the user like a fingerprint, it is possible to avoid mistaken or malicious access to user accounts. This level of non-repudiation is simply not possible with passwords, smartcards or tokens, all of which can be easily shared.

As well as guaranteeing a level of legal responsibility for each transaction, biometric authentication has also helped to challenge the huge financial and social costs associated with drug diversion, which is likely to have significant global impact.

Electronic medical records

The introduction of electronic medical records (EMR) puts highly sensitive patient data increasingly at the fingertips of clinical users. EMR vendors in the US such as Cerner, Meditech and Siemens have looked to integrate third party vendor technology such as Imprivata ProveID for transaction-based reauthentication capabilities.

The concept that multiple healthcare vendors can use a third party authentication system to verify users has been critical to encouraging adoption by individual hospitals. Healthcare organisations typically rely on over 20 vendors to provide a range of healthcare applications, and if each vendor were to insist on using an individual re-authentication system, multiple authentication points, devices and management systems would be required, adding unnecessary complication to the process.

Third party ownership of this transaction-level access management hugely simplifies the process and is likely to be a trend that transcends EMR, going into any systems where ease of use, non-repudiation and secure access are required.
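The transaction-level re-authentication described above can be sketched as follows. This is an added example, not code from Imprivata or any EMR vendor: a third party authentication service issues a short-lived, single-use assertion bound to one user and one exact prescription, and the EMR application checks every binding before accepting the order. The function names, the shared HMAC key, the 30-second window and the boolean standing in for the biometric match are all assumptions.

```python
import hashlib, hmac, json, secrets, time

# Assumptions for this sketch: one key shared by the authentication service
# and the EMR application, and a 30-second validity window.
SERVICE_KEY = secrets.token_bytes(32)
MAX_AGE_S = 30
_seen_nonces = set()  # EMR-side replay cache (in memory for the example)

def order_digest(order):
    """Canonical hash of the exact prescription being authorised."""
    blob = json.dumps(order, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def _tag(claims):
    """HMAC over the canonical JSON form of the claims."""
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(SERVICE_KEY, body, hashlib.sha256).hexdigest()

def issue_assertion(user_id, order, biometric_ok, now=None):
    """Authentication service: runs only after a fresh biometric match."""
    if not biometric_ok:
        raise PermissionError("biometric match failed")
    claims = {"sub": user_id, "order": order_digest(order),
              "iat": int(time.time() if now is None else now),
              "nonce": secrets.token_hex(16)}
    return {"claims": claims, "tag": _tag(claims)}

def verify_assertion(assertion, session_user, order, now=None):
    """EMR application: accept the order only if every binding holds."""
    claims = assertion["claims"]
    if not hmac.compare_digest(_tag(claims), assertion["tag"]):
        return False, "bad tag"
    if claims["sub"] != session_user:        # re-auth by someone else
        return False, "user mismatch"
    if claims["order"] != order_digest(order):  # order changed after re-auth
        return False, "order mismatch"
    age = (time.time() if now is None else now) - claims["iat"]
    if not 0 <= age <= MAX_AGE_S:            # unattended-session window
        return False, "stale"
    if claims["nonce"] in _seen_nonces:      # one assertion, one order
        return False, "replayed"
    _seen_nonces.add(claims["nonce"])
    return True, "ok"
```

An HMAC only convinces parties that hold the shared key; evidence meant for an outside party would need the service to sign with an asymmetric key instead.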

Access management technologies that simplify and streamline user access are becoming increasingly popular as businesses look to optimise operational efficiency. As we face a deluge of digital data, biometric technology is fast becoming one of the leading methods through which users can securely and conveniently access critical information, whether that be patient data, financial information or otherwise. As regulations change, the requirement for non-repudiation will become more profound, encouraging businesses and users to increasingly look to biometrics for simple and total authentication.

About the author

David Ting, CTO and founder of Imprivata, has more than 20 years of experience in developing advanced imaging software and systems for high security, high availability systems. Prior to founding Imprivata he developed biometric applications for government programmes and web-based applications for secure document exchange. David Ting was formerly the technical manager of Kodak’s Boston Technology Center and has also managed Atex System’s Imaging Department. He holds six patents and has several patents pending. He regularly blogs on Identity 360, Imprivata’s blog.

Resources

• ‘Shift Happened In The Strong Authentication Market In 2009’. Bill Nagel, Forrester, 1 February 2010.

• ‘Hype Cycle for Identity and Access Management Technologies, 2009’. Gregg Kreizman, Ant Allan, Avivah Litan, Earl Perkins, Perry Carpenter, Ray Wagner, Eric Ouellet, Greg Young, Neil MacDonald, Barry Runyon, Lawrence Orans, Carolina Milanesi, Gartner, 16 July 2009.

References

[1] ‘Gartner Hype Cycle for Human-Computer Interaction 2010’. Stephen Prentice and Jackie Fenn, August 2010.

[2] ‘Gartner, Q&A: Biometric Authentication Methods’. Ant Allan, June 2010.
