“96% of all healthcare service providers reported having had a security incident involving lost or stolen devices”; “70% of healthcare organizations reported being most worried by concerns regarding negligent or careless employees causing a security incident” – Fifth Annual Study on Medical Identity Theft by Ponemon Institute LLC, Feb’2015
Use of Biometric Single Sign-On in healthcare
In this article we will look at why traditional password-secured applications are insecure and hence incapable of stopping data breaches, including medical identity theft. We will then look at Biometric Single Sign-On systems and understand how they are effective in preventing security lapses surrounding patient information.
This will be followed by a quick overview of the benefits of integrating Biometric SSO with Active Directory to provide enterprise-wide access control and authorization. Finally, we will look at the various advantages which a Biometric SSO solution provides to healthcare service providers as well as hospital staff.
Hospital systems contain highly critical patient data
Hospitals hold a lot of data which, if accessed by persons with malicious intent, can lead to huge financial losses. The important patient-related information held by hospitals includes –
- Patients’ health insurance data, which if stolen can lead to medical identity theft via impersonation of a patient’s identity.
- Important PII (Personally Identifiable Information) such as social security numbers, dates of birth etc., which can be exploited for financial gain.
- Medical records with disease information, another area which when leaked can lead to embarrassing situations for the patients.
Inherent problems with passwords and their alternative
Passwords have been used for the past few decades to provide authentication and access control. However, passwords are inherently risky.
The mere fact that anyone who knows the password can access the system makes them vulnerable to misuse. People often write their passwords down, where they can be copied. Then there are cases of employees sharing their password over phone or chat with another employee. As a result, there have been numerous instances of security and data breaches simply because persons with malicious intent got hold of passwords.
With all these problems being faced with passwords, healthcare institutions are realizing the need to do away with them. The move to more secure authentication is based on the premise that passwords are “something you know”. The authentication industry is now moving towards technologies which work via “something you have”.
The authentication technology which is the frontrunner for replacing passwords is biometrics, as it is based on the “something you have” principle. Your fingerprints or iris patterns are biological characteristics which you possess. They are far superior to traditional passwords in protecting healthcare systems and patient data.
Adherence to HIPAA’s privacy rule
HIPAA, or the Health Insurance Portability and Accountability Act, requires that healthcare providers put in place stringent policies and procedures to ensure the privacy of their patients’ health records.
A few important mandates of HIPAA as specified in its Privacy Rule are –
- Beyond the information required for patient care, a patient’s information cannot be released without the patient’s knowledge and consent.
- Audit logs should be maintained for all patient-related information released. These logs should contain the purpose of the release and its recipient.
- Patients can request a copy of their health records and ask for amendments, if any.
- Patient consent needs to be taken prior to the release of their data for healthcare as well as non-healthcare purposes.
- The security mandates in HIPAA are quite stringent. They require strict control over access to patient information and health records.
Let us now take a look at how Biometric Single Sign-On (SSO) systems, which use biometrics for identity management and SSO for application access management, alleviate the security pain-points in healthcare organizations.
Biometric Single Sign-On (SSO) authentication systems
To understand biometric single sign-on authentication systems it is important to understand the two terms, biometric and single sign-on.
A biometric is a measurable physical characteristic such as a fingerprint, iris pattern, retinal pattern, gait etc. Biometrics are unique to every individual and can be used for identity management. Biometric authentication refers to authenticating a person based on their captured biometrics.
Single Sign-On is a class of authentication solution in which authenticating to one application gives a user access to all applications which have agreed to share the user session with that application. In other words, the user logs in just once, in any one of the applications, to obtain access to all of them.
Biometric Single Sign-On authentication systems combine biometric authentication with single sign-on across applications. A user logging into any of the constituent applications of a biometric single sign-on solution uses their biometric identity as the access credential, i.e. they present a biometric such as a fingerprint or iris for scanning and validation.
If the user’s biometric credentials validate them for access, that user is logged in to the application they opened. Subsequently, without logging in again, they can access all the applications within the SSO ambit which have agreed to share the user session with that application.
Integration of Biometric Single Sign-On (SSO) with Active Directory
Biometric SSO solutions, when integrated with Active Directory, deliver a highly secure, enterprise-wide access management solution with the following advantages –
- Centralized user enrolment with biometrics capturing
- Centralized credentials management
- Centralized access rights management
- Easy client components installation via Active Directory’s group policies
- Centralized auditing of application accesses
Advantages of using Biometric Single Sign-On authentication systems
Because they use both biometrics and single sign-on access management, biometric single sign-on applications provide the advantages of both technologies. Biometric SSO systems benefit healthcare providers as well as medical staff members and doctors.
Let us now take a look at the advantages which a healthcare organization and its staff can derive from the use of Biometric Single Sign-On authentication systems –
Use of biometrics for logging in to hospital applications makes the system highly secure. Biometrics cannot be faked or spoofed. Any person who is not enrolled in the central biometric database will not be able to log in to the hospital application posing as a staff member. In addition, the 2-factor authentication aspect makes the security very strong. Due to such tight security, instances of medical identity theft are not possible.
All the stringent HIPAA mandates mentioned earlier in the article are taken care of with the highly secure authentication provided by the use of biometrics.
If a need arises to determine which hospital staff member accessed which records during a particular time frame, biometric SSO can provide such audit tracking information for a patient across multiple applications.
Such audit tracking across multiple applications is possible because every application contacts the central SSO server to verify the authenticity of the user session it is about to share. Access requests from individual applications can then be tracked. Patient data access requests from individual applications can also be tied to the logged-in user’s profile and tracked for auditing.
Biometric SSO closely binds together user authentication with application access across the healthcare provider’s organization. There is no longer a need to have multiple access credentials for each individual application. Only a single biometric authentication is enough to access all applications.
Not all staff members need to be granted access to all applications. For example, a nurse need not have access to the payments application. Likewise, sensitive disease-related data might be restricted to doctors only. All these privacy controls and authorizations are built into a biometric SSO solution and can be applied across applications. When user authentication is integrated with an Active Directory installation, such authorizations can be centrally configured with ease.
Quick authentication and access to applications reduce transaction times. In emergency situations, doctors and staff can quickly authenticate themselves once using their biometric credentials. They can then access all applications required to get the patient’s complete health information without having to log in again. The time thus saved can prove crucial in emergency situations.
Biometric Single Sign-On (SSO) is a potent tool for security and authentication management in healthcare systems. Using a Biometric SSO system, healthcare service providers can centrally manage access and authentication across all healthcare applications. In addition, Biometric SSO solutions allow an organization to fulfil all necessary conditions specified under HIPAA. Biometric SSO solutions are thus highly recommended for all healthcare service providers.
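The session sharing described in the Biometric Single Sign-On section, the cross-application audit trail of the preceding paragraphs and the per-role authorizations described just above, worked through in one added Python example. This is illustrative code written for this article, not the code of any Biometric SSO product or of Active Directory. The bit-string biometric templates, the Hamming-distance matching and its threshold, and the user names, roles, applications and timestamps are all assumed for the example; a real deployment would use a vendor matching engine and a directory for the role data.

```python
"""Toy biometric SSO broker (constructed example, not a product's code).

A biometric sample is modelled as a 16-bit string, loosely in the spirit
of an iris code, and matched to the enrolled template by Hamming distance;
real systems use a vendor matching engine, so treat this as a stand-in.
Users, roles, applications, thresholds and timestamps are all assumed.
"""
import secrets
import time
from dataclasses import dataclass, field

# Assumed tolerance: a live scan may differ from the template in up to 3 bits.
MATCH_THRESHOLD = 3

# Central authorization policy (assumed): which roles may use which app,
# and which roles may open records flagged as sensitive disease data.
APP_ROLES = {"ehr": {"doctor", "nurse"}, "payments": {"billing"}}
SENSITIVE_RECORD_ROLES = {"doctor"}


def hamming(a: str, b: str) -> int:
    """Number of differing bit positions between two equal-length bit strings."""
    return sum(x != y for x, y in zip(a, b))


@dataclass
class Session:
    token: str
    user: str
    role: str
    issued_at: float


@dataclass
class SsoServer:
    enrolled: dict = field(default_factory=dict)   # user -> (template, role)
    sessions: dict = field(default_factory=dict)   # token -> Session
    audit: list = field(default_factory=list)      # central audit trail

    def enrol(self, user: str, template: str, role: str) -> None:
        self.enrolled[user] = (template, role)

    def authenticate(self, user, sample, app, now=None):
        """Biometric login to one app; returns a session token or None."""
        now = time.time() if now is None else now
        entry = self.enrolled.get(user)
        ok = entry is not None and hamming(entry[0], sample) <= MATCH_THRESHOLD
        self.audit.append(dict(ts=now, user=user, app=app, event="login", ok=ok))
        if not ok:
            return None
        token = secrets.token_hex(16)          # unguessable session identifier
        self.sessions[token] = Session(token, user, entry[1], now)
        return token

    def validate(self, token, app, now=None):
        """Every SSO-member app calls this before accepting a shared session."""
        now = time.time() if now is None else now
        s = self.sessions.get(token)
        allowed = s is not None and s.role in APP_ROLES.get(app, set())
        self.audit.append(dict(ts=now, user=s.user if s else None, app=app,
                               event="session", ok=allowed))
        return s if allowed else None

    def record_access(self, token, app, patient_id, sensitive, now=None):
        """Record-level authorization, logged against the logged-in user."""
        now = time.time() if now is None else now
        s = self.validate(token, app, now)
        allowed = s is not None and (not sensitive or s.role in SENSITIVE_RECORD_ROLES)
        self.audit.append(dict(ts=now, user=s.user if s else None, app=app,
                               event="record", patient=patient_id, ok=allowed))
        return allowed

    def who_accessed(self, patient_id, start, end):
        """Audit query: staff who opened this patient's records in [start, end]."""
        return sorted({e["user"] for e in self.audit
                       if e["event"] == "record" and e["ok"]
                       and e["patient"] == patient_id and start <= e["ts"] <= end})


def run_demo():
    """Constructed scenario: two enrolled staff members and one unenrolled person."""
    sso = SsoServer()
    sso.enrol("dr_lee", "1011001110101100", "doctor")
    sso.enrol("nurse_kim", "0110110010011010", "nurse")
    t = 1_700_000_000.0                              # constructed base timestamp
    # Live scan differs from the template in 2 bits: within tolerance.
    doc = sso.authenticate("dr_lee", "1011001110101111", "ehr", now=t)
    # Someone never enrolled cannot obtain a session at all.
    bad = sso.authenticate("intruder", "1011001110101100", "ehr", now=t + 1)
    nurse = sso.authenticate("nurse_kim", "0110110010011010", "ehr", now=t + 2)
    return {
        "doctor_token_issued": doc is not None,
        "intruder_rejected": bad is None,
        "doctor_sensitive": sso.record_access(doc, "ehr", "P-001", True, now=t + 3),
        "nurse_sensitive": sso.record_access(nurse, "ehr", "P-001", True, now=t + 4),
        "nurse_basic": sso.record_access(nurse, "ehr", "P-001", False, now=t + 5),
        "nurse_payments": sso.validate(nurse, "payments", now=t + 6) is not None,
        "accessed_P001": sso.who_accessed("P-001", t, t + 10),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Running it shows the doctor's slightly different live scan being accepted, the unenrolled person getting no session, the nurse's shared session being refused both by the payments application and for the sensitive record, and the audit query for patient P-001 in the chosen window naming both staff members. The audit works across applications because the central server holds the session-to-user mapping and every member application validates the shared session with it, so each validation and record access is logged in one place.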