Friday, May 29, 2009

Cool Technology of the Week

In my recent blog about the Red Flags rule, GreenLeaves commented that biometric checking would help reduce errors by establishing identity and uncovering fraud.

Using biometrics to verify identity seems like a good idea, so I met with Jim Sullivan from BIO-key, a leading provider of biometric solutions.

In the past, I've been reluctant to adopt biometrics because of the expense of buying fingerprint or iris scanners for each of my 8000 client devices.

However, now that many laptops and hospital-ready tablets include embedded fingerprint swipe scanners and the price of USB fingerprint scanners has dropped significantly, it is realistic to consider biometrics.

BIO-key has developed a next-generation algorithm that reduces the fingerprint to a set of calculated unique identifiers. A person’s fingerprint graphic is not the credential; their finger is. BIO-key ensures that only a real finger is being scanned to produce these unique identifiers, making a stolen fingerprint graphic useless to a potential imposter. It's the computed values that are stored when the user's finger is scanned at enrollment, and they are later used for comparison with future scans. To me, it's similar to the way NTLM authentication works - there is no need to store or exchange the actual password, it's a mathematical hash of the password that is compared to a stored mathematical hash of the original password. BIO-key allows you to enroll and identify on most of the different fingerprint scanners in the market, allowing an open, heterogeneous fingerprint hardware environment.

There are several interesting ways that biometrics could be used in healthcare:

1. As an alternative authentication method for clinicians instead of having to constantly type a username and password. BIO-key provides a web-enabled fingerprint scanning authentication method that interfaces seamlessly between web applications and an enrollee database or Active Directory. Every authentication, from connecting initially to a secure Wi-Fi hub, to authenticating to Active Directory, to authenticating to web-based or thick client applications, can be done using a finger scan.
2. As a two-factor authentication mechanism for secure remote access to sensitive data - instead of a token, you carry your finger with you wherever you go. Note that modern fingerprint scanners include measurement of living tissue, so your finger cannot be stolen and used as an authenticator.
3. As a way to protect patients from identity theft or mis-identification. The first time you register for care, you present your passport and your finger for scanning. On every successive visit, your fingerprint scan is used to verify your identity, without the need to hand-check the paper credentials again.

Some people may think that fingerprints are used to identify criminals and thus may be reluctant to use a fingerprint scanner. As noted above, we're not using the fingerprint itself - this is not an FBI comparison to a stored library of fingerprints. Instead, it's comparing the scan of the finger to specific computations made on earlier scans of the finger when the patient first registered. Hopefully, this will make patients accept scanning as a positive way to protect their identity instead of a negative "police-like" search of their past.

If you'd like to try this yourself, just get a USB fingerprint scanner or use a laptop with a built-in fingerprint swipe reader, such as those from HP, Lenovo, or Dell. Go to http://www.bio-key.com/hitdemo.asp and follow the instructions to download the web client and test the fingerprint-enabled applications. Note that it only works in Windows at this time.

A simple way to prevent identity theft and to authenticate web applications using your finger. That's cool!
