Yet these features are typically only used for physical access control and are not used for desktop authentication. These higher security features must be implemented in cooperation with the card vendor, decrease the speed at which a user is recognized and limit the interoperability of the system with various card technologies. For these reasons, most authentication software utilizes the CSN irrespective of what card technology is used.
In short, the common denominator is the CSN because it is fast and interoperable. Unfortunately, the CSN is an unencrypted static number that can be simply copied or cloned. Is a static card number plus a password any more secure than the former username/password model that it replaced?
The majority of single sign-on solutions also offer the capability to use either a proximity card with no PIN as an authentication method or use a “grace period” feature that bypasses the need to enter a password for each logon event. At the start of the day, a card and password is required but, for the next four to eight hours, only the card is required for authentication. When no password or PIN is required for user authentication, if a card is lost or stolen, it can be used by anyone — even without a password.
To summarize, in grappling with the new demands of electronic healthcare data, physician workflow was improved by tying every application and transaction requiring a username/password pair to a single authentication event. Then, the security of this authentication event was “enhanced” by replacing the username with a static card number. As a final step, two-factor authentication was bypassed and security was sacrificed, once again, to provide simplified access to information.
Biometrics Makes Better Sense Today
The reality is that security has taken a backseat to workflow at every stage. Prox cards were never designed to protect networks, applications and sensitive patient data, yet many healthcare organizations rely on this technology to protect their most critical assets.
Clinicians logon to an EHR system as often as 75 times a day. These transaction events can add up to 45 minutes if using a username and password. The use of electronic systems is undeniably valuable and necessary, and access
to those systems must be simple and convenient or they will not be adopted. What seems to have been forgotten in the rush to implement is that access must also be secure to meet regulatory requirements and to provide proper patient privacy.
If using a proxy card and PIN is not much better than the former username/password model, what is the alternative? It must be as or more convenient than using a card and password, and it must positively identify the person accessing the information. Something that the clinician can share with others such as a username and password does not identify “who” without some level of doubt. Something that can be easily duplicated such as a static CSN also does not absolutely identify “who.” Only through the use of a biometric can the authorized individual be positively identified to securely grant access while creating a record of the authenticity of the transaction.
Fingerprint biometrics is the most widely used biometric technology in healthcare for medication dispensing, electronic prescriptions of controlled substances and simple, secure login to EHRs. More convenient than using a card-based system, a fingerprint biometric authentication solution does not require the clinician to carry some other device, card or token. Requiring no more than the placement of a finger on a sensor, authentication using fingerprint biometrics enhances clinician workflow while delivering the level of security that is required to protect sensitive health information.
However, not all fingerprint biometric solutions are created equal. To maximize adoption, it is critical to select a fingerprint sensor that works in real-world environments and that can deliver consistent results irrespective of race, gender, age or physical conditions. To truly enhance workflow, the sensor needs to work every time and for every user.
Technology Suits the Environment
The purpose of any biometric technology is to provide consistent data for verification that can be used to match the data that was captured during enrollment. Only then can the system properly identify and quickly accept the right people while rejecting unauthorized users. A biometric sensor needs to collect usable data under a variety of real-world conditions. Within healthcare, these conditions are typically characterized by a diverse user population that has minimal training on biometric enrollment and high use of alcohol-based hand sanitizers and hand washing resulting in dry hands, along with a relatively cool, bright and dry environment. These conditions have caused traditional fingerprint biometric sensors to have difficulty supporting the demands of both health-care institutions and clinicians.
To address the shortcomings of conventional fingerprint technologies, a new technology — multispectral imaging — collects information about both the surface and sub-surface fingerprint to capture reliable data every time, regardless of whether a user’s finger is dry, wet, dirty, slightly rotated or difficult to capture.
