Using biometrics to prevent data breaches and identity theft in healthcare

Errol Weiss, chief security officer at Health-ISAC, says biometrics may hold the key to solving some of the biggest identity challenges in healthcare.

Posted 26 March 2024 by Christine Horton

The increasing digitisation of the healthcare industry is obviously a good thing, offering myriad benefits related to heightened operational efficiency and more advanced data processing.

However, new technology unfortunately puts organisations at a higher risk of data breaches, identity theft, and fraud. Due to the growing volume of patient data, and the extremely sensitive nature of that data, traditional single-layer security protocols are no longer sufficient. Healthcare organisations need additional measures to protect patient data and ensure that the only people who can view this data are the ones who have been authorised to do so.

One aspect of this solution is good old multi-factor authentication (MFA), in which a user can only gain access to a website or application after clearing two identification hurdles. MFA adds another layer of security beyond passwords and employee credentials, an extra step that is increasingly necessary. Recent research found that 62 percent of office workers have shared passwords with colleagues, making it more likely that this information will fall into the wrong hands. Compromised credentials remain a leading cause of data breaches, accounting for 61 percent of related incidents.

One particularly promising area in MFA is biometric authentication, which relies on the unique biological characteristics of an individual to verify their identity. Before we get into explaining how biometrics can be implemented in healthcare, let’s define how biometrics work and outline the different types of biometric systems available today.

What are biometrics?

There are two types of biometrics: physiological and behavioural. Physiological biometrics verify identity with physical traits such as an individual’s face, fingerprints, iris, retina, or voice. Most smartphone users access their mobile devices with biometrics every day using facial recognition or fingerprints. Behavioural biometrics verify a user’s identity by analysing behaviours such as an individual’s keystrokes when typing, or the way they manoeuvre a computer mouse.

Biometric authentication stands out because of its direct link to an individual’s unique physical characteristics, making it inherently non-transferable. Unlike traditional employee passwords, which can be shared or stolen, biometrics are exclusively associated with the person they belong to. This approach offers logistical benefits over alternatives like physical security tokens, which are small devices carried by users to grant access to secured systems. These tokens, though effective, require users to physically carry them and connect them to each computer or tablet, which can be cumbersome in fast-paced healthcare settings.

Biometrics are also preferable to a system of one-time passwords, which typically consist of a six-digit code sent to a user’s mobile device. These offer an additional layer of security, but they, too, pose challenges in a healthcare environment. Each login to a new system demands retrieving and entering this code, a step that, while enhancing security, can introduce delays in critical situations where every second counts. Biometrics represent a streamlined and secure alternative in such high-stakes settings.

Biometrics in healthcare

In the dynamic environment of healthcare, physiological biometrics can be integrated seamlessly into a clinician’s daily routine and serve as the second step in MFA. The process begins with registering employees in the biometric system and creating an exclusive list of individuals authorised for certain access levels. Once clinicians provide a standard form of identification, such as a password or ID badge, biometric technology steps in, requiring a fingerprint scan or facial recognition before providing access. This dual-layer approach to MFA not only enhances security but also ensures that access is granted swiftly and accurately, which is crucial in healthcare settings where time and accuracy are of the essence.

For example, consider a nurse at a hospital who needs to enter new data into an electronic health record (EHR) system. After inputting a password, the nurse confirms their identity by placing a finger on a scanner, ensuring that the individual entering the password is an authorised user. Later in the day, the same nurse may need to access medication from a locked cabinet. The process begins with swiping an identification badge on the cabinet’s card reader. To further verify that the badge has not been misused, perhaps by someone who has stolen it, the nurse then scans their fingerprint, completing the second step in MFA. This action confirms the nurse’s rightful ownership of the badge and grants access to the medication. The biometric authentication takes just a few seconds of a clinician’s time and doesn’t restrict them from doing their jobs.
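The flow just described (enrolment, an authorised-access list, a password or badge as the first factor, a fingerprint match as the second, and a per-resource access check) can be modelled as a small policy module. The following is an added example written for this page, not code from Health-ISAC or any product. It assumes a constructed directory of enrolled clinicians, a made-up numeric feature vector standing in for a real fingerprint template, a cosine-similarity match with an assumed threshold, and a single-use backup code for the case the article raises later, where a clinician cannot present the biometric at all. Two design points are worth noticing: the scan is compared only against the template of the user who already passed the first factor (1:1 verification, so a stolen badge plus someone else’s finger fails), and a biometric mismatch is never silently downgraded to the backup path.

```python
import hashlib
import hmac
import math
import os
from dataclasses import dataclass

# Assumed match threshold on cosine similarity; a real matcher would be
# tuned against measured false-accept and false-reject rates.
MATCH_THRESHOLD = 0.90

# Resource -> access level a clinician must hold (constructed for this example).
REQUIRED_LEVEL = {"ehr": "clinical", "med_cabinet": "medication"}


@dataclass
class Enrollment:
    """What the system stores for one clinician at registration time."""
    salt: bytes
    password_hash: bytes
    template: list[float]            # constructed feature vector, not a real template format
    access_levels: frozenset[str]    # the "exclusive list" of what this person may reach
    backup_code_hashes: set[bytes]   # hashes of single-use codes for the backup path


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Slow salted hash for passwords and backup codes (never for templates)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def enroll(password, template, access_levels, backup_codes) -> Enrollment:
    salt = os.urandom(16)
    return Enrollment(
        salt=salt,
        password_hash=hash_secret(password, salt),
        template=list(template),
        access_levels=frozenset(access_levels),
        backup_code_hashes={hash_secret(c, salt) for c in backup_codes},
    )


def cosine_similarity(a, b) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def first_factor_ok(enr: Enrollment, password: str) -> bool:
    return hmac.compare_digest(enr.password_hash, hash_secret(password, enr.salt))


def second_factor_ok(enr: Enrollment, scan) -> bool:
    # 1:1 verification: the scan is checked only against the claimed user's template.
    return cosine_similarity(enr.template, scan) >= MATCH_THRESHOLD


def backup_code_ok(enr: Enrollment, code: str) -> bool:
    h = hash_secret(code, enr.salt)
    for stored in enr.backup_code_hashes:
        if hmac.compare_digest(stored, h):
            enr.backup_code_hashes.discard(stored)  # single use
            return True
    return False


def authorize(directory, user, password, resource, scan=None, backup_code=None):
    """Return (granted, reason). Both factors must pass before the access level is checked."""
    enr = directory.get(user)
    if enr is None or not first_factor_ok(enr, password):
        return (False, "first factor failed")
    if scan is not None:
        if not second_factor_ok(enr, scan):
            return (False, "biometric mismatch")   # no fallback on a failed match
    elif backup_code is not None:
        if not backup_code_ok(enr, backup_code):
            return (False, "backup code rejected")
    else:
        return (False, "second factor required")
    if REQUIRED_LEVEL.get(resource) not in enr.access_levels:
        return (False, "not authorised for resource")
    return (True, "granted")


def build_sample_directory():
    """Constructed sample: one nurse with clinical access and one backup code."""
    return {"nurse.lee": enroll("correct-horse-battery", [0.2, 0.9, 0.4, 0.1],
                                ["clinical"], ["backup-1234"])}


if __name__ == "__main__":
    d = build_sample_directory()
    print(authorize(d, "nurse.lee", "correct-horse-battery", "ehr", scan=[0.21, 0.88, 0.42, 0.12]))
    print(authorize(d, "nurse.lee", "correct-horse-battery", "ehr", scan=[0.9, 0.1, 0.1, 0.9]))
    print(authorize(d, "nurse.lee", "correct-horse-battery", "med_cabinet", scan=[0.21, 0.88, 0.42, 0.12]))
```

In a deployment the matcher and template store would be the vendor’s, but the surrounding policy is what an integrator owns: which resources need which level, what happens on a mismatch, and how the backup path is issued and audited.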

Challenges of biometrics

Since biometrics are still an emerging security tool, their functionalities still present some challenges. For example, some facial recognition systems have difficulty identifying individuals with certain skin tones. Organisations looking to introduce facial recognition technology should first make sure that their desired system has been approved by the National Institute of Standards and Technology, which ensures that the system’s algorithm has been proven to perform equally well for all ethnicities, genders, and skin tones.

Different types of biometrics may be unnecessarily burdensome for healthcare workers in certain settings. For instance, fingerprint identification may not be possible in environments where clinicians are wearing gloves, much as voice recognition may not be possible in noisy environments. So, organisations must determine which biometric system makes sense for each setting, or whether biometrics would do more harm than good for certain tasks.

Biometrics are a significant deviation from traditional security protocols, so healthcare operators must take multiple precautions to ensure a smooth integration. Organisations must review local laws and regulations, create new policies to gain consent from participating employees, and determine a backup plan in the event that someone cannot provide the necessary authentication.

Lastly, advancements in artificial intelligence and deepfake technology can allow cybercriminals to fool facial recognition systems or replicate an individual’s voice. Organisations should take a layered approach to security that doesn’t exclusively revolve around biometrics. If anything, putting too much reliance on biometrics can increase an organisation’s vulnerability to cybercriminals who specialise in AI and deepfake technology. To protect themselves from tech-savvy hackers, organisations should view biometrics as another layer in their security protocols that makes their data systems even harder to penetrate.

Final thoughts

As the healthcare industry embraces the digital age, the security of patient data becomes a paramount concern. In this context, biometric technology offers an advanced layer of security and heralds a new era of efficiency in patient care. The unique combination of speed and accuracy provided by biometrics makes it an essential tool in the healthcare sector’s ongoing battle against data breaches and identity theft.