Jan 09 : Biosignature is the safe choice for guarding EMR access

Ease of use, 99.97% specificity, and cost-effectiveness assure compliance with HIPAA and HITECH Regulations

Meaningful use. Two words of towering importance that now remind every hospital administrator, CFO and medical group CEO that they must comply with newly promulgated regulations from federal HIPAA and HITECH legislation, or risk forfeiting funds previously received from the Center for Medicare and Medicaid Services.

But while emphasis originally stopped at the word “meaningful”—as in, is the EMR system being employed as demanded by law—greater emphasis now lands squarely on the word “use”—as in, will the physicians, paramedical staff, and record keeping and insurance-billing departments actually use the EMR as required? After all, what good is any electronic system if the user experience suffers?

With the recent introduction of biometric signature authorization systems that users effortlessly manage on their existing smart phone, tablet or desktop, the second half of the equation can now be solved. At the same time, the latest iterations of biometric signature authorization meet the “meaningful” needs of the medical organization by abiding by the letter of the law through gate-access specificity approaching 100%. The fact that these new systems reside “in the cloud” outside of the company’s business system, and require absolutely no additional cash outlays for hardware, tags them as a cost-effective option for compliance.

Play or pay
By now, the entire medical community understands the consequences of failing to employ meaningful use and safeguard the access to personal health information. Federal law (42 USC § 1320d-5) puts teeth into this message by imposing stiff penalties that start at a minimum $100 per violation and balloon to $50,000 per violation with an annual maximum of $1.5 million.

Acting as watchful sentinels to any EMR system are the access portals. When they fail, the entire system is compromised. In March, 2012, hackers managed to steal the medical records, including social security numbers, of 280,000 patients seen by the Utah state Health Department. The breach occurred at the password authentication level.

“Most of the administrators I speak to tell me that their biggest fear is having their organization’s EHR system compromised,” says Jeff Maynard, CEO of Biometric Signature ID, based in Lewisville, Texas. In excess of 80 clients and nearly 2 million users in all 50 states and approximately 60 countries currently utilize the company’s biosignature software. “The stakes have been upped by the HIPAA and HITECH acts. When you allow unauthorized access, then you can be held personally liable for the fines, as well as the organization.”

To ligate breaches to the system, and stop hemorrhaging at the bottom line, healthcare portals must meet several criteria. Among them: a) ensure that first time users are who they say they are; b) secure access by physicians, nurses, etc. to clinical applications that contain patient data; c) secure access by payees and other third parties; and d) secure any session both before and after login.

CFR 45, Section 170.314(d)(1) sums it all up—the system must verify against a unique identifier (e.g., username or number) that a person seeking access to EHR is the one claimed.

Finding a secure solution
A number of identification-checking modalities currently exist, falling into three basic categories: 1) something only (presumably) the user knows, such as a PIN or password; 2) an item the user has in his or her possession, such as a proximity card, flash drive or a token that provides random authentication codes; and 3) biometrics, something physically unique to the individual. However, the challenge begins at this point.

The failure of relying on something the user knows has become all too apparent. Cybercriminals have repeatedly proven the ease of cracking passwords and PINs. Secondly, requiring a user to possess a verification tool, like a flash drive or proximity card, entails the cost of purchasing, producing and distributing the necessary hardware. Of even greater concern, such devices do not necessarily authenticate the individual. They only verify that a person has possession of the device or card.

Which leaves biometrics. Examples include fingerprints, iris scans, facial recognition, DNA sequencing and, at the “bleeding” edge, vein scanning. While these may offer near-absolute verification, this type of identification requires a sophisticated, expensive, hardware device to capture and interpret the biometric patterns.

Obviating the need for a hospital to purchase a scanning device for its medical staff and other employees, Apple® has brought fingerprint scanning to the personal smartphone in the form of its Touch ID™ application; but not without its share of flaws.

“Fingerprint scanning seems convenient, but will lead to many cases of blocked access, especially in a clinical environment,” notes Maynard. “Antibacterial hand creams, powder from latex gloves, etc. will dirty the screen and reduce accuracy down to as low as twenty or thirty percent. If authorized users can’t access the system, they will rebel and refuse to use it.”

As a subset of biometric physical qualities, dynamic (AKA behavioral) biometrics offers the possibility of more accurate identification with fewer false negatives. Among the already proven types is “finger writing,” a type of gesture recognition verification.

Here, identification is accomplished in seconds by having medical personnel handwrite four letters or numbers within a confined space on a webpage by moving their mouse, stylus or dragging their finger across their smartphone screen. The software assesses the unique pattern of length, angle, speed, height, number of strokes and stores the information in an encrypted database. This data is compared to patterns collected by the user’s subsequent logins, confirming that the person who registered is the same person trying to access the account.
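The enroll-then-compare flow described above, as an added illustration that is not BioSig-ID's algorithm or code from the article: the feature names come from the paragraph, while the averaging template, the relative-deviation distance, the 0.15 threshold and the sample strokes are all assumptions constructed for the example.

```python
import math

def features(strokes):
    """strokes: list of strokes, each a list of (x, y, t_seconds) samples."""
    length = duration = 0.0
    for s in strokes:
        duration += s[-1][2] - s[0][2]
        for (x0, y0, _), (x1, y1, _) in zip(s, s[1:]):
            length += math.hypot(x1 - x0, y1 - y0)
    ys = [p[1] for s in strokes for p in s]
    (xa, ya, _), (xb, yb, _) = strokes[0][0], strokes[0][-1]
    return {
        "length": length,
        "height": max(ys) - min(ys),
        "speed": length / duration,
        "strokes": float(len(strokes)),
        "angle": math.degrees(math.atan2(yb - ya, xb - xa)),  # first stroke, start to end
    }

def enroll(samples):
    """Template = per-feature mean over the enrollment samples."""
    feats = [features(s) for s in samples]
    return {k: sum(f[k] for f in feats) / len(feats) for k in feats[0]}

def distance(template, attempt):
    """Mean relative deviation from the template (angle on a 180-degree scale)."""
    f, devs = features(attempt), []
    for k, ref in template.items():
        if k == "angle":
            diff = abs(f[k] - ref) % 360
            devs.append(min(diff, 360 - diff) / 180)
        else:
            devs.append(abs(f[k] - ref) / ref)
    return sum(devs) / len(devs)

def verify(template, attempt, threshold=0.15):
    """Accept when the attempt is close enough; 0.15 is an assumed threshold."""
    return distance(template, attempt) <= threshold

def sample(scale, pace):
    """Constructed two-stroke gesture: scale = drawn size, pace = time multiplier."""
    return [[(0, 0, 0.0), (0, 40 * scale, 0.4 * pace), (20 * scale, 40 * scale, 0.6 * pace)],
            [(30 * scale, 0, 0.9 * pace), (50 * scale, 40 * scale, 1.3 * pace)]]

TEMPLATE = enroll([sample(1.0, 1.0), sample(1.05, 0.95), sample(0.95, 1.05)])
```

Tightening the threshold to 0.03 rejects the same enrolled user writing 20% faster (`sample(1.0, 0.8)`), which is the false-negative cost the article attributes to less forgiving systems.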

In independent testing by the Tolly Group—a leading global provider of testing and third-party validation and certification services to the Information Technology industry since 1989—the BioSig-ID™ gesture recognition system was found to be 27 times more accurate than keystroke analysis reported in earlier evaluations. Observed confidence ratings at 99.97% meant that the false positive level of this particular software was three times better than guidelines put out by the National Institute of Standards and Technology.

But will they use it?
Accuracy aside, the payoff of such a system is its ready adoption by medical staff.

In fact, its very accuracy helps ensure acceptance because of the lack of false negatives. Additionally, since the reader is virtual and resides “in the cloud,” even users who do not have a smartphone can access it from any tablet or desktop computer, making it instantly and universally available.

It is all about the user experience and flexibility according to Maynard. Experience surveys report a 98% positive rating from users with many even reporting that it’s ‘fun.’

“Taking it one step further, in terms of timesaving and convenience, with our mobile app a user need only acquire authentication via his or her biosignature once. Upon which the system can be set up to respond with an RSA-style key code, QR code or even NFCs that land in their smartphone,” explains Maynard. “From that point on the user can employ that code as a ‘key’ to access the facility’s EHR. The duration of the key’s access rights is configurable from groups to individuals.”

Since one of the biggest concerns today is how to manage and secure personal devices, BioTect-ID™, using BioSig-ID biometrics, was created to lock down mobile devices, tablets and workstations to further prevent unauthorized access and data breaches.

Through easy and convenient, yet secure, access to medical records, applications, and even physical corridors, physicians and staff can accomplish their assigned tasks without fear of violating the law and incurring risk to the facility.

Recognizing these advantages, leading healthcare and enterprise companies like Epic and Ping Identity have already moved to integrate with Biometric Signature ID.

Covering future contingencies
New rules issued last year by The U.S. Department of Health and Human Services further tighten the requirements for protecting patient privacy and securing their health information.

The Federal Regulations/Interpretive Guidelines for Hospitals (482.24(c)(1)(i)) require that every entry in the health record should be authenticated and traceable to the author of the entry. Hence, any authentication system must incorporate some method of tracking.

“A good biosignature system can provide an audit trail including the time, date, physical location, history and even the ISP/IP address of a user who signs in for any medical record or through a portal,” explains Maynard. “Through continuous data mining we have developed risk scoring algorithms that uncover fraudulent activity. Examples include comparing the history of IP addresses, ISPs, accuracy levels, password resets, validation attempts and more data that point to atypical behaviors. We can set up certain alerts and bring this information to the attention of the medical institution.”
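A sketch of risk scoring over such an audit trail, added here as an example and not the vendor's algorithm: it compares each login against the user's own history of IP address, ISP, accuracy level, password resets and failed validation attempts. The event field names, weights, thresholds and the audit records themselves are assumptions constructed for the illustration.

```python
from datetime import datetime, timedelta

# Assumed weights; a real deployment would tune these on its own data.
WEIGHTS = {"new_ip": 2, "new_isp": 2, "low_accuracy": 3, "recent_reset": 2, "failed_attempts": 1}

def score_logins(events, alert_at=5):
    """Return (user, time, score, reasons) for each login scoring >= alert_at."""
    history, alerts = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        h = history.setdefault(e["user"], {"ips": set(), "isps": set(),
                                           "acc": [], "resets": [], "fails": 0})
        if e["type"] == "password_reset":
            h["resets"].append(e["ts"])
        elif e["type"] == "validation_fail":
            h["fails"] += 1
        elif e["type"] == "login":
            checks = {
                "new_ip": e["ip"] not in h["ips"],
                "new_isp": e["isp"] not in h["isps"],
                "low_accuracy": bool(h["acc"]) and
                                e["accuracy"] < sum(h["acc"]) / len(h["acc"]) - 0.10,
                "recent_reset": any(e["ts"] - r <= timedelta(hours=24) for r in h["resets"]),
                "failed_attempts": h["fails"] >= 2,
            }
            # A user's first login has no baseline to compare against, so it never scores.
            reasons = [k for k, hit in checks.items() if hit and h["acc"]]
            score = sum(WEIGHTS[k] for k in reasons)
            if score >= alert_at:
                alerts.append((e["user"], e["ts"], score, reasons))
            else:  # only unflagged logins extend the user's baseline
                h["ips"].add(e["ip"])
                h["isps"].add(e["isp"])
                h["acc"].append(e["accuracy"])
            h["fails"] = 0
    return alerts

def ev(user, ts, kind, ip="", isp="", accuracy=0.0):
    return {"user": user, "ts": datetime.fromisoformat(ts), "type": kind,
            "ip": ip, "isp": isp, "accuracy": accuracy}

# Constructed audit trail (documentation IP ranges, made-up users and ISPs).
EVENTS = [
    ev("drlee", "2024-01-08T08:00", "login", "192.0.2.10", "ISP-A", 0.96),
    ev("kim", "2024-01-08T07:30", "login", "198.51.100.5", "ISP-B", 0.93),
    ev("kim", "2024-01-10T07:40", "login", "198.51.100.9", "ISP-B", 0.92),
    ev("drlee", "2024-01-11T02:11", "validation_fail"),
    ev("drlee", "2024-01-11T02:12", "validation_fail"),
    ev("drlee", "2024-01-11T02:15", "password_reset"),
    ev("drlee", "2024-01-11T02:20", "login", "203.0.113.77", "ISP-Z", 0.81),
]
```

On this trail, `score_logins(EVENTS)` flags only the 02:20 login for `drlee`, where every signal fires at once; `kim`'s move to a new address on the same ISP scores 2 and stays below the alert level.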

Industry-accepted application program interface standards such as SAML 2.0 and SSO-IO communicate with the business systems of the medical enterprise to allow seamless exchange of such tracking information.

The ability to provide evidence of all the events surrounding the authentication activity not only provides a powerful tool to combat fraud, but also ensures compliance with evolving regulations that portend to mandate even stricter standards of identity authorization within the healthcare industry. Leading healthcare and enterprise companies like Epic and Ping Identity have already seen the handwriting on the wall, and have integrated with Biometric Signature ID.
