Early deployment of biometrics in healthcare: Why it’s risky business

As one of the industries with the strictest privacy requirements on data, it is critical for healthcare institutions to lock down every server, database and account to ensure the utmost protection.

The current method, the use of passwords, is weighing down the industry. For the nurses, doctors, technicians and other staff interacting with many highly technical systems, along with patient's identities inside a hospital, this means remembering several passwords that need to be used on a daily basis and updated regularly. The challenge for hospital staff is clearly daunting.

Health information is some of the most sensitive personal data we possess, so enhancing its security has become an absolute necessity. However, many current implementations of biometric authentication put people's own biometric data at risk, and can also be gamed by hackers to replace the identifiers of the patient or practitioner with those of a criminal instead. The damage here can be lasting: you can change a password - but you can't change your biometric identifiers.

The current state
In general, the only biometric currently in use across the healthcare spectrum is the fingerprint. More recently, there has been a large increase in usage at doctors' offices, where fingerprint sensors attach to Windows machines and provide positive authentication for electronic prescription writing. Are these deployments good or bad? Here is the short answer: on the one hand, it makes forgeries a lot harder, but on the other hand the implementation is considered highly flawed (i.e., single-digit fingerprint matches are not unique - roughly 1 in 1000 other people will match to YOUR fingerprint), and could potentially be abused in a serious and hidden way without raising any alarms until it is far too late.

The healthcare industry must be careful
In general, healthcare lags behind other industries in terms of technology adoption due to the need to be highly risk averse. While there are obvious attempts to implement new features and security, the industry may not have the necessary information and knowledge to make informed decisions.

Overall, the IT security framework within hospitals and health plans is not yet strong enough to protect the biometric data of patients and practitioners. This is because it is still a new concept – not just in healthcare – but for all other industries deploying biometric authentication.

How hackers could game current deployments
Continuing with the concept that implementations are faulty, the basic idea is that the Electronic Medical Records (EMR) system being used in doctors' offices do not conform to a specific standard and are all individually written to attempt to meet the demands of a particular medical practice. Many of these software packages are poorly written hodgepodges of technologies, where the biometrics are simply added to the local software as an authentication or two-factor (2FA) improvement, with the first factor being the username/password and the second being the fingerprint used to validate prescriptions. Typically, the biometric vector is stored on the local servers on Windows 7 terminals that have fingerprint sensors attached.

At a recent visit to my own doctor, I noticed that the entire network operates on both Ethernet and Wi-Fi, and that all the machines seems to be running against the same Windows 2008 server. While I was waiting for my doctor, I took the liberty of probing the Wi-Fi network to see how it operated. As I guessed, it was using basic Wi-Fi Protected Access 2 (WPA2) security, without certificate-based, encrypted authentication. Any good hacker would be able to access the Wi-Fi network in a matter of minutes. Once on the network itself, it is a straight forward process to take over the desktops.

Another method is the tried and true Trojan or Remote Access Trojan (RAT). These programs are custom designed to bypass an antivirus on the first few attempts, allowing the Trojan to gain admin access to the desktop and granting a remote attacker full access to the machine. Since this is a Windows machine, writing a custom payload that would intercept the fingerprint sensor and force it to always authenticate no matter what is placed on the sensor (or not even needing to use the sensor at all), is a piece of cake for hackers. Therefore, it is certainly possible to bypass this security completely and turn doctors' offices into prescription writing bots for criminals seeking drugs.

The future of biometrics in healthcare
There are answers to the above problems, and there are companies that are building the frameworks for tomorrow. In time, these implementations will take hold, and there will be a large decrease in fraud and identity theft. By leveraging biometric data in the correct way to accurately match the medical record to the patient, organizations can eliminate the possibility of fraudsters accessing confidential data with stolen employee cards or passwords, protecting data from cybercriminals.

In addition to decreasing fraud risks, secure and correct implementations of biometrics and biometric authentication protocols could provide a convenient method to verify patient identification for both patients and workers. For example, a patient can enroll in a biometric identification solution at the reception desk by proving their identity using trusted credentials. Once enrolled, the patient's identity can be verified at each stage of their treatment to ensure that the correct person received their treatment, and can also be extended once the patient is home. For healthcare workers, biometrics can be used to ensure that those who are only authorized are allowed to enter certain restricted areas, prescribe drugs or perform medical procedures, vastly improving accountability

While it is important for the healthcare industry to proceed with caution when it comes to biometrics, the future is bright if a thoughtful approach to both the risks and rewards are undertaken.

John Callahan, CTO, Veridium

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

© Copyright ASC COMMUNICATIONS 2021. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.