Biometrics & HIPAA

Jun 1, 2006 12:00 PM, By Mark Seelenbacher



Several years ago, the information technology community was abuzz with a new catchphrase, “HIPAA compliance,” which sent many information technology professionals in health care and government into a frenzy. No longer could IT professionals in these fields create their own policy on how information is handled; they now had federal laws to comply with, and they had a deadline. This served as both a blessing and a curse, because as anyone who has worked in public sector IT can attest, making policy and getting funding can be an uphill battle.

With the Health Insurance Portability and Accountability Act (HIPAA) of 1996, elected officials had no choice but to create or change policy and provide funding for hardware and software to aid in compliance — or face the consequences.

A new age of health care

The term “doctor-patient privilege” was a practical concept when medical records were kept in paper files. One could rest assured that only their doctor and nurse had access to one's medical history. Several factors have made this concept more abstract today, not the least of which is the fact that the family doctor is, in essence, a dying breed. More and more people go to larger health conglomerates or HMOs, where their information could be shared with any number of doctors, nurses, accounting staff, etc. The dawn of the digital age has led to the computerization of hospitals, government offices and other medical-related businesses, which makes the sharing of information much easier.

With so many medical records being stored and transmitted electronically, however, the assurance of doctor-patient confidentiality comes into question. Laws governing the use and disclosure of private health information (PHI), if they existed, varied among different states, and there was no standardization by which medical professionals were held accountable for the mishandling of such information. HIPAA changed everything.

The U.S. government saw the need to standardize how medical records were handled both physically and electronically. HIPAA, quite possibly the largest piece of legislation dealing with medical information since the Medicare Act of 1965, became Public Law 104-191 on August 21, 1996. The act, initially written as a means to ensure continued coverage for individuals who lose or change their jobs, contains many provisions on how health information is to be maintained and transmitted. It has two main parts, although the act was written in five parts or titles: Title I — Health Care Access, Portability, and Renewability; Title II — Preventing Health Care Fraud and Abuse; Title III — Tax-Related Health Provisions; Title IV — Application and Enforcement of Group Health Plan; and Title V — Revenue Offsets. Titles I and III-V are of little concern to information technology professionals, but Title II sets the standard for how medical data is to be handled. All related entities affected by HIPAA were given the date April 14, 2003, by which they must comply with the privacy rules and April 14, 2005, by which they must comply with the security rules.

A complicated task

On the surface, it does not seem that much needs to be done to ensure the security and privacy of data in the workplace. As with many things, however, outward appearances can be deceiving. As the privacy deadline loomed, many organizations, including county health departments, departments of social service and state health and human services departments, set up HIPAA compliance committees to make sure that they would not be in breach of the new law. It was then that the many facets of health information privacy and security came to light.

It was not just a matter of securing terminals and encrypting e-mail. There needed to be strict access control to any secured data, and security had to be put in place to make sure that unauthorized persons were not wandering aimlessly in areas where the data is accessible. Office furniture had to be rearranged so no passers-by could glance at private information that might be on a computer screen. Phone systems containing confidential voice mails had to be secured. Even manufacturers who made medical record software had to ensure that their programs were HIPAA compliant. Every aspect of the data infrastructure in affected organizations had to be re-assessed and new policies and procedures had to be developed. To ensure the privacy of protected records, the privacy rules outlined by HIPAA include the appointment of a privacy officer for any healthcare organization. The privacy officer is tasked with the responsibility of ensuring that only those who need protected healthcare information have access to it.

Government offices such as health departments, social service departments and emergency response deal with medical information; therefore, they have to deal with HIPAA compliance. Unlike hospitals, government offices are not self-contained health organizations, but rather provide a variety of services that often have nothing to do with healthcare. For example, while Social Services handles Medicaid, they also handle food stamps, welfare, child protection services and other responsibilities. For this reason, state and local governments are unique in their application of HIPAA compliance policies. A county finance office handles accounts receivable and accounts payable for all departments which include tax, information technology and purchasing as well as health and social service departments. Consequently, connectivity among the various departments in government to allow for this exchange of information may inadvertently provide a back door to data that may be protected under HIPAA. So complying with HIPAA is very much a multi-faceted endeavor with a range of issues to be considered.

Access control key to compliance

In order to tackle all of these issues, most organizations have created a compliance policy based on prioritization of privacy and security. For example, while a back door may exist into a system containing private health information, a bigger threat to privacy might be physical plant security. A firewall can close a back door, but it will not make the data any more secure if the front door is left wide open. It is for this reason that physical security plays the largest role in HIPAA compliance policies. Rules and regulations must be established as to how data is accessed and by whom. If there are unauthorized visitors to an area with protected data, they should be accompanied by an authorized person at all times.

Locked doors will deny access to protected areas from unauthorized persons, but the authentication process must be scrutinized carefully. The problem with physical access is designing a system that is secure, non-intrusive, and low-risk in terms of breaching security. Whether mechanical locks or electronic locks are used, every method has its advantages and disadvantages. The advantages of mechanical locks are simply ease of use and low cost. Everybody knows how to use a key, and there is no need to buy expensive equipment. Of course, the disadvantages are far greater in terms of security. There is no way to ensure that a key will not be copied, and mechanical locks can be breached with relative ease.

Electronic locking mechanisms are far more advantageous because they can allow for central management. But even there, organizations have the choice of keypads, magnetic card keys, proximity sensors, and a range of other technologies. Keypads are good for lower-security needs, but the risk of “shoulder surfing,” in which an unauthorized person steals the code, precludes them from being used in higher-security situations. Card keys can be lost, and in larger organizations, an unauthorized user can easily slip in with a stolen or lost card without being challenged. To answer the call, some government organizations have implemented biometric authentication systems for physical and network security. While two-factor authentication can greatly enhance security, the use of biometric systems can increase security even more when implemented as one of the factors.

Biometrics and access control

Biometric systems employ sensors to extract physical features from users and attempt to match those features against information stored in a database. There are a variety of features that can be used for biometric identification, such as irises and retinas, voice patterns, facial recognition and, of course, fingerprints. Retinal scanning, while very dramatic and great for use in movies, has fallen out of favor with IT security professionals not only because of the cost, but also because of its intrusiveness. A retinal scanner uses a low-intensity light to scan an individual's eye and extract the unique features of their retina. For a typical retina scan, a person must be within a few inches of the scanner and hold still for 10-15 seconds for the scan to complete — far too intrusive for most applications. Iris scanners offer several benefits: irises are as unique as fingerprints, and iris features can be extracted by using a camera at a distance of about 18 inches. This, coupled with the fact that a person does not need to stay still for 15 seconds, makes the iris scanner more favorable than a retinal scanner.

No matter what biometric method is used, there are two types of errors made by biometric systems. A false accept is when two biometric measurements taken from different people are interpreted as coming from the same person. A false reject is when two measurements taken from the same person are interpreted as measurements taken from two different people. The accuracy of biometric systems can vary depending on the types of biometric characteristics being measured.

In terms of HIPAA compliance, a low false accept rate is crucial and a low false reject rate can be viewed as more of a convenience issue. It would be much more tragic to let an unauthorized person into a secure area than not to allow an authorized person in. Even so, if a false reject rate gets too high, it becomes an impractical system to employ. Poor lighting conditions could present problems for facial recognition, and ambient noise could affect voice recognition — certainly something to consider when designing and implementing biometric security systems.
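The trade-off between the two error types, shown as an added example that is not part of the original article: the Python sketch below picks the lowest match threshold that keeps the false accept rate (FAR) under a cap and reports the false reject rate (FRR) that follows. It assumes the biometric system produces a similarity score that is compared against a threshold; the scores, function names and FAR caps are constructed for illustration.

```python
# Added example: all scores below are constructed, not measurements from the article.
# Assumption: the matcher returns a similarity in [0, 1]; higher means "more alike".
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.85, 0.60, 0.93, 0.79, 0.97, 0.83]   # same person
IMPOSTOR = [0.12, 0.35, 0.41, 0.66, 0.28, 0.09, 0.52, 0.74, 0.31, 0.18]  # different people


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when a comparison is accepted if score >= threshold."""
    if not genuine or not impostor:
        raise ValueError("need at least one genuine and one impostor score")
    # False accept: an impostor comparison scores at or above the threshold.
    far = sum(s >= threshold for s in impostor) / len(impostor)
    # False reject: a genuine comparison scores below the threshold.
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def pick_threshold(genuine, impostor, max_far):
    """Return (threshold, FAR, FRR) for the lowest threshold with FAR <= max_far.

    Raising the threshold can only lower FAR and raise FRR, so the lowest
    threshold that meets the FAR cap also gives the lowest FRR under that cap.
    """
    # Error rates only change at observed scores; infinity rejects everyone.
    candidates = sorted(set(genuine) | set(impostor)) + [float("inf")]
    for t in candidates:
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr


if __name__ == "__main__":
    # Tightening the FAR cap (the security requirement) raises FRR
    # (the convenience cost paid by authorized users).
    for cap in (0.2, 0.1, 0.0):
        t, far, frr = pick_threshold(GENUINE, IMPOSTOR, cap)
        print(f"FAR cap {cap:.1f}: threshold={t:.2f} FAR={far:.1f} FRR={frr:.1f}")
```

On these constructed scores, driving FAR to zero costs a 20 percent FRR, which is the point at which a system can become impractical to employ.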

Biometric systems are not without their drawbacks. While they certainly are not fool-proof, thwarting a biometric sensor is much more involved than trying to guess a password. Some fingerprint sensors can be fooled by using commercially available graphite powder. Even though biometric authentication systems are not completely hack-proof, the complexity of tasks necessary to circumvent a biometric sensor makes it much more secure than other systems. Add to this a second layer of security by using a pass code with biometric sensors, and the system comes as close to hack-proof as possible.

Technology explosion

There are several factors that dictate how much security is needed to protect data, from world politics and natural disasters to identity theft and personal privacy. Although biometric authentication has been around for many years in various forms, it was only in the last few years that use of the technology had increased and cost had decreased enough to make its use a viable option for many organizations.

The need for stronger security models, especially in government offices, to comply with HIPAA spurred great advancements in biometric technology, making it more reliable, faster and cheaper. The anticipation of HIPAA compliance deadlines may have made it possible to enhance security in many places quickly when the need arose at the turn of the century. Biometrics have also found their way into the home, allowing many individuals to protect their own data through the use of affordable biometric-enhanced devices such as USB thumb drives, mice and other peripherals.

While there are reliable biometric systems in place today, the future of biometrics promises more reliable methods by improving on the more mature models.

New models may one day overshadow those in use today: DNA analysis, kinesiology, vein structure and thermogram inspection may be commonplace in government offices in the not-too-distant future.

ABOUT THE AUTHOR

Mark Seelenbacher is an information technology professional who has worked in the public sector for many years. He currently lives and works in North Carolina.

© 2012 Penton Media Inc.
