Altis

Box 221675
Chantilly, VA 20153
703-327-8492
Toll Free: 877-77ALTIS
Fax: 703-327-1037

Biometric Technology Background


For a detailed review of biometric technologies, their characteristics and applications, and their strengths and weaknesses, refer to the chapter "Biometrics" by Philip J. Holt in Healthcare Information Systems, Second Edition (CRC Press, ISBN 0849314984).

Access Control Approaches

The beginning of virtually any secured workflow is access control. The default logic of access control is that no one has access unless s/he is trusted and everyone else is excluded. A typical transaction, then, includes a Requestor and a Grantor. Access control technology attempts to automate the process of answering two basic questions prior to offering any kind of access:

The first question represents the task of identification. The second question represents the task of authentication. The importance of the distinction between identification and authentication will become clearer in later discussions about automating the process. In its simplest form, the generally accepted approach for arbitrating requests for access is through the use of a token and the assumption that possession of the token and authenticated identity are pretty much equivalent. The token can be concrete—something one has—or abstract—something one knows. Requesting access with a token is an example of single-factor security: if the requestor has the token, access is granted. A house key and a secret password are two common examples of tokens that are used in a single-factor scenario.

Unfortunately, a lost or stolen token will compromise single-factor security. Anyone with a house key can enter that house. Once a password isn't secret, anyone can use it. What compromises this type of security is its anonymity—a lack of real authentication allows virtually anyone possessing the token to use it. The most common solution to this problem is to use two tokens in a combination of something one has and something one knows. This is a two-factor scenario.

Two-factor security is more resistant to compromise. ATM cards are probably the most common two-factor security scheme in use today. With the card (something you have) to identify you and the PIN (something you know) to authenticate you, you can access your bank account from pretty much anywhere in the world. Since this only works when the requestor has both factors, the security is considered strong enough to support widespread consumer use.

The strength of this approach, however, is also its key weakness—neither token is any good without the other. A lost ATM card is useless to the person who finds it—good for the owner. It is also useless to the owner because the PIN by itself is useless. So a two-factor scheme works well as long as the requestor has both tokens. There are circumstances where an unauthorized third party could gain access to both tokens, but they tend to be rare enough exceptions to be considered acceptable risk.

Because of the requirement that requestors carry a physical token, traditional two-factor schemes require considerable operational infrastructure to create and issue cards and PINs as well as install and maintain electro-mechanical card readers. The approach remains practical to the extent that people only carry one or very few of these cards.

Changing Requirements

The goal of most security schemes is to reduce the risk of loss or theft to real (physical) and intangible (intellectual) property. Loss can include not only the physical loss of data but also logical loss where data is stored in the wrong place. For example, a credit card transaction inadvertently assigned to the wrong account is a type of data corruption that is the insidious equivalent of outright loss. Healthcare has grown particularly data-intensive, yet the improvements to security infrastructure surrounding applications have been limited.

Confronting several technical frontiers at a time, vendors of healthcare application software struggle to keep up with the requirements of a data-driven market. Where an application depends on the flow of transactional data about people—it could be financial or clinical data—reconciling the records authoritatively is essential to mining any useful information about the relationship between clinical actions, their costs, and their outcomes from the data. Eliminating duplicate identifiers for the same individual and preventing transactions from becoming associated with the wrong individual are basic application challenges for designers of security infrastructure.

Biometric Technology

Technology is emerging that allows the use of biometric techniques to identify and authenticate individuals more authoritatively than has been practical in the past. Biometrics defined broadly is the scientific discipline of observing and measuring relevant attributes of living individuals or populations to identify active properties or unique characteristics. Biometrics can look for patterns of change by measuring attributes over time or look for consistency by measuring attributes of identity or unique differentiation. When looking for patterns of change, biometric technology can be considered a tool for research, diagnosis, or even medical monitoring. When looking for consistency, biometrics become a useful vehicle for security, automating the two principal steps of access control:

Using biometric technology for security purposes, a permanent personal attribute, unique to an individual and not easily duplicated, determines privilege or access—for example, a fingerprint, signature, iris, or voice pattern. Conceptually, a personal characteristic is yet another form of token, but it offers some unique advantages:

Since biometric identification/authentication can be quite authoritative, virtually no anonymity is possible in the transaction—each individual becomes self-authenticating, especially in a two-factor scenario. The approach is not without limitations, however. Casual observation of the incredible variety of human forms and attributes might seem to reveal a large number of potential attributes for biometric identification. Good biometric identifiers, however, share several characteristics that make them useful and reliable for recognition and identification applications:

Characteristic: Description

Universal: Everyone must have the attribute. The attribute must be one that is universal and seldom lost to accident or disease.

Consistent: The attribute must not change significantly over time. The attribute should not be subject to significant differences based on age or on either episodic or chronic disease. Voice is a consistent measure assuming consistent health, but can vary considerably with colds and sinus conditions. The iris of the eye changes measurably between birth and adolescence. Retinas and fingerprints change very little over a lifetime.

Unique: Each expression of the attribute must be unique to the individual. Height, weight, hair and eye color are all attributes that are unique assuming a particularly precise measure, but do not offer enough points of differentiation to be useful for more than categorizing.

Permanent: The attribute must be inseparable from the individual. The attribute must be integral and not viable for identification if removed.

Inimitable: The attribute must be irreproducible by other means. A recording of a voice could be separated from an individual, just as an image of his or her face could. The less reproducible the attribute, the more likely it will be authoritative.

Collectible: It must be easy to gather the attribute data passively. If a patient is unconscious, voice recognition would not be useful. If a patient is not particularly cooperative, fingerprint recognition or hand geometry would present limitations.

Tamper-resistant: The attribute should be impractical to mask or manipulate. Fingerprints cannot be changed and hiding them is difficult, whereas faces can be masked or made up.

Comparable: It must be possible to reduce the attribute to a state that makes it digitally comparable to others. The less probabilistic the matching involved, the more authoritative the identification.
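The two access-control steps discussed above, identification (a one-to-many search) and authentication (a one-to-one check), are sketched below as an added example that is not part of the original page. The 16-bit templates, the names, the Hamming-distance comparison and the threshold values are all constructed assumptions; the sketch shows how a looser match threshold makes the result less authoritative.

```python
# Constructed 16-bit "templates" standing in for digitized biometric attributes.
# Real templates are far larger; names and values here are illustrative only.
ENROLLED = {
    "alice": 0b1011001110001101,
    "bob":   0b0110110001011010,
    "carol": 0b1011110010101101,
}

# A fresh reading from alice's attribute with two bits of sensor noise (constructed).
SAMPLE = 0b1011001110101100

THRESHOLD = 3  # assumed: maximum differing bits still treated as the same person


def distance(a: int, b: int) -> int:
    """Hamming distance: number of bit positions in which two templates differ."""
    return bin(a ^ b).count("1")


def authenticate(claimed_id: str, sample: int, threshold: int = THRESHOLD) -> bool:
    """One-to-one check: is the requestor really the identity being claimed?"""
    template = ENROLLED.get(claimed_id)
    return template is not None and distance(template, sample) <= threshold


def identify(sample: int, threshold: int = THRESHOLD) -> list:
    """One-to-many search: which enrolled identities could the requestor be?

    Returns candidate names ordered from closest to farthest match. More than
    one candidate means the match is ambiguous and not authoritative.
    """
    scored = sorted((distance(t, sample), name) for name, t in ENROLLED.items())
    return [name for d, name in scored if d <= threshold]


if __name__ == "__main__":
    print("identify, tight threshold:", identify(SAMPLE))
    print("identify, loose threshold:", identify(SAMPLE, threshold=5))
    print("alice claim accepted:", authenticate("alice", SAMPLE))
    print("carol claim accepted:", authenticate("carol", SAMPLE))
    print("carol claim, loose threshold:", authenticate("carol", SAMPLE, threshold=5))
```

With the loose threshold the same sample is accepted for a second enrolled person, which is the false-accept risk that probabilistic matching introduces.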

