Biometric Authentication: Medical Center Use of Vein Scan Raises Questions
Biometric authentication is becoming more commonplace in medical centers, financial companies and even the local gym. It is seen as a way to reduce fraud because it authenticates identity by way of a person's physical characteristic, like a fingerprint or palm vein pattern, as opposed to something the person has or knows, like a security token or a password. But when Natasha Singer, a journalist with the New York Times, went to see a doctor at New York University Langone Medical Center and was asked to submit a palm scan for her file, she questioned the need to give them more personal information about herself beyond what they already had. The medical center had recently adopted what it describes as a two-factor identification system, adding a photo and a palm scan to patient records. Strictly, a photo and a palm scan are both "something you are," so this is two biometric modalities rather than two distinct factor types.
For midsize businesses, the security and privacy concerns related to biometrics are many, including how employee or customer biometric data will be stored so that it is secure (unlike a password, a compromised biometric cannot be reissued), how the data will be used, and who will have access to it. While the matching technology itself may be hard to fool, the New York Times article cites Pam Dixon, director of the World Privacy Forum, describing how the medical center's system could be defeated at enrollment rather than at the scanner: an impostor presents a forged ID in the name of a real patient who has not yet been enrolled, and the impostor's own photo and palm scan are bound to that patient's record. From then on the impostor's palm matches the file and the real patient's does not, so the real patient would be refused access to the medical center's services because their biometric information would not match the false data stored in the system. The weak point is the step that binds a biometric to an identity on first use. Dixon is quoted as saying, "Hospitals that are doing this are leaping over profound security issues that they are actually introducing into their systems."
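The enrollment weakness Dixon describes is easy to see in code. The following simulation is an added example and is not code from the article, the New York Times, or NYU Langone: palm templates are modelled as opaque strings compared exactly (a real palm-vein matcher returns a similarity score), and the patient IDs, names and the "identity proofing" policy are hypothetical. The `enroll_at_check_in=True` desk reproduces the trust-on-first-use design, where the first person to show a plausible ID gets their palm bound to the record; the hardened desk never enrolls at check-in, requires a separate, audited identity-proofing step before a template can be bound, and escalates a mismatch to manual review instead of silently turning the patient away. It does not make forged IDs impossible; it only moves the trust decision into an explicit step that can be audited.

```python
"""Simulation of the biometric enrollment-hijack described in the article.

Added example, not the medical center's system. Templates are opaque
strings; patient records, names and the proofing policy are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import hmac


@dataclass
class PatientRecord:
    """One patient file. The palm template is None until enrollment."""
    patient_id: str
    name: str
    template: Optional[str] = None
    proofed: bool = False  # set only by the separate identity-proofing step


class CheckInDesk:
    """Front-desk model. enroll_at_check_in=True is the weak design Dixon
    describes; False is the hardened variant (an assumed policy)."""

    def __init__(self, enroll_at_check_in: bool) -> None:
        self.enroll_at_check_in = enroll_at_check_in
        self.records: Dict[str, PatientRecord] = {}
        self.audit: List[str] = []

    def add_patient(self, patient_id: str, name: str) -> None:
        self.records[patient_id] = PatientRecord(patient_id, name)

    def identity_proofing(self, patient_id: str, registrar_confirmed: bool) -> bool:
        """Separate enrollment ceremony (hypothetical policy): a registrar
        verifies the person against the existing record and only then may a
        template be bound. This step is never reachable from check_in()."""
        rec = self.records[patient_id]
        if rec.template is not None or not registrar_confirmed:
            self.audit.append(f"proofing refused for {patient_id}")
            return False
        rec.proofed = True
        self.audit.append(f"proofing completed for {patient_id}")
        return True

    def enroll(self, patient_id: str, live_template: str) -> str:
        """Bind a template only to a proofed, not-yet-enrolled record."""
        rec = self.records[patient_id]
        if rec.template is not None:
            return "already_enrolled"
        if not rec.proofed:
            self.audit.append(f"enrollment refused for {patient_id}")
            return "enrollment_refused"
        rec.template = live_template
        return "enrolled"

    def check_in(self, patient_id: str, id_card_looks_valid: bool, live_template: str) -> str:
        rec = self.records.get(patient_id)
        if rec is None:
            return "unknown_patient"
        if rec.template is None:
            if self.enroll_at_check_in and id_card_looks_valid:
                rec.template = live_template  # binds whoever shows up first
                return "enrolled_at_check_in"
            return "enrollment_refused"  # hardened: go through proofing first
        if hmac.compare_digest(rec.template.encode(), live_template.encode()):
            return "match"
        # Weak design turns the mismatching person away; the hardened design
        # sends the case to a human instead of deciding on the biometric alone.
        return "denied" if self.enroll_at_check_in else "escalate"


def run_scenario() -> Dict[str, str]:
    """Replay the attack against both designs with constructed data."""
    out: Dict[str, str] = {}
    weak = CheckInDesk(enroll_at_check_in=True)
    weak.add_patient("P-1001", "Jane Doe")  # constructed record
    out["weak_imposter"] = weak.check_in("P-1001", True, "PALM-IMPOSTER")
    out["weak_victim"] = weak.check_in("P-1001", True, "PALM-JANE")
    out["weak_imposter_return"] = weak.check_in("P-1001", True, "PALM-IMPOSTER")

    hard = CheckInDesk(enroll_at_check_in=False)
    hard.add_patient("P-1001", "Jane Doe")
    out["hard_imposter"] = hard.check_in("P-1001", True, "PALM-IMPOSTER")
    out["hard_imposter_enroll"] = hard.enroll("P-1001", "PALM-IMPOSTER")
    hard.identity_proofing("P-1001", registrar_confirmed=True)
    out["hard_victim_enroll"] = hard.enroll("P-1001", "PALM-JANE")
    out["hard_victim"] = hard.check_in("P-1001", True, "PALM-JANE")
    out["hard_imposter_later"] = hard.check_in("P-1001", True, "PALM-IMPOSTER")
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

In the weak run the impostor is enrolled on the first visit and the real patient is then denied; in the hardened run the impostor is refused at both check-in and enrollment because no proofing event exists, and after the real patient has been proofed and enrolled, the impostor's later attempt is escalated rather than accepted or silently dropped.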
The takeaway for midsize businesses is that it is not enough to simply choose the biometric method that seems to work best or is the furthest developed; the starting point is an understanding of the business requirements for a biometric system. As part of this effort, midsize IT must examine the security issues it would face if it implemented such a system, above all how identities are verified before a biometric is bound to a record, and must nail down functional requirements for acquiring, storing, and using the biometric data so that security risks are not inadvertently introduced or perpetuated as time goes on.
Another factor that makes many leery of the expanded use of biometrics for authentication is scope creep as the business grows. For example, should employees be notified when a new system comes online that uses their already-enrolled biometrics for access control simply because it is convenient, and not because the new system needs highly secure and controlled access?
Biometrics can be a strong authentication factor, but it is important for IT to work with business management to ensure that technology choices match business policy, enterprise security, and user privacy. It is just as important to inform and train users on why biometric authentication is being implemented and how their privacy will be maintained.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.