- Email: [email protected]
A bill of health for biometrics?
Healthcare Survey:
A bill of health for biometrics? Few industries have such a need to promote privacy, fight fraud and cut costs at so many different levels as the healthcare market. Yet despite readily available biometric solutions on offer to combat these issues, Btt reveals this potentially lucrative sector is not yet yielding returns. by Wendy Atkins Biometrics have not yet made a great impact in the worldwide healthcare market. But as the pressure increases on healthcare providers to cut fraud, improve physical and digital security and reduce costs, the technology is now finding itself firmly on the industry’s agenda. Biometric system providers claim their systems are ready to be deployed to help with all these issues. They point to examples, such as controlling access to maternity units or drugs and authentication of health insurance claimants, where biometrics have already successfully made their mark Biometric suppliers also claim that their technologies can save time and money. Password based systems, for example, create a major headache for system administrators in hospitals. As Derek McDermott, managing director of UKbased Informer Systems told Btt: “Within the UK’s National Health Service, where passwords are changed every 30 days, time management of passwords is a costly business. Fifty percent of calls to Britain’s NHS helpdesks are about forgotten passwords. This has been assessed by one UK Health Authority to represent a cost of £110£130 per user. In terms of justifying the use of biometrics – which would obviously reduce the need for passwords – this cost provides adequate justification.”
Access granted The demands of a modern healthcare system are complex. One important factor is for a doctor or specialist to know exactly who has looked at a patient’s notes and at what time. The system must also be able to cope with different levels of access. For example, a physician may have access to read and amend a patient’s records, while a hospital administrator may only have the authority to access documents in a ‘read only’ state. To complicate things, the ubiquity of personal digital assistants (PDAs), laptops and mobile carts has increased the chances of security being compromised. Because these products can easily fall into unauthorised hands, it is important that
their means of electronic identification are stored elsewhere. Clearly, biometrics could serve as a useful platform to address all of these security, privacy and cost issues. However, it does face stiff competition from more well-known authentication techniques, such as encryption. One industry insider, however, believes that people are confusing the issue: “Many people still erroneously confuse encryption with security and privacy. Encryption does a very specific job, but it does not protect against improper use of crypto keys. Encryption does not guarantee that the person putting medical information into an information system is a qualified and authorised medical practitioner. Neither does it guarantee that only an authorised person has had access to that medical information.”
Education essential While there is a lot of effort from some companies in promoting their products, many within the biometrics industry believe that the healthcare sector is still slow in adopting new forms of biometric technology. According to Hal Jennings, VP marketing support at Biometric Access Corporation (BAC): “There is still a lack of customer awareness and market readiness. Although healthcare people are expressing interest, it has taken time for the industry to understand what is both available and achievable. The decision making process is slow.” It is strongly felt by many within the biometrics industry that more education needs to take place to demonstrate to healthcare practitioners what biometrics can do for their organisation. As McDermott points outs: “One of the key problems is that people still think the technology is coming. They don’t realise that it is already here.” This education needs to take place at a number of levels. One respondent explained: “At the basic level, even now, we need to get beyond science fiction. Beyond that, more information on hardware, software and digital signatures needs to be given.”
ISSN 0969-4 4765 /00/$20.00 © 2000 Elsevier Science Ltd. All rights reserved
8 • Btt October 2000
Healthcare news A report in the New York Times on 30 August 2000 revealed that a study by New York State three years ago found that changes to welfare had made finger imaging for Medicaid largely superfluous from the outset. However, the state failed to make the study public and has since called it outdated and flawed. Paul J Sticha, an expert who has recently reviewed such programmes nationally for the US federal government, said: "Had the report been made public, other states that adopted such programs might have reconsidered."
Healthcare Growing pains
HIPAA hooray
One area which has been successful in catching the attention of healthcare providers is card technology. Many patients throughout the world need the ability to store and carry personal health information with them. Additionally, in parts of Latin America and Africa, they have been used to significantly combat fraud. Such technology can, of course, be secured using biometrics. Most recently, a smart card-based treatment scheme for Parkinson’s Disease patients was launched by HSB in the Netherlands (Btt July/Aug ’00, p3). The initial deployment of 200 cards began in July and contained an on-card fingerprint sensor from Infineon Technologies. Biometric technology was chosen to secure the card because of the nature of Parkinson’s Disease which can prevent patients from physically entering their PIN codes to unlock information. Apart from this type of collaboration, however, there are only a select number of examples of biometrics in action within this sector (see Box) and the biometrics industry still needs to work toward creating a strong unified message. New legislation and technology could see the healthcare market embracing biometrics more fully in the next couple of years. The presence of biometrics companies at healthcare technology conferences is also putting the notion of biometrics into the heads of healthcare decision makers. The next step is to convert that knowledge into the action of investing in biometric products and solutions. At present, the healthcare industry seems to be undertaking a general shift from knowledge-based tokens (passwords) to hardware such as proximity tags. The leap from hardware to biometrics should provide the third step in this process. However, biometrics remains beyond the reach of those running large old complex networks. The opportunity to include biometrics will come when such systems undergo a major overhaul.
Up until the beginning of this year, Y2K was a major preoccupier for most healthcare practitioners. Since January, many biometrics companies have reported an increase in the number of contacts from prospective customers, especially from within the healthcare sector. According to Grant Evans, executive vice president, Securities ITrust division at Identix: “The market is currently being driven by the new HIPAA legislation, questions regarding access to information and the dawn of mobile technology. All of these issues add up to the need to address security concerns introduced by an acceleration of information.” As the people involved in nursing their systems into the twenty-first century are usually the same people involved in handling the security concerns of HIPAA, it is hardly surprising that there has been a growth in interest from healthcare providers. Although the healthcare market has been quite stagnant in terms of its market share during the past 12 months, many biometrics vendors are upbeat about the future. HIPAA, it seems, is putting security and privacy technology back onto the agenda (see HIPAA – a healthy act?). While biometrics may not be the first port of call for many healthcare practitioners, it is at least being recognised. In order to become mainstream, biometrics will have to be packaged with other technologies, such as digital signatures, databases and medical information. John Soltesz, CEO of Zerco told Btt: “The market will be big for those who can clearly deliver a complete solution.” With important case studies coming to light and companies able to draw on a growing point of reference for their technology, biometrics will continue to develop its credibility within the healthcare industry. Internationally, the healthcare market has the potential to provide a solid platform for the biometrics community; this is underpinned by the impetus for biometric solutions being provided by HIPAA in the USA.
A Selection of Healthcare Case Studies Airedale NHS Trust Airedale NHS Trust in the north east of England implemented SentriNet from Informer Systems Limited (ISL) in June 2000. The product, which is operated as a network fingerprint logon system, has been implemented at Airedale’s on-site library. SentriNet eliminates the need for a third party server by being integrated directly into Novell’s directory service, which is transparent to the user. Airedale’s library uses client-server based PCs to provide services such as internet access and medical databases. The Trust says that it required a system that would authenticate the user beyond any doubt in order to monitor PC usage over any period of time in the library. Biometric technology was chosen because: the probability of forgotten usernames and passwords was too high; users were often willing to share their username/password; and there was always a chance that a username and password could be guessed by an impostor. The Trust reports that following implementation, a number of unauthorised internet users were discovered. Currently, 10 client licenses are in operation. WEN Extended Care Facilities Management Corp Recognition Systems’ hand geometry product HandPunch has been adopted by WEN Extended Care Facilities Management Corp for
measuring time and attendance of staff at a number of their US nursing homes. Automated Time Concepts installed the first machines at Wen Extended Care in July 1998. Since then, implementation has been extended to include 14 units in three nursing homes. Currently 1,300 people are enrolled into the system. The readers are ‘daisy chained’ within each location, so only one modem is required per site. Lourdes Hospital, Kentucky Fingerprint biometrics are being used at Lourdes Hospital in Kentucky, USA, for the purposes of patient registration and identification. Lourdes’ IDLink was created from NEC’s HealthID system and was launched during the third quarter of 1999. Under the new system, a non-registered patient entering the healthcare centre,places their finger on a scanner and the resulting image is stored and used on future visits to positively identify that patient before retrieving his/her records. Patients from remote locations have been pre-registered to the system. During this pre-registration phase, important patient information has been added to the records.
Btt October 2000 • 9
Healthcare HIPAA – a healthy act? A big distraction for providers to the US healthcare market this year has been the Health Insurance Portability and Accountability Act 1996 (HIPAA). Surrounded by a degree of ambiguity, HIPAA, also known as the Kennedy Kassebaum bill, is set to introduce widespread changes to people involved in the provision and delivery of healthcare throughout the United States. The driving force behind the HIPAA act has been the need for more efficiency, better value for money, and better access to information and research information. Internet transmission has enabled healthcare providers to speed up processes, while at the same time allowing physicians to tap into a much broader network of information, collate data on clusters of illness and epidemics etc. Increased internet transmissions, however, have introduced more questions related to security and privacy. The desire to achieve a cost-effective, efficient solution has led to a need for standardisation of the ability to exchange information between the health provider chains. Following on from the need to standardise information exchange, has come a requirement to cover issues of privacy and security. The HIPAA act has created three types of standard: privacy, security and administrative simplification. Privacy and security standards are intended to protect privacy and confidentiality of individually identifiable health information. Issues relating to privacy in this context determine who should have access to a patient’s records, while security answers how these records should be protected. The security standards are applicable to all those involved in healthcare provision including claims clearinghouses, health plans, employers and healthcare providers. The security standard contains four categories of requirement: • Administrative Procedures; • Physical safeguards – computer systems and buildings, for example, must be protected from intrusion and other threats. This includes use of locks, keys and administrative measures designed to control access to computer systems and facilities; • Technical data security services – protect, control and monitor information access; • Technical security mechanisms – prevent unauthorised access to data transmitted over a communications network. All standards under the HIPAA act come into force within 24 months after the date of the final rule (or 36 months for small health plans). Once the legislation has become effective, civil and criminal penalties for ‘knowingly’ disclosing individually identifiable health information will range from US$50,000 – US$250,000 in fines and up to 10 years in prison.
10 • Btt October 2000
The Health Care Financing Administration (HCFA), which is part of the Department of Health and Human Services, has responsibility for implementing the Administrative Simplification requirements through notice and comment rulemaking. HCFA’s requirements are categorised as follows: technical security services and technical mechanisms, confidentiality and availability. Added together, these requirements make up a comprehensive security approach. These requirements are expected to be addressed by a combination of media controls, physical access controls, policy guidelines, audit controls, authentication, authorisation control, cryptography, unique user identification, communication network controls and digital signatures. Many people interviewed by Btt, believe that HIPAA’s requirements are very vague and uncertain. “It requires that at least one biometric form of authentication be used, but doesn’t specify exactly what qualifies as a biometric, nor what acceptable error rates are,” commented Brad Clements, VP engineering, CTO Voice Security Systems. Although some people within the biometrics industry believe that the privacy and security standards of HIPAA are something of an after-thought, it nevertheless represents a clear opportunity for biometric technology to develop its presence within the healthcare market. The decision taken by companies such as Resource Information Management Systems (RIMS) to appoint a dedicated HIPAA project manager to ensure clients meet compliance deadlines, highlights how seriously some biometrics companies are taking the new regulations. Rick Norton, executive director of the International Biometric Industry Association (IBIA), told Btt: “HIPAA will provide the biometrics industry with a major opportunity. The biometrics industry is ready to go – some companies have been built specifically around the HIPAA opportunity.” “HIPAA is very relevant to the biometrics community,” agrees Quoc Do, product manager, HealthCare Products at Veridicom. “The legislation calls for the use of secure email, rather than fax. PKI provides security, but because a private key resides on a PC, we still can’t be sure that a person accessing an email is who they say they are. We are always left with the question ‘Is it the right doctor?’. Biometrics removes that element of doubt.” With two years until the date of compliance, it is widely believed that HIPAA will have far reaching implications. A Gartner Group study concluded that HIPAA would cost healthcare organisations three times as much as Y2K preparations. Like Y2K, many within the biometrics industry believe that healthcare providers will only begin to show interest in developing their networks to achieve HIPAA goals once the deadline for compliance is more within sight.
Healthcare As a leading-edge industry, the US healthcare market has the need, money and staff to introduce and implement the use of new technology. Over the next two years, it remains to be seen whether that drive for new
technology includes a widespread embracing of biometrics. Wendy Atkins is a freelance journalist. She can be contacted at Ubiquitous Media, tel/fax: +44 1984 623127, email: [email protected]
A Selection of Healthcare Products Incorporating Biometrics BSi2000 MedSAFE 2000 is an optical card which holds full clinical insurance eligibility, claims/payment information, details of allergies, drug regimes, comments, standard treatment guidelines, statistics and physician outcomes. The system was expected to be launched during the third quarter 1999 using fingerprint or signature technology at the Western Medical Center, Colorado, USA.
CitX Citx recently announced that it will integrate Iriscan technology into its solutions for specific vertical markets. The first system to be tested will be developed for the healthcare industry through CitX’s affiliated company IntraMedX . The technology will be used to establish the validity of user identities, credentials and to grant access to different classes of information.
Conduit Healthcare Solutions Conduit Healthcare Solutions is a division of Leapfrog Smart Products and combines fingerprint technology within its range of healthcare solutions. In March 2000, the company announced that 33 smart card readers using fingerprint biometrics would be deployed across the Munroe Regional Health System.
Hamilton Scientific Hamilton Scientific has adopted WhoIsIt? fingerprint biometric identification technology by QVoice for use with its myPatientCHARTS.com system. The technology will be used to verify the identity of healthcare professionals and patients to ensure that access to the electronic medical record system is granted only to authorised individuals. myPatientCHARTS.com is an internet application that facilitates the documentation and real-time sharing of patient information among multiple users in remote locations.
HSB Cards and Card Systems HSB Cards and Card Systems in the Netherlands has integrated Infineon’s FingerTIP sensor onto a smart card to produce a CardCare Management System as a central system with verification and issuing applications. It is designed to carry medical records, be a key to information over the internet and provide authorisation for applications.
Informer Systems (ISL) ISL has implemented a number of IT solutions in the UK healthcare sector. The company’s solutions include SentriNET technology and SecurDial client authentication software. With SentriNET, fingerprint templates created at
enrolment are stored either as a database record or on the server (NT SAM) in the Directory as part of the user’s record (Novell NDS or Win 2000 ADS) or on a smart card. SecurDial client authentication software uses smart cards and fingerprint authentication using a Cherry keyboard with a built-in card reader and fingerprint scanner. It is suitable for Windows 95, 98 and NT. Users can dial up centrally held resources once their identity has been verified using a choice of smart cards together with fingerprint recognition.
NEC Technologies IDLink has been designed to provide positive patient identification, speed up the admissions process and eliminate duplicate records. The product, which has been implemented at Lourdes , a full-service healthcare provider in Kentucky, USA, is based on NEC’s HealthID system. HealthID provides fingerprint access to patient records.
Presideo Presideo , previously called Integrated Visions , provides Trusted Space biometric authentication for the e-business environment. The company announced a strategic alliance with the TriZetto Group, which is a provider of internet-enabled application services and business portals for the healthcare industry. In April 2000, the company signed an agreement with HEALTHvision for the integration of Presideo’s access management, biometric authentication and nationwide physician credentialing into its internet-based solution suite.
VeriSign VeriSign launched its new range of Healthcare Trust Services in June 2000. This comprises a range of managed authentication, payment and validation services designed to meet the requirements of the e-healthcare industry. The services have been designed to support the ‘healthcare value chain’ and include portable digital certificates, support for smart cards and biometrics and risk management services.
Zerco Zerco provides optical memory cards secured with fingerprints as part of its PC-based terminal technology. The technology combines optical card reading technology and on-line PC processing for the management of complex systems which are networked over the internet for real-time consultation of records and for immediate processing of legitimate insurance payments to the point of service delivery.MARKET SURVEY CONTACTS
MARKET REVIEW CONTACTS Company Name Biometric Access Corporation BSi2000 CitX Conduit Healthcare Solutions eCryp Hamilton Scientific Healthcare System Benelus (HSB) IBIA Identix Informer Systems Limited ITT NEC Technologies Physmark Presideo Qvoice Recognition Systems Unisys (Spain) Veridicom VeriSign Voice Security Systems Zerco Systems
Contact Hal Jennings Jack Harper Bernie Roemmele Ken Clinton Tom Anderson Alex Golin Marcel Boogaard Rick Norton Grant Evans Derek McDermott Frank Smead Lee Moser Jacob Kuriyan Scott Perry Norm Hughes Tracy Timmer Ricardo Arroyo Quoc Do Lori Budin Brad Clements John Soltesz
Tel +1 512 246 3760 +1 303 231 9002 +1 215 538 3535 +1 407 838 0400 +1 310 553 2797 +1 973 618 9320 +31 348 433 080 +1 703 250 0206 +1 408 731 2188 +44 1527 571700 +1 219 451 6321 +1 703 247 8922 +1 505 897 7500 +1 561 581 7053 +1 973 786 6878 +1 408 364 6960 +34 91 721 1212 +1 408 565 6025 +1 650 961 7500 +1 949 493 4030 +1 330 448 0920
Fax +1 512 246 3768 +1 303 231 9002 +1 215 529 7599 +1 407 838 0404 +1 310 553 7169 +1 973 618 9183 +31 348 433 121 +1 408 739 3308 +44 1527 571701 +1 219 451 6126 +1 703 247 8941 +1 505 897 2030 +1 561 589 2049 +1 973 786 6131 +1 408 370 3679 +34 91 721 1281 +1 408 565 6020 +1 650 961 7300 +1 949 388 7714 +1 330 448 7900
Email [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
Btt October 2000 • 11
A bill of health for biometrics? Few industries have such a need to promote privacy, fight fraud and cut costs at so many different levels as the healthcare market. Yet despite readily available biometric solutions on offer to combat these issues, Btt reveals this potentially lucrative sector is not yet yielding returns. by Wendy Atkins Biometrics have not yet made a great impact in the worldwide healthcare market. But as the pressure increases on healthcare providers to cut fraud, improve physical and digital security and reduce costs, the technology is now finding itself firmly on the industry’s agenda. Biometric system providers claim their systems are ready to be deployed to help with all these issues. They point to examples, such as controlling access to maternity units or drugs and authentication of health insurance claimants, where biometrics have already successfully made their mark Biometric suppliers also claim that their technologies can save time and money. Password based systems, for example, create a major headache for system administrators in hospitals. As Derek McDermott, managing director of UKbased Informer Systems told Btt: “Within the UK’s National Health Service, where passwords are changed every 30 days, time management of passwords is a costly business. Fifty percent of calls to Britain’s NHS helpdesks are about forgotten passwords. This has been assessed by one UK Health Authority to represent a cost of £110£130 per user. In terms of justifying the use of biometrics – which would obviously reduce the need for passwords – this cost provides adequate justification.”
Access granted The demands of a modern healthcare system are complex. One important factor is for a doctor or specialist to know exactly who has looked at a patient’s notes and at what time. The system must also be able to cope with different levels of access. For example, a physician may have access to read and amend a patient’s records, while a hospital administrator may only have the authority to access documents in a ‘read only’ state. To complicate things, the ubiquity of personal digital assistants (PDAs), laptops and mobile carts has increased the chances of security being compromised. Because these products can easily fall into unauthorised hands, it is important that
their means of electronic identification are stored elsewhere. Clearly, biometrics could serve as a useful platform to address all of these security, privacy and cost issues. However, it does face stiff competition from more well-known authentication techniques, such as encryption. One industry insider, however, believes that people are confusing the issue: “Many people still erroneously confuse encryption with security and privacy. Encryption does a very specific job, but it does not protect against improper use of crypto keys. Encryption does not guarantee that the person putting medical information into an information system is a qualified and authorised medical practitioner. Neither does it guarantee that only an authorised person has had access to that medical information.”
Education essential While there is a lot of effort from some companies in promoting their products, many within the biometrics industry believe that the healthcare sector is still slow in adopting new forms of biometric technology. According to Hal Jennings, VP marketing support at Biometric Access Corporation (BAC): “There is still a lack of customer awareness and market readiness. Although healthcare people are expressing interest, it has taken time for the industry to understand what is both available and achievable. The decision making process is slow.” It is strongly felt by many within the biometrics industry that more education needs to take place to demonstrate to healthcare practitioners what biometrics can do for their organisation. As McDermott points outs: “One of the key problems is that people still think the technology is coming. They don’t realise that it is already here.” This education needs to take place at a number of levels. One respondent explained: “At the basic level, even now, we need to get beyond science fiction. Beyond that, more information on hardware, software and digital signatures needs to be given.”
ISSN 0969-4 4765 /00/$20.00 © 2000 Elsevier Science Ltd. All rights reserved
8 • Btt October 2000
Healthcare news A report in the New York Times on 30 August 2000 revealed that a study by New York State three years ago found that changes to welfare had made finger imaging for Medicaid largely superfluous from the outset. However, the state failed to make the study public and has since called it outdated and flawed. Paul J Sticha, an expert who has recently reviewed such programmes nationally for the US federal government, said: "Had the report been made public, other states that adopted such programs might have reconsidered."
Healthcare Growing pains
HIPAA hooray
One area which has been successful in catching the attention of healthcare providers is card technology. Many patients throughout the world need the ability to store and carry personal health information with them. Additionally, in parts of Latin America and Africa, they have been used to significantly combat fraud. Such technology can, of course, be secured using biometrics. Most recently, a smart card-based treatment scheme for Parkinson’s Disease patients was launched by HSB in the Netherlands (Btt July/Aug ’00, p3). The initial deployment of 200 cards began in July and contained an on-card fingerprint sensor from Infineon Technologies. Biometric technology was chosen to secure the card because of the nature of Parkinson’s Disease which can prevent patients from physically entering their PIN codes to unlock information. Apart from this type of collaboration, however, there are only a select number of examples of biometrics in action within this sector (see Box) and the biometrics industry still needs to work toward creating a strong unified message. New legislation and technology could see the healthcare market embracing biometrics more fully in the next couple of years. The presence of biometrics companies at healthcare technology conferences is also putting the notion of biometrics into the heads of healthcare decision makers. The next step is to convert that knowledge into the action of investing in biometric products and solutions. At present, the healthcare industry seems to be undertaking a general shift from knowledge-based tokens (passwords) to hardware such as proximity tags. The leap from hardware to biometrics should provide the third step in this process. However, biometrics remains beyond the reach of those running large old complex networks. The opportunity to include biometrics will come when such systems undergo a major overhaul.
Up until the beginning of this year, Y2K was a major preoccupier for most healthcare practitioners. Since January, many biometrics companies have reported an increase in the number of contacts from prospective customers, especially from within the healthcare sector. According to Grant Evans, executive vice president, Securities ITrust division at Identix: “The market is currently being driven by the new HIPAA legislation, questions regarding access to information and the dawn of mobile technology. All of these issues add up to the need to address security concerns introduced by an acceleration of information.” As the people involved in nursing their systems into the twenty-first century are usually the same people involved in handling the security concerns of HIPAA, it is hardly surprising that there has been a growth in interest from healthcare providers. Although the healthcare market has been quite stagnant in terms of its market share during the past 12 months, many biometrics vendors are upbeat about the future. HIPAA, it seems, is putting security and privacy technology back onto the agenda (see HIPAA – a healthy act?). While biometrics may not be the first port of call for many healthcare practitioners, it is at least being recognised. In order to become mainstream, biometrics will have to be packaged with other technologies, such as digital signatures, databases and medical information. John Soltesz, CEO of Zerco told Btt: “The market will be big for those who can clearly deliver a complete solution.” With important case studies coming to light and companies able to draw on a growing point of reference for their technology, biometrics will continue to develop its credibility within the healthcare industry. Internationally, the healthcare market has the potential to provide a solid platform for the biometrics community; this is underpinned by the impetus for biometric solutions being provided by HIPAA in the USA.
A Selection of Healthcare Case Studies Airedale NHS Trust Airedale NHS Trust in the north east of England implemented SentriNet from Informer Systems Limited (ISL) in June 2000. The product, which is operated as a network fingerprint logon system, has been implemented at Airedale’s on-site library. SentriNet eliminates the need for a third party server by being integrated directly into Novell’s directory service, which is transparent to the user. Airedale’s library uses client-server based PCs to provide services such as internet access and medical databases. The Trust says that it required a system that would authenticate the user beyond any doubt in order to monitor PC usage over any period of time in the library. Biometric technology was chosen because: the probability of forgotten usernames and passwords was too high; users were often willing to share their username/password; and there was always a chance that a username and password could be guessed by an impostor. The Trust reports that following implementation, a number of unauthorised internet users were discovered. Currently, 10 client licenses are in operation. WEN Extended Care Facilities Management Corp Recognition Systems’ hand geometry product HandPunch has been adopted by WEN Extended Care Facilities Management Corp for
measuring time and attendance of staff at a number of their US nursing homes. Automated Time Concepts installed the first machines at Wen Extended Care in July 1998. Since then, implementation has been extended to include 14 units in three nursing homes. Currently 1,300 people are enrolled into the system. The readers are ‘daisy chained’ within each location, so only one modem is required per site. Lourdes Hospital, Kentucky Fingerprint biometrics are being used at Lourdes Hospital in Kentucky, USA, for the purposes of patient registration and identification. Lourdes’ IDLink was created from NEC’s HealthID system and was launched during the third quarter of 1999. Under the new system, a non-registered patient entering the healthcare centre,places their finger on a scanner and the resulting image is stored and used on future visits to positively identify that patient before retrieving his/her records. Patients from remote locations have been pre-registered to the system. During this pre-registration phase, important patient information has been added to the records.
Btt October 2000 • 9
Healthcare HIPAA – a healthy act? A big distraction for providers to the US healthcare market this year has been the Health Insurance Portability and Accountability Act 1996 (HIPAA). Surrounded by a degree of ambiguity, HIPAA, also known as the Kennedy Kassebaum bill, is set to introduce widespread changes to people involved in the provision and delivery of healthcare throughout the United States. The driving force behind the HIPAA act has been the need for more efficiency, better value for money, and better access to information and research information. Internet transmission has enabled healthcare providers to speed up processes, while at the same time allowing physicians to tap into a much broader network of information, collate data on clusters of illness and epidemics etc. Increased internet transmissions, however, have introduced more questions related to security and privacy. The desire to achieve a cost-effective, efficient solution has led to a need for standardisation of the ability to exchange information between the health provider chains. Following on from the need to standardise information exchange, has come a requirement to cover issues of privacy and security. The HIPAA act has created three types of standard: privacy, security and administrative simplification. Privacy and security standards are intended to protect privacy and confidentiality of individually identifiable health information. Issues relating to privacy in this context determine who should have access to a patient’s records, while security answers how these records should be protected. The security standards are applicable to all those involved in healthcare provision including claims clearinghouses, health plans, employers and healthcare providers. The security standard contains four categories of requirement: • Administrative Procedures; • Physical safeguards – computer systems and buildings, for example, must be protected from intrusion and other threats. This includes use of locks, keys and administrative measures designed to control access to computer systems and facilities; • Technical data security services – protect, control and monitor information access; • Technical security mechanisms – prevent unauthorised access to data transmitted over a communications network. All standards under the HIPAA act come into force within 24 months after the date of the final rule (or 36 months for small health plans). Once the legislation has become effective, civil and criminal penalties for ‘knowingly’ disclosing individually identifiable health information will range from US$50,000 – US$250,000 in fines and up to 10 years in prison.
10 • Btt October 2000
The Health Care Financing Administration (HCFA), which is part of the Department of Health and Human Services, has responsibility for implementing the Administrative Simplification requirements through notice and comment rulemaking. HCFA’s requirements are categorised as follows: technical security services and technical mechanisms, confidentiality and availability. Added together, these requirements make up a comprehensive security approach. These requirements are expected to be addressed by a combination of media controls, physical access controls, policy guidelines, audit controls, authentication, authorisation control, cryptography, unique user identification, communication network controls and digital signatures. Many people interviewed by Btt, believe that HIPAA’s requirements are very vague and uncertain. “It requires that at least one biometric form of authentication be used, but doesn’t specify exactly what qualifies as a biometric, nor what acceptable error rates are,” commented Brad Clements, VP engineering, CTO Voice Security Systems. Although some people within the biometrics industry believe that the privacy and security standards of HIPAA are something of an after-thought, it nevertheless represents a clear opportunity for biometric technology to develop its presence within the healthcare market. The decision taken by companies such as Resource Information Management Systems (RIMS) to appoint a dedicated HIPAA project manager to ensure clients meet compliance deadlines, highlights how seriously some biometrics companies are taking the new regulations. Rick Norton, executive director of the International Biometric Industry Association (IBIA), told Btt: “HIPAA will provide the biometrics industry with a major opportunity. The biometrics industry is ready to go – some companies have been built specifically around the HIPAA opportunity.” “HIPAA is very relevant to the biometrics community,” agrees Quoc Do, product manager, HealthCare Products at Veridicom. “The legislation calls for the use of secure email, rather than fax. PKI provides security, but because a private key resides on a PC, we still can’t be sure that a person accessing an email is who they say they are. We are always left with the question ‘Is it the right doctor?’. Biometrics removes that element of doubt.” With two years until the date of compliance, it is widely believed that HIPAA will have far reaching implications. A Gartner Group study concluded that HIPAA would cost healthcare organisations three times as much as Y2K preparations. Like Y2K, many within the biometrics industry believe that healthcare providers will only begin to show interest in developing their networks to achieve HIPAA goals once the deadline for compliance is more within sight.
Healthcare As a leading-edge industry, the US healthcare market has the need, money and staff to introduce and implement the use of new technology. Over the next two years, it remains to be seen whether that drive for new
technology includes a widespread embracing of biometrics. Wendy Atkins is a freelance journalist. She can be contacted at Ubiquitous Media, tel/fax: +44 1984 623127, email: [email protected]
A Selection of Healthcare Products Incorporating Biometrics BSi2000 MedSAFE 2000 is an optical card which holds full clinical insurance eligibility, claims/payment information, details of allergies, drug regimes, comments, standard treatment guidelines, statistics and physician outcomes. The system was expected to be launched during the third quarter 1999 using fingerprint or signature technology at the Western Medical Center, Colorado, USA.
CitX Citx recently announced that it will integrate Iriscan technology into its solutions for specific vertical markets. The first system to be tested will be developed for the healthcare industry through CitX’s affiliated company IntraMedX . The technology will be used to establish the validity of user identities, credentials and to grant access to different classes of information.
Conduit Healthcare Solutions Conduit Healthcare Solutions is a division of Leapfrog Smart Products and combines fingerprint technology within its range of healthcare solutions. In March 2000, the company announced that 33 smart card readers using fingerprint biometrics would be deployed across the Munroe Regional Health System.
Hamilton Scientific Hamilton Scientific has adopted WhoIsIt? fingerprint biometric identification technology by QVoice for use with its myPatientCHARTS.com system. The technology will be used to verify the identity of healthcare professionals and patients to ensure that access to the electronic medical record system is granted only to authorised individuals. myPatientCHARTS.com is an internet application that facilitates the documentation and real-time sharing of patient information among multiple users in remote locations.
HSB Cards and Card Systems HSB Cards and Card Systems in the Netherlands has integrated Infineon’s FingerTIP sensor onto a smart card to produce a CardCare Management System as a central system with verification and issuing applications. It is designed to carry medical records, be a key to information over the internet and provide authorisation for applications.
Informer Systems (ISL) ISL has implemented a number of IT solutions in the UK healthcare sector. The company’s solutions include SentriNET technology and SecurDial client authentication software. With SentriNET, fingerprint templates created at
enrolment are stored either as a database record or on the server (NT SAM) in the Directory as part of the user’s record (Novell NDS or Win 2000 ADS) or on a smart card. SecurDial client authentication software uses smart cards and fingerprint authentication using a Cherry keyboard with a built-in card reader and fingerprint scanner. It is suitable for Windows 95, 98 and NT. Users can dial up centrally held resources once their identity has been verified using a choice of smart cards together with fingerprint recognition.
NEC Technologies IDLink has been designed to provide positive patient identification, speed up the admissions process and eliminate duplicate records. The product, which has been implemented at Lourdes , a full-service healthcare provider in Kentucky, USA, is based on NEC’s HealthID system. HealthID provides fingerprint access to patient records.
Presideo Presideo , previously called Integrated Visions , provides Trusted Space biometric authentication for the e-business environment. The company announced a strategic alliance with the TriZetto Group, which is a provider of internet-enabled application services and business portals for the healthcare industry. In April 2000, the company signed an agreement with HEALTHvision for the integration of Presideo’s access management, biometric authentication and nationwide physician credentialing into its internet-based solution suite.
VeriSign VeriSign launched its new range of Healthcare Trust Services in June 2000. This comprises a range of managed authentication, payment and validation services designed to meet the requirements of the e-healthcare industry. The services have been designed to support the ‘healthcare value chain’ and include portable digital certificates, support for smart cards and biometrics and risk management services.
Zerco Zerco provides optical memory cards secured with fingerprints as part of its PC-based terminal technology. The technology combines optical card reading technology and on-line PC processing for the management of complex systems which are networked over the internet for real-time consultation of records and for immediate processing of legitimate insurance payments to the point of service delivery.MARKET SURVEY CONTACTS
MARKET REVIEW CONTACTS Company Name Biometric Access Corporation BSi2000 CitX Conduit Healthcare Solutions eCryp Hamilton Scientific Healthcare System Benelus (HSB) IBIA Identix Informer Systems Limited ITT NEC Technologies Physmark Presideo Qvoice Recognition Systems Unisys (Spain) Veridicom VeriSign Voice Security Systems Zerco Systems
Contact Hal Jennings Jack Harper Bernie Roemmele Ken Clinton Tom Anderson Alex Golin Marcel Boogaard Rick Norton Grant Evans Derek McDermott Frank Smead Lee Moser Jacob Kuriyan Scott Perry Norm Hughes Tracy Timmer Ricardo Arroyo Quoc Do Lori Budin Brad Clements John Soltesz
Tel +1 512 246 3760 +1 303 231 9002 +1 215 538 3535 +1 407 838 0400 +1 310 553 2797 +1 973 618 9320 +31 348 433 080 +1 703 250 0206 +1 408 731 2188 +44 1527 571700 +1 219 451 6321 +1 703 247 8922 +1 505 897 7500 +1 561 581 7053 +1 973 786 6878 +1 408 364 6960 +34 91 721 1212 +1 408 565 6025 +1 650 961 7500 +1 949 493 4030 +1 330 448 0920
Fax +1 512 246 3768 +1 303 231 9002 +1 215 529 7599 +1 407 838 0404 +1 310 553 7169 +1 973 618 9183 +31 348 433 121 +1 408 739 3308 +44 1527 571701 +1 219 451 6126 +1 703 247 8941 +1 505 897 2030 +1 561 589 2049 +1 973 786 6131 +1 408 370 3679 +34 91 721 1281 +1 408 565 6020 +1 650 961 7300 +1 949 388 7714 +1 330 448 7900
Email [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
Btt October 2000 • 11