Biometrics in Healthcare


by Geoff Keston

Docid: 00011352

Publication Date: 2012

Report Type: TUTORIAL


In the healthcare market, the safety and security of facilities and
information are not only major concerns but also mandatory requirements.
Through the proper application of biometric security technologies combined
with a strict adherence to Health Insurance Portability and Accountability
Act (HIPAA) regulations and other security requirements, healthcare
organizations can enhance the likelihood that their facilities and patient
information will be protected.

Executive Summary

Concerns over patient safety and over access to critical facilities and
data are driving the demand for new solutions that ensure the highest
possible levels of authentication and authorization for anyone attempting
to obtain protected health information.

Biometrics Market Trends

Biometrics is one of the foremost technologies in this effort.
Biometric technology aims at enhancing the accuracy of security
identification and authentication systems, thereby preventing breaches and
intrusions into facilities and data repositories. This is of particular
importance in the field of health care with its mandated requirements for
the protection of personal information.

Existing methods for providing the security of facilities and data are
often based on monolithic or homogeneous solutions. Heterogeneous
strategies – combining two or more factors of security – appear
increasingly useful in order for the enterprise to stay ahead of
unauthorized access.

A biometric trait cannot be lost (one’s fingerprint cannot be misplaced)
and is harder to share or steal than a password. It is not impossible to
copy, however: fingerprints are left on surfaces that are touched and have
been reproduced well enough to fool some sensors. As a standalone method
for secure access, therefore, complete reliance on biometrics still cannot
be considered foolproof. For this reason, biometrics becomes a stronger
method of securing access to systems or data when used in conjunction with
a password, personal identification number (PIN), or other authentication
factor.

Coupled with existing and emerging security solutions such as RFID (Radio
Frequency Identification, such as chips or tags) and smartcards,
biometrics can strengthen a healthcare facility’s ability to control
access. These solutions, however, do not come without additional
considerations and potential risks, including the added expense of the
technology, which can inhibit widespread adoption in situations where
added security measures are optional. Ironically, the security of
biometric security itself can also be an issue, because biometric
templates are stored in databases; if those databases are ever breached,
the consequences are significant, since a stolen template, unlike a
password, cannot be revoked and reissued.

In addition, biometric technology still struggles with a lack of trust
and acceptance from users. In particular, placing a finger or hand into a
device for verification of identity is still viewed by some as an
intrusion on personal privacy.



Security Factors

Biometrics measure the unique physical or behavioral characteristics of
people in order to recognize or authenticate identity. Common physical
biometrics include fingerprints, hand geometry, and retina and iris
characteristics. Research is underway on other less visible biometrics
including heartbeats and brain waves.

Behavioral characteristics include signature, voice (which also has a
physical component), keystroke pattern, and gait (way of walking). Of this
class of biometrics, technologies for signature and voice are the most
developed, and those for gait the least developed. Recognition of facial
characteristics is still a problematic field.

Authentication for secure access means verifying an identity, whether the
user is logging onto a network, entering a limited-access location, or
otherwise establishing an identity. In most modern security deployments,
there are three available factors (types) of authentication, each of
which can be used to reduce the probability of an unauthorized access
event.

  • Something the individual knows – A password, PIN, or piece of
    personal information (such as a mother’s maiden name).
  • Something in the individual’s possession – A card key, smart card,
    or token (such as an RSA SecurID token or RFID device).
  • A physical or behavioral characteristic – A biometric.

Combining two or more of these security authentication factors increases
the assurance that only authorized individuals will be able to access
restricted facilities or systems. However, there are numerous facilities
where only one or even none of these authentication practices are
implemented. Reliance on a homogeneous or “single solution” security
system, such as ID badges or sign-in sheets, leaves any system’s security
open to compromise. 

Biometric systems, while offering a high level of security for access to
facilities and systems, are often expensive. And they may offer only
limited protection against security breaches if they are not implemented
as part of a combined system requiring two or more methods of
authentication. Further, biometric data is, just like any data,
vulnerable to theft. If such data is stored on a network server, then the
entire biometric authentication system is only as secure as the network
and the server.1

Healthcare Privacy and Security

Healthcare is generally considered to be one of the largest areas of
biometric technology use. Within the healthcare industry, many
implications with respect to facilities and data security are currently
being identified and addressed. From a regulatory perspective, the Health
Insurance Portability and Accountability Act of 1996 (HIPAA, Title II)
establishes requirements for the security and privacy of electronic
patient records. The four areas below follow the structure of the 1998
proposed Security Rule; the final Security Rule (2003) groups its
requirements into administrative, physical, and technical safeguards, but
covers the same ground. To become HIPAA-compliant, healthcare
organizations must address each of four different areas:

  • Administrative Procedures – These include policies,
    procedures, practices, and protocols designed to ensure the integrity,
    confidentiality, and availability of data.
  • Physical Safeguards – These are the procedures used
    to protect physical systems and related buildings and equipment from
    natural disasters or intrusions. 
  • Technical Safeguards – These are the processes and
    procedures that are designed to protect, control, and monitor
    information access. 
  • Technical Security Mechanisms – These measures are
    the processes put into place to protect information and data from
    unauthorized access across a network. 

Within these areas, the United States Department of Health and Human
Services suggests that standards be adopted to protect patient data and
other confidential information. Healthcare organizations must also
identify and address threats to information security. A frequently cited
example is the Association for Computing Machinery, which recommends that
entities responsible for ensuring the privacy and security of medical
systems adopt organizational practices that cover:

  • Establishing and enforcing security and confidentiality policies.
  • Establishing security and confidentiality committees to develop and
    revise policies and procedures.
  • Designating and empowering an Information Security Officer.
  • Establishing education and training programs designed to foster
    security awareness and promote compliance.
  • Creating and imposing penalties for deliberate security violations.
  • Reviewing and strengthening authorization procedures so that patients
    better understand information flows and the associated time limits.
  • Giving patients access to audit logs so they can be aware every time
    their electronic medical records are accessed.

Biometrics and Healthcare

It is a commonplace that the healthcare industry historically relied on
paper-based record systems, legacy applications, and physicians who have a
low propensity towards automation. However, the healthcare industry has
evolved, and it is one of the largest market proponents of biometric
technology. Spurred on by the need to comply with HIPAA regulations,
biometrics has found a receptive market for applying the various
biometric technologies in the enterprise application space. Typical
purposes of the use of biometrics in healthcare are for patient, doctor,
and nurse identification; regulatory compliance; the use of electronic
medical records and the control of Health Information Exchange (HIE) data;
fingerprint scans of donors; and identification of emergency patients.

To address the degree of compliance with HIPAA’s requirements for
Administrative Procedures, Physical Safeguards, Technical Safeguards, and
Technical Security Mechanisms, biometric authentication systems can offer
both ease of use and a high level of secure access. As an example,
biometric authentication systems can provide single sign-on applications
for the physician who needs access to vital patient records and facilities
like surgical units, and at the same time for the facilities/security
personnel who protect systems, buildings, and equipment from
unauthorized intrusions.

One of the most common biometric devices for single sign-on access to
critical systems and facilities is the finger scanner. With most
finger-scans, the user’s finger is placed on a reader that captures an
image of the fingerprint. The system then extracts from the image a map
of minutiae points (ridge endings and bifurcations, each with a position
and direction), which an algorithm encodes as a compact binary template.
The template, not the image, is stored at enrollment, and a fresh template
captured at verification time is compared against it. (See Figure 1.
Finger Scan Template Image)

Figure 1. Finger Scan Template Image (Source: Biometrics Research,
Michigan State University)
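As an added example (not code from the report or from any vendor), the following Python sketches the comparison step just described: an enrollment template and a verification template, each a set of minutiae points (x, y, ridge angle), are paired under a position and angle tolerance, and the fraction paired becomes the match score that the accept threshold is applied to. The templates are constructed, the tolerances and threshold are assumed values, and the matcher assumes both templates are already aligned to a common coordinate frame (a real matcher must first estimate the rotation and translation between them):

```python
"""Minutiae-template verification: pair probe minutiae with enrolled
minutiae that lie within a position and angle tolerance, then score.
Added illustrative code; templates are constructed, not real data, and
both templates are assumed to be pre-aligned to one coordinate frame."""
import math

# Assumed operating parameters for this toy matcher, not vendor values.
POS_TOL = 6.0          # pixels
ANGLE_TOL = 0.3        # radians
ACCEPT_THRESHOLD = 0.5


def angle_diff(a, b):
    """Smallest absolute difference between two angles in radians."""
    d = abs(a - b) % (2 * math.pi)
    return min(d, 2 * math.pi - d)


def match_score(enrolled, probe):
    """Greedy one-to-one pairing of probe minutiae with enrolled minutiae.
    Returns 2*matched/(len(enrolled)+len(probe)): 1.0 means every minutia
    in both templates found a partner, 0.0 means none did."""
    if not enrolled or not probe:
        return 0.0
    used, matched = set(), 0
    for (px, py, pa) in probe:
        best, best_dist = None, POS_TOL
        for i, (ex, ey, ea) in enumerate(enrolled):
            if i in used:
                continue
            dist = math.hypot(px - ex, py - ey)
            # A candidate must agree on both location and ridge direction.
            if dist <= best_dist and angle_diff(pa, ea) <= ANGLE_TOL:
                best, best_dist = i, dist
        if best is not None:
            used.add(best)
            matched += 1
    return 2.0 * matched / (len(enrolled) + len(probe))


def verify(enrolled, probe, threshold=ACCEPT_THRESHOLD):
    """Accept when the score meets the operating threshold. Raising the
    threshold lowers the false acceptance rate and raises the false
    rejection rate; lowering it does the reverse."""
    return match_score(enrolled, probe) >= threshold


# Constructed templates (not real fingerprint data).
ENROLLED = [(12, 40, 0.0), (30, 55, 1.2), (48, 20, 2.5),
            (60, 70, 3.0), (75, 35, 0.4), (90, 60, 5.8)]
# Same finger: small sensor jitter, one minutia not captured this time.
GENUINE_PROBE = [(13, 41, 0.1), (29, 56, 1.1), (47, 19, 2.6),
                 (61, 71, 3.1), (76, 34, 0.3)]
# Different finger: positions and angles unrelated to the enrollment.
IMPOSTOR_PROBE = [(15, 15, 1.0), (50, 50, 0.0), (70, 10, 4.0),
                  (20, 80, 2.0), (85, 85, 5.0), (40, 30, 3.5)]
# Same locations as the genuine probe but every ridge angle rotated by
# pi: a probe that agrees only on location must not be accepted.
WRONG_ANGLE_PROBE = [(x, y, (a + math.pi) % (2 * math.pi))
                     for (x, y, a) in GENUINE_PROBE]

if __name__ == "__main__":
    for name, probe in [("genuine", GENUINE_PROBE),
                        ("impostor", IMPOSTOR_PROBE),
                        ("wrong-angle", WRONG_ANGLE_PROBE)]:
        print(name, round(match_score(ENROLLED, probe), 3),
              "accept" if verify(ENROLLED, probe) else "reject")
```

The genuine probe scores 10/11 (five of five probe minutiae paired against six enrolled), the impostor scores 0, and the wrong-angle probe also scores 0 even though its points sit exactly where the genuine ones do, which is why direction is part of the minutia and not just position. Choosing the threshold is the FAR/FRR trade-off discussed later in the report.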

Finger-scan imaging may use optical, thermal, tactile, capacitance, or
ultrasound techniques; finger images on paper can also be scanned. For
optical images, the user puts a finger on a glass plate and a camera
captures the impression made by the finger. For tactile or thermal images,
the user places a finger on a pressure or temperature sensor. Capacitive
silicon sensors measure the small difference in electrical charge between
skin ridges, which touch the sensor, and valleys, which are separated from
it by air, and output a signal corresponding to the ridge and valley
pattern. For ultrasound images, sound waves reflected from the skin
surface map the finger pattern.

A further advantage of finger scanning systems is cost. Finger scanners
for use with a PC are available for as little as a few hundred dollars
(US), though that is not a typical price; the systems more commonly used
in enterprise applications currently sell for several thousand dollars.
Prices of biometric systems have declined over the last few years as the
processing power of computers has drastically increased.

Other biometric technologies such as iris recognition and retinal
scanning cost up to $1,000 or more per device. However, the old adage
that “you get what you pay for” may apply with respect to safety,
security, and accuracy: iris recognition is widely considered one of the
most accurate forms of biometric technology.

Voiceprint technology is another area of biometrics that
is expanding. Organizations that demand high security, such as banks,
are increasingly keeping voiceprints of users. For example, the Australian
Taxation Office reportedly has taken voiceprints of one out of seven of
the country’s citizens.2 Amazon has been sued because of
accusations that it collected the voiceprints of children.3 The
suit cites state-level privacy laws that the company is allegedly
violating. The result of this legal action could help to establish
precedents for what type of consent companies must obtain and for how
existing privacy laws will be interpreted in light of this new technology.


The demand for accuracy dominates biometric technology, as the number of
emerging applications continues to rise and their value propositions
undergo increasing scrutiny. An undependable security system is almost as
bad as no system at all.

Performance metrics are critical when evaluating biometric technologies
for accuracy. However, no single metric fully describes how a system will
perform in operation; multiple metrics must be examined to determine the
strengths and weaknesses of each technology and vendor.

Key performance metrics compare the verification template captured at
the time of an access attempt against the enrollment template stored for
the claimed identity. Metrics include:

  • False Acceptance Rate (FAR) – FAR is the probability that one
    individual’s verification template will be incorrectly judged to
    match a different individual’s enrollment template, that is, that an
    impostor is accepted. This test may not apply to all biometric
    systems or system
  • False Rejection Rate (FRR) – FRR is the probability that an
    individual’s verification template will be incorrectly judged not to
    match that same individual’s enrollment template. Simply, FRR is the
    probability that an individual who is already in the database will
    not be matched in a search: for example, an individual who needs
    entry into a secured area will not be granted entry, or an individual
    who has been flagged as a terrorist will not be identified at the
  • Crossover Error Rate (CER) – Also known as Equal Error Rate (EER),
    this is the error rate at which FAR equals FRR, and it is the usual
    metric for comparing different biometric devices and technologies.
    The lower the CER, the more accurate and reliable the device.

Biometric accuracy is summarized by combining the FAR (the device accepts
the identity of an impostor) and the FRR (the legitimate person is
rejected). As the decision threshold is tightened, FAR falls and FRR
rises, so the two rates are graphed as separate curves against the
threshold, and the point where the curves intersect is the system’s
crossover error rate (CER), the usual single figure for its accuracy. The
lower the CER, the more accurate the system (see Figure 2, Crossover
Error Rate). A higher FAR at a given operating point means the system is
less secure, not more accurate; a higher FRR means it is less convenient
for legitimate users.

Figure 2. Crossover Error Rate
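The following Python, added here and not part of the report, computes FAR and FRR over a sweep of thresholds from constructed genuine and impostor score lists, locates the crossover where the two curves meet, and picks an operating threshold for a required maximum FAR. Scores are assumed to be similarities on a 0..1 scale (higher means more alike); in practice they would come from running the matcher over many same-person and different-person pairs:

```python
"""FAR, FRR and crossover (equal) error rate from matcher scores.
Added illustrative code; the score lists below are constructed."""

# Constructed matcher outputs on a 0..1 similarity scale.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.80, 0.78, 0.75, 0.70, 0.62, 0.55, 0.40]
IMPOSTOR_SCORES = [0.05, 0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.45, 0.58, 0.65]


def far(threshold, impostor_scores):
    """False Acceptance Rate: fraction of impostor attempts accepted."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(threshold, genuine_scores):
    """False Rejection Rate: fraction of genuine attempts rejected."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def error_curves(genuine_scores, impostor_scores):
    """(threshold, FAR, FRR) at every candidate threshold, ascending.
    The observed scores are the candidates, since the rates can only
    change at those points."""
    thresholds = sorted(set(genuine_scores) | set(impostor_scores))
    return [(t, far(t, impostor_scores), frr(t, genuine_scores))
            for t in thresholds]


def crossover_error_rate(genuine_scores, impostor_scores):
    """Threshold where FAR and FRR are closest, and the rate there.
    Returns (threshold, cer)."""
    curves = error_curves(genuine_scores, impostor_scores)
    t, a, r = min(curves, key=lambda row: abs(row[1] - row[2]))
    return t, (a + r) / 2


def threshold_for_max_far(max_far, genuine_scores, impostor_scores):
    """Lowest threshold whose FAR does not exceed max_far, together with
    the FRR the site must then tolerate: the usual way an operating point
    is chosen when policy fixes the impostor acceptance rate."""
    for t, a, r in error_curves(genuine_scores, impostor_scores):
        if a <= max_far:
            return t, a, r
    return None


if __name__ == "__main__":
    for t, a, r in error_curves(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:.2f}  FAR {a:.2f}  FRR {r:.2f}")
    print("CER/EER:", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FAR <= 10%:",
          threshold_for_max_far(0.10, GENUINE_SCORES, IMPOSTOR_SCORES))
```

On these constructed scores the curves cross at a threshold of 0.58 with a CER of 20 percent; requiring FAR no higher than 10 percent pushes the threshold to 0.62 and the FRR up to 20 percent, which is the convenience cost of the tighter security setting. Note that the rates are only as representative as the population the scores were collected from, so a vendor's CER measured on one sensor and one population does not transfer directly to a hospital's own users.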

As noted, biometrics include a range of security techniques, some more
accurate than others. The techniques categorized as physiological include
finger scanning (fingerprinting), finger geometry, hand geometry, iris
imaging, retina scanning, and others under development. Techniques such as
voice and signature verification (scanning) are considered indicative of
behavioral, as opposed to physiological, characteristics.

Studies of crossover accuracy are listed in Table 1.

Table 1. Crossover Error Rate Chart of Various Techniques

Technique                 Crossover Error Rate (%)
Retinal Scan
Iris Scan
Hand Geometry
Signature Recognition
Voice Recognition


Biometric applications for healthcare security are being
implemented in facilities around the world: 

  • In Florida, St. Vincent’s Medical Center Clay County uses palm
    scanning for patient sign-in.
  • A New York medical center uses a combination of palm scanning and
    photography.
  • Northwell Health reported plans to implement iris scanning to identify
    patients in at least 600 locations.4

Nor is the United States the only market for biometrics in health care.
India’s national ID program, Aadhaar, the world’s largest biometric
database, records fingerprints, iris scans, and facial images in addition
to demographic data, and India is using it to support its National Health
Assurance Mission (NHAM). It has been reported that nearly half of the
banks in Japan use vein pattern recognition, a type of biometric
technology, in conjunction with date of birth and a PIN, to identify
customers. Hospitals in Angola, led by the largest, Hospital 28 Augosta,
are now using fingerprint biometrics, and Ghana used biometrics to fight
apparent registration fraud in its National Health Insurance Scheme
(NHIS).

It should be noted that security, in either a limited or broad sense, is
not the only use of biometrics in health care. “Medical biometrics”
involves the use of biometrics, in particular digital images and biometric
measurements, in both diagnosing and treating illnesses. Examples include
sensors that can be either worn externally, or ingested or implanted
internally. A familiar popular use of “medical biometrics” is the
measurement of statistics for athletic activities such as running and
weight lifting. A number of such sports monitoring devices are available
on the commercial market.

Current View


A long and ongoing debate in the field is whether biometrics will
become widely used or remain a niche product. Biometric technology today
continues to contend with a lack of trust and acceptance from users, who
are often unaware of what the technology is intended to accomplish. Much
of the general population still views placing a finger or hand into a
device for verification of identity as a violation of privacy. There are
also concerns about potential abuses of the data collected by these
systems, since templates of biometric data may be stored on obscure
systems in unknown places. The situation is not improved by the fact that
failure rates for biometrics remain at unacceptably high levels in a
number of cases.

Resistance may vary even within an organization. For example, a
published report claims that one large hospital deployed fingerprint
readers so personnel could access medical records without a password.
While many doctors reportedly embraced the system because it reduced time
and work, many others rejected it, claiming it was more cumbersome. Of
course, it is also possible that they had other reasons for rejecting the
technology which they did not acknowledge.

Another pressing issue involves an individual’s right to privacy. Many
advocacy groups are attempting to establish a middle ground that appeases
consumer concern and promotes biometric development by calling for
safeguards that ensure biometric data is not misused to compromise any
information, or released without personal consent or the authority of law.
The International Biometrics Industry Association recommends that “clear
legal standards should be developed to carefully define and limit the
conditions under which agencies of national security and law enforcement may
acquire, access, store, and use biometric data.” It has even been suggested
in Congress that Americans should all carry biometric ID cards. This
idea has encountered fierce political opposition.

There are other limitations to biometrics. In particular, if a biometric
is compromised (for example, if an attacker obtains a copy of the stored
template or a lifted fingerprint), it cannot be replaced, unlike an object
like an ATM card. Any security measure is quickly followed by attempts to
compromise it. Other elements that may cause problems with biometrics
include, in some systems, the possibility of injury changing a biometric
“signature”; maintenance issues, for example, scratched or dirty lenses;
and times for receiving results, which may lengthen in proportion to the
size of the database being searched. Biometric devices may also fail or
give distorted results in extreme climates, and portable devices may
break.

Finally, the security of databases of biometric indicators is a concern.
The stream of reports that various databases around the world have been
hacked demonstrates that security intrusions are a sophisticated and
ever-present threat. A built-in difficulty of biometrics is that if a
record of a biometric feature is compromised by hacking or other theft,
that biometric cannot be replaced in the way that one would, for example,
change a password. If or when this problem becomes more prevalent, it may
be necessary for systems to support multiple biometric modalities, so
that, for example, if an iris recognition database is hacked, its users
can switch to palm print recognition.



The worldwide market for healthcare biometrics is forecast to grow at a
compound rate of 18.9 percent, from $1.8 billion in 2020 to $6 billion in

Healthcare is by no means the only market for the technology. In
particular, such government initiatives as network access
security are substantial growth areas. Biometrics have become
somewhat more familiar among enterprise end users, being used in some
brands of laptops.6 As other emerging technologies such as
Radio Frequency Identification (RFID) are projected to grow six-fold in
the healthcare vertical market, it can be assumed that biometric
technology in the healthcare vertical market will follow a similar growth

A secure and well monitored system for protecting facilities and
information is not only critical for the security of the healthcare
industry but is also a legal requirement. Adding biometrics and other
multi-factoring security solutions to other healthcare systems can improve
the monitoring of pharmaceuticals, patients, and other assets.
However, an existing system can also be overwhelmed by trillions of
new bits of information translating into millions of dollars of new
investments just to manage, track and integrate data. How and with what
methods the new systems will integrate data into the enterprise
information hierarchy is a major issue that is only beginning to be

In general, positive reports make it clear that biometric pilot
projects being conducted by healthcare providers generally are producing
good results in system functionality. However, the area of enterprise
integration costs is more unclear. Costs can vary from remarkably
small to substantial. As an example, an RFID system using ultra high
frequency (UHF) might run to several thousand dollars. In any case, with
respect to eliminating unauthorized access to facilities and patient
information, the risks of liability may outweigh the costs.

Finally, the long-term impact of the coronavirus on healthcare and
consumer behavior may reshape the biometrics industry. For example, some
professionals in the field have speculated that users will continue to
favor touchless authentication methods.7



To assure compliance and to address the concerns of both public and
private entities, a single system security solution should include
multiple individual authentication factor methods. A multi-tiered
authentication system is clearly a promising solution. To take full
advantage of multiple authentication techniques, however, the underlying
architecture must support interoperability, scalability, and adaptability
so as to provide the flexibility needed to cope with continually changing
security conditions.

Heterogeneous Security Solutions

Increasingly, security solution providers are focusing on developing
biometric technologies that enhance rather than replace current
authentication methods such as passwords. Concurrent authentication
methods, including both biometric hardware and software solutions, can
provide a higher level of security.

Combining two or more of the three security authentication factors – a
known factor, a factor in one’s possession, and a physical or biometric
factor – demonstrably increases the assurance that only authorized
individuals will be able to access restricted data and utilize networked
resources. A typical heterogeneous security solution is a single sign-on
(SSO) solution that includes authentication methods such as passwords,
tokens, smart and proximity cards, and biometrics.

Example: Fingerprint/Smart Card/Password Solution

Fingerprint-scan technology adds an additional security layer to a smart
card system. Integrating a fingerprint scanner into a smart card reader
increases security by adding a “something-you-are” factor to the
authentication process, while the smart card provides the
“something-possessed” factor. The highest security level is reached by
adding “something-known,” the password or PIN factor, to the biometric
smart card solution.

Integrating a fingerprint-scan sensor with a smart card reader adds to
the privacy and security of authentication, because the scanned
fingerprint can be matched directly against the template stored on the
smart card, by the card’s own processor. This process is called “match
on card”: the enrollment template never leaves the card and is never held
in a central database or on the reader, so a compromise of the reader or
the network does not expose it. The fingerprint-scan biometric smart card
solution is a classic example of the combination of authenticated and
authorized information access.
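As an added example, not code from the report or from any card vendor, the Python below models the three-factor exchange just described: the backend issues a challenge; the card verifies the PIN and performs match-on-card against the enrolled template it holds; only then does it answer the challenge with an HMAC under a key it shares with the backend; the backend checks that response together with the user’s password. The biometric factor is modelled as a fixed-length bit template compared by Hamming distance (iris-code style) rather than a minutiae matcher, to keep the block short; the match threshold, PIN retry limit, templates, keys and credentials are all constructed assumptions:

```python
"""Three-factor login with match-on-card: password (known), card holding
a key (possessed), biometric matched inside the card (you are).
Added illustrative code; the card class stands in for an applet on the
card's own processor. Templates, keys, PIN and password are constructed."""
import hashlib
import hmac
import os
import secrets

MATCH_THRESHOLD = 0.32   # max Hamming fraction accepted (assumed value)
MAX_PIN_TRIES = 3        # assumed retry limit before the card blocks itself


def hamming_fraction(a, b, bits=64):
    """Fraction of differing bits between two bit templates held as ints."""
    return bin((a ^ b) & ((1 << bits) - 1)).count("1") / bits


class SmartCard:
    """Something you have. The enrolled template and the card key never
    leave this object; matching and PIN checking happen 'on card'."""

    def __init__(self, template, pin, card_key):
        self._template = template
        self._pin_salt = os.urandom(16)
        self._pin_hash = hashlib.sha256(self._pin_salt + pin.encode()).digest()
        self._key = card_key
        self._pin_tries = 0
        self.blocked = False

    def _check_pin(self, pin):
        if self.blocked:
            return False
        ok = hmac.compare_digest(
            self._pin_hash,
            hashlib.sha256(self._pin_salt + pin.encode()).digest())
        self._pin_tries = 0 if ok else self._pin_tries + 1
        if self._pin_tries >= MAX_PIN_TRIES:
            self.blocked = True          # card locks after repeated bad PINs
        return ok

    def _match_on_card(self, probe):
        return hamming_fraction(self._template, probe) <= MATCH_THRESHOLD

    def respond(self, challenge, pin, probe):
        """Return HMAC(card_key, challenge) only if PIN and biometric both
        pass; otherwise None. The reader only ever sees this tag."""
        if not self._check_pin(pin) or not self._match_on_card(probe):
            return None
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Backend:
    """Something you know (password) plus verification of the card's tag.
    Assumes the backend holds the per-card symmetric key."""

    def __init__(self, password, card_key):
        self._salt = os.urandom(16)
        self._pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                            self._salt, 100_000)
        self._card_key = card_key

    def new_challenge(self):
        return secrets.token_bytes(16)   # fresh nonce defeats replay

    def verify(self, password, challenge, response):
        pw_ok = hmac.compare_digest(
            self._pw_hash,
            hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000))
        expected = hmac.new(self._card_key, challenge, hashlib.sha256).digest()
        tag_ok = response is not None and hmac.compare_digest(expected, response)
        return pw_ok and tag_ok


def login(backend, card, password, pin, probe):
    """Full exchange: challenge -> card (PIN + match-on-card) -> backend."""
    challenge = backend.new_challenge()
    return backend.verify(password, challenge,
                          card.respond(challenge, pin, probe))


# Constructed data (not real biometric templates or secrets).
ENROLLED = 0xA5C3F0E1D2B49687
GENUINE_PROBE = ENROLLED ^ 0x0101010101010101    # 8 of 64 bits differ
IMPOSTOR_PROBE = ENROLLED ^ 0xFFFF0000FFFF0000   # 32 of 64 bits differ
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
PASSWORD, PIN = "correct horse battery staple", "4821"


def demo():
    card = SmartCard(ENROLLED, PIN, CARD_KEY)
    backend = Backend(PASSWORD, CARD_KEY)
    return {
        "all three factors": login(backend, card, PASSWORD, PIN, GENUINE_PROBE),
        "wrong password": login(backend, card, "password1", PIN, GENUINE_PROBE),
        "wrong pin": login(backend, card, PASSWORD, "0000", GENUINE_PROBE),
        "impostor finger": login(backend, card, PASSWORD, PIN, IMPOSTOR_PROBE),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Only the first case succeeds; failing any one factor leaves the backend with no valid tag, and the enrolled template is never transmitted, so a compromised reader or network captures at most a one-time challenge response. In a real deployment the key would be unique per card, the retry counter would be enforced by the card operating system, and the backend would hold the card keys in a hardware security module rather than in memory.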



About the Author


Geoff Keston is the author of more than 250 articles that
help organizations find opportunities in business trends and technology. He
also works directly with clients to develop communications strategies that
improve processes and customer relationships. Mr. Keston has worked as a
project manager for a major technology consulting and services company and
is a Microsoft Certified Systems Engineer and a Certified Novell
