How biometrics could improve health security
by Laura Shin @FortuneMagazine
February 10, 2015, 11:13 AM EST

Todd Major, a 36-year-old stay-at-home father and retired firefighter in Winston-Salem, visited the emergency room twice this past summer for his five-year-old son. During the first visit, the staff at the hospital, Clemmons Medical Center, asked to take a picture of the boy. The high-quality image captured his son’s iris pattern in an effort to prevent fraud, duplicate records, or what are known as “overlays,” when medical information for someone else makes it into a person’s file.

“In today’s society, that was really comforting to know that somebody else cannot come in and use his name or register with his account and have access to his medical record,” Major says.

Clemmons, which is part of the four-state Novant Health network, is one of many medical systems switching to electronic health records. Responding to incentives offered by the federal government, about eight in 10 hospitals and health care providers adopted such systems in 2013. But going paperless exacerbates existing problems like duplicates and overlays and creates new ones—namely, producing more targets for medical data to be hacked.

Just last week, Anthem, one of the nation’s largest health insurers, became the victim of what is probably the largest ever cyber attack against a health care organization. Hackers are believed to have gained access to up to 80 million records that contained Social Security numbers, birthdays, postal addresses, and e-mail addresses. For the last two years, the health industry suffered the highest number of hackings of any sector. Last year, it accounted for 43% of all data breaches, according to the Identity Theft Resource Center.

To help prevent these costly issues, medical companies have begun adopting an array of biometric security systems that use data from a patient’s fingerprint, iris, veins, or face.
The new technologies promise to not only reduce overlays and duplicates but also remove the incentive for health hacks by removing our reliance on information that’s easy to steal and can easily identify patients.

One of the most crucial steps of the health process is correctly identifying a patient when he or she walks through the door. For 12 years, improving the accuracy of the process has been a goal of the Joint Commission, which accredits and certifies more than 20,000 U.S. health care organizations and programs.

Duplicates are not a big concern with regard to patient safety, but for health care providers, they are a huge expense: the cost to resolve every duplicate pair rings in at around $50, according to a 2004 study by Initiate Systems. Eight percent of patient records, on average, are duplicates. For systems with more than one million records, the figure was even higher: 9.4%, which would carry with it a cost of $4.7 million.

Overlays, meanwhile, are more dangerous for patients and more costly and time-consuming for an institution to resolve. A patient with a contaminated record could be administered the wrong medication or mistreated. Though overlays occur at a far lower rate—1% or less—than duplicates, a single overlay can take 60 to 100 hours to resolve at an average cost of $19 per hour (or $1,140 to $1,900 per case). A single overlay case in Denver involving twin girls took three months to resolve and involved 16 members of a hospital’s staff. Novant, which serves more than four million patients, has seven full-time employees who concentrate solely on the task.

Enter the new biometric systems, which combine our physical traits and personal history to create a unique record that can be quickly recalled. For instance, RightPatient, the system Novant uses, launched in 2011 and allows health care providers to link a patient’s biometric data to his or her medical record.
The system registers a patient’s fingerprints, veins—in the finger or palm—and face at enrollment and later uses that signature to recall a medical record. “You have to physically scan your finger and the actual fingerprint sensor itself creates an image. Our software will extract all the unique data points from that image and convert that into a biometric identity template,” says Michael Trader, president of RightPatient.

Vein scans use near-infrared light technology to read the unique vein pattern under the skin of your finger or palm. Iris recognition technology uses a very high-quality camera to extract the unique pattern present in your eye. The results are mere binary strings—a series of zeroes and ones. “You can’t recreate a biometric image from the biometric data,” Trader says.

During enrollment—and if the company has selected the option—RightPatient will also conduct one of two types of credit checks on a patient. The first, more expensive option asks you multiple-choice questions about your credit file that presumably only you would know—such as, “Which of the following four options was your street address in 2005?” The second, cheaper option simply ensures that the identification you’ve submitted hasn’t been flagged by a credit agency for fraud. (RightPatient wouldn’t share pricing details, but Trader acknowledged the cheaper option is less secure.)

When a patient returns, the company will take another photograph with the iris camera and perform what is called a one-to-many biometric search, in which the patient’s iris scan is compared to the rest in the system.
“One other big advantage of using the system is that you’re capturing a color photograph of the patient during enrollment,” Trader says, “so when we retrieve the patient’s medical record, we also display the photograph, so you have a secondary form of authentication that the nurse or registrar can reference.”

Other systems, such as LifeMed ID, allow a person to use any kind of conventional identification—a health insurance card, Medicare card, or a private-label card—to create a “smart card” embedded with a chip that contains their photograph. When a patient returns, he or she is asked to swipe the card, calling up their photo for a registrar to compare to the person standing in front of them. The system can also match biometric data to the smart card.

David Batchelor, LifeMed ID’s chief executive, says its system eliminates 92% of the error rate in keystrokes for patient registration. But it, like similar technologies, is no silver bullet. “There is no ‘totally foolproof,’” he says. “If a fraudster’s going to fraud, there’s going to be fraud.”

But the new systems will surely help. Batchelor says his company is developing technology, not yet employed, that will ping the insurer every time a patient arrives at and leaves the medical center so medical providers can’t fraudulently bill insurers.

Meanwhile a new level of biometric authentication eliminates the central database, considered to be the treasure chest of hackers, entirely. The FIDO Alliance, a non-profit trade association working to move industries away from passwords, has developed a system to authenticate a person using their phone. “We’re not replacing passwords with a new password substitute,” says Brett McDowell, FIDO’s executive director. “We don’t have remote matching of a biometric. We only do local matching.” The matching takes place against the biometric data stored in the phone.
For instance, the technology, which is already being used by Samsung and PayPal, allows a person with a Samsung phone equipped with a fingerprint reader to shop online with PayPal using only his or her fingerprint to log in. In a health context, the same system could be used to verify a patient’s identity and allow them to delegate authority to a caregiver to pick up his or her prescriptions or access lab results. FIDO’s protocols haven’t yet been applied in the health care industry, but several health care organizations are starting to use it for internal purposes.

Biometrics may also help accelerate the movement toward home health care. Karthik Mani, senior vice president for identity and fraud at Equifax (which provides the knowledge-based authentication questions to RightPatient), says his company is focused on online access to medical records. “We have built-in technology now to bring in voice biometrics, take a picture of yourself as a selfie and your government-issued identity, and make sure that the face in the selfie matches the photo in the government-issued identity and that the government-issued identity hasn’t been tampered with,” he says.

Security for the price of a selfie? It’s just around the corner.
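The local-matching model described above, as an added illustration that is not part of the original article and not the FIDO Alliance's own code: the phone keeps the biometric template and a private key, the server stores only a public key and checks a signed random challenge, so there is no central store of biometric data to breach. Templates are the kind of binary strings the article mentions, compared here by Hamming distance; the threshold, the user names and the sample templates in the test are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"math/bits"
)

// Device keeps the enrolled template and the signing key; neither ever leaves the device.
type Device struct{ template []byte; priv ed25519.PrivateKey }

// Server stores only one public key per user, so a breach of it yields no biometric data.
type Server struct{ pubKeys map[string]ed25519.PublicKey }

func NewServer() *Server { return &Server{pubKeys: map[string]ed25519.PublicKey{}} }

// hamming counts the bits that differ between two equal-length binary templates.
func hamming(a, b []byte) int {
	d := 0
	for i := range a {
		d += bits.OnesCount8(a[i] ^ b[i])
	}
	return d
}

// Register enrolls the template on the device and sends the server only the public key.
func Register(srv *Server, user string, template []byte) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	srv.pubKeys[user] = pub
	return &Device{template: template, priv: priv}, nil
}

// Authenticate: the server sends a random challenge, the device compares the live sample
// with its stored template (maxDiffBits is an assumed threshold) and signs only on a match.
func Authenticate(srv *Server, dev *Device, user string, live []byte, maxDiffBits int) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	if len(live) != len(dev.template) || hamming(live, dev.template) > maxDiffBits {
		return false // local match failed: nothing is signed and nothing is sent
	}
	sig := ed25519.Sign(dev.priv, challenge)
	pub, ok := srv.pubKeys[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}
```

A real deployment binds the challenge to the relying party and keeps the private key in hardware, but the division of data is the point: the server can verify the patient without ever holding anything that could recreate a fingerprint or iris.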