If you’ve been reading my blog for some time you know that I’m currently testing some great biometrics products from DigitalPersona. I’ve been pretty impressed with what they have to offer and their support. In fact, I’ve been taking it around to everyone showing them how cool it is. It still amazes me each time it recognizes my fingerprint and no one else’s.
Now that I’m past that emotional connection I’ve started looking at biometrics accuracy and security. This is a huge issue, because I don’t want anyone getting in who shouldn’t be in. Possibly more important (unless you’re the HIPAA police reading) is the case where you are the correct person and the reader doesn’t recognize you. As usual these two items are at odds. You can’t keep everyone out and still ensure that it will ALWAYS recognize your fingerprint. You’ll always have a tradeoff.
In my conversations with DigitalPersona I was introduced to two terms: FAR (False Accept Rate) and FRR (False Reject Rate). I’m told these are standard terms used by all biometrics companies. Essentially they tell you how often you can expect an unauthorized user to get into a machine (FAR) and how often an authorized user can’t get into a machine (FRR). As you tune the reader for security (driving the FAR down) the FRR goes up, and vice versa.
The coolest part of this all is that you get to actually choose what FRR and FAR you want (at least with the biometrics I’m testing). From my limited knowledge, a biometric system maps the points and curves on your fingerprint and exports them to a binary template. Then, each time you scan in the future, it creates another binary file from the new scan and matches those points against the template. If you increase the number of points it has to match then the False Reject Rate goes up, but the False Accept Rate goes down.
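To make the trade-off from the last two paragraphs concrete, here is an added example (my own illustration, not DigitalPersona’s matcher or any vendor’s code). It assumes a simplified model: every comparison between a stored template and a fresh scan yields a count of matching points, and the reader accepts the scan when that count reaches a threshold. The genuine and impostor counts are constructed sample data. Sweeping the threshold shows FAR falling and FRR rising together, finds the point where the two are equal, and finds the lowest threshold that still meets a FAR ceiling, which is the kind of floor a vendor’s recommendation represents.

```python
"""Threshold trade-off between False Accept Rate (FAR) and False Reject Rate (FRR).

Added illustration with a simplified matcher model (assumption: a comparison
produces a matched-point count; accept when count >= threshold). Not a
vendor's algorithm.
"""
from typing import Iterable, List, Tuple

# Constructed sample data: matched-point counts from comparisons against one
# enrolled template.
# Genuine attempts: the enrolled user's own finger.
GENUINE_SCORES: List[int] = [12, 14, 15, 15, 16, 17, 17, 18, 19, 20]
# Impostor attempts: other people's fingers against the same template.
IMPOSTOR_SCORES: List[int] = [2, 3, 4, 5, 6, 7, 8, 9, 10, 13]


def accepts(matched_points: int, threshold: int) -> bool:
    """The reader's decision: accept when enough points match."""
    return matched_points >= threshold


def false_accept_rate(threshold: int, impostor_scores: List[int]) -> float:
    """FAR: fraction of impostor attempts the reader lets in."""
    hits = sum(accepts(s, threshold) for s in impostor_scores)
    return hits / len(impostor_scores)


def false_reject_rate(threshold: int, genuine_scores: List[int]) -> float:
    """FRR: fraction of genuine attempts the reader turns away."""
    misses = sum(not accepts(s, threshold) for s in genuine_scores)
    return misses / len(genuine_scores)


def error_rates(thresholds: Iterable[int], genuine: List[int],
                impostor: List[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FAR, FRR) for every candidate threshold."""
    return [(t, false_accept_rate(t, impostor), false_reject_rate(t, genuine))
            for t in thresholds]


def equal_error_threshold(thresholds: Iterable[int], genuine: List[int],
                          impostor: List[int]) -> int:
    """Threshold where FAR and FRR are closest: the equal error rate point."""
    rows = error_rates(thresholds, genuine, impostor)
    return min(rows, key=lambda row: abs(row[1] - row[2]))[0]


def lowest_threshold_meeting_far(max_far: float, thresholds: Iterable[int],
                                 impostor: List[int]) -> int:
    """Lowest threshold whose FAR does not exceed the ceiling.

    This is the security floor a policy should not go under; any threshold
    below it raises FAR, and any threshold above it only buys more FRR.
    """
    for t in thresholds:
        if false_accept_rate(t, impostor) <= max_far:
            return t
    raise ValueError("no candidate threshold meets the FAR ceiling")


if __name__ == "__main__":
    candidates = range(8, 18)
    print("threshold  FAR   FRR")
    for t, far, frr in error_rates(candidates, GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"{t:>9}  {far:.2f}  {frr:.2f}")
    eer = equal_error_threshold(candidates, GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"equal error rate at threshold {eer}")
    floor = lowest_threshold_meeting_far(0.0, candidates, IMPOSTOR_SCORES)
    print(f"lowest threshold with zero false accepts in this sample: {floor}")
```

Run it as a script to print the table. Real readers are tuned on thousands of comparisons rather than ten, and the rates are quoted as tiny percentages, but the shape is the same: one knob, two error rates moving in opposite directions, and a documented reason for where you set it.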
What does this mean for an EMR wanting to use biometrics? You are going to have to decide what FRR and FAR you are ok with. In the end, if you have documented a well-thought-out reason then HIPAA security issues won’t be a problem. However, if you just say “I always want to let my users get in regardless of the security implications” then you might have a HIPAA problem. My suggestion would be to follow the biometrics vendor’s recommendation and use their expertise as the basis for your security. Never go under what the vendor suggests for security; wanting to should raise a huge red flag. Otherwise, biometrics is a great technology with great security benefits and fewer password support requests.