Biometrics – Multiple Users

Multiple Users
In my continuing Biometrics experience I found some interesting problems when multiple people use the same computer. This isn’t a problem when you have a tablet or convertible that is dedicated to a specific doctor or nurse. Once you place a computer in an exam room and want multiple doctors and nurses to use EMR on the same computer you have a major problem.

The worst solution is to make each doctor or nurse log in and out of Windows. Otherwise, the biometrics software can only allow the person who logged into Windows to log into the EMR. We all know how long it takes for Windows to log in and out, so that’s not an option. By the time you are logged in and out of Windows you will have no need for the computer, because your visit with the patient will be done. This is ideal for those counseling centers using EMR. It’s not unreasonable for them to log in and out because they don’t share computers as much and often are going to spend a long period of time charting their clients.

What’s the solution? The key is that you want the computer locked so you have good security, but you don’t want to have to log the Windows user in and out of the system. My friends (at least they better be friends since I’m writing such nice things about them) at Digital Persona have a solution they’ve created for just this problem. It’s been termed to me as their “kiosk” software.

This kiosk software was described to me as being able to have a generic Windows login to a “kiosk” computer. This “kiosk” computer in our example would be a computer in an exam room. Many of you HIPAA experts out there may be ready to scream VIOLATION at the thought of a generic login shared by multiple users. Have no fear! This isn’t the EMR and HIPAA blog for nothing. A generic Windows login really isn’t a problem in this case because it is all integrated with Active Directory. You set a group policy that allows a group of users access to that generic login. Only those users will be able to use the generic login and unlock the computer. Furthermore, every time the generic login is used it is all nicely logged by the biometrics software for future security needs. Isn’t that great?

One caveat is that Digital Persona’s “kiosk” software must be tied to their Active Directory server software, which I’ve mentioned before.

The best summary is one computer used by multiple users using biometrics to securely log into EMR.

About the author

John Lynn


3 Comments

  • Wouldn’t such a generic login remove the possibility of a Single Sign On system? How would you pass a unique, biometric ID to applications that require one? One would think an audit trail would require a unique user assigned to a transaction, not a group.

  • Wouldn’t such a generic login remove the possibility of a Single Sign On system?

    A true single sign on system could potentially wreak havoc on this idea. However, what’s the need for a single sign on if it just requires a touch of a finger? One of the most significant advantages to biometrics is speed of login. There are pros and cons both ways I guess.

    The reality is that a biometrics product could create single sign on for you if they wanted to do that. In fact, it would be true single sign on access since the biometrics program stores the information for all types of applications and doesn’t worry about synching passwords. However, that would mean if you ever left your computer logged in then they would have access to EVERYTHING you had set to be single sign on.

    How would you pass a unique, biometric ID to applications that require one?

    I’m working to get an Active Directory install that I can test this application on. What I’ve described so far is what I was told by the vendor. Hopefully in the next couple weeks I can iron out the details for testing this software. However, from what I was told you should be able to unlock the computer using your fingerprint which will then use the generic login. Once you’re into Windows it should then recognize your fingerprint and log you into the program with the credentials tied to your fingerprint. If it doesn’t happen that way I’ll let you know.

    One would think an audit trail would require a unique user assigned to a transaction, not a group.

    You are correct. I think I just didn’t describe it well. The beauty of blogging. Second Chances!! Let me try again:
    Your fingerprint is a unique identifier that can easily be tied to a user. That fingerprint is logged in the audit trail whenever a transaction occurs. So, if you are able to unlock the computer with your fingerprint then the system logs that your unique fingerprint did the following transaction (i.e., logged into the generic user) at the following time, on this computer, etc. If I needed to go back and say who was using this computer at a specific time I wouldn’t audit the generic user, but instead I would audit the fingerprint being used to log in as the generic user. Does that make more sense?

    Great questions. The single sign on one sure makes me think about my future plans for single sign on work with biometrics.
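The audit approach described in the post and in the reply above (attribute activity to the fingerprint that unlocked the shared login, not to the generic account) can be sketched as follows. This is an added example, not part of the original post or comments and not the vendor's code; the log format, the user names, the `EXAM1` workstation and the group membership are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample unlock log for a shared exam-room PC. Hypothetical format
# (not a vendor schema): time, workstation, event, fingerprint-matched identity.
SAMPLE_LOG = """\
2024-03-04T09:00:05 EXAM1 UNLOCK drsmith
2024-03-04T09:12:40 EXAM1 LOCK drsmith
2024-03-04T09:15:02 EXAM1 UNLOCK nursejones
2024-03-04T09:20:00 EXAM1 UNLOCK drsmith
2024-03-04T09:31:10 EXAM1 LOCK drsmith
2024-03-04T09:40:00 EXAM1 UNLOCK temp01
2024-03-04T09:41:30 EXAM1 LOCK temp01
"""
# Assumed members of the directory group allowed to use the generic login.
KIOSK_GROUP = {"drsmith", "nursejones"}


def parse(text):
    rows = []
    for line in text.strip().splitlines():
        ts, host, event, user = line.split()
        rows.append((datetime.fromisoformat(ts), host, event, user))
    return sorted(rows)


def sessions(rows):
    """Turn UNLOCK/LOCK events into (host, user, start, end) intervals."""
    active, out = {}, []
    for ts, host, event, user in rows:
        if host in active:  # a LOCK, or a takeover UNLOCK, ends the open session
            prev_user, start = active.pop(host)
            out.append((host, prev_user, start, ts))
        if event == "UNLOCK":
            active[host] = (user, ts)
    out += [(h, u, s, None) for h, (u, s) in active.items()]  # never locked
    return out


def who_was_using(sess, host, when):
    """Individual behind the generic login at `when`, or None if locked."""
    for h, user, start, end in sess:
        if h == host and start <= when and (end is None or when < end):
            return user
    return None


def outside_group(sess, allowed=KIOSK_GROUP):
    """Identities that unlocked a kiosk without being in the allowed group."""
    return sorted({user for _, user, _, _ in sess if user not in allowed})
```

The takeover at 09:20 in the sample (a second unlock with no lock in between) is the case to watch on a shared machine: the earlier session is closed at the moment the next fingerprint is accepted, so later activity is not attributed to the previous user.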

  • We have found another solution.

    This is a problem that has come up here many times. Something I have been investigating for a long time and I think I have found a third party product that addresses this problem. The product is called “Unlock Administrator” and information can be found at http://www.e-motional.com/ULAdmin.htm .

    Unlock Administrator allows you to select which users (and they do not need administrative privileges) can unlock a system – either completely unlock saving the current session or forcing the session to close. Like Digital Persona’s product, all activity is logged either to the Windows Event Log or a file. Users use their login name and password to unlock. This will work either with a generic login or anybody else’s login.

    I have been testing this for about a week and have not found any problems…yet. If testing goes well I think this is the solution we will adopt.
