ID FOCUS
Protecting Computer Networks With Biometrics
By Michael Fenner
To access patient medical records and other data, doctors and nurses at Sharp HealthCare in San Diego County, Calif., first type their user name into a personal computer. But instead of entering a password, some place an index finger on a reader, which scans their fingerprint. If the system matches the scanned print to the one on file for the user name provided, he or she is granted access to the network. "I almost always log in on the first shot," says William Spooner, Sharp’s senior vice president and chief information officer.
Interest in using such biometric technologies as fingerprint, face and iris recognition to identify travelers at international airports and border crossings is making headlines around the world. But some public and private enterprises are already using the technology to secure access to their computer networks. Experts agree that much of the interest in biometric network access systems is coming from health care, financial services and government, all industries under pressure to plug holes in their networks.
Vendors also tout biometrics as a way to control password-management costs. Large organizations—some of which grant network access to tens of thousands of users—face a daunting task in managing all those passwords. In the name of security, many companies require employees to change their network passwords several times a year. The result is often a steady stream of calls to network administrators from users who have forgotten their new passwords—or lost the Post-It note where they had written it.
"It’s a never-ending seesaw between (password) administrators and end users," says Harvey Bondar, vice president of marketing for U.S.-based biometrics technology vendor Digital Persona Inc. Ray Wagner, research director at U.S.-based Gartner Research, agrees that interest in biometric access control is growing in part because of its convenience. After all, you can’t forget your fingerprint.
The promise of added convenience and security is driving greater use of biometrics for PC and network security. New York-based International Biometric Group predicts that the market for such systems will grow from $116.4 million in 2003 to $800.1 million in 2008.
Early adopters are wrestling with the best ways to tweak their systems so they work reliably and to accommodate employees who have trouble using biometric systems. And despite some early flaws, biometrics clearly are generating more interest among network security managers around the world.
Examples are popping up all over the world. Schoolchildren in the Spanga-Tensta school district in Stockholm now gain access to the school computer network by pressing their fingers on fingerprint readers attached to classroom computers. The system, which uses readers from Sweden-based Precise Biometrics, Inc., is a boon for younger students who often have trouble remembering their passwords, says Christer Bergman, Precise’s CEO.
In Latin America, branch employees of the Central Bank of Costa Rica log into the main bank system via fingerprint readers supplied by U.S.-based Identix Inc., says Frances Zelazny, director of corporate communications for the biometrics technology vendor.
But there seems to be particular interest in the United States. In part, that’s a result of new laws requiring tighter security on the part of banks and health care organizations, as well as the heightened attention to all security matters in the wake of the Sept. 11, 2001, hijackings.
Sharpening Network Security
Among the U.S. enterprises adopting biometrics for network security is the not-for-profit Sharp HealthCare, which includes seven hospitals and three medical groups. Sharp last year began deploying a single-sign-on biometrics system for its 11,000 employees. That allows them to access a host of network-based data and applications with one press of a finger. Sharp’s CIO Spooner says approximately 2,000 employees—mainly doctors, nurses and clinicians—across four of its hospitals had enrolled in the system as of last month.
The Sharp deployment uses biometric technology and readers from U.S.-based Identix Inc. and single-sign-on software from U.S.-based Sentillion. The system stores templates of the fingerprint images of employees’ left and right index fingers; enrolled employees can use either finger to log in.
The biometric access system is part of what Spooner calls the "common clinical desktop" initiative, which aims to make it easy for health care professionals to access patient records and information securely from any computer within the Sharp network. For example, if a clinician who has signed on to the network must step away from the computer, she can press a "hot key" to lock the desktop. Upon her return, she simply presses her finger on the reader to regain access, Spooner says.
At the launch of the project, Spooner says he hoped Sharp employees would be able to log in to the network reliably about 90% to 95% of the time. In practice, successful log-ins occur about 80% of the time, Spooner says.
The Sharp system has had some difficulty recognizing certain individuals’ fingerprints, and this may be due in part to their profession. Doctors and nurses who wash their hands dozens of times each day, often with alcohol, can have dry fingers that are not easily read by scanners, Spooner says. Users who fail to log in after several tries can use a password as a fallback.
"We are going through a learning curve" regarding how to adjust the reader software for optimal performance in a health care environment, Spooner admits. Sharp is in the process of fine-tuning the system, which should help boost reliability.
But increasing the sensitivity of fingerprint scanners can also lead to problems. Spooner says sunlight shining on readers that have been tuned to be highly sensitive sometimes results in an on-screen error message.
The Sharp implementation has succeeded in giving health care professionals easier access to different parts of the health care organization’s network, which had previously required users to type several passwords. Spooner says Sharp is saving money on password management as a result of the biometric system, though he could not quantify the amount.
Nevada Bets On Fingerprints
Mitigating the hassle and cost of password management was also a goal of the new biometric network security project at the State of Nevada Public Employee Benefits Program office. The program administers and maintains health benefits and records for approximately 30,000 Nevada employees.
Chris DeSocio, information technology officer at the benefits office, says that since installing the biometric log-on system 6 months ago the office’s 50 employees access the network with the press of a finger. The system provides no password back-up, unlike the Sharp HealthCare implementation. In fact, users don’t even know what their passwords are since they are generated randomly by the biometric system during the enrollment process.
In addition to the goal of reducing password-management costs, new regulations prompted the Nevada office to pursue biometrics. In the United States, the Health Insurance Portability and Accountability Act requires hospitals and medical centers to establish safeguards regarding disclosure of patients’ electronic medical records. The goal is to protect the privacy of patients while making health care more efficient by replacing the mountains of paper-based health care forms with electronic documents.
HIPAA’s mandate to protect patient information makes it all the more important for health benefits network administrators to prevent what DeSocio calls "password malarkey," or the sharing of passwords among employees. "It’s about making it easier for people to access information and assuring that they’re the right people," DeSocio says.
Two employees out of the 50 enrolled in the Nevada benefits office occasionally have trouble logging in to the system and must have their fingerprints scanned several times before gaining network access, DeSocio says. "It’s not perfect," he admits, but overall user feedback has been positive. For most users the biometric system "makes their life a lot easier," DeSocio says.
The system cost approximately $100 per person for both hardware and software, DeSocio says. Digital Persona provided fingerprint scanners and software for the project.
Banking With Biometrics
Fingerprint scanners from Digital Persona are also being used in a project at United Bankers’ Bank. Why bother with a biometric logical access control system for banking when usernames and passwords are already common? Because regulators require banks to know who their customers are when executing wire transfers and other transactions, says Darren Mehl, UBB’s assistant vice president of information technology.
"When doing (authentication) over the Web, passwords are just too weak. We wanted to know without a doubt who our customers are," he says.
All 80 employees of UBB, which is owned by U.S.-based United Bankers’ Bancorporation Inc., now access the corporate network through a fingerprint biometric system. That project was launched in 2001, and in September of 2003 UBB began rolling out the same biometric authentication technology to its customers, most of which are small community banks. Of UBB’s 529 client banks, 249 are already participating in the program; the remainder will be included by March, Mehl says.
To log in to the bank’s system, a UBB or customer bank employee enters his user name and presses his finger to the fingerprint scanner.
The system can be set up to remember all of an employee’s passwords for various internal and external network resources. For example, an employee could log in to his Expedia.com travel-reservation account with his fingerprint instead of by typing in his Expedia password. The ultimate goal, Mehl says, is for the biometric system to control access to any customer or transaction data on UBB’s network.
UBB is sending one finger sensor to each of its customer banks at no charge, though the banks pay for additional readers if they want them. Customer banks can enroll an unlimited number of qualified employees in the network access system, however. There are currently 422 registered user profiles stored in the system and 284 fingerprint scanners at UBB’s customer banks, Mehl says.
Seasonal Variations
But, as in other deployments, the sensor technology used by UBB is not foolproof. Mehl says that some people who are enrolled in the system—particularly older women—have trouble logging in during winter months.
Dry skin on fingertips or the use of hand lotions or moisturizers can interfere with a sensor’s ability to read fingerprints, Mehl says. UBB is working on a backup authentication system for those customers who have troublesome fingerprints, but Mehl would not elaborate on what that might entail. He also points out that the vast majority of registered users can log in to the network easily. For example, "it works every single time for me," Mehl says.
Mehl says UBB chose to use fingerprint technology after concluding that many people find iris scan systems too intrusive. But others are giving iris scan technology a try.
For example, approximately 150 employees at Eagleville Hospital in Pennsylvania access the hospital network by looking into an iris scan camera perched atop the facility’s PCs. The project is aimed at meeting the data privacy and computer security requirements of HIPAA. The iris scan system is supplied by U.S.-based Iridian Technologies Inc.
Looking At PDAs
Iridian’s president and CEO, Frank Fitzsimmons, says the company is also readying a prototype iris scan system for wireless personal digital assistants carried by health care professionals. According to a 2003 study by the Pri-Med Institute, a U.S.-based physician advocacy group, 36.5% of doctors surveyed use PDAs.
A camera will snap into a handheld Compaq or Hewlett-Packard PDA running Windows CE, Fitzsimmons says. The camera will control access to both the information stored on the PDA and on the hospital network, which can be accessed from the device. Fitzsimmons says Iridian plans to announce the product officially in the second quarter of 2004.
Still, fingerprint technology is the biometric of choice for most existing logical access systems. While many biometric access projects use only a reader to authenticate users to the network, 2,000 employees at the Washington, D.C., headquarters of the U.S. Department of Treasury use both a smart card and a biometric.
Trung Nguyen, the agency’s smart card program manager, says the new Treasury ID card contains a proximity chip, made by U.S.-based HID Corp., for accessing the building with a wave of the card, and a 32-kilobyte contact chip module from France-based Oberthur Card Systems for network sign-on.
The contact chip stores a fingerprint image of the cardholder, and "we log on using the fingerprint and the smart card," Nguyen says. Cardholders insert the card into a reader, then press their finger to a scanner which compares the live image to the one stored on the chip. As in other implementations, the biometric log-in process has some glitches, Nguyen says, but "most of the time I can get in with one shot."
Treasury is one of several U.S. government agencies rolling out smart cards for employee identification. The goal is for employees to have a single ID card that will provide both physical access to buildings and logical access to the computer network.
More To Come
Treasury has purchased public key infrastructure (PKI) licenses, part of the computer network access system, for all its more than 150,000 employees and contractors. PKI systems control the issuing and maintenance of digital certificates, which allow cardholders to authenticate themselves online and digitally encrypt and sign electronic documents. But full deployment of the ID will not take place until funding is secured, Nguyen says, and he is not sure when that is likely to occur.
The success of pioneering projects in government, health care and financial services will no doubt have an impact on whether and how quickly biometrics are embraced as a mainstream tool for controlling network access and simplifying password management. But in those industries where data security is a high priority, biometrics seem likely to make further inroads in the coming year.
cardtech.faulknergray.com
steve |
