Authentication Device Technology for Healthcare Use Part III – Smartcards & Conclusion

Something I Have + Something I Know = Two Factor Authentication.

Math is awesome. Especially when it is simple.

The big idea now in IT security is multi-factor authentication. The goal, of course is to prove beyond any doubt that the individual trying to access your system is who they say they are.

People can share passwords.

People can share credit card sized devices.

People can lose credit card sized devices.

People can leave a sticky note with a username AND password stuck to the very monitor of the system that is trying to be protected with said username and password.

So how can we be sure that the person logging in is who they say they are? As this is the third and final part of our series on authentication devices for healthcare, we will try to wrap all of this up into nice little bow.

If only it were that easy.

I keep forgetting about smart cards. But there is a good reason. I swear… the reason for which I will divulge after we discuss them more thoroughly.

The idea of smart cards is to give a very strong method of authentication by incorporating essentially a mini computer to help the big computer verify that the user is not a spy, thief, secret agent guinea pig or the ex-boyfriend of a patient trying to find out if his ex and her new husband are pregnant.

The smart card is really a miniaturized computer. Many people really don’t know that there is a micro processor and RAM built-in to these nifty little devices. Some of them are capable of quite a bit, but for this discussion we’ll just focus on a normal enterprise environment (typical hospitals).

The smart card will usually contain an encrypted unique identifier that can only be released to the big (host) computer by the correct password being entered by the user. This provides our two factors of authentication. The card as something you have and the password as something the user knows. Utilizing the internal storage of the card there could be additional levels of ‘something you know’ stored on the card like “Mother’s maiden name” or “first pet”.

From a user side: The user slips the card into the smart card reader, enters a password and gets to work. When the user is done, they simply remove the card and go on their way, which will automatically terminate or lock the user’s desktop until a smart card is inserted and the process starts over again.

As an added bonus, quite a few computer manufacturers are incorporating smart card slots into the computer hardware as standard equipment.

So we do indeed have a much stronger method of authentication by using smart cards. But here are the issues (and why I often disregard them as a viable authentication method for healthcare):

1. Cost: Smart cards (at least the brands you want to use) run from $3.00 to $20.00 a piece and that’s buying in bulk. That can get expensive for an entire user-base that is likely to forget those cards at a rate of 20-30% per year (see #3 below). The smart card readers are also much more likely to break or wear out and need replacement or more regular maintenance than prox readers.
2. Breakage: The microchips are fragile and can wear out, making the card unreadable. Since the card has to be inserted into a reader, the plastic and laminate wears out much faster than a proximity card (which is zero touch/rub).
3. Forgotten cards: Since the user has to leave the card in the reader for the duration of the session, the card is frequently forgotten at the end of the session and left in the reader… often with the session still open for someone walking by to use.

The difference between a true smart card (as described above) and a prox card as described in Part 1 of this series, is the fact that the smart card is unique and encrypted where a prox card has an easily readable number that is just passed to the prox reader. In theory, this number can be forged into a ‘dummy prox card’- but the user of the dummy card still has to have the password.

The ultimate in security is a biometric identifier stored on a smartcard that also requires a password. This goes beyond two factor authentication to something else entirely and even if you have the Russians (or Ethan Hunt of the Impossible Mission Force) trying to steal state secrets, your Chief Security Officer will feel pretty good about him/herself. Of course, it will make the user’s lives a nightmare for access… but that’s progress!

Authentication Device Wrap-Up

From a Healthcare perspective, although all methods discussed in this series can work: there are currently two technologies that make the most sense from a total security, TCO and usability/speed of access standpoint. What I take into account most (after security) is the effect on the users and the fact that doctors and nurses are already being slowed down by new EHR and CPOE systems and so we are looking for the simplest and fastest way to get them in and out with minimal frustration.

1. Fingerprint biometrics. Until the cost comes down on palm-vein scans, fingerprints offer the best security the 2^nd best usability, 2^nd best cost and allow for the possibility of the user not having to remember ANY passwords (huge plus for the users and the help desk). The main downside is implementation and getting the users trained. It may sound simple but making sure the users put their finger in the right place on the sensor is a big deal and causes user frustration when the “device doesn’t work”.
2. Passive Proximity cards. Prox cards are less expensive than smart cards, wear out at a much slower rate and are less likely to be left at the last computer used. They currently offer the fastest possible method of access and users usually don’t screw up waving a card in front of the device (though I have seen users trying to wave the card at the monitor).

Coupled with the right Single Sign-On or ease of access solution, either of these methods will make for a happy CSO and happy doctors and nurses (which ain’t easy).

Explore posts in the same categories: authentication devices, clinical workflow, Single Sign-On

Tags: Barriers to EMR, clinical workflow, CPOE, healthcare IT, HIPAA, physician alignment, Single Sign-On, SSO, Symantec Workspace Corporate

You can comment below, or link to this permanent URL from your own site.