Is Biometric Authentication the Future of Healthcare Security?

June 20, 2014

Think passwords are passé and that biometrics will come to the rescue to keep healthcare records safe? Think again - it's only one part of the security puzzle.

Many people believe the future of controlled access to healthcare networks and medical records software systems will be based upon some type of biological-based authentication, commonly referred to as biometrics. If you think biometric-based security will make your life easier, think again.

Before we jump into the problems, let's look at where the technology is today. The current prevailing consumer biometric approach is the use of a fingerprint. Prior to the release of the iPhone 5S, fingerprint scanners could be found embedded in laptops and tablets and were also available as USB devices. The release of the iPhone 5S, with its Touch ID, brought fingerprint scanning into the mainstream. Apple touted the likelihood of an errant match with Touch ID to be 1 in 50,000, highlighting the unique potential of biometric-based authentication.

Without question, biometrics is an improvement for security and in most cases much better than user-generated passwords. After all, passwords have limitations, and we are that limitation. Case in point, password management company SplashData released a report of the most popular passwords for 2013, and the top spot went to "123456," dropping the 2012 winner, "password," to the number two spot. If that's not bad enough, most of us only use a few passwords for all of the websites we access. If one of those sites gets hacked, perhaps a site you used once years ago, your overused password is now in the open and can be used to access your bank, your medical records, or any other destination where you used that same password. Biometrics to the rescue, right? Not so fast.

When the iPhone 5S and its Touch ID hit the market, within two weeks the technology was hacked by a group of German hackers. They used a laser printout of a fingerprint, created a glue mold, and tricked the device. 3-D printing will make this process even easier. But physical replication isn't the only vulnerability of biometric authentication.

A fingerprint scanner is just that, a scanner. It reads the nuances of your finger, digitizes it, and then stores that information in an encrypted file somewhere on your device or on a remote server. In the case of the iPhone 5S, Apple stores this information on a quarantined section of the phone's processor in an area users can't access - at least most users wouldn't be able to access it. But what if they did?

The reality is biometrics can still be boiled down to an encrypted file being stored somewhere. While defeating encryption isn't in every hacker's wheelhouse, it happens, probably more often than we are all aware. And once your fingerprint gets into the open, you can't change that as readily as you can your password. And therein lies the Achilles heel of biometric authentication: Once it's hacked, your uniqueness is gone, and you can't change your fingerprints, your retina, or your palm print.

Biometrics will improve security as the technology continues to be deployed across more systems and devices, but by itself, it's only an incremental improvement. Even with biometrics, we can still expect to see more systems relying upon two-factor authentication - or something you have and something you know. While not perfect, the addition of biometrics to two-factor authentication will add layers of security to the protection of our medical networks.