Industry Update: Managing User Authentication in Healthcare

By Deepa Saldanha, Director, Coalfire/Collin Schuler, Associate, Coalfire

In early 2010, Lincoln National Corporation endangered more than 1.2 million accounts through credential-sharing among company personnel and affiliated vendors. The shared credentials were used primarily to access the portfolio information management system, and the practice had been going on since 2002. Although most company policies prohibit credential-sharing (as LNC's did), the practice still occurs to this day, and every shared login is an account whose audit trail can no longer be tied to a single person.

Information security has become a top priority for organizations, and individual accountability is considered one of the key controls for preventing breaches and data security incidents. Although the concept seems simple to implement, not all organizations have managed to adopt it. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established requirements for protecting the privacy and security of health records, including the requirement to track each user's access to an electronic health record. As our nation moves from paper records to electronic health records, a strong authentication process for the individuals requesting access to medical records is crucial to protecting privacy. IT departments at many healthcare entities increasingly face the question of how to grant access to an electronic health record quickly while also recording who accessed it, as the audit requirement demands.

So how do organizations and IT experts ensure accountability for the actions taken by individuals while keeping access to sensitive information convenient for personnel? Several solutions have recently been presented to address this need. Some of these include:

  • Biometric devices
  • Proximity cards and PIN codes
  • Single sign-on

Biometric authentication devices, which verify a physical trait of the individual, are commonly deployed by organizations. Examples include speaker (voice) recognition, fingerprint and iris scanners, and palm vein identification. With a fingerprint solution, access is granted on a simple scan of a fingerprint, which verifies the individual's identity faster than typing a username and password. Palm identification scans the vein pattern beneath the skin of the hand, which is unique to each person, and is highly accurate. Voice-based authentication relies on the fact that each individual's voice differs from everyone else's; note that this is speaker recognition (who is talking), not speech recognition (what is being said). According to the National Institute of Standards and Technology (NIST), speaker recognition measures the acoustic features of an individual's speech, such as voice pitch and speaking style. Finally, iris scanners authenticate an individual by imaging the iris of the eye and generally do not require the individual to touch the scanning device.

Examples of where organizations have recently implemented biometric authentication solutions include:

  • September 2009: Bates County Memorial Hospital implemented a palm identification system for personnel in order to improve work efficiency and track employee access. The solution was provided by Fujitsu, and Bates had been pursuing an authentication process that was simple and reliable. The palm identification system was also designed to be contactless, a feature that emphasized hygiene for personnel. Earlier devices had sometimes required individuals to actually place their hand over a scanner.
  • August 2011: Arizona’s Children’s Clinic for Rehabilitative Services implemented fingerprint biometrics to substantially improve the security of systems and efficiency of personnel. The IT department had been searching for solutions that would allow personnel to access critical applications from any internal system without having to constantly log on and off. The clinic purchased a fingerprint solution that was widely accepted by users for login procedures and was quick and simple.
  • November 22, 2011: Los Angeles International Airport began upgrading and replacing its access control systems with biometric authentication and contactless cards in an effort to strengthen its security. Iris scans were preferred because they are less intrusive for personnel than other biometric access controls. LAX is not the first U.S. airport to adopt such solutions; the Seattle and Minneapolis airports have used this technology since 9/11.

Issuing proximity cards is another authentication method used by all types of organizations. A proximity card generally carries a small radio transponder (RFID), or in older "swipe" badges a magnetic stripe, holding an identifier that the access system ties to the individual's name, ID number, and level of access privileges. Cards can be read in several ways, such as swiping, inserting, or holding the card up to a reader. Proximity cards can also double as photo IDs and allow the organization to track the individual's actions. A PIN code can be required alongside the card, at the discretion of the organization; without one, whoever holds the card is treated as its owner.

An example of where an organization has recently implemented proximity cards as an authentication solution includes:

  • April 2011: Albert Einstein Healthcare Network implemented a new form of proximity cards for several reasons, including convenience, authentication, and security. The proximity cards allowed personnel to log on and off the system through a card reader without requiring them to type in a username or password. The proximity cards were associated with a single sign-on feature.

Single sign-on (SSO) is another authentication method and is commonly seen in the healthcare industry. Personnel arriving for a workday enter their usual credentials once (typically a username and password) and then select the applications they will use for the day's operations. SSO saves time because users are no longer constantly logging on and off as they move between separate systems. When personnel need to reach an application with higher restrictions, SSO can be designed to require a second authentication factor (a card, PIN, or biometric) before it grants access, so the strength of the login can be stepped up only where it is needed. One deployment option pairs SSO with a virtual desktop, so that a user's roaming desktop follows them to any workstation after a single strong authentication.
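The SSO flow described above (log in once, step up to a second factor only for restricted applications, and attribute every access to a named individual so the HIPAA audit requirement can be met) as an added Python example. This is illustrative code written for this page, not code from the article or from any vendor or hospital named in it. The ticket format (an HMAC-signed JSON body), the two authentication levels, the application names, the user records and the secret are all constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

# Assumed authentication levels; a real deployment maps these to its own policy.
LEVEL_PASSWORD = 1    # username and password only
LEVEL_TWO_FACTOR = 2  # password plus a second factor (card, PIN or biometric)


def _hash_password(salt: bytes, password: str) -> str:
    # PBKDF2 keeps the example dependency-free; prefer argon2id or scrypt in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


class SSOService:
    """Issues one HMAC-signed ticket per login and records every use of it."""

    def __init__(self, secret: bytes, ticket_ttl: int = 8 * 3600):
        self._secret = secret
        self._ttl = ticket_ttl  # seconds a ticket stays valid (one shift)
        self._users = {}        # username -> (salt, password hash, 2nd-factor secret)
        self._app_policy = {}   # application -> minimum level required
        self.audit_log = []     # one record per login, step-up or access attempt

    def add_user(self, username, password, second_factor_secret):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _hash_password(salt, password), second_factor_secret)

    def register_app(self, app, min_level):
        self._app_policy[app] = min_level

    def audit_for(self, username):
        """Everything attributed to one named individual: the audit view HIPAA asks for."""
        return [r for r in self.audit_log if r["user"] == username]

    def _issue(self, username, level, now):
        payload = {"sub": username, "lvl": level, "exp": now + self._ttl,
                   "jti": secrets.token_hex(8)}
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        return body.hex() + "." + hmac.new(self._secret, body, hashlib.sha256).hexdigest()

    def _verify(self, ticket, now):
        body_hex, _, mac = ticket.partition(".")
        try:
            body = bytes.fromhex(body_hex)
        except ValueError:
            raise PermissionError("ticket malformed")
        expected = hmac.new(self._secret, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            raise PermissionError("ticket signature invalid")
        payload = json.loads(body)
        if payload["exp"] <= now:
            raise PermissionError("ticket expired")
        return payload

    def _audit(self, **record):
        self.audit_log.append(record)

    def login(self, username, password, second_factor=None, now=None):
        """Authenticate once; the ticket carries the level actually achieved."""
        now = time.time() if now is None else now
        rec = self._users.get(username)
        # Unknown users get a dummy record so the hash is still computed and
        # response timing does not reveal which usernames exist.
        salt, pw_hash, sf_secret = rec if rec else (b"\0" * 16, "0" * 64, "")
        good = hmac.compare_digest(_hash_password(salt, password), pw_hash) and rec is not None
        if not good:
            self._audit(ts=now, user=username, app="sso", action="login", level=0, result="denied")
            raise PermissionError("bad username or password")
        level = LEVEL_PASSWORD
        if second_factor is not None:
            if not hmac.compare_digest(second_factor.encode(), sf_secret.encode()):
                raise PermissionError("second factor rejected")
            level = LEVEL_TWO_FACTOR
        self._audit(ts=now, user=username, app="sso", action="login", level=level, result="ok")
        return self._issue(username, level, now)

    def step_up(self, ticket, second_factor, now=None):
        """Upgrade a password-only session to two-factor without retyping the password."""
        now = time.time() if now is None else now
        payload = self._verify(ticket, now)
        _, _, sf_secret = self._users[payload["sub"]]
        if not hmac.compare_digest(second_factor.encode(), sf_secret.encode()):
            raise PermissionError("second factor rejected")
        self._audit(ts=now, user=payload["sub"], app="sso", action="step-up",
                    level=LEVEL_TWO_FACTOR, result="ok")
        return self._issue(payload["sub"], LEVEL_TWO_FACTOR, now)

    def access(self, ticket, app, action, now=None):
        """Check the ticket against the app's policy and log who did what; returns the user."""
        now = time.time() if now is None else now
        payload = self._verify(ticket, now)
        need = self._app_policy[app]
        allowed = payload["lvl"] >= need
        self._audit(ts=now, user=payload["sub"], app=app, action=action,
                    level=payload["lvl"], result="ok" if allowed else "step-up required")
        if not allowed:
            raise PermissionError(f"{app} requires authentication level {need}")
        return payload["sub"]


if __name__ == "__main__":  # constructed demo data
    svc = SSOService(secret=b"constructed-demo-secret")
    svc.add_user("alice", "correct horse battery", "482913")
    svc.register_app("scheduling", LEVEL_PASSWORD)
    svc.register_app("ehr", LEVEL_TWO_FACTOR)
    t = svc.login("alice", "correct horse battery")
    svc.access(t, "scheduling", "view roster")
    t = svc.step_up(t, "482913")
    svc.access(t, "ehr", "open chart")
    for row in svc.audit_for("alice"):
        print(row)
```

Two design points carry the article's argument. The ticket records the level the user actually reached, so an application that handles records can refuse a password-only session without forcing a full re-login, which is the step-up behaviour the text describes. And every record in the audit log names the individual from the ticket rather than a workstation or a shared account; `audit_for()` is the query a compliance reviewer would run, and it only yields a meaningful answer if nobody shares credentials.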

An example where an organization implemented SSO as an authentication solution includes:

  • March 2009: Fairfield Medical Center, based in Ohio, implemented a single sign-on solution to boost personnel efficiency. Previously, personnel were constantly logging into physically separate systems to perform job-related tasks, juggling at least six different passwords. After the SSO rollout the hospital saw a sharp decrease in IT help desk requests.

The authentication methods listed above can usually be customized from the vendor based on the organization’s needs. This includes the devices needed and any applicable software. For clients interested in these potential solutions, it is also helpful to know the potential advantages and disadvantages.


Authentication Option: Biometric Scanners

  Advantages:
  • Based on physical traits of an individual.
  • Makes malicious impersonation difficult.
  • Accurate and easy to use for authentication.
  • Relatively user friendly.

  Disadvantages:
  • Critics consider the technology personally intrusive.
  • Does not guarantee 100% accuracy; both false accepts and false rejects occur.
  • Not all users will be able to enrol, because of injuries or unusual physical features.
  • Some biometric access solutions are extremely expensive.
  • A compromised biometric template cannot be reissued the way a password or card can.


Authentication Option: Proximity Cards

  Advantages:
  • Authentication credentials are stored on a physical card.
  • Less intrusive than biometric access controls.
  • Relatively simple to disable a card that is lost or stolen.
  • Affordable for most organizations; cards that carry encrypted credentials are hard to duplicate.

  Disadvantages:
  • Does not guarantee that individuals will not hand their card to someone else.
  • Easy to lose and susceptible to damage or theft.
  • Older low-frequency cards that simply broadcast their identifier can be cloned with inexpensive readers; pair the card with a PIN where that matters.
  • Installation costs for the system can be relatively high.


Authentication Option: Single Sign-On

  Advantages:
  • Reduces the time personnel spend constantly logging on and off systems.
  • Personnel do not need to remember several different IDs and passwords.
  • Improves workflow and personnel efficiency.

  Disadvantages:
  • Integrating the solution with the organization's existing applications can be difficult.
  • One credential now unlocks every connected application, so its compromise has a far larger impact.
  • If the SSO service or its network fails, users can be locked out of every system behind it.
  • The SSO service itself becomes a high-value target for attackers.

Finding the delicate balance of individual accountability and convenience doesn’t have to be a complicated task. Organizations can choose from a variety of methods that suits their business needs. However, it’s important that they consider their options carefully, both weighing the advantages and disadvantages of each solution and identifying which one will benefit them the most.