Biometric sounds like science fiction - bit It is a real issue for the health service.Sally Whittle reports

Published: 24/01/2002, Volume II2, No. 5789 Page 10 11

When the government's public enthusiasm for ID and 'citizen access' cards was at its height, there was excited speculation in the press that they could carry 'biometric' identification.

Fingerprints, and even iris scans, could be included to prevent fraud, it was suggested.

Some of this sounds like science fiction, but it is not.

Companies and health organisations are already working on the next generation of secure ID services using biometric technologies that identify users on the basis of their unique physical characteristics (see box).

In addition to being extremely secure (it is pretty difficult to fake a fingerprint), biometric technologies offer cost savings.

According to technology analysts Forrester Research, each time an employee forgets their password it costs organisations an average $200 in administration time and lost productivity.

Biometrics eliminates this problem by removing the need for passwords.

Market watcher IDC reports that global sales of biometric technologies, including fingerprint, voice, eye and facial recognition systems, reached $200m in 2000, and will grow to $1.8bn by 2004.

The healthcare sector accounts for a significant chunk of this market, says John Gallaway, marketing director of biometric supplier Biometricate. The company is working with 25 hospitals and health authorities on biometric projects, and Mr Gallaway believes the number will grow rapidly.

'The health service is facing two key issues: confidentiality and quality of access, ' he says.

'Biometrics is a way to meet both of those issues by enabling secure access to anyone who is authorised to see information.'

Much of Biometricate's work is based on fingerprint recognition, the most widely used of all biometric technologies.

Fingerprint recognition uses a small scanner, attached to a computer, to take a digital photograph of an individual's fingerprint. The fingerprint image is reduced to a series of numbers, based on the patterns of the skin at key points on the fingertip - known as 'minutiae' - and compared to a central database to identify the user.

At less than£50, scanners of this type are available embedded in desktop PCs and keyboards from mainstream vendors such as Compaq, HP and Dell.

The NHS Information Authority arranged for fingerprint access to be used at two pilot projects giving patients access to their electronic medical records.

A much larger pilot of this form of access will now be carried out at Lancashire and Bradford HAs.

One hundred biometric licences will be allocated to staff so they can access data held on the HAs' Exeter System, over a web system known as Open Exeter.

Another early adopter is Sheffield Children's Hospital, which is testing Biometricate's fingerprint recognition as a way to provide secure access to patients'medical records and speed up the delivery of laboratory test results.

The system allows test results to be entered into a computerised system, and digitally 'signed' using the laboratory staff member's fingerprint. This provides the hospital with a clear audit trail, as well as reducing the amount of paperwork involved.

'Maintaining confidentiality is critical to patients and staff alike, ' says Russell Banks, the hospital's IT manager. 'But delivering lab results accurately and rapidly is also an important part of quality healthcare.'

The fingerprint recognition system could be expanded, Mr Gallaway claims. For example, embedding biometric technology into a hand-held computer running a prescription-tracking software application would record exactly which consultant authorised which treatment, or which nurse gave the injection to which patient. Another potential benefit? 'It also gets around the issue of not being able to read doctors' handwriting.'

At the Dutch Burns Foundation, a non-profit organisation that researches burn injuries, a combination of fingerprint scanning and voice printing is used to provide secure access to lab facilities and medical records.

Working with US biometric supplier Keyware, the foundation has created a central database with information on hundreds of Dutch burns patients, with additional records supplied by 10 other burns units across Europe.

The aim of the project is to allow doctors to securely share information and treatment plans over the internet, says Luc Taal, the foundation's project manager.However, the sensitivity of the data held meant that it required 'extraordinary' levels of security. 'Due to privacy regulations, we were only allowed by the government to implement the project if we used a highly secure authentication and encryption systems, ' he says.

To satisfy the government, the foundation has embedded both fingerprint recognition and voice printing into a secure, 'smart' user ID card.

Voice printing works by taking a recording of a user speaking a pre-set phrase, and creating a unique 'print' based on the individual's cadence, tone, pitch and shape of the larynx. A recent study conducted by the Communications Electronic Security Group (part of the British intelligence service) found that voiceprint systems successfully rejected 99.3 per cent of impostors and recognised 99 per cent of valid users.

Foundation staff attend a training session where their voice prints and fingerprints are recorded and encrypted before being transferred to their smartcards.

If the user wants to access medical files or secure lab facilities, they must speak a pre-set phrase into a door-mounted microphone and place their finger into a fingerprint scanner. The two sets of data - from the door-mounted systems and from the smart card - are then sent over the internet to a trusted third party to be checked. If the sets of information match, the door opens. It sounds complex, but the whole process takes around 30 seconds, says Mr Taal.

The potential applications of biometrics in the health sector are virtually limitless, believes Frank Prince, a research director with Forrester Research.

From scanning for troublemakers in the accident and emergency waiting room to allowing patients to sign-in digitally and read their own medical records, there are a range of technologies to suit most needs.

'In the case of something like facial recognition, for example, the patients wouldn't even have to know it was there, ' he says. 'It could just be working in the background, looking for troublemakers, and alerting security to their presence before it becomes a problem.'

But therein lies one of the thorniest issues of biometric technology - some critics see it as a potential invasion of privacy.

Not only can the technology be seen as invasive, but it relies on large databases of personal information. Privacy campaigners fear that if these databases were hacked into or stolen, then a person's identity could be permanently compromised - after all, it is a lot easier to change your password than your fingerprint.

There are also still technical limitations to some biometric systems, Mr Gallaway admits. For example, while fingerprint recognition is getting more reliable, some readers still have problems reading certain types of prints.

For example, some readers are unable to read AfroCaribbean users'prints because of the different contrast between light and dark areas of the skin.

Other problems can arise if a user's body temperature is too high, or if they do not have a fingerprint - because it is covered in dust, for example.

The biggest problem, however, with biometrics is that the technology is only as good as the least effective user.

According to consults International Biometrics Group, 10 per cent of any sample user group will be unable to use a biometric system because of human or machine error.

The Nationwide building society, for example, abandoned its biometric-enabled cash machines when it found out that customers were not always too keen to have their eyeballs measured by a glowing infrared laser.

Another prominent government department in South America, meanwhile, spent thousands on a fingerprint recognition system that was installed too high on the wall for shorter members of staff to provide an accurate print.

While many industry observers believe people will be happy to swap passwords and PIN numbers for biometric access, others are concerned that organisations see biometrics as just one part of a wider solution.

Biometric technologies do not remove the need for passwords, security codes and ID cards, cautions Piers Wilson, a senior consultant with Insight Consulting. 'Biometrics is just one part of the jigsaw puzzle.Nothing will give you total security.' l How does it work?

Fingerprint recognition

A fingerprint scanner takes a digital picture of a fingerprint and reduces it to a map of points where ridges in the skin meet and separate.This data is unique and consistent over time, and systems will correctly identify a user 98-99 per cent of the time.

Technology is available for less than£50 per user, but the public may see fingerprinting as having negative associations with criminal activities.

Palm reading

Hand geometry systems use the same technology as fingerprint readers to scan the length, width and position of the fingers.

These systems are easy to use and are well suited to securing doors within buildings.However, they correctly identify users only 95-98 per cent of the time and are not suitable for users with conditions like arthritis.

Iris scanning

The iris scanner uses a video and infrared reader to map 400 separate features of the eye, and even checks for vibrations to make sure the person is alive.The technology is ideally suited to cash machines, as it has a range of about one metre, but consumers have so far felt uncomfortable being subjected to scanning by this kind of system.Virtually impossible to fool.

Voice printing

Voices are digitally recorded and checked for a range of features, including tone, vibration, the shape of the larynx and pitch.New voice-printing technologies have improved the reliability of this technology, and it can now be used over a standard phone line.Typically identifies the user correctly 99 per cent of the time.

Facial recognition

Video and infrared rays map the contours, curves and measurements of the human face.The advantage is that this can be linked into closed-circuit TV systems and used without the subject's knowledge, but this could be seen as an invasion of privacy.Around 98 per cent accurate, but falls steadily as the number of faces scanned increases.