When a Columbus (Ohio) man was indicted by a grand jury in April on identity theft charges, the case had nothing to do with stolen credit cards or bank accounts. Instead, police say the suspect, who pleaded not guilty, used a South Carolina man’s identity to obtain more than $300,000 in treatment at Ohio State University’s Wexner Medical Center.
Data breaches at hospitals may cost the U.S. health-care industry as much as $7 billion a year, according to the Ponemon Institute, a Michigan-based organization that studies privacy, data protection, and security. And that doesn’t count the unknown cost of fraudulent use of information from lost or stolen insurance cards and driver’s licenses. HCA Holdings (HCA) hospitals in London and many U.S. providers have a solution: using biometric technology to verify patient identities. “If you don’t have a good way of authenticating legitimate users,” says Ponemon Chairman Larry Ponemon, “whatever you do on the other side isn’t going to be good enough.”
Biometric devices that recognize people’s physical traits—think iris scanners or palm vein readers—are no longer the stuff of spy movies or border control. Consultant Acuity Market Intelligence forecasts global biometric device sales will increase about 20 percent a year to almost $11 billion by 2017. And device makers, such as France’s Safran (SAF:FP), Japan’s Fujitsu (6702:JP), and AOptix Technologies and M2Sys Technology in the U.S., say demand from health-care providers is growing. Ensuring the right person gets the right medicine is the main reason to use biometric devices, but they also reduce the risk of medical identity fraud, which can leave hospitals with unpaid bills and consumers on the hook for care they didn’t receive. “You can make a lot of money very quickly as a criminal [bilking insurers] with a low probability of getting caught,” says Pam Dixon, executive director of the World Privacy Forum, a nonprofit researcher. “It’s a far easier crime to commit than robbing a bank.”
Using biometric technologies such as iris scans or facial-recognition software gives a level of assurance of a person’s identity that can’t be provided by a password or key card, which can be used by someone else, says Ted Dunstone, chief executive officer of Sydney-based consulting firm Biometix. The technology is also becoming more affordable, with iris-scanning units costing $200 to $300.
The iris is considered the best biometric identifier, says AOptix, whose technology is used at Gatwick Airport in London. With so many unique features, an iris scan is 100,000 times more resistant to false identification than facial-recognition software, says Joey Pritikin, AOptix’s director of product marketing for identity solutions. HCA, the largest for-profit U.S. hospital chain, chose scanners using iris technology developed by Maryland-based Eye Controls for its private facilities in London over patient ID cards with magnetic strips. “We needed something that people can’t not bring with them,” says Mike Gogola, chief information officer at HCA’s global division. (Patients frown on fingerprinting, associated with identifying criminals.) Eye Controls’ technology has also been used at Urban Health Plan, which operates medical centers in New York City. Atlanta-based M2Sys says it’s signed up dozens of hospitals, including Hugh Chatham Memorial Hospital in Elkin, N.C., and Phoebe Dorminy Medical Center in Fitzgerald, Ga.
More than half of the 80 health-care organizations that participated in a Ponemon Institute survey reported one or more incidents of medical identity theft. Forty-five percent reported having more than five data breaches over the past two years. “This is a technology whose time has arrived both in a cost sense and in terms of its potential utilization,” says Biometix’s Dunstone.
At HCA’s British hospitals, scanners are used when patients check in, as well as in radiology and at the cashier. When a patient is first enrolled, a camera takes a digital picture of the iris using LED lights. Gogola says most people approve, though using the system isn’t mandatory. “Patients equate high-tech with high quality,” he says.