Iris Scans Seen Shrinking $7 Billion Medical Data Breach
Iris scanners aren’t just for airport border-control agents and spy movies anymore.
Clinics and hospitals around the world are acquiring technology that identifies people based on physical traits to improve patient safety and stamp out fraud. HCA Holdings Inc. (HCA) hospitals in London, as well as health-care providers across the U.S., are buying so-called biometric technologies.
Biometrics makers, such as Safran SA (SAF), Fujitsu Ltd. (6702) and closely held AOptix Technologies Inc. and M2Sys Technology, say demand from health-care providers is growing. While ensuring the right person gets the right treatment is the main reason for buying biometrics, hospitals and patients see another benefit: reducing the risk of data breaches that can lead to identity theft.
“It’s a form of health-care fraud,” said Pam Dixon, executive director of the World Privacy Forum, a San Diego-based nonprofit research organization. “You can make a lot of money very quickly as a criminal with a low probability of getting caught. It’s a far easier crime to commit than robbing a bank.”
Identify theft is leaving hospitals with unpaid bills and consumers on the hook for costly treatment they didn’t receive. Data breaches, which include lost and stolen information, may cost the health-care industry in the U.S. as much as $7 billion a year, according to a survey conducted by the Ponemon Institute, a Traverse City, Michigan-based organization that studies privacy, data protection and security.
That explains why the health-care industry represents a growth area for the biometrics market, which Louisville, Colorado-based Acuity Market Intelligence forecast will increase about 20 percent a year to almost $11 billion by 2017.
The shares of Paris-based Safran, whose Morpho unit is the world’s biggest biometrics company, have gained 35 percent in the past year, while Tokyo-based Fujitsu has risen 2.5 percent.
HCA, the largest for-profit U.S. hospital chain, is using iris scanners at its private facilities in London after considering patient ID cards with magnetic strips.
“We needed something that people can’t not bring with them,” said Mike Gogola, chief information officer for HCA International, the Nashville, Tennessee-based company’s overseas arm. Fingerprinting wasn’t popular because of its association with identifying criminals, so the company chose iris technology from closely held Eye Controls LLC of Rockville, Maryland.
Electronic medical records and computerized drug-ordering systems have made it easier for caregivers to exchange information needed to treat patients. Such systems can still be prone to errors: A patient’s allergies or test results may end up in the wrong place if another patient has a similar name, or duplicate medical records exist for the same person. That can lead to repeated orders for lab work, missed diagnoses, adverse drug reactions and even death.
More than half of the 80 health-care organizations that participated in the Ponemon Institute’s survey reported one or more incidents of medical identity theft. Ninety-four percent had at least one data breach in the past two years, and 45 percent reported that they had more than five such breaches. The survey was sponsored by ID Experts Corp., a Portland, Oregon- based company that sells products and services to prevent data breaches.
“This is a technology whose time has arrived both in a cost sense and in terms of its potential utilization,” said Ted Dunstone, chief executive officer of Sydney-based biometrics consulting firm Biometix. “It has the potential to radically alter the way hospitals deliver their service. I think we will see a lot more adoption both of iris technology and of biometrics generally in the health-care sector.”
The technology isn’t foolproof. Medical identity theft is often an inside job, with employees of health-care providers stealing and selling the information, the World Privacy Forum’s Dixon said. Electronic record-keeping has made it easier to steal many identities at once, and using biometrics may only create more information to steal, she said.
“You can scam this just as you scam an ID card,” Dixon said. “Palm vein scans or iris scans can be associated with other records, but you have to be inside the system to do it.”
In 2007, a woman who worked at the Cleveland Clinic in Florida pleaded guilty to improperly obtaining information about more than 1,000 patients and selling it to her cousin. The data was used to submit $7 million in bills to the Medicare program.
Medical identity theft also occurs in the U.K., where all residents have access to the taxpayer-funded National Health Service. Some people steal patient data to bill for private health-care services, a market valued at about 9 billion pounds ($13.9 billion) in 2009, according to a 2011 study by the Office of Fair Trading. There is also “shame-based” theft, in which a patient who doesn’t want his illness to be known seeks care using someone else’s identity, Dixon said.
Such incidents are spurring hospitals to look into biometric technologies, said Mizan Rahman, chief executive officer of Atlanta-based M2Sys.
Using biometric technologies such as iris scans, facial recognition and fingerprint and palm vein scans provides a level of assurance about a person’s identity that can’t be provided by a password or key card, which can be given to someone else, Dunstone said in an interview. Biometrics are also convenient, since a person always has their identifying features with them, he said.
Technologies that don’t require the user to touch a device, such as iris scanners, are particularly important in hospitals, where physical contact can spread diseases, Dunstone said. The technology is also becoming more affordable, with an iris scanning unit costing about $200 to $300, he said. Prices may decline further, he said.
Among biometrics, the iris is considered the most unique identifier, according to AOptix, a closely held company in Campbell, California, whose technology is used at Gatwick Airport in London.
The iris has so many features that it’s 100,000 times more resistant to false identification than face recognition, said Joey Pritikin, AOptix’s director of product marketing for Identity Solutions. Not even identical twins have the same iris, and a person’s right and left eyes have different irises.
“We are simply starting to understand the health-care market,” Pritikin said in an interview. “This is a new application.”
Scanners are used when patients check in as well as in radiology and at the cashier, HCA’s Gogola said. When a patient is first enrolled, a camera will take a digital picture of the iris using low-power light-emitting diodes, known as LED lighting, from as close as 1 inch or 2 inches to as far as a few yards away.
Most patients approve, though using the system isn’t mandatory, Gogola said.
“Patients equate high-tech with high quality,” Gogola said. “This streamlines the patient journey.”
Eye Controls technology has been used at Urban Health Plan Inc., which operates medical centers in New York City. M2Sys said it’s signed up dozens of hospitals, including Hugh Chatham Memorial Hospital in Elkin, North Carolina, and Phoebe Dorminy Medical Center in Fitzgerald, Georgia.
“We tried to penetrate the health-care market almost six years ago,” Rahman said. “At the time, we had only a fingerprint system. We saw tons of resistance because no one wanted to touch the scanner.”
About a year ago, iris scanning became more affordable and more common, and M2Sys changed its approach. The company’s product is an extension of the hospital’s electronic medical records system, and involves a “painless training process,” Rahman said.
Low-tech approaches to security, such as asking patients for photo ID and training employees on how to handle sensitive information, remain important ways to stop identity theft as well, both Ponemon and Dixon said.
“There is no magic, silver bullet that will prevent this,” Dixon said.
To contact the reporter on this story: Kristen Hallam in London at email@example.com
To contact the editor responsible for this story: Phil Serafino at firstname.lastname@example.org