How biometric palm scans help keep hospitals secure

If large retailers and banks are vulnerable to hacking, what about hospitals and doctors' offices? What prevents identity thieves from fraudulently charging medical care, and keeps our medical records secure from prying eyes?

For many hospitals, the answer is to stop relying on traditional passwords to secure computerized records. Instead, they are increasingly identifying patients with biometric security measures like palm scans.

"Palm scanning is 100 percent more accurate than fingerprints," Nader Mherabi, the chief information officer at NYU Langone Medical Center in New York, told CBS News. The hospital uses palm scanning as a key component of its computerized patient record system.

Palm scanners use invisible and harmless infrared light to detect blood flowing in our veins. The pattern of veins is set for life before a person is even born, by 14 weeks of gestation, and is more unique than a fingerprint. Even identical twins who may have similar (though not precisely matching) fingerprints have completely different palm vein patterns.

nyu-langone-patientsecure-palm-scan-620.jpg
Vein pattern detected by PatientSecure palm scanning device.
PatientSecure/NYU

Mherabi explained that the palm scan creates a "unique digital signature, which is a string of numbers, and we store that in our system." Each time a patient returns, they place their hand on the palm scanner and it calls up their medical records in the hospital's computer system. The computerized records also include a photo of the patient for confirmation.

A company called PatientSecure provides the palm scanning technology used at NYU Langone Medical Center and 250 other health care systems across the country, which have enrolled more than 6 million people to date. PatientSecure's Hiroko Naito told CBS News that each palm scan generates a file that is "about 3 KB," indicating that the digital signature contains up to 3,000 digits. For comparison, a fingerprint is usually matched based on 8 to 16 points of similarity. Mherabi also points out that the reliability of fingerprint IDs can vary based on the quality of the print.

Mherabi says he chose palm scanning technology for his hospital because it was widely proven in the financial industry in Japan, where it is used in ATM machines to confirm the identity of people accessing their bank accounts. Another available biometric system uses retinal scans, but Mherabi thought they were too intrusive.

High-tech patient identification is only one aspect of the hospital's electronic data system. "Being an e-hospital, a digital hospital, requires you to do things in a much more efficient digital way," Mherabi says. "We have one integrated chart, one chart per patient." The chart includes medical records, scheduling, and billing information stored in a "secure data center with a lot of security and firewalls around it."

"Thanks (sic) God we haven't been hacked," Mherabi adds. But he says the hospital never takes that for granted. His Information Technology department trains and drills employees on data security practices. They sponsor "cybersecurity days" to address other types of data security like proper data disposal; old phones, photocopiers, computers, and other equipment must have hard drive memories completely wiped clean of any sensitive information before discarding. NYU even hires its own hackers to probe its systems for vulnerabilities. "Security is an evolving thing," he notes, and the challenge is for hospitals entrusted with so much personal data to stay ahead of the game.