TECHNOLOGY

Biometric devices: Are you ready for them?

As more pharmacists use the Internet to access patient records and prescriptions, worries over security and prescription fraud are prompting the growth of biometric devices—electronic units that scan fingers, hands, eyes, and faces.

Up until now, the issue was getting a lackluster reception overall from the pharmaceutical industry. But new requirements from federal and state authorities are giving these high-tech gizmos a shot in the arm.

Biometrics got a boost when the Drug Enforcement Administration recently disclosed it would require its use along with digital signatures when doctors and pharmacists transmit class II drug prescriptions electronically. In supporting documents, the DEA argued that "passwords are not enough" and that even for some of the 33 states that now permit electronic transmissions, another level of security is needed. Biometric controls at the point of access improve security because the devices will recognize only the fingerprint or iris of an individual. However, the agency does acknowledge that biometrics is costly—as much as $150 at each computer station.

Patrick W. Gavin, an industry consultant and former member of the Michigan Pharmacy Board, said that most pharmacists couldn't afford "that sophisticated kind of technology." While he favors the need for additional security for on-line transactions, Gavin said that government-imposed restrictions will only "slow down" the use of biometric devices and digital signatures.

As a member of the National Association of Chain Drug Stores, Gavin urged that organization not to support any specific government regulation but rather leave it up to pharmacists to make the choice about whether to adopt biometrics or not and, if they are adopting it, which system to employ.

Gavin predicted that if federal and state governments require the use of biometric devices, most pharmacists would abandon electronic transmissions and continue to use the telephone and fax machines as they are doing now.

However, Benjamin M. Bluml, national v.p. for research for the American Pharmaceutical Association Foundation in Washington, D.C., said the DEA's efforts to make sure prescription transmissions are "safe and secure is the first step in the right direction in moving this agenda forward. I believe it is one of the important concepts to create secure transactions by having secure, effective authentication at both ends." Currently, he said, the move toward biometrics is slow because there is no compelling business need for compliance.

States are also moving into biometrics—partly to curtail fraud. In Arizona last year, legislation was passed requiring biometric finger scanning for Medicaid beneficiaries and storage of the information in a central database. When a script is presented to a pharmacist by a patient, the finger would be scanned for an instant comparison with the one on file. However, according to Kathy Boyle, executive director of the Arizona Pharmacy Association, because of state budget restrictions, the $850,000 needed to implement the system has not been appropriated, leaving the program in limbo. In addition, she said, the organization also believes the state law "seems to be discriminatory" because it singles out pharmacists and does not include other providers in the health system.

The APA advocates running the program through a pilot project in a small county that would include pharmacies, doctors, clinics, and hospitals before going statewide. "The Arizona Medicaid system has to come up with rules to allow the pharmacy to not be held liable if there are problems with the system," Boyle said, "so they can provide services to patients, especially in a life-and-death situation."

In Virginia, the state pharmacy board was asked in February by law enforcement officers to endorse the use of invisible-ink fingerprint kits in pharmacies to prevent prescription fraud. Police in Pulaski, Va., said attempts to pass off forged prescriptions for the painkiller OxyContin dropped off dramatically after the fingerprint system was implemented in the town's pharmacies.

Lydia Del Rossie, president of CrimeBite in Akin, S.C., which makes the kit distributed nationwide to supermarkets, said a lot of retailers are not willing to implement such a program until they are "hurting in the pocket. Pulaski is the only town in Virginia that decided to step up to the plate," she said.

It was Ohio that laid the groundwork nearly a decade ago by passing a law giving pharmacists several options, including the use of biometric devices to verify identification of doctors or pharmacists who prescribe or dispense dangerous drugs. The state law also provides alternatives such as hard-copy signatures, a magnetic card reader, and a bar-code reader. The law requires a daily printout log that is also verified and signed within 24 hours after dangerous drugs have been issued.

"Passwords are worthless as a security measure in a healthcare setting," said William T. Winsley, executive director of the Ohio State Board of Pharmacy. "We verified several cases in which stolen passwords were used to obtain drugs. We don't mandate biometrics," he said. "Ours is a unique situation wherein we give [pharmacists] options." Several states have contacted Ohio about implementing a similar program. Electronic transactions eliminate telephone calls, and the cost of a fingerprint reader has dropped to as low as $79, he added.

While government agencies tussle with the issue, some companies have already taken on biometrics as an internal security measure. Merck-Medco installed thumbprint readers in some of its pharmacies as well as palm-scan technology in its on-line pharmacies in New Jersey and Nevada. "Once you are in the physical pharmacy, you have this additional level of security," a spokesman for Merck-Medco said. "We did it clearly to provide an enhanced level of security, particularly in sensitive areas. We have used the thumbprint technologies for about a year, and we are still in the pilot phase in our Ohio pharmacies."

At Kroger's, a major supermarket chain that has several in-store pharmacies in Ohio, a special identity card with a number is used by employees to access pharmacy computers. The number is changed every two weeks. "It is a smart-card system we use in all our higher-volume stores," said Bill Sheridan, who runs the pharmacy operations in Columbus. "Technicians and pharmacists who are dispensing prescriptions are assigned an identity card." In addition, a special bar code is put on the drugs, and it has to match the label that comes from the pharmacy. "It cuts down on errors and gives an audible beep from the scanner if it is not the right code," Sheridan said.

Pyxis Corp., a subsidiary of Cardinal Health, which has installed automated dispensing units in 4,500 hospitals, is now including a biometric fingerprint security system on its Medstation SN unit. "We have been successful in leading the industry to give healthcare providers the tools they need to improve patient safety, reduce medication errors, and enhance regulatory compliance," said Stephen S. Thomas, group president for Cardinal.

In order to implement biometrics on a widespread basis, there has to be an electronic marriage between physicians and pharmacists. To that end, the American Medical Association and the American Pharmaceutical Association have launched Internet ID, a free digital certificate provided through their organizations. The service, provided by VeriSign, authenticates the identity of doctors and pharmacists. It gives physicians the ability to access patient records, initiate lab orders, and prescribe medications with the assurance the transactions will be protected by the digital certificate. "Biometric devices can be used with the digital certificates to facilitate secure authentication through fingerprints or retinal scans," the AMA said. Currently, a pilot project to test the service is under way.

Dennis Blank

The author is a writer in Orlando, Fla.

Dennis Blank. Biometric devices: Are you ready for them?

Drug Topics

Apr. 1, 2002;146:66.