Authentication Systems for Securing Clinical Documentation Workflows

Context: Integration of electronic signatures embedded in health care processes in Germany challenges health care service and supply facilities. The suitability of the signature level of an eligible authentication procedure is confirmed for a large part of documents in clinical practice. However, the concrete design of such a procedure remains unclear. Objective: To create a summary of usable user authentication systems suitable for clinical workflows. Data Source: A Systematic literature review based on nine online bibliographic databases. Search keywords included authentica tion, access control, information systems, information security and biometrics with terms user authentication, user identification and login in title or abstract. Searches were run between 7 and 12 September 2011. Relevant conference proceedings were searched manually in February 2013. Backward reference search of selected results was done. Selection: Only publications fully describing authentication systems used or usable were included. Algorithms or purely theoretical concepts were excluded. Three authors did selection independently. Data Extraction and Assessment: Semistructured extraction of system characteristics was done by the main author. Identified procedures were assessed for security and fulfillment of relevant laws and guidelines as well as for applicability. Suitability for clinical workflows was derived from the assessments using a weighted sum proposed by Bonneau. Results: Of 7575 citations retrieved, 55 publications meet our inclusion criteria. They describe 48 different authentication systems; 39 were biometric and nine graphical password systems. Assessment of authentication systems showed high error rates above European CENELEC standards and a lack of ap plicability of biometric systems. Graphical passwords did not add overall value compared to conventional passwords. Continuous authentication can add an additional layer of safety. Only few systems are suitable partially or entirely for use in clinical processes. Conclusions: Suitability strongly depends on national or institutional requirements. Four authentication systems seem to fulfill requirements of authentication procedures for clinical workflows. Research is needed in the area of continuous authentication with biometric methods. A proper authentication system should combine all factors of au thentication implementing and connecting secure individual measures. Correspondence to: Jonas Schwartze, M.Sc. Peter L. Reichertz Institute for Medical Informatics Technische Universität Braunschweig and Hannover Medical School Mühlenpfordtstraße 23 38106 Braunschweig Germany E-mail: [email protected] Methods Inf Med 2014; 53: 3–13 doi: 10.3414/ME12-01-0078 received: August 23, 2012 accepted: September 12, 2013 prepublished: November 19, 2013