Location | United States |
---|---|
Industry | Travel |
Department/agency | U.S. Customs and Border Protection |
Modality | Facial scan |
Use | Paperless airline boarding |
Storage | Centralized cloud-based database |
U.S. Customs and Border Protection (CBP) implemented a pilot program in a limited number of airports that employs biometrics to streamline travel. It developed a system that uses facial recognition to preclude the need to present a passport while traveling. Participating commercial partners—such as airports, airlines, or cruise lines—let passengers opt in to the service, which captures images of travelers’ faces at boarding. If the CBP system finds a match to the photos on file, travelers can board their flight or ship—and in some instances go through customs—without presenting their passport.
Six sea entry ports and 34 airports use this program, and three airline partners and one cruise line implemented the system for document-free boarding. The service uses passenger manifest data, which includes travelers’ demographic information and existing photographs (such as from passports), to confirm individuals’ identity by comparing the images against those captured during boarding. The commercial partner will receive a message from the system that a match was found, and the traveler is not required to show a passport or a ticket to board a flight or go through customs.
When individuals book their travel, they supply basic demographic information to the commercial airline or other carrier. This information creates the manifest that contains all expected passengers and their basic demographics (name, birthdate, gender, and address), which is sent to CBP. CBP uses the manifest to build a gallery of the expected passengers, pulling from demographic information and photos already on file (obtained from prior CBP encounters or from other federal agencies, such as the U.S. Department of State). The CBP system converts the raw images to templates and then performs identity verification throughout the travel process.
When the passenger queues to board the flight, CBP officers or airline personnel capture a photo of the individual at the gate (where a boarding pass and passport would usually be scanned) using commercially available technology, such as a tablet or webcam. The camera system used at the gate sends the image to the CBP system, which converts the photo to a template and compares it to the images in the photo gallery using a matching algorithm. The airline receives a yes or no response within seconds that indicates if the passenger matches the flight manifest and can board without using a passport. If a match isn’t found, the passenger uses a physical passport and boarding pass.
Airlines and cruise lines can use commercial off-the-shelf (COTS) cameras, including tablets and standard webcams, to capture images, provided the device has a network connection. In initial testing of matching with images from COTS cameras, CBP achieved match rates in the high 90 percent range.40 The composition of the photo must meet CBP-determined quality standards before the matching algorithm will use it, including the position of the traveler’s head and the percentage of the frame the head must fill. When taking the photos, CBP requires that the airlines or cruise lines:
The CBP system is a secure cloud-based database with restricted access. For CBP staff who are granted access, two-factor authentication is required.41 Airlines and cruise lines do not have access to the images and do not retain photos in their systems; airline and cruise line officials see only a positive or negative match confirmation from the system.
Airports and other travel locations did not adjust their network infrastructure or bandwidth in preparation for using the CBP system. In some cases, this resulted in delays in system implementation and in capturing images, exchanging data, and matching results once it went live.42
Any U.S. citizen may opt out of the CBP Biometric Exit program and choose not to have their image captured.43 If opting out, travelers will go through a manual process, including a CBP officer or airline official reviewing their passports and boarding documents as typically occurs absent this program.
To ensure that privacy protections and matching algorithms remain current, CBP conducts routine testing and system audits. As the system continues to be used and with more travelers, there is more data available to assess match rates and ensure the highest possible confidence in match determinations.44 This data is used to update the system and improve the match rates.
The use of facial recognition for travelers underscores three lessons important to applying biometrics in the U.S. health care system: using commercially available technology, ensuring adequate infrastructure upgrades, and mitigating privacy concerns.
Location | Canada, the Netherlands (initial pilot) |
---|---|
Industry | Travel |
Department/agency | World Economic Forum |
Modality | Facial scan |
Use | Passport-less international travel |
Storage | Decentralized database |
Similar to the CBP Biometric Exit program case example, the Known Traveller Digital Identity (KTDI) project has the ultimate goal of eliminating the need to present passports and boarding passes in international travel. The KTDI project works across stakeholders—government agencies, sectors, and countries—to allow travelers to use a smartphone application as their identification when traveling.
Although many travelers store boarding passes within airlines’ smartphone applications, passengers can also use the KTDI app to store and manage their identity information (passport data, photo, and flight information). From the app, they can consent to share the identity information required by a particular entity, including facial photographs, with border authorities, airlines, and other partners in advance of their travel. At specific checkpoints and throughout their travel, biometrics are used to confirm their identity.
As of April 2020, the KTDI project remains a pilot program and can be used in three airports globally: Montreal-Trudeau International Airport, Toronto Pearson International Airport, and Amsterdam Airport Schiphol. Air Canada and KLM Royal Dutch Airlines participate in the program and plan to use the KTDI app as a digital form of identity for up to 10,000 travelers throughout the pilot.45 To join in the pilot, the traveler must be invited to create a digital wallet that contains the identity information using the KTDI app through participating airlines.
To participate in the program, the traveler first creates a username and password via the KTDI app and can elect to use the mobile device’s biometric verification in place of a password (e.g., fingerprint or facial recognition, depending on the device). Once in the app, the traveler creates a profile.
After the digital profile is set up, the traveler goes to a local government office to verify their identity. To do this, they supply their passport to a government official and have a digital picture taken. Both pictures—the new one and the existing photo image, which is accessed through the chip on the physical passport—are converted into templates and run through a matching algorithm; this step ensures that the passport belongs to the traveler. Upon match confirmation, the recently taken photo is deleted.
Once the match is confirmed, a QR code is created and displayed on the government official’s computer. The traveler opens their KTDI app and scans the QR code, which creates a secure connection between the government computer and the mobile device, allowing for data exchange between them. Through the secure connection, the government official sends a mobile passport to the KTDI app, which includes demographics and the digital facial photo image that were pulled from the passport via its chip. The facial image, along with demographic information, is stored on the user’s mobile device in the KTDI app. The traveler now has a government-approved mobile passport in the KTDI app. Before their travel begins, the traveler can elect to share their mobile passport with the airline and border control.
When using the KTDI app prior to travel, the raw images are encrypted and sent to the stakeholder’s biometric system, where they are converted into templates. There is a KTDI lane at security, boarding, and border control, where live photos are taken of passengers. The images of those photos are also sent to the biometric system, where they are converted into templates, and facial recognition is used to compare the live image with the photo from the mobile passport. If a match is found, the traveler can proceed without needing to use a passport or boarding pass.
KTDI uses a decentralized identity model, meaning that there is no central authority needed to validate an identity claim, with the user controlling the access. Travelers maintain the data on their smartphones for the duration of the KTDI pilot, and the stakeholder’s biometric system containing the image galleries used to confirm identity is frequently purged, often 24 hours after travel is completed.
The photo must be a passport photo that complies with the International Civil Aviation Organization (ICAO) standard for machine-readable travel documents (Doc 9303), which in turn adopts the International Organization for Standardization (ISO) face-image standard, ISO/IEC 19794-5.46 These standards control for quality, format, and size, among other image requirements.
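The quality rules the CBP and KTDI passages describe (head position, the share of the frame the head fills, resolution, and the ICAO/ISO face-image requirements) are normally enforced by a gate that runs before any template is generated, so that a poor capture fails fast instead of producing an unreliable match. The Python below is an added illustration, not CBP, KTDI, or eu-LISA code. It assumes a face detector has already reported a head bounding box, inter-eye distance, and pose angles for each frame, and the thresholds in `QualityPolicy` are assumptions modelled on ISO/IEC 19794-5 and ICAO Doc 9303 guidance (90 px between eye centres, head height 70 to 80 percent of the frame, pose within 5 degrees of frontal); an operator should set them from the specification it is actually held to.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FaceCapture:
    """Measurements a face detector would report for one captured frame.

    The detector itself is out of scope; this example assumes these values
    are supplied for every capture (pixels for geometry, degrees for pose).
    """
    width: int
    height: int
    head_top: int        # y of the crown of the head
    head_bottom: int     # y of the chin
    head_center_x: int   # x of the midpoint between the eyes
    eye_distance: int    # distance between eye centres
    yaw: float           # 0 is full frontal for all three angles
    pitch: float
    roll: float


@dataclass(frozen=True)
class QualityPolicy:
    """Thresholds; all are assumptions modelled on ISO/IEC 19794-5 / ICAO Doc 9303."""
    min_width: int = 480
    min_height: int = 640
    min_eye_distance: int = 90
    head_fill_min: float = 0.70     # head height as a share of image height
    head_fill_max: float = 0.80
    max_center_offset: float = 0.05  # |head_center_x - width/2| as a share of width
    max_pose_degrees: float = 5.0


def assess_quality(img, policy=QualityPolicy()):
    """Return every policy violation; an empty list means the capture may be templated.

    All checks run (rather than stopping at the first failure) so the operator
    can tell the traveler or gate agent exactly what to correct on recapture.
    """
    reasons = []
    if img.width < policy.min_width or img.height < policy.min_height:
        reasons.append(f"resolution {img.width}x{img.height} below "
                       f"{policy.min_width}x{policy.min_height}")
    if img.eye_distance < policy.min_eye_distance:
        reasons.append(f"inter-eye distance {img.eye_distance}px below "
                       f"{policy.min_eye_distance}px")
    head_height = img.head_bottom - img.head_top
    if head_height <= 0 or img.head_top < 0 or img.head_bottom > img.height:
        reasons.append("head not fully inside the frame")
    else:
        fill = head_height / img.height
        if not policy.head_fill_min <= fill <= policy.head_fill_max:
            reasons.append(f"head fills {fill:.0%} of image height, outside "
                           f"{policy.head_fill_min:.0%}-{policy.head_fill_max:.0%}")
    offset = abs(img.head_center_x - img.width / 2) / img.width
    if offset > policy.max_center_offset:
        reasons.append(f"head off-centre by {offset:.1%} of image width")
    for axis, value in (("yaw", img.yaw), ("pitch", img.pitch), ("roll", img.roll)):
        if abs(value) > policy.max_pose_degrees:
            reasons.append(f"{axis} {value:+.1f} deg exceeds +/-{policy.max_pose_degrees} deg")
    return reasons


def accept_for_matching(img, policy=QualityPolicy()):
    """Boolean gate used in front of template generation."""
    return not assess_quality(img, policy)


# Constructed sample captures (not real measurements).
GOOD_CAPTURE = FaceCapture(width=640, height=800, head_top=80, head_bottom=680,
                           head_center_x=320, eye_distance=120,
                           yaw=2.0, pitch=-1.0, roll=0.5)
BAD_CAPTURE = FaceCapture(width=320, height=240, head_top=10, head_bottom=100,
                          head_center_x=200, eye_distance=40,
                          yaw=12.0, pitch=0.0, roll=0.0)
CROPPED_CAPTURE = FaceCapture(width=640, height=800, head_top=-20, head_bottom=600,
                              head_center_x=320, eye_distance=120,
                              yaw=0.0, pitch=0.0, roll=0.0)

if __name__ == "__main__":
    for name, cap in (("good", GOOD_CAPTURE), ("bad", BAD_CAPTURE), ("cropped", CROPPED_CAPTURE)):
        print(name, "accepted" if accept_for_matching(cap) else assess_quality(cap))
```

The gate reports every violation rather than the first one so a gate agent can fix the pose and the distance in one recapture; with a tablet at a boarding gate, the most common rejections are an off-centre head and a head that fills too little of the frame, which is exactly the case `BAD_CAPTURE` exercises.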
When users elect to share data from the KTDI app, they can see when and by whom their data is accessed and viewed.
The KTDI example demonstrates two key lessons on the power that individuals can exercise over their digital identities:
Location | Global |
---|---|
Industry | Finance |
Department/agency | Private sector |
Modality | Fingerprint |
Use | Payment |
Storage | Digital chip on payment card |
Mastercard created the first payment card that uses biometrics to verify cardholders’ identity for purchases in lieu of a personal identification number (PIN) or signature. A sensor embedded in the card lets the cardholder place a fingerprint on the card itself to authenticate during a purchase. Merchants do not need to purchase additional hardware: the biometric reader is the card, powered by the standard EMV (Europay, Mastercard, and Visa) terminal in use worldwide.
This biometric card uses existing merchant hardware and transaction messaging as part of its solution. It functions as an alternative method of authentication confirming that the person is permitted to make the purchase without the need for a PIN or signature. The user experiences a checkout process that is as fast as current contactless transactions, while keeping sensitive biometric data on the card itself. Additionally, the results of the biometric match are shared with the issuer as part of the authorization request.
Cardholders can enroll for the biometric card at home using battery-powered “self-enrollment devices,” which are available from card vendors. In a typical use case, the cardholder inserts the biometric card into the device, providing power to the card for enrollment. After the cardholder completes the enrollment, they then contact the card issuer to activate the account and verify their identity.
If the card will be used for the distribution of formalized benefits, such as disbursements or insurance benefits, enrollment is an in-person process. The cardholder provides demographic information and a government ID to confirm their identity. The cardholder is either given the enrollment device as above or uses a tablet to capture fingerprint images. The fingerprint images are converted to a template and transferred for storage onto the card.47 The card is then activated. In either case, the biometric data is stored securely as a digital template on the card and never shared externally.
Once the templates are stored on the card, the cardholder can use it normally. At purchase, the cardholder inserts or taps the card at the terminal while placing a thumb on the card’s sensor. The live fingerprint is compared against the biometric template stored on the card. If the match succeeds, the cardholder does not need to complete any additional steps. If the match fails—after a set number of attempts that merchants can determine for themselves—the card automatically switches to the next cardholder verification method enabled on the card, either a PIN or signature, so the transaction can still be completed.
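The match-on-card flow above (template stays on the card, the terminal learns only a verdict, fallback to PIN and then signature after a configurable number of failed attempts) can be made concrete as a small state machine. The Python below is an added example, not Mastercard’s implementation. The minutiae-overlap scorer stands in for a real on-chip matcher, the SHA-256 PIN digest stands in for secure-element PIN storage, and the attempt limits, match threshold, and `run_purchase` terminal loop are assumptions.

```python
import hashlib
import hmac
from enum import Enum


class CVM(Enum):
    """Cardholder verification methods, in the order the card falls back through them."""
    FINGERPRINT = "fingerprint"
    PIN = "pin"
    SIGNATURE = "signature"


def minutiae_score(template, live):
    """Share of enrolled minutiae present in the live sample (stand-in for a real matcher)."""
    if not template:
        return 0.0
    return len(template & live) / len(template)


class BiometricCard:
    """Match-on-card model: template and verdict stay on the card; the terminal only
    learns which CVM to run next and whether the last one succeeded."""

    def __init__(self, enrolled_minutiae, pin, *, max_fingerprint_attempts=3,
                 max_pin_attempts=3, threshold=0.8):
        self._template = frozenset(enrolled_minutiae)            # never leaves the card
        self._pin_hash = hashlib.sha256(pin.encode()).digest()   # toy stand-in for secure element
        self.max_fingerprint_attempts = max_fingerprint_attempts  # "set number of attempts"
        self.max_pin_attempts = max_pin_attempts
        self.threshold = threshold
        self.fingerprint_failures = 0
        self.pin_failures = 0
        self.last_result = None

    def next_cvm(self):
        """Which CVM the terminal should run now, given the failure counters."""
        if self.fingerprint_failures < self.max_fingerprint_attempts:
            return CVM.FINGERPRINT
        if self.pin_failures < self.max_pin_attempts:
            return CVM.PIN
        return CVM.SIGNATURE

    def verify_fingerprint(self, live_minutiae):
        if self.next_cvm() is not CVM.FINGERPRINT:
            raise RuntimeError("fingerprint CVM exhausted; terminal must follow next_cvm()")
        ok = minutiae_score(self._template, frozenset(live_minutiae)) >= self.threshold
        if not ok:
            self.fingerprint_failures += 1
        self.last_result = (CVM.FINGERPRINT, ok)
        return ok

    def verify_pin(self, pin):
        if self.next_cvm() is not CVM.PIN:
            raise RuntimeError("PIN CVM not currently offered by the card")
        ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash)
        if not ok:
            self.pin_failures += 1
        self.last_result = (CVM.PIN, ok)
        return ok

    def cvm_results(self):
        """What the terminal forwards to the issuer in the authorization request:
        the verdict and counters, never the template or the live sample."""
        cvm, ok = self.last_result if self.last_result else (None, False)
        return {"cvm": cvm.value if cvm else "none", "verified": ok,
                "fingerprint_failures": self.fingerprint_failures,
                "pin_failures": self.pin_failures}


def run_purchase(card, finger_samples, pin_entered=None):
    """Terminal-side flow for one transaction. Returns the CVM that verified the
    cardholder, or None if the terminal must still collect card.next_cvm()."""
    for sample in finger_samples:           # successive presentations on the sensor
        if card.next_cvm() is not CVM.FINGERPRINT:
            break                           # card has already switched to the next CVM
        if card.verify_fingerprint(sample):
            return CVM.FINGERPRINT
    if card.next_cvm() is CVM.PIN and pin_entered is not None and card.verify_pin(pin_entered):
        return CVM.PIN
    return None


# Constructed minutiae as (x, y, angle) tuples; not derived from any real fingerprint.
ENROLLED = {(10, 20, 45), (30, 40, 90), (50, 60, 135), (70, 80, 0), (90, 100, 30),
            (110, 120, 60), (130, 140, 75), (150, 160, 15), (170, 180, 120), (190, 200, 150)}
GENUINE_SAMPLE = (ENROLLED - {(190, 200, 150)}) | {(200, 210, 10)}   # 9 of 10 recovered
IMPOSTOR_SAMPLE = {(10, 20, 45), (30, 40, 90), (1, 1, 1), (2, 2, 2), (3, 3, 3)}

if __name__ == "__main__":
    card = BiometricCard(ENROLLED, "4921")
    print(run_purchase(card, [IMPOSTOR_SAMPLE] * 3, pin_entered="4921"), card.cvm_results())
```

The point a reviewer should check in any real deployment is the last method: the authorization message carries the CVM outcome and counters, and nothing from `_template`, so a compromised terminal or acquirer link yields no biometric data.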
The biometric card complies with the same standards as a regular payment card and can be used in any EMV terminal. For most effective workflows, the terminal should be:
For contactless transactions, the card can be used by tapping or hovering it close to the contactless indicator on the terminal.
The template of the cardholder’s fingerprint is never shared with the merchant.48
If the card is lost or stolen, individuals use the typical procedures for canceling and replacing a card. The card issuer would deactivate the account, and the card would not be usable.
This case study demonstrates the increased accessibility and acceptance of biometrics in everyday activities, as well as that biometrics provide an accessible approach for identity verification:
Location | United States |
---|---|
Industry | Health care |
Department/agency | Private sector |
Modality | Facial scan |
Use | Two-factor authentication |
Storage | Centralized database |
A new federal law aimed at combating the opioid crisis requires physicians to start electronically prescribing controlled substances—sending a digital prescription to a pharmacy rather than a paper slip—in a manner compliant with the Drug Enforcement Administration’s (DEA) rules and standards for digital credentials by Jan. 1, 2021.49 The DEA requires two-factor authentication, or providing two sources to confirm identity, for a provider to electronically prescribe controlled substances (EPCS). Allscripts, an electronic health record (EHR) developer, and ID.me, a biometrics company, designed a solution to streamline electronic prescribing for controlled substances such as opioids.
Normally, EPCS requires multiple steps and the use of an external device, such as a fob, that generates a one-time code. With this approach, providers instead use a smartphone application that transmits identifying information for two-factor authentication to meet the DEA requirements.
First, the provider downloads the ID.me app and enters their EHR user information, such as a username and password. The clinician then receives an email at the address tied to their EHR and ID.me accounts. After clicking the link to connect the two accounts, the provider sets up multifactor authentication by entering a security code received via text message into the app.
The provider then uploads both a photo of a government-issued identification—a passport or driver’s license—and a selfie taken in real time into the app. ID.me compares the image from the government ID with the selfie using facial recognition.50 Both images are stored in the ID.me database as encrypted raw images.
After the above steps, the provider can use ID.me to provide two-factor authentication for EPCS. Using the standard electronic prescribing workflow within Allscripts, the physician places the order for the controlled substance. The provider then opens the ID.me app, sees an automatically generated six-digit code, and enters it in a field in the order as the second factor needed for authentication. The clinician can then sign and send the electronic prescription to the patient’s preferred pharmacy.
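The automatically generated six-digit code in the step above is, by assumption, a time-based one-time password of the kind defined in RFC 6238 (the page does not say which algorithm ID.me uses; TOTP is the common choice for EPCS second factors). The Python below is an added example, not ID.me or Allscripts code. It implements HOTP (RFC 4226) and TOTP from the standard library, plus a server-side verifier that compares in constant time, tolerates one 30-second step of clock skew in either direction, and refuses to accept a code twice so a code captured in transit cannot be replayed within its validity window. `DEMO_SECRET` is the RFC reference-vector key, constructed for the example only.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algo=hashlib.sha1):
    """TOTP (RFC 6238): HOTP with the counter set to the number of time steps since the epoch."""
    return hotp(secret, int(unix_time) // step, digits, algo)


def secret_from_base32(encoded):
    """Authenticator apps exchange the shared secret as unpadded base32 (otpauth:// URIs)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server-side check of a submitted code: constant-time comparison, a small
    clock-skew window, and single-use enforcement (each time step is consumed once)."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self._last_accepted_step = -1   # highest time step already used by a successful login

    def verify(self, code, unix_time):
        if len(code) != self.digits or not code.isdigit():
            return False
        current = int(unix_time) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self._last_accepted_step:
                continue   # already used, or older than the last used code: treat as replay
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self._last_accepted_step = candidate
                return True
        return False


# Constructed demo secret: the RFC 4226/6238 reference-vector key, not a real credential.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    print("current code for the demo secret:", totp(DEMO_SECRET, now))
```

In a deployment the per-user secret is generated with `secrets.token_bytes(20)`, provisioned to the phone once (typically as a base32 otpauth URI), and, because the server must keep it recoverable to compute codes, encrypted at rest rather than hashed. The `_last_accepted_step` state has to live in the same store so that replay protection survives across server instances.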
Armed security guards, surveillance equipment, and access control technology secure the servers hosting biometric images.51 This approach helps protect the data from both physical and cyber intrusions.
The biometric selfies follow NIST Identity Assurance Level (IAL) 2 standards for quality, which include requirements on image resolution, pixel count, and color, and which is the level used for government-related transactions (NIST defines IAL2 as follows: “Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity. IAL2 introduces the need for either remote or physically-present identity proofing.”).52 Photos can be captured on any mobile device with a functioning camera and network connection.53
For the photos used at registration, liveness detection (confirming the image was captured live rather than uploaded from a stored photo) and anti-spoofing detection (confirming the image is coming from the expected source) prevent the use of photographs of other individuals.54 These processes follow a NIST framework that stipulates how to complete the identity-proofing process with minimal security risk.55
The ID.me process of verification and the associated creation of a digital identity follow the principles developed by the National Strategy for Trusted Identities in Cyberspace (NSTIC). Launched in 2011, NSTIC is a government initiative that encourages collaboration across private and public sectors to improve the efficiency, safety, and security of online interactions, including digital identities.56 The principles state that credentials should be: privacy-enhancing and voluntary, secure and resilient, interoperable, and cost-effective and easy to use.57
This example highlights the security measures for central databases and the role that individuals’ smartphones can play in collecting biometrics and confirming identity:
Department of Homeland Security US-VISIT program and the
Location | United States |
---|---|
Industry | Immigration/travel |
Department/agency | Department of Homeland Security |
Modality | Fingerprint; limited facial scan and iris |
Use | Immigration and border control |
Storage | Centralized database |
The Department of Homeland Security (DHS) implemented a program that uses biometrics for security purposes at border control and points of entry into the U.S. The United States Visitor and Immigrant Status Indicator Technology, or US-VISIT, program uses fingerprints and facial scans to identify all non-U.S. citizens who enter and exit the country. US-VISIT maintains a centralized database, referred to as the Automated Biometric Identification System (IDENT), to reduce the use of fraudulent travel documents and ensure that individuals entering the country are not known or suspected terrorists, criminals, or immigration violators.58 Federal agencies use IDENT to ensure that individuals entering or exiting the country are who they claim to be—and that their identity matches the demographic information on their travel documents and applications.
IDENT was the original database for fingerprints collected by border control in the 1990s.59 The US-VISIT program expanded IDENT to collect fingerprints and facial scans in international airports and additional ports to grow the database and confirm identity of non-U.S. citizens when they entered the country.
Several other federal agencies—including U.S. Citizenship and Immigration Services (USCIS) and the Department of State—send raw images to IDENT as well. These images come from visa applications, past visits to the U.S., or criminal records.
US-VISIT is in place in 115 airports, 15 seaports, 101 land border stations, and 211 visa offices worldwide.60 It contains more than 200 million fingerprint records, 36.5 million facial scans, and 2.8 million iris scans.61
US-VISIT and the widespread collection of biometrics, particularly facial scans, were subject to scrutiny by the House Committee on Homeland Security in 2019.62 The committee raised concerns regarding security of the data because of a CBP system breach early in 2019, as well as issues with facial recognition software misidentifying people of color.
The US-VISIT program collects biometrics of non-U.S. citizens and stores the raw images within IDENT. The process begins either in a traveler’s home country at a U.S. visa-issuing post, such as a consular office, if the traveler is required to travel with a visa or upon arrival in the United States if the traveler is from a visa-waiver country. In the case of the former, the traveler goes to the closest U.S. visa-issuing post and meets with a Department of State consular official. There, a U.S. government representative interviews the traveler and collects biometrics: 10 digital fingerprints and a digital photograph. The raw images of those biometrics become part of the IDENT database.
Once travelers arrive in the United States, a CBP official reviews travel documents, scans 10 fingerprints, and takes a digital photo. These images also become part of the person’s record in IDENT and are assessed for a match to the existing images in the database. To determine a match, the images are sent to the IDENT biometric vendor, where they are converted into proprietary templates and assessed for a match against the templates of biometrics already on file. Upon finding a match, the CBP official obtains information on past travel, visa status, and whether the individual is on a criminal or terrorist watch list. Based on the information received, the CBP official processes the traveler’s entry accordingly, such as by allowing entry or detaining for further questioning.
If biometrics for this individual are not in the database and no match is found, the CBP official relies on travel documents and interviewing the individual before determining whether to permit entry into the country.
There is no permanent biometric process at departure; the biometric exit process described in the CBP case study is still being piloted. Instead, airline manifests complete the exit process. DHS plans to implement a similar biometric process at exit in the future.63
IDENT uses the ANSI/NIST-ITL standard (the biometric data interchange standard developed by NIST’s Information Technology Laboratory and approved by the American National Standards Institute) for raw image and data quality as well as for data exchange, to enhance interoperability. This includes specifications for image resolution, the percentage of the image that should be filled by the subject’s face, and overall dimensions.64
IDENT is a centralized database, and user access is restricted and monitored.65 Because so many U.S. government agencies provide and query the data, DHS controls access and limits the availability of information. If a user requests information and does not meet the security requirements to view data, IDENT does not return results.66
The US-VISIT process collects and stores raw images of multiple modalities for several purposes, revealing two lessons for health care:
Location | United States, Canada, United Kingdom, New Zealand, Australia |
---|---|
Industry | Public safety and immigration |
Department/agency | U.S. Department of Homeland Security |
Modality | Fingerprint |
Use | Immigration and security |
Storage | Federated (centralized databases in each country that can be accessed by each participating country) |
The Five Country Conference (FCC) Protocol is a collaboration among the United States, Canada, the United Kingdom, New Zealand, and Australia to share biometric data to enhance immigration and border operations and security. Each country allows the others to search their biometric database for matches when reviewing and processing immigration applications, including asylum and refugee determinations, using specific criteria. These criteria include: if the identity of the applicant is unknown or uncertain; if the applicant’s current location is unknown; or if there is reason to believe that the applicant has spent time within one of the participating countries.67
Each country maintains a database containing biometric data of individuals who enter their country. All five countries include fingerprints; several also incorporate additional modalities. The U.S. database IDENT (discussed in the case study on the US-VISIT program) contains biometrics of non-U.S. citizens who enter and exit the country. The country’s relevant agency queries the applicable country’s database to search for a match for a specific applicant and receives information back.
The FCC Protocol began in 2009 and shares nearly 3,000 individuals’ biometric data among the five participating countries each year.68
Each country’s immigration authority collects biometric data on individuals applying to visit the country, either through a visa or as a refugee seeking asylum. The collection of biometrics begins either at a consulate or visa-issuing office or at ports of entry, including airports, seaports, and land crossings. If travelers require a visa, they go to the closest visa-issuing post at their point of origin. There, a consular official of that country interviews the traveler, reviews the visa application, and collects the biometrics. These raw images become part of the participating country’s biometric database. This is the same initial process used in the IDENT example.
If any of the partner countries identify an individual who meets the criteria, that country can query the system of the other nations for a match. The requesting country sends the raw biometric images it collected using a shared standard messaging format.69 The providing country works to respond to the request within 72 hours with match information.
When one country queries another’s database, a two-part process ensues. First, a message containing only the raw fingerprint images is sent through a firewall to a secure server hosted by the Australian government. That server works as the central processor for the requests and passes the images along to the applicable country. Once received, each country converts the images into a proprietary template and compares the data to the templates it has on file. Each country uses a different vendor to convert the images into a template and run the matching algorithm.
If a match is confirmed, the country that received the request will share the positive result as well as the demographic and other information about the individual.70 With this information, the requesting country then determines next steps for the specific applicant—such as moving forward with the individual’s visa or asylum application to enter the country or denying entry.
Each country’s database and administering agency is as follows:
The raw fingerprint images meet ISO standards for quality and formatting. After assessing a match, each country deletes information received from another. This process ensures that no nation incorporates data from another country into its system.
Each country signs a formal protocol for bilateral, international data-sharing that outlines the requirements for privacy and security controls. DHS provides oversight to ensure compliance with the protocols, both within each country’s database and through any process of exchange. The protocols include an agreement prohibiting the exchange of classified information, requiring two-factor authentication to access information, and mandating regular access audits.71
The FCC Protocol allows disparate countries to access each other’s biometric databases, highlighting three lessons for health care:
Location | Schengen area |
---|---|
Industry | Immigration/travel |
Department/agency | European Union Agency for the Operational Management of Large-Scale IT Systems (eu-LISA) |
Modality | Fingerprint |
Use | Immigration |
Storage | Centralized database |
Schengen area countries use a shared database to manage visas, called the Visa Information System (VIS). The VIS uses biometrics to confirm the identity of visa applicants, avoid duplicative review among member countries, and reduce fraudulent applications. The system is managed by the European Union Agency for the Operational Management of Large-Scale IT Systems (eu-LISA), which operates the EU’s large-scale IT systems in the area of freedom, security, and justice. The VIS also ensures that duplicate Schengen visas are not granted to the same person: for example, that a visa is not granted to the same individual by both Austria and Germany, when only a single Schengen visa is needed for visiting both countries.
At the end of 2017, the VIS contained data on more than 31 million visa applications, resulting in the granting of 29 million visas and the denial of 2 million across member countries.72
The VIS contains all visa application data from Schengen area countries, including demographic information, digital photographs, and fingerprint images. When a traveler from outside the EU requires a visa to travel to a Schengen country, the individual goes to a consular office in his or her home country with a visa application and passport. The consular official collects the traveler’s fingerprints and facial image, and the VIS stores the raw images along with the application.
At this point, the consular official determines if the traveler already received or applied for a visa, either to the same country or to another Schengen area country. To do this, the recently collected fingerprint images in the VIS are sent to the biometric matching system (BMS), which is also maintained by eu-LISA. BMS converts the images into templates in order to perform matching and never retains the raw images. BMS does retain the templates so that they can be used for future comparisons. If the traveler already existed in the VIS from a prior visa, the consular official receives a match notification. The official then grants or denies the visa application.
If the visa is granted, a border control official collects the traveler’s fingerprints again at an airport, seaport, or land crossing station. The fingerprint images are templated and run through the matching algorithm, and the border control official receives a yes or no response. If a match is confirmed, the traveler can proceed with the entry process. If there is no match, the border control official determines if the individual can enter the country through an interview and a manual review of travel documentation and identification.
Fingerprint images in the VIS meet the ANSI/NIST-ITL standard that determines quality, resolution, and size. All member states receive a fingerprint acquisition toolkit that performs quality control assessments on the collected fingerprints to ensure they meet the requirements and undergo processing by the biometric matching system.
As the VIS is a centralized database and all participating Schengen countries have access, users obtain access authorization and encrypt all data exchange over a private network.73
Visa applicants who visit frequently are not required to provide a new set of fingerprint scans with each application. Once stored, returning applicants can reuse their stored fingerprints for five years.74
This example demonstrates how to share a centralized database across many users:
1. Cooperation allows for shared infrastructure: The VIS is shared by 26 countries with each nation collecting, storing, and querying data within it. Despite the geographic dispersion, each country adopted shared criteria, common standards, and a single process for managing visa applications to participate. If health care in the United States adopted a single system or a multiple-shared-systems-or-services approach, organizations would also need to implement a similar common agreement—around principles, practices, and infrastructure—to effectively and securely exchange biometric data. If health care commits to a common agreement and infrastructure, it is feasible for multiple facilities to contribute to and reference a shared database to use biometrics for patient matching between organizations. As previously mentioned in the FCC Protocol example, the Trusted Exchange Framework and Common Agreement (TEFCA) could serve as a platform to secure this cooperation.
Location | Estonia |
---|---|
Industry | Government, public services, health care |
Department/agency | Government of Estonia |
Modality | Fingerprint (planned) |
Use | Public services, health care |
Storage | Decentralized |
Estonia’s e-ID card, introduced in 2002, is widely acknowledged as one of the most advanced approaches to digital identity and, although biometrics play a limited role, the infrastructure used offers lessons learned for health care. Estonia mandates an e-ID card for citizens over 15 years old. Citizens can use their e-ID as a national health insurance card, for official identification when traveling within the European Union, to remotely access their bank account, to pay for goods, to sign contracts, to view their health information, and even to vote.75 Estonians can use e-IDs to access 99% of public services digitally—for instance, collecting social welfare benefits, paying for public transportation, or reporting a crime.76 Currently, citizens set up a PIN to confirm identity when using their card, but Estonia is upgrading the system to allow for the use of a fingerprint in its place.
The e-ID is a physical card with an image of the citizen’s face, basic demographic information, various security features, and a chip. The chip contains two digital certificates aligned to two separate PINs: one for identity authentication, and the other for providing a digital signature. Every individual’s PIN stays the same (so long as the card is not stolen or breached in any way) and is used to confirm identity, access services, and send data.77 By 2019 individuals had used the e-ID as a digital signature more than 900 million times, as well as to vote in national elections and electronically submit taxes.78
Despite the widespread use, Estonia dealt with a major breach in its e-ID and chip technology in 2017. The country recovered from this incident through risk mitigation strategies and transparent communication with the public. For example, cardholders could update their PIN remotely, and Estonia upgraded the card chips to address the cyber risk. The country resolved the crisis that same year as a result of cooperation among the government bodies, researchers, private sector partners, and residents.79
The e-ID can be used to access many needed services and share information—including personal health information. Although biometrics are not yet a part of the process, the workflow includes elements relevant to health care in the United States that could integrate disparate health information and use digital identity in the confirmation of patients.
Estonia has an electronic health data repository (e-Health Record) that integrates data from providers and systems across the country. Because it acts as a centralized system, patients can view all of their health information in one place, regardless of the providers, facilities, or systems in which they received care. To access their data, patients use the e-ID to confirm their identity when logging in to the country’s patient portal. Patients insert their e-ID into a COTS chip reader, which reads their user credentials to log in to the portal. They then enter a PIN as a security measure in order to access health information.
Through this process, patients also control access to their health information and determine which providers can view their complete e-Health record.80 However, in a medical emergency, a provider uses a patient’s e-ID card to view critical health information such as blood type, allergies, medications, and current diagnoses.81 As with accessing the patient portal, the provider can insert the e-ID into a chip reader to access basic emergency health information through e-Health Record.
If the e-ID card is lost or stolen, the individual must call the ID helpline within 24 hours so that the following processes can be triggered:
The e-ID works across industries and sectors through the use of a solution called X-Road. X-Road securely shares information between systems and normalizes data. This system can send large data sets, write data into databases when appropriate, and search across multiple systems at the same time.84 X-Road also provides an extra layer of security and ensures that only known and approved entities and users participate in the data exchange by monitoring and tracking access.
Estonia’s e-Health Record displays relevant data in a patient portal. Providers and organizations can use an EHR and other systems of their choice, and those systems communicate directly with the central e-Health Record. Systems send information using standards-based interface messages (e.g., HL7 messages, the international standard for sending and receiving electronic health information, and DICOM, the standard for exchanging medical imaging data). In this case, the e-ID allows patients to authenticate their own identity and grant access to authorized users before viewing or sharing sensitive information. The card does not store health information.
The cards themselves work with most COTS scanners to read the chips. The chips store encrypted data that can be accessed only by an individual using a private PIN (and potentially biometrics in the future) or through a user granting access.
The e-ID demonstrates that a digital identity can scale across many different industries, scenarios, and environments. Health care can apply these lessons:
Location | India |
---|---|
Industry | Public services |
Department/agency | Government of India |
Modality | Fingerprint, iris, facial scan |
Use | Public services |
Storage | Centralized database |
India’s Aadhaar program is the world’s most extensive use of biometrics: More than 1.2 billion people have registered and received an Aadhaar number.85 This optional number allows both citizens and noncitizens who reside in India to use multiple biometric modalities to identify themselves when receiving social services, traveling, or opening a bank account. The Aadhaar program collects fingerprints, iris scans, and a digital photograph alongside demographic information.
Any individual, regardless of age, can opt in to the program and receive a 12-digit Aadhaar number after completing the registration process. Individuals can use the number to obtain public services and benefits and confirm identity within the private sector, such as when applying for a job.
Prior to the Aadhaar program, nearly 400 million Indian citizens did not have a way to prove their identity.86 The Unique Identification Authority of India (UIDAI) implemented the voluntary Aadhaar initiative in 2009 as a way for citizens to have a government-sponsored method to confirm their identity.
Despite being lauded for its efficiency and cost-savings, the program has also received criticism about the danger of compromising individuals’ data in the event of a breach, because it collects all biometric modalities (face, finger, and iris).87 The program further raised questions of inequity: Individuals with medical conditions such as leprosy may not be able to take part in the program because their condition prevents them from providing fingerprints or iris scans. Due to these concerns, the Indian Supreme Court found that private companies could not require the use of the Aadhaar number (though individuals can still choose to use their Aadhaar number to confirm identity for private sector services).88
To receive an Aadhaar number, an individual goes to one of the official enrollment centers located across the country. The registration process requires providing demographic information, a verified government-issued ID (e.g., a birth certificate or driver’s license), and biometric information: 10 fingerprints, iris scans, and a facial photograph.89 In situations where individuals do not have supporting documentation or a government-issued ID, they can work with someone the Indian government calls an “introducer”—an individual who has a verified identity and is a recognized member of the community, such as an elected official, teacher, or health care worker.90 An introducer can vouch for an individual’s identity in lieu of supporting documentation.
At the enrollment center, an operator scans the documents, returns them to the resident, and manually enters the demographic data. The operator then collects the biometrics. For children under 5 years old, only a facial image is captured along with one parent’s biometric confirmation.91 For residents over 5 years, all three modalities are captured.92
The government then stores the raw images in a central database called the Central Identities Data Repository (CIDR). The raw images are sent to biometric service providers, where they are converted to proprietary templates in order to be used for matching in the future. India uses three different biometric service providers to offer options for using different organizations to conduct the matching—each with its own templates. Each biometric service provider stores only its proprietary templates and deletes the images once processed. This step completes the enrollment process.
Then, individuals can use their Aadhaar identifier at service providers, such as government departments or private organizations. These service providers go through a certification process and must use registered biometric devices.93 They collect and use biometrics in real time to confirm identity, which occurs through a multistep process:
All biometric images collected for Aadhaar meet ISO standards.94 These standards dictate the format of the collected image, including resolution, content, and size.
As the CIDR contains and sends sensitive information, all data is encrypted in transit. Anti-tampering measures are used to safeguard data.95 The system tracks all actions, and the government orders regular audits. The authentication requests to the CIDR are purged every six months.96 Further, the program remains voluntary, and private entities cannot require the use of Aadhaar numbers to confirm an individual’s identity.
This use case demonstrates some challenges with large-scale biometric deployment and the utility of raw images for interoperability:
Location | Indonesia |
---|---|
Industry | Public services |
Department/agency | Indonesian government (pilot) |
Modality | Fingerprint, facial scan |
Use | Digital identification |
Storage | Decentralized |
The need for digital identity is high in rural and hard-to-reach areas and in countries with high percentages of displaced populations, where many individuals do not have a government-issued form of identification. ID2020, a nongovernmental organization, works across the public and private sectors to develop new models for using digital identification around the world.
Individuals store this digital identity, including biometrics, on a smartphone application. By using this approach to demonstrate their identity, people can receive needed vaccinations, apply for a job, open a bank account, receive government services, and vote. This solution puts users in control of their identification information; they can decide with whom and for what purpose to share data.
ID2020 launched several pilot programs that use a smartphone application to store a digital identity. For example, in Indonesia, local governments used smartphone-driven digital identity to more accurately distribute state-subsidized propane gas; the details of that pilot are the focus of this use case.
Although the Indonesian pilot is a simple workflow, it raised several important considerations for future use. The program noted that in regions where local government was more engaged in the project and in communicating with individuals, it received higher numbers of volunteers for participation, compared to other regions where government was less engaged.98 The program also dealt with challenges collecting biometrics, including dust and dirt obstructing clean fingerprint reads, headscarves and veils worn by women that caused issues with facial recognition software, and network connectivity affecting collection and matching, especially in more rural and remote areas.99 Although the pilot did not solve all of these problems, it provided information on how to improve software and infrastructure to work in remote areas and across all populations.
In the spring of 2020, the media highlighted criticism that ID2020 would be used to track individuals through microchipping to combat the global coronavirus pandemic.100 However, neither the digital identity solution nor any of the pilot programs use microchipping or location tracking. The digital identification system still carries possible risks to privacy and security—as was illustrated with prior examples—that are mitigated through user-driven storage and access.
Health care can apply lessons learned from these examples in determining how to use biometrics for patient matching between organizations. Across the examples, eight main themes emerged:
These themes address possible solutions to challenges—such as privacy, security, equity, interoperability, and consent—and how other industries designed and oversee the data exchange infrastructure. Additionally, the importance of governance—such as standards and compliance—cut across each of the aforementioned themes.
As with any technological solution, health care should always consider pertinent challenges and the gaps they may expose. Unwittingly, biometrics could further perpetuate inequities in health care. Despite recent advances, certain modalities and associated algorithms do not work equitably across populations. There are religious and cultural sensitivities that could prevent an individual from submitting or capturing a facial image. In the ID2020 implementation in Indonesia, facial recognition faced challenges when women wore headscarves in the captured images.108 Health care would also need to find ways to implement solutions and policies that meet the needs of pediatric populations. This could include more frequent collection of images as features and characteristics change with age or allowing parents to provide consent to collect biometrics until the patient reaches a specified age. Further, individuals with dermatological conditions such as eczema cannot provide digital fingerprints that would work in an indexing system. Similarly, those missing digits or those who have degenerative conditions would also require alternative options.109
Specific challenges with the technology also need to be addressed and understood. For example, algorithms for facial recognition struggle to correctly identify women as well as people of color.110 Further, facial images could be collected and used without the knowledge of the individual, challenging traditional notions of privacy and consent.111 Even when algorithms are adjusted and tuned to changes in population size, distribution, and diversity, existing biases could affect care—such as withholding pain management care based on an individual’s race.112 Other industries compensated for these inequities by collecting multiple modalities and through continuous assessment and updates of the algorithms and biometric systems. More inclusive products, developed by a diverse workforce, have the potential to advance, rather than inhibit, health equity. Engaging health equity experts alongside facial recognition and technical professionals could help lead to the implementation of more equitable and privacy-preserving solutions.
It is important for users to invest in foundational infrastructure that allows biometric solutions to be nationally accessible and scalable. Several examples highlighted challenges with system delays because of network connectivity, slowness in uploading images, and access issues in remote communities. The U.S. struggles with broadband access and network connectivity, both in rural areas (because of a lack) and in highly concentrated urban areas (because of volume).113 Prior to a national-level implementation of biometrics, health care may need to upgrade infrastructure and address issues of network access.
Recent advances in technology allow personal devices to collect biometrics, leading to similar innovations that make national deployment of a biometric solution more feasible. Smartphones, tablets, COTS cameras and scanners, and embedded chip technology all can collect and store biometric images and digital identities, creating an opportunity for easier—and more affordable—deployment. Many examples, such as the use of two-factor authentication for EPCS, the KTDI travel program, and ID2020, highlighted the use of a smartphone or COTS technology to collect biometric images. Webcams and tablets can take facial images that meet NIST standards (as demonstrated in the CBP Biometric Exit program), smartphone apps can store digital identities, and embedded chips on credit cards house encrypted biometric templates. These more affordable technologies increase accessibility, making it feasible for smaller health care facilities to implement biometrics.
Often, those facilities use these technologies already for other reasons—such as checking patients in, creating patient portal accounts, or using apps to assist with care management—and thus they could be repurposed. Additionally, many places of care today already collect patient photos using digital cameras or tablets for manual identity confirmation.114 Providers sometimes use images for diagnosing certain clinical conditions, such as genetic disorders.115 Facilities could use these existing images to support patient matching. This approach would not add new workflow procedures to capture the photo but would require some technological adjustments to use the information for cross-organization matching.
Further, cards with embedded chips, such as those used in Estonia, could replace health insurance cards, with the chip containing a biometric template, such as a fingerprint, allowing for easy identity confirmation. Given the variety of available technologies and systems, health care organizations could choose their own vendors, devices, and methodologies for collecting and using biometrics, yet still achieve interoperability with adherence to standards for images and exchange.
Although biometric implementations have traditionally focused on the use of capital equipment purchased and used by facilities, the near ubiquitous emergence of smartphones introduces patient-centric approaches. Given that smartphones and other mobile devices (such as iPads or other tablets) can take images that meet NIST standards, patients could play an active role in capturing facial images and managing their personal biometrics.
Although some solutions still require in-house technology and systems—such as chip readers, fingerprint or palm scanners, and centralized databases for storing images—the proliferation of cases that work with personal devices means that even patients living in remote or less affluent areas of the country can use biometrics. The ID2020 example in Indonesia used a smartphone app-based process because of widespread use; even displaced refugees, who often had no form of government identification, still had access to some form of personal device.116
In health care, patients often use smartphones to access portals with their health information and to use apps that help with disease management. Patients could also use smartphones to provide a facial image or a fingerprint to a health care facility so that the biometric image becomes part of their health record, just as providers did in the EPCS example. Similar to how facilities exchange demographic information for patient matching, biometric images could be shared as a component used for matching. Smartphone apps, similar to the KTDI example, could allow patients to provide consent and grant appropriate access to health information.
Matching across systems and databases requires either the exchange of raw images or a common template. Many of the examples—the CBP Biometric Exit, FCC Protocol, and eu-LISA system, particularly—demonstrated cooperation across government agencies and even across countries; in order for participants to share information, they exchanged raw images. Once the recipient received the raw image, it was converted into a proprietary template in order to run the matching algorithm. The sharing of images ensured interoperability across technologies and locations.
Organizations used encryption, data retention policies, access restrictions, and audits to address the associated security concerns with exchanging raw images. Although these efforts mitigated concerns, they did not eliminate them. Health care should weigh concerns with exchanging raw images against the interoperability benefits and develop sufficient privacy and security solutions to protect the information.
Rather than sharing raw images, another option that allows for interoperability is developing and using a standard template for each modality. Currently, an ISO standard template exists for fingerprints, but not for other modalities.117 Working with ISO and NIST to create a standard for other modalities would allow health care to exchange these templates across organizations, rather than a raw image. However, to be interoperable, all biometric systems and vendors would need to agree to and develop products in line with these standards. Further, if all vendors agreed to a standard template, it would be public—meaning that the template standard could be found easily and used nefariously in breaches or attacks. A public, standard template would confer limited—if any—protections beyond raw images.
Although standards for templates of all biometric modalities do not yet exist, they do for images. Standards for images of biometric modalities used in all examples (facial images, fingerprints, iris scans, and palms) exist through NIST/ANSI that determine details such as the image quality and the specifications for formatting. NIST/ANSI also developed a standard message for how to exchange and share biometric images between systems.118
All examples adhered to image standards; meeting these ensured that the image quality is high enough for template conversion and for running a matching algorithm. Further, adherence to standards allows organizations to exchange raw images among systems. Using the standard message for exchange lets different organizations, agencies, and countries share images.119 Regardless of the method health care chooses for exchange—raw images or standard templates—using standards for the collected modalities remains essential.
However the health care industry implements biometrics, the necessary standards could be appended to the United States Core Data for Interoperability (USCDI). This is a required set of data elements, including demographic information such as names and addresses but also certain medical information, that EHRs must make available in a standard manner. Inclusion in the USCDI would ensure all health IT products certified to federal standards contain uniform functionality for collecting and sharing standard biometric data.
Individuals opt in to using biometric solutions that make their lives easier. Across the travel-related and identity-confirmation examples, users chose the biometric option when weighing other concerns, including security of personal data, often because the biometric option reduced wait times. Travelers must choose to create mobile passports to board planes and pass through customs with a smartphone app and facial recognition, rather than manual review of a physical passport and other travel documents. In several examples, users chose to create and use digital identities to access government services, rather than using manual processes (for example, showing proof of address with utility bills or government-issued ID) to confirm identity. Once created and confirmed, individuals could use their digital identity with only their smartphone. The choice that individuals made to use biometric options over others demonstrates a willingness to opt in to solutions that gain efficiency.
In past patient focus groups conducted by Pew, many individuals stated their preference for a solution for matching that didn’t involve a card or a number.120 Further statements expressed a desire for a solution that could be used while an individual is unconscious, or otherwise in an emergency situation.121 Biometrics could help meet these patient preferences and therefore offer solutions to make their lives easier.
For the ease of use to outweigh privacy concerns, many industries allow individuals to grant and audit access to their personal data. For international travel, individuals could determine if they planned to use a mobile passport and then share their passport information—including a facial image—through the app on their smartphone with airport and airline officials. Personal data could not be accessed without the individual granting it.
In other examples of digital identity, users act as the auditor of their own data. Individuals can retroactively review any access to their data to understand who reviewed information and when. Applications also let users remove consent, terminating previously permitted access. Giving individuals ultimate control over their own data, including the ability to grant, audit, restrict, and remove access, could help mitigate privacy concerns. Health care could similarly use apps and smartphones to streamline patient consent, as well as to let individuals control access to and use of their personal health information.
Privacy and security concerns associated with using biometrics are not specific to health care. The industries in the examples understood the risks that came with collecting, storing, and sharing biometric images and templates. Although no single solution can promise protection from all breaches or attacks, the examples demonstrated that multiple strategies used in conjunction can mitigate threats.
For those examples that used centralized databases, organizations employed armed security guards; limited physical access to facilities; allowed only authorized users and required dual authentication to search and view data; held frequent audits; and used encryption to secure sensitive data. Others gave the individual control over their own data, and the user could grant, revoke, and review access. All examples encrypted data at exchange, including for sharing raw images. Access to data was always limited to ensure that officials only had the access needed to carry out essential job functions; these organizations also conducted frequent audits.
As the Estonian e-ID example demonstrated, even with protections in place, breaches occur. However, because Estonia had risk mitigation plans and invested users, the country quickly addressed the breach, had open channels of communication with citizens, and pushed out a technical fix to every national e-ID card. Despite this threat, citizens continued using their e-IDs; Estonians’ access to digital tools and services through their e-ID became an expected way of life.122
Because health care data is sensitive and already enjoys some protections, users who access this information are regulated and audited. Similar protections could be implemented in a biometric-based system and may already follow from existing policies, such as those implementing HIPAA. In addition, health care already adheres to policies and procedures for HIPAA violations and inappropriate access to data; these same approaches may transfer to biometric data.
Further, state and national regulations and legislation could address breaches to biometric data as well. The European Union addresses biometric data in the General Data Protection Regulation, but there is no similar national-level law in the U.S.123 Several states (Illinois, Texas, Washington, and California) passed legislation regulating the collection, use, and retention of biometric data.124 Updating privacy law, either at the state or federal level, could provide further protections for the use of biometric data in health care.
Particularly because biometrics come with multiple decision points—modality, format, and storage—government involvement could set standards and determine the foundational elements necessary for implementing an interoperable, equitable, and secure biometrics solution. For example, using existing standards, from NIST and ISO, and providing a forum to determine a cooperative agreement that outlined privacy, security, and antidiscrimination protections could help health care begin to understand how to design and implement a biometrics solution to enhance patient matching. The FCC Protocol and the eu-LISA system illustrate how cooperation around a set of standards and policies can provide guidance without sacrificing flexibility.
ONC, with other government agencies, has demonstrated how incentives and the creation of standards can encourage adoption of and adherence to technological solutions. USCDI is an example of a government-mandated specification created to ensure common and necessary data elements are exchanged between health care providers and facilities, regardless of the system in place. Additionally, TEFCA demonstrates how a national collaboration and public-private partnerships can create common approaches and agreements on data exchange.
The use of biometrics in industries around the world provides valuable insight for implementing any solution to resolve one of the most persistent and vexing problems in health care: patient matching. Building on the lessons learned from these applications, patients, the health care industry, and policymakers can weigh concerns against benefits and make informed decisions about the best methods and strategies for integrating biometrics.
This technology can help providers and patients have more complete and accurate health information to inform treatment decisions when used as part of a larger solution for patient matching. With collaborative, cross-sector leadership, health care can design a system incorporating biometrics that prioritizes both interoperability and privacy while working to better link records across different sites of care.
Use case | Cross-entity | Geography | Industry | Technology | Modality | Rationale |
---|---|---|---|---|---|---|
CBP Biometric Exit | Yes | U.S. | Travel | Centralized | Face | Provides lessons learned from a security and privacy perspective. |
KTDI | Yes | Canada, Netherlands | Travel | Decentralized | Face | Decentralized example with emphasis on innovation to inform future possibilities for health. |
Mastercard | No | Global | Financial services | Centralized | Fingerprint (FP) | Unique technology with capture and match on card. |
ID.me and Allscripts | Yes | U.S. | Health | Centralized | Face | Innovation in facial recognition and self-service mobile capabilities. |
DHS US-VISIT | Yes | U.S. | Government/travel | Centralized | FP (limited face, iris) | Large-scale implementation, multimodality and 60 agencies involved. |
Five Country Conference Protocol | Yes | U.S., Canada, U.K., New Zealand, Australia | Public safety | Federated | FP | High complexity in sharing sensitive data across entities with different privacy and security requirements. |
eu-LISA biometric matching | Yes | Schengen area | Public safety | Centralized | FP | Cross-entity use with large expansion between countries and across borders. |
Estonia national e-ID | Yes | Estonia | Government | Centralized | PIN | Uses X-Road, which is an integration architecture that enables data-sharing across disparate entities. |
India’s Aadhaar program | Yes | India | Government/public services | Centralized | Face, FP, iris | One of the most prominent biometric use cases. Largest database in the world. |
ID2020 | Yes | Developing countries | Government/public services | Decentralized | FP, face | Similar to KTDI, has direct application in health care, decentralized architecture. |
The examples listed below were researched and considered but not selected because of one or several of the following reasons: too early in implementation stages to have lessons learned, not enough publicly available data, or too similar to already-selected examples.