Two-Factor Authentication on iPhone 5s is Not Yet a Game-Changer for Healthcare

The recently introduced iPhone 5s offers a number of improvements over previous versions, including a faster processor, an off-loaded co-motion processor and an improved camera. But what some consider the most intriguing new feature for healthcare is the new fingerprint biometric scanner.

Apple introduced what it is calling Touch ID into the iPhone 5s home button. The traditional button is replaced with a capacitive sensor, capable of 500 pixels-per-inch resolution, covered by a sapphire crystal to protect the sensor. This allows users to secure their phone with their fingerprint, which is an identification factor that is difficult to spoof. While the incorporation of biometrics is an innovative method of securing access to the device, does it really have much significance for healthcare?

The short answer is not yet.

While it is necessary to secure any device that may contain protected health information (PHI), there are additional steps Apple can take to make its Touch ID technology truly beneficial to clinicians.

For example, with the eventual release of APIs for developers, Apple will allow healthcare organizations to leverage the fingerprint identities of their users to sign on to applications. This capability can play an important role in electronic signing, especially for prescriptions, to provide positive proof of who initiated the order. Until Apple releases its API for developers, however, the iPhone 5s does not meet requirements.

On June 1, 2010 the DEA’s interim final rule on “electronic prescribing for controlled substances” (EPCS) took effect, requiring that any electronic prescriptions for controlled substances meet the NIST Level of Assurance (LOA) 3 for verifying the prescriber’s identity. Fingerprint biometric sensors meet NIST LOA 3 requirements, but only if the device is FIPS (Federal Information Processing Standards) 240 approved. To achieve FIPS 240 approval, a sensor needs to capture a fingerprint at a minimum of 16.5mm in both directions at a minimum resolution of 320 pixels-per-inch. The iPhone home button is currently 11.2mm in diameter, which is well below the 16.5mm x 16.5mm required minimum image size for FIPS 240 approval.

Also, since Apple is not releasing the software development kit (SDK) for Touch ID, the entire fingerprint experience is controlled by Apple. Users are able to self-enroll, which provides no verifiable chain of custody for the fingerprint data: anyone can enroll or re-enroll a fingerprint, and nothing vets that the fingerprint actually belongs to the phone’s authorized user. Ideally, there should be a federated identity of the user that must be validated by an approved third party. However, it would be a substantial effort for Apple to introduce federated identities, and nearly impossible to do in the current closed fingerprint system on the iPhone 5s.

So, while the built-in fingerprint scanner is definitely a step in the right direction for healthcare, Apple needs to increase the size of the sensor and open its APIs in order to make any significant impact for multifactor authentication and healthcare.