My organization is exploring biometric verification but it has some reservations about potential compliance or regulation issues around the technology. Have any major compliance standards such as HIPAA or PCI DSS directly addressed biometric security systems?
Security experts have long considered biometric security systems, such as the use of fingerprint and eye scans, a strong way to implement multifactor authentication. Combined with a password or other knowledge-based authentication approach, biometrics offer strong security that provides solid proof of a user's claimed identity.
While biometric authentication is a strong approach and is widely used by a variety of organizations, it is not required by any major compliance scheme. This is mainly because of the difficulty of implementing remote biometric authentication in some systems. For example, biometric security systems are not easily integrated into the Web-based authentication schemes that dominate many enterprise technology platforms. Organizations often instead choose to use device-based approaches that use smartphones or authentication tokens to achieve multifactor authentication.
HIPAA does not explicitly require the use of two-factor authentication, although many healthcare organizations choose to use it anyway. The HIPAA requirements merely state that covered entities must "implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed," which could include biometric verification methods.
PCI DSS gets a little more specific in section 8.3, where it states that organizations must "incorporate two-factor authentication for remote network access originating from outside the network." PCI DSS does not go so far as to require biometric security systems, however, and leaves the door open to the more popular device-based approach to two-factor authentication.