Are biometric security systems regulated by compliance standards?

regulation issues around the technology. Have any major compliance standards such as HIPAA or PCI DSS directly addressed biometric security systems?

Security experts have long considered biometric security systems, such as the use of fingerprint and eye scans, a strong way to implement multifactor authentication. Combined with a password or other knowledge-based authentication approach, biometrics offer strong security that provide solid proof of a user's claimed identity.

While biometric authentication is a strong approach and is widely used by a variety of organizations, it is not required by any major compliance scheme. This is mainly because of the difficulty of implementing remote biometric authentication in some systems. For example, biometric security systems are not easily integrated into the Web-based authentication schemes that dominate many enterprise technology platforms. Organizations often instead choose to use device-based approaches that use smartphones or authentication tokens to achieve multifactor authentication.

HIPAA does not explicitly require the use of two-factor authentication, although many healthcare organizations choose to use it anyway. The HIPAA requirements merely state that covered entities must "implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed," which could include biometric verification methods.

PCI DSS gets a little more specific in section 8.3, where it states that organizations must "incorporate two-factor authentication for remote network access originating from outside the network." PCI DSS does not go so far as to require biometric security systems, however, and leaves the door open to the more popular device-based approach to two-factor authentication.

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)