Episode 83:
Biometrics and Compliance: A Deep Dive into Access and Accountability

Watch the demo:

Compliance Manager

See the only all-in-one compliance solution today.

Compliance Manager

From revolutionizing access control to preventing fraud, this podcast episode unveils the powerful impact of biometrics in shaping the compliance landscape of the healthcare industry.

Biometric technology can sometimes feel like sci-fi – which is why it raises so many great compliance questions. 

That’s why we invited Dr. Mohamed Lazzouni, the Chief Technology Officer at Aware, a leading company in the field of biometrics, to join us for our latest episode of Compliance Conversations. 

In this episode, Dr. Lazzouni shares insights into the exciting developments in biometrics and its pivotal role in healthcare. From access control to fraud prevention, Dr. Lazzouni and CJ Wolf, MD discuss the impact on compliance and security in the healthcare industry. 

Listen now to gain a deeper understanding of: 

  • How biometrics enhance healthcare access control 
  • Real-world applications of biometrics in preventing fraud 
  • The intersection of biometrics and compliance in healthcare 
  • The future of wearables and AI in biometric healthcare interventions 

Interested in being a guest on the show? Email CJ directly here.

Episode Transcript

CJ: Hello, everybody! Welcome to another episode of compliance conversations. My name is CJ Wolf, with Healthicity. And today's topic I'm really, really excited about. Our guest is an expert Dr. Mohamed Lazzouni with the company Aware, they deal a lot with biometrics, and I'll let him describe that a little bit more, but so grateful he's the chief technology officer for this company. Welcome, Dr. Lazzouni. 

Mohamed: Thanks so much, CJ! Delighted to be here. 

CJ: Yes, we're really looking forward to this to have somebody with such expertise talk about this. But before we jump into our topic about biometrics, is there anything you'd like to share a little bit about your background, or maybe what your company does, or anything in that regard? 

Mohamed: Sure, happy to do so. I can do so very briefly. I spent all of my career into this particular space of the identity security industry with focus primarily on biometrics and ID documents. And the primary idea is to really find solutions that will allow for the identity in its digital form, which is becoming central and core to everything we do in things ranging from commerce to healthcare to transportation to education, you name it, the digital identity is really at the core of all of this, and I've been extremely privileged to have spent my life and my career working into this particular space and helping many people, customers as well as government applications, in order to make sure that such solutions are, the ambitions of making sure that that works the right way is done and follows all of the rules, the compliance, etc. So that has been my career up to this point.  

CJ: That's wonderful. Thank you for sharing that. You know, and I know we're going to talk about healthcare, but I'll just share with you as you were just talking, you know, when I went to the airport last, they didn't even really need much for me. I just looked at some screen and they said; "OK, you're good to go!" So, I just I am not a technical expert, but I'm amazed at how technology is helping move things along more quickly, and our audience as far as compliance goes, I'm sure will be very interested in something, but maybe the level set us all because maybe a lot of our listeners are like me, we're not real technically savvy as you are. Can you just tell us what biometrics are and how they are used in healthcare? 

Mohamed: Yeah, sure. I would love to help with that. So, let's begin perhaps with the definition first, when we use the term biometrics, what it really refers to is to the measurement of some statistical analysis of people's unique morphological or physical features that could possibly also include behavioral characteristics. When we put this really in practice, what we really mean is we mean that we capture either a portrait or perhaps a voice print, a fingerprint, the imaging of the iris or the retina. Perhaps the way that people type on their keyboards or touch a touch-sensitive screen. And all of these signals are unique to each and every one of us.  

So, some of these are obviously fixed, although they might not be fixed in time, say for example that the portrait of a 5-year-old as the person ages changes, it changes the face's geometry changes things like that, so we adapt to such characteristics. And so, when we take them all into account, have a computer capture them, then digitize them, and then we analyze them. That's the part of the capture, the data collection, etc. To have the foundation. Then comes the world of the use of such biometrics. So, typically what they are used for they are used for two domains, either security or convenience, and I'll give an example of the two.  

Security means that, for instance, if you are trying to access a particular building and you are an employee of that building, if the building owners or the people who control the perimeter of that particular building decide to use biometrics and let's say that it is fingerprint or face recognition is the one that uses to unlock the access to that building. So that's a security application, the purpose of which is to ensure that the right people are authorized to come into the building and those who are not authorized cannot come into the building. That's a typical security application.  

Now the flip side of this could be a convenience application. For instance, instead of having to remember a very large number of passwords, if you were to get your computer or your smartphone to unlock using your biometrics, you don't have to remember, renew, reset and work with your passwords or fear that you might lose one and how to recover it, etc. So, this is more of a convenience argument, so that's how the state-of-the-art of the industry and its adoption has progressed to date into this field that we generally refer to as biometrics. 

CJ: That's very, very helpful. So let me throw a little bit of entertainment in. So, we've all seen these movies, science fiction. You tell me how much fiction and how much fact is in this. You know, we see Mission Impossible with when the actor Tom Cruise pulls off the face mask and he's been playing this other part the whole time, right? Iris recognition. You know, people cutting out somebody's eye and using the eye to gain access to the secret room. Tell me, I'm just kind of curious. I know this might not have been on our plan, but how real is some of that and how fake? Is all of that?  

Mohamed: That's actually a fantastic question and it doesn't have to happen, say, with Mission Impossible or a Tom Cruise movie. It actually happens in real life, and it happens every day. And as a matter of fact, there is a in this world of specifically since COVID-19 when a lot of the transactions have gone online. You can only begin to imagine the sort of things that can happen where people are no longer say walking into a branch of a bank in order to transact physically with a teller sitting on the other side of, say, a secure piece of glass.  

When people go online, then obviously those with rather nefarious intent are going to make their best in order to defeat a computer system in either to, say, more log in an unauthorized manner into an account or possibly engage into theft from the balance of that particular account.  

So in our industry, we refer to all of this and now it links back to these sci-fi movies to something that we have, believe it or not, we have technical term for it. It's called a Presentation Attack. A Presentation Attack is when somebody attempts to spoof a computer system by posing to be someone else, so they might put on a mask, or they might have a custom-made latex 3D mask. There are companies where you can actually order this online. Where they can attempt to impersonate someone else and then fool the computer into believing that they are who they are, not in which case they gain authorized access and attack a face recognition system in order to go through the other side of the transaction. 

Luckily for us in our industry, we understand this particular problem and we have been working for years, in order to ensure that we put countermeasures in place so much like there are presentation attacks, we have presentation attack detection systems. We have means by which we can tell whether the person on the other side of that transaction is wearing a mask or not wearing a mask or if they wear glasses, are they still the right person or not? Or if they put makeup, are they still the right person or not? So, as they attempt to do this either physically through mask-wearing or digitally by manipulating some video and creating, say a deep fake, we can tell the difference between one and the other, a live person from a non-live person. And we refer to this entire countermeasure as a liveness detection mechanism that secures the systems and hopefully protects the people who are on the other side of it.  

CJ: That's fascinating. Thank you for entertaining me for a moment. So, tell me a little bit about how biometrics are used in healthcare. Like, I can imagine like I'm, you know, I'm a physician background. I'm trying to, I'm going from room to room and typing into the chart. And every time I have to log into the computer. I mean, is that an example? Of what other things like that?  

Mohamed: That's a fantastic question. I could perhaps just give you few examples and they will fall into a number of categories. So, one, it could be exactly what you said. An access control or a security requirement whereby a particular terminal, somebody who's updated Rep a record update and a chart updating things like this and obviously it does given all of the requirements of the patient data on the other side of the computer that they are accessing. One of the things that could be used in this instance is either fingerprint authentication or face authentication to ensure that if a particular provider comes to that particular computer to either update the record, change something, or read something from it, then only that person for only that session is the one who's authorized to do so. You can think about this logically logging into a computer you can also think about that physically walking into a certain room where perhaps a patient who, who is being attended to for work condition, or the other into a world that requires special access. So, you can get that access control to that to be done via biometrics.  

Face recognition is very helpful in that one might say, for instance, that it might be fairly difficult to apply a camera in this particular instance. Could we do it with voice? The answer is yes, you could apply voice recognition also to do this for people who then are coming into places where they don't have gloves on and fingerprint could be sufficient, they can use fingerprint as well. So that's one domain that I will refer to the use case as really an access security use case.  

The other one could be really applied to fraud prevention. So, if people are trying to gain access in an unauthorized way for hsecurealthcare, for fraud purposes, insurance funders and things like that, biometrics can be extremely important to combat that fraud and ensure that there is no abuse in the system. So, for example, say that a particular patient with some privileges that has access to something and they might want to pass the credentials to someone else who poses to be a patient in order to take care of those benefits, to ensure that you are really dispensing the benefits to the right person, you could use biometrics in order to make that system control well.  

The third perhaps example I could give would be into the world of say employee verification. Say for instance that you have a special word like the neonatal or prenatal care, where nurses have to come in and out for only that particular word that you want to make sure that the contact with those newborns is only through very strictly authorized personnel. You could very easily, instead of somebody having to punch keys onto a keypad or having to have a special key to open the door or whatnot, a mere camera sitting on the lock would very quickly verify the identity of the person, and the person can come in or can come out of that of that particular facility. So, these are few examples. As you can imagine, one can go wild with the number of ideas that one can apply to this domain, but these are places where it could apply very, very successfully.  

CJ: Those are all wonderful examples. Thank you for sharing those. We're going to take a quick break because we want to talk some more about some specific things that a lot of us as compliance officers are dealing with. And I know Dr. Lazzouni has some really good insights there. So, let's take a quick break and we'll be right back.  

Welcome back everybody from the break. I'm here talking with Dr. Lazzouni about biometrics. He's sharing a lot of great ideas about how they can be used in healthcare and doctor; you know as a compliance officer; I deal a lot with HIPPA. And so, I'm curious if biometrics and also other compliance issues, but I'm curious about your thoughts on how biometrics can be used to support compliance. A lot of our listeners are compliance officers in healthcare. Any thoughts on that?  

Mohamed: Absolutely! So, let's take some specific examples of the problem statements and let's think about compliance in its various containers if you wish, and the different rubrics. Let's think about the idea of auditing and the idea of access. Perhaps the idea of storage and then the idea of the ways in which the information can be shared or disseminated, and for each one of these cases for compliance purposes I'll take few examples of where biometrics can apply very well.  

So, let's think first and foremost about the idea of user authentication. Obviously, HIPAA mandates very strict access controls to protect patient information, and those access controls specifically, when they are exchanged via computers require all kinds of ways in which we should ensure that the identity of the person accessing for the purposes of using that particular information is the person who's authorized to do so through the fact that they are an employee, an insurance company, a provider, or whatever the case might be. Here, biometrics plays a significant role and could actually be a very good  for this particular solution, because it will work very well from a security and convenience perspective, but it will also be extremely potent in preventing unauthorized access to reduce the risk of data losses and data breaches and things of that nature. So that's one example.  

CJ: Okay!  

Mohamed: The second example would be into the domain of, say, secure access to electronic health records. Obviously with the EHR systems today requiring very stringent security when clinicians, staff access patient records, it will be very, very important to ensure that this way in which that access is control is done via biometrics so that would be the element of access to the HIPAA governed records that one should access to.  

Let's think now about the other side of compliance equally important, which is the audit traders and accountability. So given that HIPAA requires organizations to maintain audit traders to obviously track who accessed patient records and whatnot. So, you can imagine that if all you had is merely a log or a table, claims and counterclaims can be made as to the entry of that table of the identity that did that. But once you have a biometric associated with it, it becomes highly reliable to link the action to a person, to link the entry in the table to a person, and obviously if any security incident were to happen then you would have like that irrefutable proof of putting the person at the time of the transaction and the right person with evidence of their particular biometric, so that gives you a small flavor of the possibilities of how this applies directly in support of compliance.  

CJ: Yeah, those are all great examples. Maybe could I ask maybe from a practical standpoint, do you find that it works most efficiently from an operational standpoint? Is it the facial recognition is the best or is it fingerprint? What are you finding like on a practical sense? As you know, doctor is going from one room to another and logging into terminals. What works the best?  

Mohamed: Yeah, you could say that perhaps at this point the most convenient, the term best obviously has to be a balancing act between security and convenience and more friction. The modality that lends itself best to these applications would be indeed the face, because when providers specifically are supported via Omni channels, so whatever they use as a tool must work on their desktop, must work on their tablet, must work on their smartphone. You find that these extraordinary compute power devices that available to us today, with the cameras being high resolution, good quality and whatnot, the transferability of the face modality and its use being as simple as taking a selfie is extraordinarily easy and doesn't require any learning curve in order to adapt how this gets done. And so that's the one that takes it. But fingerprint is not a distant second, it's equally available and in the case of desktops, obviously some external device might have to be specifically attached to the desk where the computer is sitting, but in many of the smartphones today, the finger fingerprint read capability comes into the device by itself.  

CJ: Right! And so, like in healthcare, you know, obviously we all went through COVID and we were wearing masks. I was surprised in just my own personal devices can still read my face even when I'm wearing a mask. Is that kind of what you're, you know, to be true?  

Mohamed: Yeah, that's a fantastic question. That is in fact related to that first answer, I provided that related to the attempting to spoof a system by wearing masks, the purpose of which and the intent of which is to defeat the security system and wearing a mask, the purpose of which is to ensure the protection of the patient, we can tell the difference between the two. We have mechanisms into the software that are able to detect, if you wish, that particular type of mask, or the use of that particular mask and make a determination as to whether this mask is intended for really health prevention services, whereas the other one is intended for other purposes, and we can tell the difference between these two things.  

CJ: Yeah! I think you would be like a great consultant if I were like, a science fiction writer. You could tell futuristic things that we could maybe we could create a movie together, but actually seriously, what are some futuristic ways that biometrics might be used to support compliance and you know, are theoretically out there or maybe they're in kind of beta testing, but they're maybe not there quite yet.  

Mohamed: Now there we're really in luck. There is a lot going on and it's all incredibly exciting. So, I'll start probably with the ones that are not too far-fetched and then we will distance it further and further and further. So, let's think about the first case, which is to make really the access to, say medicine and controlled drugs easily, if you wish, providing the security and the convenience that I just talked about a minute ago. So, you can think about the medication dispensing. You can think about biometric protected medicine cabinets even in home that could have something so say a child or perhaps only the patient, the parent patient in in the home is the only one that can authorize this. This can be done today extremely conveniently with a fingerprint or a camera attached to those cabinets very inexpensively, very trivially, and it can be done. So, you can have, I call them the smart dispensing cabinet so you can get into that world very, very quickly. 

CJ: Yeah! And that would, sorry to interrupt. That would also be like a protecting, like children don't get into medications, they shouldn't have and that could really be beneficial.  

Mohamed: Indeed, very, very much so and you can see it in many industries today where really this sort of thing is starting to happen. You have cars now that when you arrive to them, it's really your fingerprint that unlocks the car. You have cars that in order to get them started, you have to speak your voice pass in order to get them started. So that sort of thing that is futuristic can be brought in very fast into application with this particular domain.  

Another thing that I'm very, very excited about is obviously the ubiquitous and incredibly successful fast adoption of Telemedicine. This is if you were to make obviously on the other side of the phone from a provider, they are not going to really become an identity vetting provider if they are a healthcare provider, somebody called somebody is on the other line of the session. They are asking for something, consultation, help, whatever the case might be. The provider just dispenses it. Now the idea of having biometric enabled Telemedicine can take us into all kinds of things where that relationship could be a lot more intimate on how you can get into things and feel very safe on both sides of that computer-intermediated transaction that you are talking to the right person and you are talking to the right provider. So, I'm very excited about seeing this develop over time. 

The one that if you were to ask me to pick one which would be my favorite, I think it's the development in the world of these wearables that are coming in. You end up with all of these extremely smart devices that can be packed and condensed into very small form factors or whether they can be put on the wristband or they can be put ring around the finger or they can be put much like an earring or in whichever capacity they can be put on the body in some way. So, you can imagine that these wearables now are basically computer with computers with healthcare data and one has to be very careful about this data that is distributed on the device on many other things and whatnot. And the idea of applying biometrics to do that would be would be great.  

And if I were to end up with one and that would be my final thought on this would be around the area that has to do with everything that is emerging around the AI algorithms and the deep learning discussions and the application of those in real-time. So, you can start really applying very smart biometric enabled at point of service in case of emergency responses or in case of things where an AI algorithm can work in real-time in order to make some important decisions and through the biometric verify that those decisions are really for the right person significantly minimize the risk and incredibly improve the odds of a fast intervention in order to do the best by our patients. So, these are some of the things that I try to read about and get interested in and quite frankly they are also very excited. So, it's an absolute thrill to kind of follow them, read about them, and see where they are going.  

CJ: I think it's fascinating too, and I'm not even in this expertise area as you, I just find it fascinating how this technology can really have some great uses in healthcare. We're getting kind of towards the end of our time, but I do want to know. So, you're the company Aware, maybe tell us a little bit about them, do they do work in biometrics, in all industries primarily in healthcare, new to healthcare? I mean tell us a little bit about that.  

Mohamed: Yeah, happy to help. We are generalists. So, we have what is called a portfolio of a biometric identity platform that we use for government and commercial application and it just applies to just about everything. So, the way that we typically refer to our use is we refer to it as uses that have to do with support of compliance, combating fraud, and helping with identity management. And wherever these applications are needed, whether they are needed in online education or whether they are needed in healthcare or whether they are needed in transportation, government applications or what have you, we are able to take that platform and adopt it to the use cases that are pertinent to these various industries, and precisely because of the fact that we know that there are such a variety of ways in which this gets implemented, we build into this platform extraordinary richness and adaptability so they can be easily ingested within the domains that are specific to one industry versus the other.  

CJ: That makes a lot of sense. Fascinating! Any last-minute thoughts before we end here? It's been, your expertise is such, so appreciated. I love the way that you break things down and you organize things even just in your responses. It helps me see clearly kind of these different categories. So, I entertain any last-minute thoughts or comments that you might have before we wrap up here.  

Mohamed: My pleasure. It's very kind of you to say that. Just in case your audience might be interested in finding out a little bit more about this our website is a very good resource for this, which is www.aware.com. And obviously, I'm on LinkedIn, and I invite everyone who might want or wish to reach out and have a deeper conversation, I'll be more than happy and it will be an absolute pleasure to entertain questions and further clarifications. And just wish everyone just a wonderful time and thanks so much for having me on the show. Very much appreciated.  

CJ: Thank you, Dr. Lazzouni for your expertise and experience and your willingness to share, and we'll include some of those links that doctor Lazzouni just mentioned in the show notes so that you can reach out both to the company and to him on LinkedIn. And just thank you to all of those who listened to this podcast on a regular basis. We appreciate your participation. Please share with your colleagues and I always try to make this plug. If you know of other speakers or topics that you'd like to hear, you know, speakers you'd like to hear from or other topics you'd like to hear about. Please don't be shy in sharing that with us and I'll echo what Dr. Lazzouni said, thank you and take care, everybody, until next time, be safe!