Security Software for Hand-Held Computers
Protecting the patient information stored on your PDA isn't just a good idea; it could be required under HIPAA.
Fam Pract Manag. 2002 Jun;9(6):59-60.
What five-letter acronym currently strikes terror in physicians' hearts? If you guessed HIPAA, the Health Insurance Portability and Accountability Act of 1996, you're correct. The very name evokes images of trying to see patients while carrying a HIPAA hippo on your back. Among other things, HIPAA requires that all health care organizations take specific physical, procedural and technological security measures to ensure the confidentiality of patients' medical information. If you own a personal digital assistant (PDA) and have downloaded medical software programs that contain patient-identifiable health data, you will be required to keep this information secure once the HIPAA privacy and security rules take effect. (The deadline for meeting the privacy regulations is April 2003; the security regulations haven't been issued yet.)
How can you protect the patient information and other private information you have stored on your PDA? Here are some options.
Built-in PDA security features
Most PDAs come with a built-in locking feature. PDAs that use either the Palm or Pocket PC operating systems have something called a “Lock & Turn Off” password protection feature, but it has two distinct disadvantages. First, it is difficult to locate, and, second, you must remember to activate it each time you turn off your PDA. If you have a PDA with a Palm platform, you'll find this feature under “Security” on the main menu. Selecting the Security icon brings up a screen (see figure 1) that will allow you to assign a password and lock the PDA to prevent further use. Re-entering the password unlocks it. The feature works the same way on the Pocket PC and can be found by selecting “Settings” on the main menu, then “Personal,” and finally “Password.” Some PDAs also come with an automatic locking feature enabling users to preset times they want to lock the PDA (see figure 2). This is a nice upgrade, preventing users from having to remember to activate the lock-out feature each time they turn off the PDA.
Shoring up your security
It's not that difficult to circumvent the built-in security feature on most PDAs. In fact, programs exist specifically to bypass this function. To boost PDA security, a host of new software programs have been designed (see the list). These programs offer added security features, such as enabling users to preserve their password during soft resets and preventing transfer of information (by synchronizing or “beaming”) to another computer during the lock-out times. PDAs with Palm operating systems prior to version 4.0 contained debugging shortcuts for software development purposes. Since these shortcuts work even when the PDA is locked, they can be used to breach the locking feature. Some security programs on the market will check for debugging shortcuts and delete them. Some of the security programs also feature limited password attempts. If the maximum number of attempts allowed is exceeded, the PDA will then permanently lock itself or delete all the information stored in it.
Even with these extra security software features, patient information stored in your PDA still isn't completely safe. Someone could still take apart your PDA to get to the information stored in its memory chip. Granted, the average thief couldn't do this, but that's not much comfort to people who want their medical information protected from even the most unlikely events.
Securing the information stored in memory chips requires encrypting it. In addition to encoding the memory chip, encryption also provides password protection for specific files and data. Encryption comes in a variety of types and bit sizes. The higher the bit size, the more secure the encryption and, usually, the more expensive the product. Typically, encryption software that uses higher bit sizes will also use more active memory and process more slowly. Some encryption programs also feature “transparent” encryption; use of the correct password automatically encrypts each data record when it is stored and decrypts it when accessed.
SECURITY SOFTWARE PROGRAMS
The following software options allow you to add various levels of protection to your personal digital assistant (PDA).
Cradle Robber (www.dentonsoftware.com/software%20pages/cradle_robber/cradle_robber.htm). Palm OS only. Disables PDA and triggers alarm if PDA is removed from its cradle. $9.95. Free demo version available.
GridLock (www.pdabusiness.com/gridlock). Palm OS only. features a square grid pattern instead of a traditional password. Free. GridLock Pro ($9.95) offers a maximum number of password attempts feature and owner name display when locked.
JotLoc (www.pdabusiness.com/jotloc). Palm OS only. features a pass picture (such as a signature) instead of a traditional password and can be set for multiple lock-on and lock-off times. $11.95. Free demo version available.
Microsoft Password for Pocket PC (www.microsoft.com/mobile/pocketpc/downloads/powertoys.asp). Pocket PC only. An upgrade from the original four-digit password security feature built into the Pocket PC. This application is already built into Pocket PC 2002 software. It is not compatible with Hewlett Packard Jornado computers. Free.
MovianCrypt (www.certicom.com/products/movian/moviancrypt.html). Palm OS or Pocket PC. Incorporates password log-in with 128-bit transparent encryption software. features enhanced speed by using idle CPU time for re-encryption. $39.95.
OnlyMe by Tranzoa (www.tranzoa.com/onlyme/onlyme.htm). Palm OS only. features a large keyboard for quick password entry and timed lockouts if maximum number of password attempts is exceeded. Returns to the last-viewed screen when password is entered. $9.95. Free trial available.
PDA Defense (previously known as PDABomb) (www.pdadefense.com). Palm OS and Pocket PC. Encryption software available in either 64-bit (standard) or 128-bit (professional) version. Includes a “bomb” feature that wipes out all RAM database information if user exceeds the maximum number of password attempts. $19.95 standard and $29.95 professional. Free trial available.
PDASecure(www.goati.com/pdasecure.shtml). Palm OS and Pocket PC. Password protection and encryption software. Users can choose from six different encryption standards and select which applications to protect. $29 standard and $49 premium. Free trial available.
PocketLock (www.applian.com/pocketpc/pocketlock). Pocket PC only. Password protection of individual files or entire folders with a choice of seven different encryption standards. $19.95. Free trial available.
Sentry 2020 (www.softwinter.com/sentry_ce.html). Pocket PC only. Features 128-bit or more transparent encryption. $50. Free trial available.
Sign-On (www.shopcic.com/product_details/signonpalm_details.asp). Palm OS and Pocket PC. Uses personal signature for password protection. $19.99. Free trial available.
TealLock (www.tealpoint.com/softlock.htm). Palm OS only. 128-bit encryption software with customization options. $16.95. Free trial available.
Complying with HIPAA
The HIPAA privacy and security regulations do not specifically identify what measures will need to be taken to protect patient-identifiable health information stored or transmitted on PDAs. But protecting this information from breaches of privacy will probably require more than the built-in security features that come installed on most PDAs.
If you're serious about patient privacy, choose security software that incorporates password protection and data encryption. As physicians, we have always honored patient confidentiality. Regulations aside, adding a little extra security to your PDA is just another way to show respect for that long-held value.
Copyright © 2002 by the American Academy of Family Physicians.
This content is owned by the AAFP. A person viewing it online may make one printout of the material and may use that printout only for his or her personal, non-commercial reference. This material may not otherwise be downloaded, copied, printed, stored, transmitted or reproduced in any medium, whether now known or later invented, except as authorized in writing by the AAFP. Contact email@example.com for copyright questions and/or permission requests.
Want to use this article elsewhere? Get Permissions