Published in the March 2004 issue of Today’s Hospitalist
How safe is the information you keep on your handheld computer? If you’re like most physicians, you probably haven’t given much thought to the question. In fact, you’re probably not even taking the most basic steps to protect the data on your device.
Not long ago, physicians used PDAs as mere appointment schedulers and electronic phone books. Now, with physicians using palmtop computers to track patient data they’ve imported from electronic medical records systems or typed in themselves, the stakes for security of information on PDAs are considerably higher.
HIPAA legislation requires you to take reasonable steps to protect the security and confidentiality of patient data, but there is an even more basic reason you should start thinking about security: Imagine that you’ve left your PDA in the hospital cafeteria or at a Starbucks, and someone easily opens files containing sensitive patient data.
The good news is that with a minimal amount of effort, you can make the information you store on your PDA much more secure than the paper charts and notes you carry around. With a few simple commands, you can activate the built-in password protection that is standard on most handheld computers. And if you’re more ambitious, there is a wide range of inexpensive products that offer even more protection.
Here is an overview of some of the security strategies you can use to protect clinical information on your PDA, from the high-tech approaches used by large vendors to inexpensive applications you can purchase.
How much is enough?
Security analysts say that the mobility of handheld computers is both a blessing and a curse. Because they can go anywhere, the tiny computers are not only easy to use, but they are also frustratingly easy to lose.
Most machines provide built-in password protection programs that allow users to “lock” either certain documents or the entire device. Activate this feature, and you’ll have to enter a password to access individual documents. You can also set up your PDA so that it requires a password to start up.
(On Palm devices, you can turn on the security features by going to the security icon on the main screen and following the prompts.)
There is some debate about whether these built-in applications are strong enough to protect clinical information. Security experts argue that the passwords generated by PDAs can be easily overpowered using commonly available hacker software. Once your password is broken, they say, all the data on your machine is exposed.
That’s why companies that link PDAs to hospital information systems use password technology that offers more protection and is harder to crack. Most of these large systems also offer a second layer of security, encrypting all the data that PDAs get from the hospital’s system. Even if someone cracks your password, the thinking goes, the data on your machine will be encrypted and require significantly more effort to access.
By discouraging people from bothering with individual PDAs in the first place, vendors hope to steer hackers away from PDAs. The goal is to focus would-be thieves on hospital-wide systems that archive data on all of the hospital’s patients, not just a partial list of one physician’s patients. While the information on these large systems is just as sensitive, the servers behind the scenes have the horsepower to run much stronger security applications than their pint-sized counterparts.
“The effort that you spend trying to hack into a PDA is much greater than what is required to open up a paper chart,” says William T. Lawson, MD, chief technology officer and co-founder of MercuryMD, a company that specializes in software to link PDAs to large hospital information systems.
Time outs and time bombs
MercuryMD features several layers of security to protect the patient data that physicians can tap into via wireless networks. A number of vendors offer similar measures that integrate PDAs into large hospital information systems.
One security measure used by MercuryMD, for example, requires users to enter a four-digit PIN into their handheld computer. Enter that identifier incorrectly three times and you will lose all access to the hospital’s information system. To reconnect your PDA to the system, you have to call your hospital’s information technology department.
MercuryMD’s software also uses a “time-out” feature that monitors how much time has passed since users last accessed the system. If too much time has passedÃ¯Â¿Â½10 minutes, for exampleÃ¯Â¿Â½you’ll have to enter your PIN again.
Dr. Lawson says the 10-minute window gives physicians enough time to log out of the hospital system in order to use another program like Epocrates. They can then re-log into the hospital system without having to enter a PIN again.
In addition to time outs, vendors like MercuryMD also use “time bombs” to protect patient data. All files older than 24 hours, for example, can be automatically deleted from PDAs.
Security vs. convenience
When it comes to protecting patient data, there is often a fine line between security and convenience. For instance, most systems that allow physicians to access the hospital information system wirelessly let physicians view information on their PDA screen, but users can’t store the information on their device.
This means that when you view information on another patient or in another palmtop application, the record you just viewed disappears from your palmtop. You can’t view it again unless you’re still logged into the wireless network.
This type of limited access helps protect data, but it can be frustrating to physicians. “Physicians think the information will always be on their PDAs,” says Tom Walsh, president of Tom Walsh Consulting LLC in Overland Park, Kan., which specializes in health care information security issues. “When they get back to their office, it’s not there.”
Jeff Sutherland, chief technology officer for PatientKeeper, a company that creates systems to link PDAs to hospital information systems, explains that the balancing act between security and functionality is an ongoing concern.
Take the issue of what to do when the wrong PIN is entered three or more times. PatientKeeper’s software can require users to contact the hospital to reset the device, or it can go a step further and delete all the clinical information on that physician’s device.
While the ability to destroy all the data on a machine that may have fallen into unauthorized hands is the safest route, Mr. Sutherland says that no hospital has ever chosen this option. The reason? Physicians would be furious at losing all their data simply because they were having a bad day and entered the wrong PIN a few times.
“There’s a tradeoff between the ultimate level of security and keeping users happy,” Mr. Sutherland explains.
Another example is the ability to “beam” information from one handheld to another through the infrared ports that are standard on most PDAs. While physicians love this featureÃ¯Â¿Â½during patient handoffs, you can beam your patient list to a colleagueÃ¯Â¿Â½security experts view it as a back door around the security systems they have built. As a result, some hospitals do not allow physicians to beam clinical data to each other.
PatientKeeper’s software lets physicians beam informaÃ¯Â¿Â½tion to each other, but in a way that protects the security of clinical data. When a physician identifies information she wants to beam to a colleague, the PatientKeeper system creates an electronic “token” that lists that information.
When the physician beams the patient information to her colleague, she is actually sending this “token,” not the information itself. When that token is transferred to her colÃ¯Â¿Â½league’s PDA, the second handheld computer goes through the hospital’s system to retrieve the patient information.
The whole process takes place so quickly that end users may think the information was beamed from one device to another. But the transfer of information actually takes place within the confines of the hospital system and its security protections.
While many of the technologies being used by large vendors aren’t commonly available to individual PDA users, there are a number of steps you can take to protect the information on your machine.
Security analysts may argue that built-in password-protection software is too easy to hack into, but not everyone agrees. Nilay Shah, MD, a neurologist with Crystal Run Healthcare in Middletown, N.Y., for example, uses some built-in features on his PDA.
Because his hospital doesn’t offer computerized access to patient notes, he often copies parts of the patient record from his office system onto his PDA and takes those notes with him when he sees the patient in the hospital.
“I have all the demographic information with me,” he explains, “so I don’t have to ask the patient to repeat all that information. I can be more efficient about writing my hospital encounter note.”
Dr. Shah, who is also vice president of MedicalPocketPC.com, a Web site that specializes in handheld hardware and software for physicians, uses the password protection feature on his word processing program to set a password for the program. If his handheld is lost or stolen, someone will first have to crack the password. And as soon as he is done with the patient note, he makes sure he deletes the file from his machine.
Dr. Shah admits that the technology behind this password protection is not impossible to crack, but he says the goal is deterrence, not impenetrable security. “Most people will get frustrated and purge all the data from the machine rather than try to crack the passwords on these documents,” he explains.
Dr. Shah also uses password protection on nonpatient data he carries on his PDA. His DEA number, medical license number and medical society membership information are all stored on a password-protected database. The program, FlexWallet, encrypts all the data on his PDA and won’t open the files without a password. It is inexpensive and also runs on his desktop computer, so it’s easy to make sure that he has the same information on both machines. (For a list of products that offer password protection and encryption, see “Software to protect the data on your PDA,Ã¯Â¿Â½ above).
You can purchase other software to give your PDA even more protection. The medical library at MetroHealth Medical Center in Cleveland recommends that all health care professionals using PDAs in its facilities use a stand-alone password-protection program, OnlyMe.
MetroHealth began exploring the idea of beefing up password security for PDAs in part because of concerns about HIPAA regulations. In addition, the medical center recently began allowing interns and residents to use their book funds to purchase a PDA.
If residents and interns buy a device using department funds, MetroHealth automatically installs OnlyMe. Physicians who have their own PDAs can also have the medical center install OnlyMe on their devices. Christine Dziedzina, chief librarian at MetroHealth’s Brittingham Memorial Library, describes the effort as a “first step” in securing PDAs. Physicians don’t yet have direct access to MetroHealth’s electronic medical records system, she said, but it is in the works.
OnlyMe requires users to enter a password to start the device. Instead of entering text, physicians use a six-button keypad that appears on the screen to create and enter a password.
MetroHealth gives physicians an added incentive to put OnlyMe on their PDAs: When the information technology department loads the security software on a physician’s PDA, it also installs the medical center’s phone list that users can easily update.
While technology experts may argue about whether physicians should use their machines’ built-in security measures or purchase stand-alone software like OnlyMe, they all agree on one simple point: Don’t wait until it’s too late to think about protecting your patient data.
“Nobody wants to think about security until after they’ve lost their device and they start thinking about all the data they had on there,” says Mr. Walsh, the security consultant. “You almost never have a problem convincing someone to use a password after they’ve lost one of these devices.”
Edward Doyle is the editor of Today’s Hospitalist.
Related link:Handheld devices for physicians