|
From the October 2002 Issue Order in Chaos: Transforming Best-of-Breed Solutions Into Integrated Solutions |
Viewpoint
PDAs and the Emerging Security Crisis
Clinicians continue to embrace handheld and mobile technology. An Aberdeen Group report in 2001 stated that the personal digital assistant (PDA) market will reach $6.6 billion by 2005 with approximately 39 million units shipped. In August 2001, a Harris Interactive poll stated the number of physicians who use handhelds increased from 15 percent in 1999 to 26 percent in 2001, and concluded that 50 percent of all physicians will use a handheld by 2005. The growth of handheld technology is reminiscent of the explosion of PC technology and its rapid adoption in the 1980s and 1990s. Those who managed information technology through this revolution remember the difficulty in securing information on PCs, and the initial perception that the PC was not part of the enterprise. PCs often were purchased by individuals or departments, and the hardware and software were not scrutinized by the information systems organization. Unfortunately with handhelds, this is déjà vu. In some ways, securing information on handhelds is more difficult than securing information on PCs. Many users regard the devices as their own, security technologies are only now emerging and the wireless standards and protocols that support handhelds have their own security risks. IS managers in the 1980s never had to worry about end users losing a PC because it slipped out of a pocket. Facing HIPAA How can IT professionals secure clinical mobile information and applications while meeting increasingly aggressive, HIPAA-driven regulatory requirements? The key is to begin treating information on handheld devices and the devices themselves the same as a personal computer or enterprise Web application. Enforcing fundamental password policies and taking advantage of basic security shipped with the device can go a long way. Palm OS offers various ways to lock the device, and numerous third party applications provide encryption of local data and even client certificates. Palm OS 5 offers system-wide strong encryption (128-bit) as a standard feature. Through a partnership with RSA Security, it includes stronger support for encryption standards than its predecessors. Pocket PC 2002 offers Windows 2000 strong passwords in addition to the standard four-digit passwords. Microsoft is currently developing tools to support encryption for mobile applications as part of its .NET initiative. Browsers on both the Palm OS and Pocket PC operating systems support 128-bit encryption and SSL. Smart cards also may be used in conjunction with new Palm and Pocket PC offerings. (Unfortunately, the default security settings on handhelds are often set for the users’ convenience—which means none.) Importance of Architecture Application architecture has an enormous impact on the security risk that handheld devices present. Applications and products that rely on storing kilobytes (and in many cases megabytes) of protected health information on the handheld are a cause for concern. Data must be password protected, and also encrypted, on the device in case of loss or theft. Many handheld applications will leverage wireless network technology such as 802.11b or Wi-Fi. 802.11x technologies offer high-speed connectivity (11 Mbps for 802.11b, 54 Mbps for 802.11a) but are confined to an office or office building. Since this hardware is inexpensive and provides enough speed for all but the most demanding applications (such as viewing radiology images), it is certainly worth considering for mobile clinical applications. Wireless networks present a challenge. Wired equivalent privacy (WEP), a feature of most wireless networking products, only provides 40-bit encryption vs. 128-bit encryption used by secure Web applications (the longer the encryption key, the more difficult it is for a hacker to break into the network). Because the WEP secret key is static, a hacker using a wireless sniffer (a device that retrieves and stores network packets) can crack it within one second after 100 MB to 1 GIG data has been sniffed. Although WEP is not a very strong way to secure a wireless application, many vendors have WEP turned off by default, leaving the wireless network open to hackers. IS personnel must ensure that wireless devices are using the available security, and that there are standards for installing and configuring wireless access points and network cards. Organizations that find the convenience and speed of the wireless networking/handheld combination attractive should consider leveraging Internet technologies and a thin client architecture (a browser running on the handheld requesting data over a wireless network from a Web server on the network). Thin client architectures for handheld applications are much easier to secure than applications that require syncing and local data stores on the handheld. Other thin client architecture advantages for mobile applications include:
Information systems departments could not prevent the PC from becoming the preferred platform for deploying applications or the use of the Internet as an information delivery mechanism. The age of the handheld is upon us. Treating the handheld as a real computer, enforcing standards for handheld security, and selecting the appropriate application architecture can secure clinical information. Meeting the challenge is not a choice. We can prevent déjà vu. Bob LaRochelle is vice president of product development at Axolotl, Mountain View, CA. Contact him at blarochelle@axolotl.com © 2002 Nelson Publishing, Inc |
By Bob LaRochelle