I recently saw a PCMCIA card with a built-in fingerprint scanner... at least
one of the handhelds on the market can use standard PCMCIA cards... perhaps
this addresses your question.

A second point is: why are you storing records on your PDA? Why not send the
information to your secure computer right after you collect it?

Cheers,

Joseph


----- Original Message -----
From: "Michael Kramer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, November 29, 2000 12:09 PM
Subject: Re: PDA's not the end --Security


I have been intermittently lurking. Has anyone discussed the issue of
security for PDAs?

A wide variety of applications can store data on PDAs, and they have
effectively been used to collect patient data.  I have over 400 patient
records on my PDA.  According to some estimates, 1 in 4 PDAs are lost or
stolen every year (Gartner Group). It is clear that a lost or stolen PDA
places this data at high risk and the number of patient records per PDA may
be quite large.

Currently, many applications use password authentication for their
applications.  The most common method is to require authentication each time
the device or application is used.  Frequent requirements for password
authentication are cumbersome and reduce the usefulness of the PDA.

Despite adequate password use, most all PDA-based healthcare applications
fail to encrypt the actual data.  Furthermore, these PDAs are often
synchronized or backed up onto the personal desktop computers of the PDA
user.  In the instance where synchronizing computers are attached to an
"always on" Internet service such as DSL or a cable modem, the exposure of
this unencrypted patient data is extraordinary.  With hundreds of PDA users,
it is possible that there is a large exposure to healthcare data on personal
computers attached to the public Internet.

I have been looking for methods to secure the PDA-based synchronization
process.  One method would be to encrypt the data in the PDA, but Palm
devices have limited encryption software and little power to encrypt and
decrypt.  Further, the Palm does a complete backup of all devices on the PDA
every 5th synch.  I am unsure how to prevent this, allow it only on our
secure "enterprise synch workstations", or exclude certain PDA databases.
Perhaps an enterprise-based synchronization strategy that created an
encrypted conduit directly back to a synch server.  I have, however,
been very unimpressed by the PDA industry to provide enterprise/centralized
synchronization services.

The only company that seems to be promoting enterprise PDA management and is
touting the release of a secure conduit is Aether.  Licensing for this
starts at >$100 per seat.

Has anyone else found a solution to these issues?

We have been discussing this on the palm-med listserver if anyone is
interested in contributing there as well, send an email to
[EMAIL PROTECTED] with the word "subscribe" in the subject line.

Mike


<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>
J. Michael Kramer, MD
Medical Informatics Fellow, Department of Internal Medicine and
The Michigan Collaboratory for Health Informatics, MiCHI

Web and Alpha Page:
http://www.umich.edu/~jmkramer
Office: (734) 615-0026               Fax: (734) 936-3617
Voice Mail: (734) 615-0605        Page: (734) 936-6267



>>> [EMAIL PROTECTED] 11/22/00 01:47PM >>>
PDAs such as the Palm and Psion are not the end of alternative devices
to PCs.  Starting this Christmas, a lot of devices based on National
Semiconductor's GEODE WebPad hardware are coming out (my personal
favorites in this group are Qubit and 3-COM's Audrey):

Acer, Boundless, 3-COM, Qubit, RS Cordless Technology, Samsung, Screen
Media, Tatung and Vestel all have devices ready or nearly ready.
Underneath the hardware (which is i386 compatible) we have OS's such as
BeIA, QNX, Linux and CE running a variety of software, all of which
feature web browsers running JavaScript (some also include Java, CSS,
XML).  Some of these platforms have built-in 802.11 wireless
capabilities.

I mention this because our Clinical Information Systems group has
decided to go with wireless pad devices running browsers as their target
portable delivery platform.  I don't know which pads they have chosen
yet, nor even if they are using National's platform, as there are other
CE-based pads available.



