Technology in Practice 

Securing Confidential Data On Your Personal Digital Assistant (PDA): Using the Security Options Built Into The Palm Operating System (Part I)

Gwen Liu BSc (Pharm)1; Robert M. Balen, B.Sc.(Pharm), Pharm.D.

1Pharm.D. Student, , External Doctor of Pharmacy Program, Faculty of Pharmacy, University of Washington/Washington State University, USA; 2Associate Editor Journal of Informed Pharmacotherapy.
Email: rbalen@informedpharmacotherapy.com 
J Inform Pharmacother 2004;15:500.


Send FEEDBACK to the Editors about this article


Introduction

Do you feel you can't live without your PDA? Do you rely on the device to help you get through your workday? Perhaps much of your clinical practice and research data resides on this portable device. Imagine the anxiety surrounding the theft or loss of this information repository. Losing a PDA is undoubtedly inconvenient, but for health care professionals the consequences may be more significant than merely inconvenience. Loss of a PDA that contains patient information places patient confidentiality at risk. It behooves healthcare providers to take measures to protect PDA based confidential data. Some authors suggest that, at a minimum, health care providers should use four basic strategies to safeguard the PDA at all times: 1) activate password protection to control access to information on the device; 2) ensure proper user and device authentication before transmitting information during synchronization; 3) avoid wireless data transmission in public areas, and; 4) employ data encryption technology. (1,2)  Encryption refers to the translation of data into a secret code that is not readable without first "decrypting" it. Unencrypted data is known as plain text while encrypted data is called ciphertext. This is the first of a two-part article that outlines some PDA security options relevant to health care providers. 

The purpose of Part I of the article is to describe how to use the built-in security features of the Palm Operating System (OS) to password protect and lock the device from unauthorized access. Part II of this series will outline some strategies for enhancing PDA security with data encryption and more rigorous access control.

Password Protecting PDA Access Using Security Features Of The Palm OS

The Palm OS includes security features that can be enabled to lock access to the device. A very basic way to protect data is to enable the auto lock security feature on the PDA. This provides a minimal level of data protection whereby a security screen prompts the user to enter a password upon turning on the device. Several steps are required in order to activate the auto lock feature on Palm OS PDAs. These steps are described below.

Procedures For Activating The Palm OS "auto lock" Security Feature

Step 1. Tap the security icon on the main application launcher screen (Figure 1). Figure 1. Application launcher screen

 

Step 2. Click on the password "Unassigned" area on the security screen (Figure 2). Figure 2. Security Screen

 

Step 3. Enter a password on the password screen (Figure 3). A "hint" can be entered to help users remember a forgotten password. Users will be prompted to re-enter the password on a subsequent screen for verification before the assigned password takes effect. Click "OK" and this will return you to the security screen (Figure 2). Figure 3. Password entry screen

 

Step 4. After entering and verifying a password, click on the "Auto Lock Handheld" on the security screen (Figure 2). This will bring up the "Lock Handheld" screen where users can specify when the PDA should be locked (Figure 4). Choosing the "On power off" option will require password entry whenever the PDA is turned on. Figure 4. Lock Handheld Screen

Locking Your PDA With A Pen Stroke 

A quick method of powering off and locking access to the PDA requires taking advantage of the pen stroke customization features built into the Palm OS. These customization options can be set to enable the PDA user to power off and lock the PDA by sliding the stylus from the bottom to the top of the PDA screen. This option can be set by tapping on the "Prefs" button on the application launcher screen (Figure 1) and selecting the "pen" option from the bottom of the "Preferences" screen (Figure 5). The subsequent screen (Figure 6) provides a list of options or functions that the PDA will perform when the user slides the stylus from the bottom of the writing area to the top of the PDA screen. The pen stroke locking feature is a convenient way for healthcare professionals to seamlessly lock their devices after inputting or reviewing information on the PDA.

Figure 5. Preferences screen. 

The Pen button on the bottom of the screen provides a list of controls that can be executed by subsequent pen (stylus) strokes.

Figure 6. Pen options screen. 

Selecting "Turn Off & Lock" will enable the user to turn off and lock the PDA by sliding the pen (stylus) from the bottom to the top of the PDA screen.

Limitations Of Palm OS Built-in Security Features

Although the security features built into the Palm OS are easy to activate and convenient to use, they provide only a low level of protection that a knowledgeable programmer can bypass. Version 5 of the OS includes more robust protection than the preceding versions, but some limitations still remain. There are no lower limits on password lengths and thus users can choose inappropriately short or simple passwords. Also, the password obfuscation is weak. (3,4) Short passwords that consist of only alpha characters are not as secure as passwords that exceed four characters in length and include both alpha and numeric characters. Security experts indicate that the password storage methods on the palm PDA are not well encrypted and are vulnerable to decoding. Other security vulnerabilities that are related to the HotSync procedure, data ownership, network and wireless data transmission and programming code also exist. (3,4)

Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

In the United States, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requires both improved efficiency in healthcare delivery by standardizing electronic data interchange, and better protection of confidentiality and security of health data through setting and enforcing standards. While the HIPAA Privacy Rule is specific to the US, all health care professionals have an ethical obligation to protect the confidentiality of patient information. HIPAA dictates that there must be a reasonable assurance that the PDA will not be accessible to unauthorized users. (1,5) While HIPAA does not mandate that PDA-based records be secured with data encryption technology, some authors suggest that health care professionals who store patient information on a PDA should employ strategies that include data encryption, as well as both user and device authentication. (1,2,6,7)

Summary

Health care providers who store confidential data on PDAs need to take steps to ensure information confidentiality. The Palm OS includes some convenient security features that prevent unauthorized access to the PDA. Some experts recommend that enhanced security, above what the built-in OS features can offer, is prudent in the health care setting. Part II of this series will outline some strategies for enhancing PDA security by including data encryption and more rigorous data access control.

Authors Competing Interests

None declared. The authors have not received any research funding, speaker honoraria, complementary hardware or software from any company for any product pertaining to this manuscript.

References: 

  1. Pancoast PE, Patrick TB, Mitchell JA. Physician PDA Use and the HIPAA Privacy Rule. J Am Med Inform Assoc. 2003;10:611-12
  2. Johnson L, Rivers S. Feature - Implications of HIPAA on Hand Held Clinical Applications, Part 2. http://www.pdamd.com/vertical/features/HIPAA2.xml  (Accessed Dec 7, 2003)
  3. Vandepas M, Olsrud K. Security Analysis of Palm Operating System ECE478: Computer and Network Security Department of Electrical and Computer Engineering Oregon State University Corvallis, Oregon http://islab.oregonstate.edu/koc/ece478/project/2002RP/VOb.pdf  (Accessed December 7, 2003)
  4. Kingpin and Mudge. Security Analysis of the Palm Operating System and its Weaknesses Against Malicious Code Threats http://www.usenix.org/events/sec01/full_papers/kingpin/kingpin_html  (Accessed December 7, 2003)
  5. Phoenix Health Systems, HIPAA Primer. http://www.hipaadvisory.com/regs/HIPAAprimer.htm  (Accessed December 7, 2003)
  6. Johnson L, Rivers S. Feature - Implications of HIPAA on Hand Held Clinical Applications, Part 1. http://www.pdamd.com/vertical/features/HIPAA1.xml  (Accessed December 7, 2003)
  7. Johnson L, Rivers S. Feature - Implications of HIPAA on Hand Held Clinical Applications, Part 3. http://www.pdamd.com/vertical/features/HIPAA3.xml (Accessed December 7, 2003)

Copyright © 2004 by the Journal of Informed Pharmacotherapy. All rights reserved.