EDUCAUSE 2002 From Toys to Mobile Tools PDAs in Medical School - Tackling Confidentiality.

Presentation transcript:

EDUCAUSE 2002 From Toys to Mobile Tools PDAs in Medical School - Tackling Confidentiality

From Toys to Mobile Tools EDUCAUSE 2002
Presenters
Sharon Collins, Computer Consultant, Information Technology & Computing Services, East Carolina University
Julius Q. Mallette, MD FACOG, Senior Associate Dean, Brody School of Medicine, East Carolina University
Susan Thornton, Computer Consultant, Information Technology & Computer Services, Brody School of Medicine, East Carolina University

Copyright Statement
Copyright Sharon Collins, Julius Q. Mallette and Susan Thornton, This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

Introduction
East Carolina University has introduced PDAs for medical students, yet answers to questions surrounding patient confidentiality are unclear. How do we ensure that students and faculty keep the information on their devices secure and confidential? HIPAA may impose new standards and we must be prepared. This session outlines the steps taken to get policies and technology in place.


New Toys – New Tricks: Introduction to the “Toy”
Number of students
What PDA/OS we require
What software is available

[Chart: 1st Year Medical Students, percent by category (Male, Female, Internet Access, PDA Use, Wireless Use); values shown on the slide: 52%, 48%, 35%, 40%, 100%]

Challenges
Different types of devices/OS
Battery life
By 2003, an estimated 86% of physicians are expected to use PDAs instead of traditional paper Rx pads
Training
How to protect patient information that is stored on the device
How to protect patient information transmitted during synchronization or over wireless

Gearing Up for Confidentiality
Institutions must analyze the electronic communication and exchange of health information that occurs over their networks and ensure that it includes strong authentication, adequate encryption, and administration of the keys and passwords used for encryption.
Maintain an audit trail during transmission of data.
Apply automatic logoff/lockout after a specified period of inactivity with the application or device.


HIPAA
National standards: deploy national standards for electronic data interchange (EDI) across the industry

HIP-HIP-ha-AA? HIPAA’s role in health care and medical education

Protected Health Information
Encompasses all individually identifiable health information transmitted or maintained by a covered entity, regardless of form:
Name
Address
Birth date
Social Security number
Medical record number
Telephone numbers
Addresses
Names of relatives
URL address
Account number
Certificate/license number
IP address
Finger or voice prints
Photographic images
Name of employer
Health plan beneficiary number
Any other unique identifier

Security
Secure electronic individual health information
Security is the means to control access to your information

Privacy
Ensure uniform privacy related to access and disclosure of patient information
Definition of privacy: privacy is freedom from intrusion into your affairs and the right to maintain control over your information
Confidentiality is the organization’s responsibility to limit disclosure of your private matters

Compliance
Require documentation of organization-wide compliance with security and privacy regulations
When?

HIPAA Component   Effective Date   Compliance Date
EDI               August 2000      October 2002
Privacy           December 2000    April 2003
Security          Pending          Open

Penalties
HIPAA penalties
Unintentional violations could result in fines ranging from $100 to $25,000 for each violation
Intentional violations could result in:
  — Up to 10 years imprisonment
  — Up to $250,000 per offense


Day to Day Operations with HIPAA
HIPAA affects the way we work with PDAs
Patient scheduling
  — Office visits
  — Operating room schedules
  — Delivery room schedules
Education
  — Conferences
  — Presentations
  — Credentialing
  — Accreditation (LCME)

Education
Education of our students, faculty and staff on HIPAA requirements
Orientation requirements for students and faculty: confidentiality statement and oath
Instruction on the use of security mechanisms

“…All that may come to my knowledge in the exercise of my profession or outside of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and will never reveal. If I keep this oath faithfully… may I enjoy my life and practice my art, respected by all men and in all times; but if I swerve from it or violate it, may the reverse be my lot.”
Taken from the Oath of Hippocrates, circa 400 B.C.

Regulations
Information on PDAs related to the following is subject to HIPAA regulations:
Lab results
Patient demographics
Charge coding
Prescription writing
Patient tracking programs
Databases

FAQs and Future Anticipated Questions (the other FAQs)
Is it possible that the loss or theft of a PDA could implicate national security?


Don’t Compromise Your PDA!
Ownership – who is responsible
  — IT managers
  — Owners
What information on the device can be compromised? Everything! Contacts/clients; meetings; patient data; legal and financial information

Guidelines
Patient identifiable data on the device?
  — Data should be encrypted and access should be password protected.
Patient identifiable data transmitted during synchronization?
  — Ensure proper user/device authentication before transmitting data and maintain an audit trail.
Patient identifiable data transmitted wirelessly?
  — Ensure proper user/device authentication before transmission, encrypt data during transmission and maintain an audit trail.
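The controls asked for in the Guidelines slide and in the earlier Gearing Up for Confidentiality slide (authentication before a sync, an audit trail, automatic lockout after inactivity), modelled as an added Python example that is not part of the presentation: a password unlock on the handheld, a pairing-secret challenge the sync host must answer before any records leave the device, an inactivity auto-lock, and an audit entry for every decision. HandheldGuard, host_response, the pairing secret, the user name and the 300-second threshold are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000
LOCK_AFTER = 300  # seconds of inactivity before auto-lock (assumed policy value)

def host_response(pairing_secret, nonce):
    """The sync host proves it holds this handheld's pairing secret."""
    return hmac.new(pairing_secret, b"host|" + nonce, hashlib.sha256).digest()

class HandheldGuard:
    """Policy point on the handheld: password unlock, sync-host authentication,
    inactivity auto-lock, and an audit entry for every decision (hypothetical)."""

    def __init__(self, user, password, pairing_secret, lock_after=LOCK_AFTER):
        self.user = user
        self.salt = os.urandom(16)
        self.pw_hash = self._kdf(password)    # only the salted hash is stored
        self.pairing_secret = pairing_secret  # shared with the host at enrolment
        self.lock_after = lock_after
        self.unlocked_at = None               # None means the device is locked
        self.audit = []                       # in-memory stand-in for the audit trail

    def _kdf(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)

    def _log(self, now, event, **fields):
        self.audit.append({"time": now, "user": self.user, "event": event, **fields})

    def unlock(self, password, now):
        ok = hmac.compare_digest(self.pw_hash, self._kdf(password))
        self.unlocked_at = now if ok else None  # a wrong password leaves it locked
        self._log(now, "unlock", ok=ok)
        return ok

    def is_locked(self, now):
        if self.unlocked_at is not None and now - self.unlocked_at > self.lock_after:
            self.unlocked_at = None           # idle too long: auto-lock and record it
            self._log(now, "auto_lock")
        return self.unlocked_at is None

    def sync(self, now, nonce, response, records):
        """Release records only if unlocked and the host answered our nonce
        correctly; the nonce should be fresh (os.urandom) on a real device."""
        if self.is_locked(now):
            self._log(now, "sync_denied", reason="locked")
            return None
        if not hmac.compare_digest(host_response(self.pairing_secret, nonce), response):
            self._log(now, "sync_denied", reason="host_auth")
            return None
        self.unlocked_at = now                # activity resets the idle timer
        self._log(now, "sync_ok", records=len(records))
        return list(records)
```

Encryption of the stored records themselves, the slide's first point, is a separate control that this block does not model.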

Confidentiality Solutions
Passwords – a good first line of defense
User ID/power passwords
  — Alphanumeric
  — 4 characters
  — Problem: data is not encrypted
Security-specific software
Biometrics

Some Common Sense
The lonely PDA… not for long:
Left on a desk
Left on an airplane
Dropped from a pocket or bag
Stolen!
Unless protected, the PDA and all its contents are immediately available to another individual.
SECURITY IS PARAMOUNT!

Defense
PocketPC: 4-digit user ID password
Card Backup: backs up the databases on a PalmOS device and stores them on an expansion card
Backup Buddy: performs a complete backup of your entire Palm Computing organizer each and every time you HotSync
SecureCard: encrypts a single file, multiple files, or the entire card

Beam me – Lose me…
Transmitted information (infrared)
  — Need user and device validation to ensure proper user authentication with the matching device
  — Maintenance of an audit trail of synchronization

Software Protection
EasyLock
TealLock

Biometrics
Types: signature, fingerprint, voice, face or iris
A fingerprint sensor would probably be the most effective
Biometrics are natural technologies to use on all handheld devices, from cellphones to PDAs to tablets
Biometric solutions:
  — Identix
  — Sign-On
  — SmartCard

Comparisons
Columns on the slide: Software, Price, Palm, PocketPC, Standard, Enterprise, Features (an X marks a platform or edition column).

Cloak
  Price: $19.95
  Platform/edition marks: X X
  Features: Password; Encrypt database

PDA Secure (PDA Standard, PDA Premium, PDA Enterprise)
  Price: $29–$49
  Platform/edition marks: X X X X
  Features: Encrypt files/card; Protects data stored on expansion memory cards; Blocks synchronization/download to a desktop PC; Control wireless access; Six different encryption standards; Secure password and data encryption

PDA Defense (PDA Defense Stand., PDA Defense Prof., PDA Defense Enter.)
  Price: $ $29.95
  Platform/edition marks: X X X X
  Features: 128-bit encryption; Decryption on demand; Hardware button password entry; Auto-lock setting; Stealth mode; Auto-encryption of new databases

JotLoc
  Price: $11.95
  Platform/edition marks: X
  Features: Picture-based security; Lock delay; Lock only between certain days; Simple to use, low memory footprint

Comparison, cont.
Columns on the slide: Software, Price, Palm, PocketPC, Standard, Enterprise, Features (an X marks a platform or edition column).

MovianCrypt
  Price: $39.95
  Platform/edition marks: X X X X
  Features: Advanced password security; Enterprise IPSec-based software client

PocketLock
  Price: $19.95
  Platform/edition marks: X X
  Features: Seven different encryption standards; Lets you password protect individual files; Lets you password protect entire folders; Optional numeric PINs for quick entry

SafeGuard Easy
  Price: $480.00
  Platform/edition marks: x
  Features: Symbol PIN or password; Choice of different Symbol PIN sets; Authenticated ActiveSync connection; Emergency mechanisms in case of forgotten passwords; Timed delay, alarm or even a complete reset wiping all data off the PDA in case of repeated false logons; Protection against unauthorized de-installation; Encrypted data storage; Self-extracting encrypted files for secure data exchange with other users; Data compression; "Secure wipe" of files; Biometric signature recognition

Are You Protected?
Policies
Infrastructure/network
Encryption software

PDA Resources
American Medical Student Association PDA Resources
Brody School of Medicine at East Carolina University PDA resource page:
East Carolina University PDA Resource Page
Thanks to Laurie Godwin and David Jones from East Carolina University’s University Multimedia Center for assistance in this presentation.