Making your Handheld Secure
“The only real security that a man will have in this world is a reserve of knowledge, experience, and ability.”
Henry Ford (1863 – 1947)
The male changing room in the surgical theatre of my clinical school has a security camera. I know this because my Palm Pilot was stolen from me during my time as a clinical student, and the camera spotted the thief. When the police returned my machine, I found that all my data was lost. The data loss was planned, because I had installed security software.
There are several levels at which you can make your data safe on your handheld. The main point, however, is that the existing software that comes with your machine does not provide any reliable security. Furthermore, when you connect your handheld computer to your personal computer, the data is copied there as well, so you must secure both machines.
To start with, you can password-protect your handheld computer. For Palm-compatible machines, TealLock provides excellent security, and the equivalent on Pocket PC machines is SafeGuard PDA. Both can lock the machine after a specific period (15 minutes is a ward round-friendly duration) and can be unlocked quickly by the correct user (the keypad is thumb-friendly).
The next layer of protection is to secure particular data on your handheld. For example, eWallet requires a password before granting access to my credit card details, while HanDBase allows password-protection of my clinical databases. Both are available for the Palm and Pocket PC, and both encrypt the data.
In the long run, however, security of data might be improved by wireless networks. These would allow the sensitive data to be stored on a central computer, which would only be accessed through password-protected machines within range. Once outside this range (for example when a clinician takes their handheld home) the data would no longer be on the
An alternative aspect to security is protection from viruses. At the moment, there are few viruses that target handheld computers, and most of them enter the machines when they connect to personal computers. That’s why most anti-viral packages, such as those by Norton and McAfee, monitor the connection for malicious code. But there is still the risk of viruses when two handheld computers connect to each other through their infra-red beams. Software is already available that monitors this route, at considerable expense.
But perhaps the most important defense against such dangers may well be education. Kevin Mitnick, one of the world’s most notorious hackers, was able to access so much “secure” computer data because he manipulated the humans who were using the computers. They routinely gave him their passwords.
Such education begins with risk analysis. The team involved in deploying the handhelds should consider the gaps in security; take reasonable steps to plug the gaps; and most importantly, educate the end users about the gaps. The NHS Information Authority provides a rather useful toolkit for going through these steps, as part of compliance with British Standard 7799. This is available on request from the NHSIA’s Security Risk Manager, Tom Lillywhite. Good security must include good habits, such as holding onto your machine rather than leaving it in the surgical theatre changing rooms.
published in British Medical Informatics Today Summer 2003 issue