
PDAs pose potential patient privacy problems 


by George Spain
CCIT Technical Publisher
Easy to pocket and difficult to protect, Personal Digital Assistants (PDAs) pose special problems for patient privacy and confidentiality, says Sharon Knowles, Information Security Officer for the Medical University Hospital Authority.
 
Knowles, whose primary job is to monitor patient confidentiality mandated by HIPAA, says anyone who uses a PDA should do a “personal risk assessment” to determine if the benefits of portable access to a patient’s data outweigh the risks to the patient’s information. 

Richard Gadsden, Director of Computer and Network Security, agrees, adding, “Anyone who uses a PDA for convenience only and doesn’t weigh the risks is acting irresponsibly.”
 
The thing that makes a PDA so convenient is the same thing that makes it a risk: size. “They are easier to steal, lose, and break, and they also have relatively primitive operating systems with skimpier built-in security,” Gadsden said.
 
Neither Knowles nor Gadsden would venture a guess as to how many PDAs were in use around the medical center, but both agree that the vast majority are privately owned and not department-sponsored.
 
While there’s no special computing policy on PDAs, Knowles has begun “a first draft of a policy to address the issue.” Until then, the MUSC Computer Use Policy (http://www.musc.edu/ccit/cup) and MUHA’s Policy C-27, “Confidentiality of Patient Information and Medical Record Security” should be used as guides for reasonable, responsible use. 
 
Among other things, the draft recommends that no PDA be used without password-protected access to data, that logins to any patient databases be timed to log out after a period of inactivity, and that whoever owns the PDA be personally responsible for any breach.
 
“The law is clear: the patient owns patient data. Healthcare professionals may use and exchange the data only in pursuit of the patient’s medical interests and not for their [the professional’s] own convenience,” Knowles said.
 
Gadsden noted some PDA applications can be configured so that every piece of data stored in the PDA has a limited lifespan, and is automatically erased after a specified period. Combining this sort of feature with a good password system can provide reasonably good protection for the data stored on the PDA.
 
“The greater risk of the electronic form is the potential for loss, destruction, or undetectable modification,” said Gadsden. “If at the end of a few days of rounds you drop a clipboard full of notes, worst case is you have to pick it up. With a PDA, you may be picking up the pieces, and patient data stored on the device may be irretrievably lost.”

Catalyst Online is published weekly, updated as needed and improved from time to time by the MUSC Office of Public Relations for the faculty, employees and students of the Medical University of South Carolina. Catalyst Online editor, Kim Draughn, can be reached at 792-4107 or by email, catalyst@musc.edu. Editorial copy can be submitted to Catalyst Online and to The Catalyst in print by fax, 792-6723, or by email to petersnd@musc.edu or catalyst@musc.edu. To place an ad in The Catalyst hardcopy, call Community Press at 849-1778.