Pocket PC magazine, Apr/May 2004


  As an example, if there is an FDA newsflash on a specific cancer treatment, I don’t have to review all alerts to find it—a link to it will automatically appear when I am reviewing the cancer information and smARTlink to ARTbeat. No other product I have reviewed provides this functionality. This enables medical professionals to practice at a higher level of expertise and immediately have the information required to make the most informed decisions.

  This is a different and better approach than simply pushing a newsletter onto the PDA. While doctors can subscribe to e-mail updates, we are not going to remember which newsletter from four or five months ago contained the information we need. With ARTbeat, we don’t have to remember—it is brought to us.

  ARTbeat includes a variety of free information sources such as MedWatch, CDC Spotlights, and the Connections channel. In addition, users can subscribe to a number of premium channels including Drug News Weekly and DrugLink on an annual basis. Skyscape states that in the future it will add the highest quality sources of medical information as additional channels through ARTbeat. The initial ARTbeat channels are:

  MedWatch—Free—The Food and Drug Administration’s Safety Information and Adverse Event Reporting Program (Fig. 1)

  Fig. 1. MedWatch provides clinical information about safety issues involving medical products, including prescription and over-the-counter drugs, biologics, medical and radiation-emitting devices, and special nutritional products.

  Drug News Weekly—A weekly that features brief articles on the latest in critical drug information and news

  DrugLink—A monthly newsletter that provides abstracts of drug-related articles from various journals (Fig. 2)

  Fig. 2. Information in DrugLink is dynamically integrated via smARTlink with other Skyscape-powered channels and references and is updated whenever users synchronize their PDAs.

  CDC Spotlights—Free—A weekly update from the Centers for Disease Control (CDC) Web site (Fig. 3)

  Fig. 3. Drug News Weekly, a subscription ARTbeat channel, features brief articles on the latest drug news and information and is delivered weekly directly to the subscriber’s Pocket PC.

  Connections—Free—A newsletter channel that provides customers with Tips & Tricks, Store Specials, New Releases, Your Voice, Top Solutions, and In The News sections

  And how well does it work?

  While this information is helpful, it all boils down to: how well does it work?

  The answer is that it works very well indeed. Users can quickly install the software, and every time they synchronize their PDAs, ARTbeat automatically checks whether there is new information to download. Users can set the parameters for downloads—they can download selectively, or have the updates happen automatically. They can also purge older files, but I did not find this necessary since they take up very little space. (Users can have up to 100 cross-referencing medical information books on a Pocket PC. I currently have 54 references on my 512 MB Simpletech SD card, using about 250MB of that card, and very little internal memory.)

  The company also states that ARTbeat enables hospitals and other organizations to disseminate well-known medical journals, newsletters, FDA drug alerts, Web site content, and custom information to medical practitioners. I haven’t experienced it myself, but based on the way the existing newsletters are sent via the platform, it makes sense.

  Key benefits

  Seamless cross-referencing of dynamic information—the updated content was brought to me, I didn’t have to seek it out.

  Many references from important sources are available for free.

  Easy-to-use interface (it worked just like other powered-by-Skyscape references).

  Drawbacks

  This is the initial version of ARTbeat, but I would like to see expanded channel selection. Now that a PDA can provide me with dynamic medical information, I don’t want to have to sort through piles of old newsletters anymore. Based on what I have been told by Skyscape, I expect to see more channels in 2004.

  I would also like to see information more clearly flagged when new related information is available. For example, a drug should be flagged with a note when a new FDA alert has been issued about it. (Skyscape states that this new functionality is in the works and such enhancements will be seamlessly added to the user’s device.)

  Live updates are currently not possible without syncing the device to a PC with a live Internet connection. I would love to see the ability to update using a Pocket PC Phone Edition with a live Internet connection (such as the Samsung i700). With this addition, I could update my ARTbeat right before I treated any patient, and be assured that I had the very latest information at my fingertips. I am looking forward to seeing Skyscape discuss this implementation.

  As a full-time practicing physician, I find that the benefits of a program such as ARTbeat are impossible to measure. If it saves one life, or allows me to more safely and efficiently practice medicine, it’s priceless!

  For more information on ARTbeat and over 100 other medical and nursing titles, go to http://www.skyscape.com. You can also download ARTbeat for free at http://www.skyscape.com/artbeat.

  For excellent customer support on all Skyscape products, call 888-SKYSCAPE.

  * * *

  Edward M. Zabrek, M.D., F.A.C.O.G. is our staff medical writer, and a full time, practicing Ob-Gyn at Memorial City-Memorial Hermann Hospital in Houston, Texas, USA. He has an ambitious dream to “evolutionize” the practice of patient care with a Pocket PC. Ed may be reached at Ed@PocketPCmag.com.

  HIPAA and Mobility

  What the new regulations mean for the healthcare industry

  by Nathan Clevenger

  The Health Insurance Portability and Accountability Act (HIPAA) provides federal regulations regarding the privacy and security of patient data, as well as standardized formats for exchanging electronic information. Healthcare organizations were required to be in compliance on privacy regulations by April 2003 and must comply with common security rules by April 2005. These deadlines have been posing a unique challenge to the healthcare industry, in which unregulated PDAs are being used by doctors in great numbers.

  Although mobile computing technology has been adopted quickly in the healthcare industry, handheld devices have mostly remained personal devices, unsupported by the institutions. While most institutions have implemented only what is blatantly required, this mandatory technological revamp is the perfect opportunity to implement and deploy mobile solutions that can truly impact long-term efficiency, productivity, and the quality of the healthcare services they provide.

  High usage of PDAs in healthcare

  The Health Information Management Systems Society (HIMSS) recently published the results of a survey in which 72 percent of responding medical practices had at least one physician who had used mobile computing for business purposes. These numbers demonstrate a very high usage rate within the healthcare industry but, unlike most other enterprise technologies, PDAs have often been brought into the workplace by the workers themselves. This has allowed for a very widespread, rapid adoption of the technology, but has not allowed any time for the healthcare organizations to adjust. In the meantime, HIPAA compliance efforts have drained budgets and manpower that would normally be used to help with this adjustment. That has caused many organizations to simply ignore mobile computers for now. While that may be a legitimate option for some, the prevalence of the technology within their own organization requires that the issues created by PDAs are immediately addressed in order to comply with HIPAA privacy and security regulations.

  The PDA: a potential liability

  The basic problem is that if the device is personally owned by a physician who happens to take patient-related notes or dictation on the device, then the hospital has a potentially severe HIPAA liability. Because the device is personally owned by the physician, the hospital might not even be aware of how the physician is using his or her own device. Unfortunately, some organizations have gone so far as to ban mobile devices completely, but that prevents the use of many highly beneficial time-saving applications.

  Recommended strategies

  I recommend the following strategies to healthcare organizations and institutions:

  Centralized security and auditing policies for mobile and wireless devices should be implemented, possibly including such methods as power-on passwords, data storage encryption, data self-destruct mechanisms upon breach, and biometric fingerprint authentication mechanisms (Fig. 1).

  Fig. 1. Fingerprint identification for biometric authentication.

  Fig. 2. Procedure entry screen for health information system.

  Usage guidelines should be developed and issued that offer limitations on the type of functions that can be performed on the device, as well as on the type and format of any data stored on the device.

  Maintenance and support should be centrally offered for mobile and wireless hardware and software to prevent third-party access to handheld devices.

  Wireless networks should not be installed or maintained by anyone other than authorized IS personnel, and must at least offer authentication and encryption technologies.

  Procedures and mechanisms for reporting lost or stolen devices should be implemented, so that access from a stolen device to all wireless networks and databases can be blocked.

  Imagine the possibilities!

  As for specific applications, there are hundreds of ways that mobile computing can improve the capability, efficiency, profit, and quality of healthcare. Patient documentation systems, with integrated billing mechanisms and automated procedure/diagnosis code verification, can dramatically reduce unbilled services, documentation errors, and rebilling. Research and medical references can be contained locally or delivered wirelessly for always-available interactive content, and real-time health insurance eligibility inquiries can be made. From accessing drug-interaction databases to streaming real-time DICOM video, Pocket PCs can place an incredible amount of raw computing power in the hands of physicians.

  Overall, mobile technology such as Pocket PCs has incredible potential to enhance both the quality and profitability of healthcare services. If you’re in the industry, most likely mobile computing is already being used within your organization. Take advantage of it!

  * * *

  Nathan Clevenger has been developing for mobile computers since 1998. As President and CEO of Clevrware, Inc., he has brought his company to the forefront as one of the industry's leading consulting and development firms for Windows CE-based mobile computing solutions. His firm also operates HIPAA-PDA.com, a Web site offering privacy and security strategies for mobile computing in the health industry. His e-mail is nathan@clevrware.com.

  Closing the Back Door and Closing the Deal

  Ensuring the safety of both data and device

  by Tom Goodman

  Imagine a traveling sales manager sitting in a coffee shop or airport lounge using his PDA to update confidential prospect information just days before he’s set to close his biggest, most competitive deal ever. While this seems harmless enough—especially since his Fortune 1000 company gave him the device—he is potentially exposing this closely guarded intellectual property to his competitors, as well as to the garden-variety hacker.

  Of course, this doesn’t apply to the average PDA user, right? Wrong. You may not store sensitive data on your PDA, but the reality is that the handheld security issue is bigger than just your device. Handhelds usually connect to a network somewhere, somehow. Because they connect with that network behind the firewall, they can be used as entry points into corporate networks, making information theft and hacking a walk in the park. Sound far-fetched? That’s what many thought when security companies said laptops would be hit by viruses…

  While many companies have chosen to ignore the threats posed by unprotected enterprise handhelds, claiming that they’ll “get to it when it’s really an issue,” countless others wrongly believe that their existing network and wireless security infrastructure already address the challenges that these devices may create.

  The unfortunate reality is that any mobile security strategy will ultimately fail if it does not include the installation of security software on the handheld itself. By ignoring the handheld, organizations are leaving a back door to the enterprise wide open and giving hackers and competitors a tempting invitation to use either the device or the Internet to sneak a peek at top-secret information.

  For example: When that sales manager takes his PDA on the road and connects to his corporate network through a hotspot at the local coffee shop, the device becomes susceptible to a variety of threats and can be easily compromised—that’s strike one. However, an even greater danger exists when he returns the compromised device to its in-office cradle, because the handheld is recognized by the network as a trusted user and is given access to mission-critical information behind the firewall—strike two. Now, not only has our friend the sales manager lost his prospect sheet, but he’s given his competitor free access to his company’s entire database by circumventing network firewall protection—strike three, and you’re out.

  To make matters worse, a sophisticated hacker could enter a corporate network through the handheld and use it to plant a snooping program that would stream information back to the hacker undetected for an extended period of time. Scenarios like this make organizations using unsecured mobile devices even more vulnerable to information theft or the copying of proprietary data that could impact a company’s market performance—not to mention an individual’s job security.

  Closing the door

  Over the last year, mobile devices have become more popular targets for attack and corporate espionage. Traditional security products, such as laptop firewalls, will not be effective in defending the handheld because those products were not created to address the mobile platform’s unique size and design. Using a traditional security tool that has been ported to the mobile platform will likely drain the power from the device and the user’s productivity, thereby eliminating the benefits of mobile devices.

  To prevent the loss of confidential data and ensure privacy, organizations that empower employees to use mobile devices should implement device-side security measures to minimize corporate risk and close the back door.

  While attacks on mobile devices are not as widely publicized or as common as the viruses and worms that infiltrate network security defenses, they do exist and can be equally dangerous. In fact, while they are functionally rich, the open handheld operating systems are completely insecure, lacking even the most rudimentary security measures such as power-on password enforcement. This makes the devices relatively easy to penetrate.

  Depending on an organization’s appetite for risk and its mobile usage goals, a number of technologies exist to address mobile vulnerabilities and threats. For instance, if users will be able to access the Internet from public places such as hotspots, a device-level firewall should be used to protect the handheld (Fig. 1). If users are able to access both the Internet and corporate resources remotely, then a firewall and a virtual private network (VPN) are needed. By using a mobile usage strategy as the basis for choosing various combinations of security solutions, organizations can ensure that corporate information remains safe in the wireless environment.

  Fig. 1. Bluefire mobile firewall includes four built-in security levels.

  Use best practices and corporate goals to develop a policy

  After coming to an understanding of both the security vulnerabilities presented by wireless devices and an organization’s mobility needs and restrictions, a comprehensive mobile security policy should be developed to protect sensitive information on the handheld as well as resources housed on the corporate network.

  Now that you’re ready to craft a mobile security policy, be sure to follow industry best practices so that you can optimize your policy’s effectiveness. Ensure that the following issues are addressed in your mobile security policy:

  Corporate-owned technologies: This should include mobile device hardware, networking equipment (access points), and wireless applications.

  Privately owned hardware: Supporting mobile devices in the corporate environment will require policies that outline how to handle privately owned hardware versus corporate-owned hardware.

  Internet access: Using mobile devices to access the Internet and connect to the corporate infrastructure are key areas of concern. This includes allowing users to connect to the corporate infrastructure from a public access point (e.g., a hotel’s hotspot) or to connect from within the corporate infrastructure to the rest of the world. Since this is a remote connection, the same standard that would apply to any other type of user connecting remotely should apply to mobile devices.

  Information storage: This should include an analysis of what information is confidential and what data can and cannot be stored on a mobile device.

  Device safeguards: Mobile devices are vulnerable to outside attacks, theft, damage, and loss. Accordingly, an organization should implement the same type of security strategy that it would for any other type of computing platform on the network: strong passwords, protection from outside attacks, and security for file attributes and directory-level settings and encryption. A good information-security process is implemented in layers, affording the maximum level of protection while still supporting the needs of the mobile work force.

 
