Tech Update
Tight security protects patient data
By Lauren Gibbons Paul
February 25, 2002

Security was a critical issue for Moses Cone Health Systems' clinical data system, which makes extensive use of PDAs. The entire healthcare industry is living under the specter of the sweeping Health Insurance Portability and Accountability Act of 1996 (HIPAA), which will go into full effect in 2003. HIPAA contains stringent provisions for the security and privacy of patient data. Any system that Moses Cone chose to implement would have to comply with HIPAA regulations as they exist today; the regulations are still in development.

MercuryMD's MData Enterprise System complies with all of the existing regulations. "We set the bar well above the proposed security regulations," says B.J. Lawson, chief technology officer for MercuryMD in Durham, N.C. The system includes many layers of security.

First, all data flowing between hospital information systems and the MData system--and from the MData system to the handheld devices--is protected by 128-bit encryption. Once the user is authenticated on the system, data is automatically encrypted on the server for display on the PDA, and it is stored on the device in encrypted form. No user interaction is required to launch the encryption process. "The Palm may not be the Ferrari of security devices but it does support robust encryption," says Lawson.

Second, there is both user-level and device-level authentication. Each doctor registers his personal PDA, and the system assigns a login ID to that device. Although it is possible for multiple devices to use the same login, the system discourages this practice by slowing down the synchronization process if it detects that a different device is syncing against the server with the same login. The system detects this based on checksums assigned to the individual databases on the PDA.

A doctor must enter a randomly generated personal identification number as well as the medical record number for the patient before the system will download the relevant data. The doctor has three tries to enter the correct PIN; after three failed attempts, the system purges all data on the device. Also, if the data on a doctor's PDA is not synchronized for seven days, all of the data is automatically deleted.
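The three device-side and server-side controls described above (the PIN lockout that purges the device after three failures, the seven-day synchronization timeout, and the per-device database checksum that slows a foreign device's sync) can be modelled in a few dozen lines. The following Python is an added example written for this page; it is hypothetical code, not the MData system's own implementation. The class names, the 30-second slowdown, the six-digit PIN length and the use of a SHA-256 digest for the stored PIN are assumptions; the three-attempt and seven-day limits come from the article.

```python
"""Toy model of the handheld data-protection policy described in the article.
Hypothetical example code; all names and non-article values are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import hmac
import secrets

MAX_PIN_ATTEMPTS = 3               # from the article: three tries, then purge
MAX_SYNC_AGE = timedelta(days=7)   # from the article: seven days unsynced, then purge
FOREIGN_DEVICE_DELAY = 30.0        # assumed slowdown (seconds) for a non-registered device


def generate_pin(digits: int = 6) -> str:
    """Randomly generated PIN, as the article describes (six digits is an assumption)."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def pin_digest(pin: str) -> bytes:
    """Only a digest of the PIN is kept on the device, never the PIN itself."""
    return hashlib.sha256(pin.encode()).digest()


@dataclass
class Handheld:
    login_id: str
    db_checksum: str                 # checksum of the device-local database
    pin_hash: bytes
    last_sync: datetime
    records: dict = field(default_factory=dict)   # patient MRN -> encrypted record blob
    failed_attempts: int = 0

    def purge(self) -> None:
        """Wipe all patient data from the device."""
        self.records.clear()

    def enforce_sync_age(self, now: datetime) -> bool:
        """Purge if the device has not synchronized within MAX_SYNC_AGE; True if purged."""
        if now - self.last_sync > MAX_SYNC_AGE:
            self.purge()
            return True
        return False

    def open_record(self, pin: str, mrn: str, now: datetime):
        """Return the record for `mrn` after a correct PIN, else None.
        The third consecutive wrong PIN purges the device."""
        if self.enforce_sync_age(now):
            return None
        if not hmac.compare_digest(pin_digest(pin), self.pin_hash):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_PIN_ATTEMPTS:
                self.purge()
            return None
        self.failed_attempts = 0
        return self.records.get(mrn)


class SyncServer:
    """Remembers which device database checksum was registered for each login ID."""

    def __init__(self) -> None:
        self._registered = {}   # login_id -> db_checksum

    def register(self, login_id: str, db_checksum: str) -> None:
        self._registered[login_id] = db_checksum

    def sync_delay(self, login_id: str, db_checksum: str) -> float:
        """Seconds the sync is delayed: 0 for the registered device, a penalty otherwise."""
        if self._registered.get(login_id) == db_checksum:
            return 0.0
        return FOREIGN_DEVICE_DELAY


def run_scenario() -> dict:
    """Constructed walk-through of all three controls; returns the observed outcomes."""
    t0 = datetime(2002, 2, 25, 9, 0)
    pin = "482913"                    # constructed; a deployment would use generate_pin()
    server = SyncServer()
    server.register("dr-jones", "cs-A")
    dev = Handheld("dr-jones", "cs-A", pin_digest(pin), t0, {"MRN-001": b"<ciphertext>"})

    out = {}
    out["two_wrong_pins_keep_data"] = (
        dev.open_record("000000", "MRN-001", t0) is None
        and dev.open_record("111111", "MRN-001", t0) is None
        and bool(dev.records)
    )
    out["correct_pin_returns_record"] = dev.open_record(pin, "MRN-001", t0) == b"<ciphertext>"
    out["counter_resets_after_success"] = dev.failed_attempts == 0
    for bad in ("000000", "111111", "222222"):
        dev.open_record(bad, "MRN-001", t0)
    out["third_failure_purges"] = dev.records == {}

    stale = Handheld("dr-jones", "cs-A", pin_digest(pin), t0, {"MRN-002": b"<ciphertext>"})
    out["stale_device_purged"] = stale.enforce_sync_age(t0 + timedelta(days=8)) and stale.records == {}
    fresh = Handheld("dr-jones", "cs-A", pin_digest(pin), t0, {"MRN-003": b"<ciphertext>"})
    out["fresh_device_kept"] = not fresh.enforce_sync_age(t0 + timedelta(days=6)) and bool(fresh.records)

    out["registered_device_not_delayed"] = server.sync_delay("dr-jones", "cs-A") == 0.0
    out["foreign_device_delayed"] = server.sync_delay("dr-jones", "cs-B") == FOREIGN_DEVICE_DELAY
    return out


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

The purge is deliberately tied to a counter that only resets on a successful unlock, so partial guesses cannot be spread across sessions, and the sync-age check runs before the PIN check so a device that has been out of contact for more than a week gives up its data even to the correct PIN. The checksum check is a deterrent rather than a hard block, matching the article's description of a slowed rather than refused sync.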
