Tight security protects patient data
MercuryMD's MData Enterprise System complies with all of the existing regulations. "We set the bar well above the proposed security regulations," says B.J. Lawson, chief technology officer for MercuryMD in Durham, N.C. The system includes many layers of security.
First, all data flowing between hospital information systems and the MData system--and from the MData system to the handheld devices--is protected by 128-bit encryption. Once the user is authenticated on the system, data is automatically encrypted on the server for display on the PDA and encrypted data is stored on the device. No user interaction is required to launch the encryption process. "The Palm may not be the Ferrari of security devices but it does support robust encryption," says Lawson.
Second, there is both user-level and device-level authentication. Each doctor registers his personal PDA and the system assigns a login ID to that device. Although it is possible for multiple devices to use the same login, the system discourages this practice by slowing down the synchronization process if it detects a different device is syncing against the server using the same login. The system detects this based on checksums assigned to the individual databases on the PDA.
A doctor must enter a randomly generated personal identification number as well as the medical record number for the patient before the system will download the relevant data. The doctor has three tries to enter the correct PIN; after three failed attempts, the system purges all data on the device. Also, if the data on a doctor's PDA is not synchronized for seven days, all of the data is automatically deleted.