New system addresses portable security concerns

August 19, 2002

While the healthcare industry makes major HIPAA-era efforts to begin securing private patient information, relatively little attention focuses on the physical security of the computers that store the data.

Physicians' laptops, tablets, and palm devices capable of carrying digital images and patient data are particularly vulnerable to theft, greatly increasing the likelihood of exposing sensitive files. Missing laptops are already a concern for government agencies that deal with national security documents, and they may soon become a routine worry for healthcare privacy administrators as well.

Engineers at the University of Michigan have developed a security framework for mobile computing devices that automatically encrypts sensitive information when owners stray too far from their machines, or vice versa. Called ZIA, for Zero-Interaction Authentication, the system could help protect sensitive documents, including medical images and records, from falling into the wrong hands.

Healthcare seems a natural application for ZIA. In fact, the project was born from a collaboration with some physicians in the internal medicine department of the University of Michigan health system.

"We think that handheld devices with medical records are an obvious application of this technology, especially in light of the upcoming HIPAA restrictions on disclosure," said Brian Noble, Ph.D., an assistant professor of electrical engineering and computer science at Michigan.

Current methods that force users to frequently reestablish their identity can be tedious and intrusive, inspiring users to circumvent or disable authentication and encryption entirely.

"Usually, users must identify themselves to their computer at regular intervals and then, if desired, actively tell it when to decrypt or encrypt documents," Noble said. "People who find this process overly burdensome often disable the security measures intended to protect their data."

At other times, users merely leave devices unattended, as when physicians walk away from their PDAs or leave retrieved images posted on a monitor.

ZIA overcomes these problems by reducing the amount of participation required from the user. ZIA automatically manages the identification and authentication process with the laptop via an "authentication token" worn by the user. The token, which could take the form of a wristwatch, lapel pin, or name badge, continuously communicates with the laptop via a wireless link. As long as the token is present in the immediate vicinity, the computer functions normally. But when the user and token wander away from the machine, the laptop automatically encrypts all of its data.

"When users walk away from their laptop to get a cup of coffee, ZIA senses them leaving and begins securing the computer," Noble said. "As soon as the user returns within radio range, ZIA begins unlocking the computer so that it is ready to resume work when the user sits down."
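The walk-away and return behaviour described above can be sketched as a small simulation. This is an added example, not code from the article or from the ZIA project. The HMAC challenge-response, the shared key, the 2-second timeout and all class and function names are assumptions, and the `locked` flag stands in for the data actually being encrypted.

```python
import hashlib
import hmac
import os

class Token:
    """Worn token (simulated): proves presence by MACing a fresh nonce."""
    def __init__(self, key):
        self._key = key

    def respond(self, nonce):
        return hmac.new(self._key, nonce, hashlib.sha256).digest()

class Laptop:
    """Polls the token; `locked` stands in for 'data is encrypted'."""
    def __init__(self, key, timeout=2.0):  # timeout in seconds, assumed value
        self._key, self.timeout = key, timeout
        self.locked, self._last_ok, self._nonce = True, None, None

    def challenge(self):
        self._nonce = os.urandom(16)  # fresh per poll, so old replies cannot be replayed
        return self._nonce

    def receive(self, reply, now):
        nonce, self._nonce = self._nonce, None  # each nonce is single-use
        if nonce is None or reply is None:
            return False
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, reply):
            return False
        self._last_ok, self.locked = now, False  # token verified: unlock
        return True

    def tick(self, now):
        # No verified reply within the timeout: secure the machine.
        if not self.locked and now - self._last_ok > self.timeout:
            self.locked = True
        return self.locked

def simulate(in_range, timeout=2.0):
    """in_range: constructed sample, one bool per second (token reachable?)."""
    key = os.urandom(32)  # shared secret provisioned to both devices (assumption)
    token, laptop = Token(key), Laptop(key, timeout)
    states = []
    for t, near in enumerate(in_range):
        nonce = laptop.challenge()
        laptop.receive(token.respond(nonce) if near else None, float(t))
        states.append(laptop.tick(float(t)))
    return states

if __name__ == "__main__":
    # Constructed trace: user present 2 s, away 4 s, then back.
    print(simulate([True, True, False, False, False, False, True]))
```

The timeout trades convenience against exposure: a short value locks quickly after the user leaves but also locks on brief radio dropouts.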