Safe in the Palm (Pilot) of Your Hand?
By Cheryl Seaman and Kevin Haney
If you're one of the many people who use a portable communication system (laptop, Palm Pilot, Pocket PC, Blackberry or other PDA, or personal digital assistant), you better be prepared to lose it, and the information in it. For while the new technology is great (the size, convenience, portability and amount of information you can store are phenomenal), so are the inherent security risks. If you use portable communication systems to conduct government business, certain rules apply; you are obliged to protect them, and more importantly, the information they contain.
PDAs have become an invaluable tool for remotely getting email, maintaining calendars, to-do lists and address books, and taking notes; however, they also present several security threats. They've fueled a blurring of the partition between work and personal information because people use them to do their jobs as well as to record a trove of personal information. They often contain identification information, birth dates, personal preferences, Internet addresses, even passwords, and commonly contain confidential/sensitive information.
Apply the same safeguards you use to secure your desktop, and be particularly careful when storing sensitive information (patient and/or research data, security information, personnel information or information subject to the Privacy Act) on portable systems. If you are remotely accessing NIH IT resources, all requirements of the NIH remote access policy apply. This guidance is found at http://irm.cit.nih.gov/security/GuixSecuData.html.
Guard Against Theft: Think of portable devices as cash and don't tempt people. Easily stolen and concealed, these items are targets. If traveling, consider storing these devices where a thief would not look, for example in a sports bag rather than a computer bag.
Keep the Data Safe: Your first defense is a strong password. If the device came with a default password, change it immediately. Never store passwords, especially on a PDA. Sensitive information should be stored encrypted, and if you use a laptop, never save sensitive data on the hard drive. It's a good practice to store data disks separate from the laptop.
Because you can give and receive viruses each time you hook up to the network (or transfer data through an infrared port), make sure you have up-to-date anti-virus software. As with PCs, beware of downloading freeware or shareware software from untrusted sources. They may contain viruses or other malicious code.
Check out the security features on your portable device and enable them (using "private" or "hide" features). Eventually, vendors will add biometric safeguards, like a fingerprint reader.
Provide some contact information at the login prompt so that an honest person could return the device to you, its rightful owner.
Be Careful when Synchronizing PDAs with PCs: It's wise not to leave your PDA in its cradle connected to your PC because someone could enter your office and replace the PDA with their own. They could start sending inappropriate email (with you as the sender), and they could download information from your computer. A screen saver password on your PC is advisable. If you synchronize your PDA with your home computer, you need to be careful that sensitive government information is not being downloaded. Palm Pilot, Version 7, includes a modem and, when placed in a cradle attached to a PC connected to NIHnet, literally establishes an unprotected back door into NIH networks.
Back up Important Information: Should you lose your portable device, a recent back-up of the information will help allay that feeling of sickening panic.
Wireless Communication Isn't Secure: Despite the advances in available encryption technology, secure wireless transmission of sensitive information cannot be assured.
Check with your local IT staff or information system security officer if you need help securing your portable device. The ISSO roster is found at http://irm.cit.nih.gov/nihsecurity/scroster.html.