Interface Online Center for Information Technology (CIT)

March 4, 2002 [Number 222]

Safe in the Palm (Pilot) of Your Hand—Advice on Securing Portable Systems

If you’re one of the many people who use a portable communication system—laptop, Palm Pilot, Pocket PC, BlackBerry or other PDA (personal digital assistant)—you had better be prepared to lose it, and the information in it. While the size, convenience, portability and storage capacity of PDAs are phenomenal, the technology is new and has major inherent security risks. If you use portable communication systems to conduct government business, certain rules apply; you are obliged to protect them, and more importantly, the information they contain.

PDAs have become an invaluable tool for remotely getting email, maintaining a calendar, to-do lists, and address books, and for taking notes; however, they also present several security threats. They have blurred the partition between work and personal information because people use them to do their jobs as well as to record a trove of personal information. They often contain identification information, birth dates, personal preferences, Internet addresses, even passwords, and commonly contain confidential/sensitive information.

Apply the same safeguards you use to secure your desktop system, and be particularly careful when storing sensitive information (patient and/or research data, security information, personnel information or information subject to the Privacy Act) on portable systems. If you are remotely accessing NIH IT resources, all requirements of the NIH remote access policy apply. This guidance is found online.

Guard Against Theft

Think of portable devices as cash—don’t tempt people. Easily stolen and concealed, these items are targets. If traveling, consider storing these devices where a thief would not look, for example in a sports bag rather than a computer bag.

Keep the Data Safe

Your first defense is a strong password. If the device came with a default password, change it immediately. Never store passwords—especially on a PDA. Sensitive information should be stored encrypted, and if you use a laptop, never save sensitive data on the hard drive. It’s a good practice to store data disks apart from the laptop.

Because you can give and receive viruses each time you connect to the network (or transfer data through an infrared port), make sure you have up-to-date anti-virus software, and be careful with whom you exchange data. As with PCs, beware of downloading freeware or shareware from untrusted sources, since it may contain viruses or other malicious code.

Check out the security features on your portable device and enable them (using "private" or "hide" features). Third-party vendors have already developed PDA biometric safeguards, like a fingerprint reader, and a variety of encryption password technologies exist. However, while the information is encrypted or marked "private" on the handheld, it may not be encrypted on the desktop unless additional software is used. Opening the database for the address book, memo pad, or other files in the Palm directory with Notepad can allow a person to display and copy the contents of these files. This is of particular concern if you lose your PDA, or synchronize your PDA to a laptop that is stolen or lost. Provide some contact information at the login prompt so that an honest person could return a lost device to you.

Be Careful when Synchronizing PDAs with PCs

It’s wise not to leave your PDA in its cradle connected to your PC because someone could enter your office and replace the PDA with their own. They could start sending inappropriate email (with you as the sender), and they could download information from your computer. A screen saver password on your PC is advisable. If you synchronize your PDA with your home computer, you need to be careful that sensitive government information is not being transferred between the two. The Palm VII and VIIx include a wireless modem that—when placed in a cradle on a PC connected to NIHnet—literally establishes an unprotected back door into NIH networks. The same issue applies to standard dialup modems that are used with PDAs.

Back Up Important Information

Should you lose your portable device, a recent backup of the information will help allay that feeling of panic. However, be aware that a backup of a device may not always back up third-party applications installed on your PDA. Consider using products like BackupBuddy (from Bluenomad) or backing up your PDA to a secure digital/multimedia card, compact flash or memory stick device; these are available for most recent hardware releases from virtually all PDA manufacturers.

Understand Wireless Communication

It is essential to understand how your device communicates to the outside world. While "syncing" is a way that information is exchanged, actual wireless communication (where information is transferred without physical connections) must be highly secured.

Two types of wireless communication particularly relevant to the use of handheld devices include:

  • Personal Area Networking (PAN)
    Infrared or Bluetooth technologies are cable replacement tools that allow you to synchronize information in close proximity. Bluetooth allows you to automatically update your cell phone’s address book by placing it next to your computer. However, there are no security measures in this type of wireless networking. The National Security Agency (NSA) advises that Bluetooth should be turned off on every device that comes in contact with Federal data. In addition, remember that the infrared communications port on your PDA is also a route for virus transmission or the transfer or capture of malicious code or sensitive data.

    Always practice "safe beaming." If you beam someone information, be it an address or a document file, there is nothing to prevent someone else from intercepting the data if they are within range. And just like opening your e-mail on your desktop, be careful and make sure you know the person from whom you are accepting information—this becomes even more of a necessity with Bluetooth, and other wireless-enabled devices like mobile phones, if no encryption/security is present. As mobile devices proliferate, the virus threat to them will be on the increase.

  • Wireless Wide Area Networking (WWAN)
    This refers to the cellular technologies that people have been using for cell phones and pagers. It allows users to travel between buildings—even across the globe—and still have access to their information. Devices like Palms and PocketPCs allow users to add software for secured wireless communication, and some of the newest devices, like the Palm i705 and PocketPC 2002, have built-in encryption.

    The Federal government has certified the BlackBerry device as providing secure wireless communication. NSA has certified it for all non-secret data transmission, and the Food and Drug Administration, which deals in proprietary and highly confidential data, has approved it for use in all situations where wireless technology is needed.

It is always important to add device-level security as well as wireless security. This is the only way you can truly achieve end-to-end security.

Remember These Things

  • Understand how your portable system functions—including security features and communication services.
  • Use the device in accordance with NIH policies and guidance—in particular, password protection, anti-virus software and encryption.
  • Protect the device from theft or unauthorized disclosure.
  • Exercise good common sense.

Check with your local IT staff or information system security officer if you need help securing your portable device. The ISSO roster is on the Web.

 
Published by Center for Information Technology, National Institutes of Health