Assessing Mobile Technologies in Child Protective Services (2008-2009)



Overall Deployment and Security Considerations

Security

Much of the data caseworkers collect must remain confidential. Security provisions for older paper-based systems are not adequate for digital technologies. Security measures exist on several levels, namely data security in repositories or networks, security of data transmission, and security of data in portable devices. The following is a brief overview of the security concerns for each district using these categories.

The security concerns associated with the voice recognition software were related to the devices needed to make the technology portable (a digital recorder or a laptop). Existing security technologies are not capable of securing the data on the digital recorder or digital pens. If such devices are used to store identifying information (names, addresses, social security numbers, etc.), the data is subject to loss or theft. When digital recorders or digital pens are connected to a PC for downloading, however, those PCs are parts of networks that may be vulnerable. Data can be encrypted on the PC, but not on the other portable devices. Allowing work with these devices at home increases all of these risks, particularly if workers use their home PCs for part of the process. The integrity and security of those home PCs are virtually impossible to ensure or maintain.

All three security concerns are applicable to working with connected laptops. The laptops that were deployed during the pilot were capable of connecting to the Internet and public networks. The data was secured on the laptops by requiring caseworkers to have a series of logins and passwords. The data connections were secured by use of Secure Sockets Layer (SSL), a commonly used protocol for managing the security of data transmission over a network. While several measures were taken to secure the storage and transmission of data, the existing infrastructure did not secure the devices themselves. The hard drives of the laptops used during the pilot were not encrypted, and the laptops did not have a central “kill switch” that could be triggered in the event that a laptop was lost or stolen.

The security concerns with the third-party transcription service provider were different from those of the other technologies. Data was transmitted in two different phases. The first was when the caseworker called into the system, and the second was when the caseworker retrieved the typed progress notes from the Web site. Caseworkers reported being very careful of their surroundings when calling in their progress notes to ensure privacy of the data. There were virtually no security concerns related to the transmission of data over the cellular provider’s network, and no confidential data are stored on the phone. Initially there were concerns about how the digitized notes on the service provider’s servers were encrypted, how they were secured, and what the login protocol was for retrieving the digitized notes from the Web site. In the end, all involved parties reviewed the service provider’s policies and accepted the security measures taken. Finally, caseworkers accessed the typed progress notes from the service provider’s Web site using their desktop computers in the office (which had basic security measures such as password protection and SSL communications), and copied and pasted them into CONNECTIONS. However, workers could also access the service provider’s database from their home PCs, opening a wide range of security risks such as storing sensitive information on a non-agency device. This still needs further investigation.