While tablets and smart phones create unprecedented opportunities for radiologists to connect with their colleagues and patients, mobile IT also raises a number of questions, especially regarding its safety. A panel of experts is tackling these issues in a dedicated refresher course during the European Congress of Radiology. More and more radiologists are succumbing to the charms of mobile devices. Apps like Osirix make it possible to review cases at home, prepare slides, give a conference, and, increasingly, communicate with other physicians. Mobile tools may also improve communication with the patient, and a number of institutions are already enabling patients to access their images online, or to discuss their record with physicians during teleconferences. However, in the absence of clear regulation on the topic, a hefty question has been on everyone’s lips for some time: with mobile IT, how safe is our data?
Hospitals are increasingly a target for hackers. A large number of cases were reported in which cardiac devices, or parameters of a CT examination, had been manipulated at a distance (ref: http://www.wired.com/2014/04/hospital-equipment-vulnerable/). Data security is simply insufficient in healthcare facilities, according to Erik Ranschaert, radiologist at the Jeroen Bosch Ziekenhuis teaching Hospital in ‘s-Hertogenbosch, the Netherlands, a speaker during the course. ‘Hospitals will have to change their security protection. Hackers are targeting systems that store personal information in electronic medical records,’ he said. ‘In the United States alone, there has been a 600% increase in attacks on hospitals in 2014, according to a report published by security firm Websense (ref: http://www.cnbc.com/id/102030232).’
With mobile devices, patient data are being transported outside the hospital, so the risk of leaking data is multiplied exponentially. There is currently no firewall to protect data on a tablet – just a login and a password. One can certainly remotely cancel access to an iPad, but there is no 100% certified protection for data. What happens if they are stolen? ‘Imagine you are treating Barack Obama and you have, on your tablet, the images of his colonoscopy that you performed a day earlier. Now, suppose the results show he has cancer, and suppose you lose your tablet during a flight. What happens next? You risk having these images exposed to the whole world before even discussing them with your patient,’ said Emmanuele Neri, associate professor of radiology at the University of Pisa, Italy, and Chair of the ECR course.
To make matters worse, most hospital managers are still unaware of those risks. They also do not realise that data can be lost or damaged during transmission from one device to another, according to Neri. Stakes are high because valuable personal information can be used for commercial purposes; knowing which medication a patient uses offers a unique opportunity to advertise products – just like Facebook already does using your own data. The medico-legal loophole concerning the issue only exacerbates the risks. ‘I suspect there will be a great business around data selling. It may even be the biggest business of our century. I expect there will soon be a policy to protect data security. However, I don’t think there will be one regarding privacy so soon. How we will manage these issues in the future is a big issue, because our data are already everywhere,’ Neri pointed out.
The European Union is addressing the issue but its resolutions may come too late. The Horizon 2020 research programme plans to offer solutions to security and privacy… by 2020. In the meantime, hospitals can defend their systems by making sure tablets and smartphones are used in a protected environment. Raising the level of protection of an IT system against hackers is of course mandatory, but it is not the only way, Ranschaert explained. ‘One could also develop solutions to deliver access only after identification, or force data to remain within safe containers and make sure it cannot be downloaded or accessible by private apps – e.g. for image or photo sharing. Furthermore, one should be able to remotely wipe the data, and the hospital’s policy should be adapted to usage of social media within the facilities. For instance, Breda hospital in the Netherlands forbids everyone to take pictures in the hospital with mobile devices,’ he said.
Training personnel and radiologists on how to use mobile devices and social media safely is key to improving safety. Part of healthcare will soon become mHealth, so physicians and providers should get ready for the switch. ‘We shouldn’t try to avoid it; the ostrich strategy will not pay off. We have to think how we can use mobile IT for the mutual benefit of our patients and ourselves. There are advantages in using these tools to facilitate our services and improve education but,’ Ranschaert concluded, ‘we have to be aware of the risks, too.’