This is a guest post by Jyotin Gambhir, of SecureFLO, based in Arlington, Massachusetts.
Security is a crucial topic of conversation when discussing picture archiving and communication system (PACS) options. Image-based medical records are not only considered sensitive information that requires special handling, they also hold value from a cyber security perspective, as hackers and other threat actors seek to obtain secure medical information.
Given that these concerns can translate into significant regulatory, business and legal problems for health care facilities, security around PACS and medical image sharing is a critical conversation to have - but where should you start?
Defining Security Across the Image Lifecycle
Before you and your staff can dive into medical image sharing security, your clinicians and imaging technicians need to be familiar with the lifecycle surrounding medical imaging, which typically progresses as follows:
- Image capture
- Diagnostic use
- Sharing and collaboration
When something is defined as sensitive data, it becomes critical for administrators and medical professionals to secure the lifecycle of the data. From capture to storage, each stage of the medical image lifecycle poses new security concerns. Medical professionals must be sure to view images only on secure devices and to follow IT security policies, such as changing their password at regular intervals.
In addition, they should have software installed to protect against malware and viruses, and they should clear their browser cache often. Also, those working with protected health information (PHI) should be sure to use a secure method for sharing images and collaborating on studies, such as a purpose-built cloud PACS rather than a file-sharing service like Dropbox or using email, both of which can leave your data exposed.
When it comes to storage, standards in many regions dictate a seven-year retention requirement for medical images. After those seven years, health care organizations can keep the records but are often not required to by regulations. That said, many health care providers choose to hold onto medical data for a longer period of time, and in some cases indefinitely, as the medical images may prove to be valuable as comparison data down the road.
For these reasons, it is important to ensure that you have a long-term, secure image storage solution in place, such as a cloud PACS that meets industry security standards.
The Cloud and Data Security
The cloud is a platform that allows your data to be stored and managed outside of your local enterprise. As such, patients and professionals alike trust that cloud vendors implement certain security standards and protocols. Unfortunately, many do not.
Security specialists ask that people who use the cloud to store and manage data confirm that the vendor abides by certain safety standards. These measures may include data center security and monitoring; redundancy of key supply components such as power, internet, heating and cooling; multiple data center locations with fail-over capacity; and top-notch server security practices to mitigate the risk of a cyber attack.
You should ask your vendor to furnish you a copy of the security protocols they follow and they should be willing to answer any and all questions on the topic to your satisfaction. When your cloud vendor follows standards of good security practices, you will be able to sleep easier knowing that your data is protected and in good hands.
Mobile Security for Data and Images
A cloud-based PACS solution allows users to access medical imaging on any device, rather than with a specific application on a specific desktop computer. That mobility, however, comes with security challenges.
First, be sure that you use a cloud PACS that streams medical imaging data in the browser or app rather than downloading it to your device. Downloading PHI to your laptop or phone can pose serious security risks if your device were to be lost or stolen. That said, if you are storing PHI on your laptop or mobile appliance, be sure to password protect your devices with strong passwords and two-factor identification if possible. Many devices also offer the functionality to encrypt your hard drive so in the event it is stolen, the data cannot be deciphered.
You should also clear out saved login and password information to any web portals for your cloud PACS to ensure unintended users do not gain access if your device goes missing. Additionally, be sure that your vendor sets your account to auto logout after a certain amount of idle time in a session. It is also important to ensure that you are accessing the internet through a secure network.
From a mobile perspective, a health care entity should follow some form of data security standards. Those standards must be set by either the institution or by whoever is granting access to a particular image. If it's a personal device that's being used, the person using it must consent to those policies and be monitored.
What's more, although users don't typically download images from a cloud-based PACS unless they request it, the image can be cached in the browser. In such cases, users must be sure to clear their cache regularly, or even after every session if they're using a shared or unsecured device.
How HIPAA Compliance Factors Into Security
When health care vendors handle electronic protected health information (ePHI) in the United States, they must be compliant with federal HIPAA regulations.
However, there are also state mandates to comply with at the same time. What's more, companies must consider legal, regulatory and compliance risks to ensure they're not going against relevant regulations and continue managing risks accordingly. It is always prudent to check with your legal counsel to determine exactly what the regulatory requirements are in your given region.
Your Patients Trust You - Don't Let It Be Misguided
Patients giving up their personal information are trusting that it will be kept secure by their health care professionals. As such, clinicians must understand how they are storing and sharing information, who has access, and whether or not third-party vendors are following appropriate security protocols.
Health care professionals must be sure to remain compliant with federal and state regulations regarding data security and incorporate best practices into their data management practices.