It is one thing to be able to read and understand the upcoming Health Insurance Portability and Accountability Act (HIPAA), but it is quite another to be able to interpret the rule and apply it to the daily operation of an imaging department or clinic. First of all, there seems to be a consensus that the rule with regard to security and privacy makes sense from the perspectives of logic and ethics. Most people would agree that publicizing a patient’s mammogram, clearly indicating an implant or a microcalcification or mass, is a violation of privacy. Publicizing personally identifiable health information does not imply the use of consumer media, but refers rather to exposure on a light box or workstation that is clearly visible to any unauthorized passerby.
The challenge is to determine how many restrictions to implement before those measures start to negatively impact the efficiency and effectiveness of health care delivery. The problem is that technology has not really kept up with these requirements. Try timing the number of seconds, or worse, even minutes, that it takes between entering a password and having the desired application available on the computer screen. Perhaps the old character-based terminals that connected to a mainframe (remember those?) were not so bad: they delivered an immediate response after authorization. Technology is available that could be applied from other areas. A good example is the proximity tag that some gas vendors use at the pump; it is necessary only to wave a card in front of the pump before access is granted. Automatic log-on and, maybe more important, automatic log-off triggered by the carrier of a tag getting close to a workstation are technically feasible, but I have not seen any imaging vendor implementing this type of innovative approach.
Auditing and Limiting Access
What could be the potential impact from HIPAA on an imaging department? This depends on the extent of the image distribution. Imagine the impact on a CT scanner. A technologist signs on in the morning with her own password. The acquisition screen with the displayed images is always hidden from the patient. The films are either locally printed and hung on an alternator in radiology or sent in soft copy to a workstation also in radiology. The radiology department is protected with a lock; one needs a pass to enter it. The CT images are backed up on a magneto-optical (MOD) disk and stored in a locked cabinet next to the CT scanner. The images are sent to the workstation on a private local area network.
This may sound fairly secure and in fact goes a long way toward HIPAA compliance. However, there are still a couple of issues to be addressed. HIPAA requires audit trails detailing exactly who accessed the information and when it was accessed. Physical access protection is a HIPAA requirement. Look around any department, and there are likely to be wall connectors in almost every room. What would happen if someone connected an Ethernet cable with a network card? There is a good chance that they could access the CT scanner’s database and pull from it any desired image. Another major area of concern is remote access for the purpose of servicing equipment. Several institutions have taken steps to prohibit the connection of a public phone line to imaging devices. A person who knew the number used would have access via the public phone system to the complete image database. A special task force from the National Electrical Manufacturers Association is currently reviewing this issue. Even if service engineers get access only after the proper (digital) authorization, HIPAA prohibits pulling over images without anonymizing them first.
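The audit-trail requirement above (who accessed which study, and when) and the "stray wall connector" concern can be illustrated with a small access log. The following is an added example written for this page, not code from the article or from any imaging vendor; the user names, workstation names, patient IDs and study UIDs are constructed. Each log entry carries the SHA-256 digest of the previous entry, so a record that is later altered or deleted breaks the chain, and a second function lists accesses that did not come from a known radiology workstation.

```python
"""Tamper-evident audit trail for image access (added example, hypothetical names)."""
import hashlib
import json
from datetime import datetime, timezone


class AuditTrail:
    """Append-only log of image accesses.

    Every entry stores the digest of the entry before it, so verify() can
    detect an entry that was edited or removed after the fact.
    """

    GENESIS = "0" * 64  # digest used as the 'previous' link of the first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        # Canonical JSON so the same fields always hash to the same value
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user, patient_id, study_uid, action, workstation, when):
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        body = {
            "ts": when.isoformat(),
            "user": user,
            "patient_id": patient_id,
            "study_uid": study_uid,
            "action": action,
            "workstation": workstation,
            "prev": prev,
        }
        body["digest"] = self._digest(body)
        self.entries.append(body)

    def verify(self):
        """Return True only if every entry's digest and back-link are intact."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "digest"}
            if self._digest(body) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True

    def accesses_for_patient(self, patient_id):
        """The 'who and when' HIPAA asks for, for one patient."""
        return [(e["ts"], e["user"], e["action"], e["workstation"])
                for e in self.entries if e["patient_id"] == patient_id]


def flag_unexpected_workstations(trail, allowed_workstations):
    """Entries that came from a host outside the department's known list,
    e.g. a network card plugged into an unused wall connector."""
    return [e for e in trail.entries if e["workstation"] not in allowed_workstations]


def build_sample_trail():
    """Constructed sample data: one acquisition, one read, one odd access."""
    trail = AuditTrail()
    t0 = datetime(2001, 6, 4, 8, 15, tzinfo=timezone.utc)
    trail.record("tech.jones", "P-1001", "1.2.840.99999.1", "acquire", "CT1-CONSOLE", t0)
    trail.record("dr.smith", "P-1001", "1.2.840.99999.1", "view", "RAD-WS-01",
                 t0.replace(hour=9))
    trail.record("unknown", "P-1002", "1.2.840.99999.2", "view", "HALLWAY-JACK-3B",
                 t0.replace(hour=23))
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain intact:", trail.verify())
    print("P-1001 accesses:", trail.accesses_for_patient("P-1001"))
    print("unexpected:", flag_unexpected_workstations(trail, {"CT1-CONSOLE", "RAD-WS-01"}))
```

The chain only makes tampering detectable; it does not stop it. In practice the digest of the latest entry would be copied periodically to a system the local administrators cannot write to, so that a rewritten log can be compared against a known good anchor.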
Distribution Extends Concerns
In general, the problems within a department seem to be somewhat localized and manageable. But the wider the scope of the image and information distribution, and the further access is extended beyond radiology, the more issues arise. In many ICUs, images of the patients are hung right at the entrance, easily accessible for the physicians, but also accessible to family members and other visitors. There is no difference between a light box and a viewing station in the eyes of HIPAA; exposure on a light box or clearly visible on the screen of a viewing station represents the same potential for violations. Most of the time, this area is still somewhat controlled in a radiology department, but what happens if these images also are accessible by the referring physicians in their offices, or at any nursing station on every hospital floor? The greatest level of exposure would be for images to be available on a Web browser at any place at any time for physicians to access. There are quite a few institutions that are currently not allowing any image distribution beyond their controlled premises before some serious security and privacy issues are addressed. The challenges are there.
Images are typically communicated using the Digital Imaging and Communications in Medicine (DICOM) standard. An image that is sent to a physician at night for emergency coverage or for a second opinion through the by-definition insecure Internet is a potential breach of security. Anyone listening in could potentially view the data. The solution would be to encrypt the information. Encrypting information using industry standard mechanisms has been part of DICOM for about a year. Exchanging DICOM images using secure communications (TLS, or transport layer security) is as secure as the exchange of credit card information when an airline ticket is purchased over the Internet. In this exchange, the information is encrypted so that only the intended receiver can decode it. Anyone listening in to the conversation would not be able to understand or decode it.
However, the problem with using encryption is that the overhead and therefore performance impact of encrypting and decrypting the information are significant. Therefore, one should not assume that just encrypting anything that goes across the network is the solution. For example, some institutions extend their Virtual Private Network (VPN) to their physicians’ homes and/or offices, which makes the specific TLS encryption unnecessary. VPNs, however, are not cheap. The major advantage of a VPN is that the security provision is transparent to the communication. However, if information is ever sent to a physician who happens to be outside the secure private network (VPN), the TLS encryption is a requirement.
Two more additions will soon be made to the DICOM standard. One of them is “attribute level confidentiality.” This security measure allows encryption of all the information in the image header that would typically identify the patient associated with the image. This information includes the patient name, identification, and birth date. Attribute level confidentiality would allow an image to leave a secure environment without disclosing the identity of the patient. This measure will definitely be a major step toward satisfying the patient privacy requirements. Another addition is media level security. Images such as cardiology cine runs are often stored on CDs. When a patient takes this CD with him to another facility, it would be optimal to encrypt the information, so that not just anyone can see what is on that CD.
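The attribute-level idea above (strip the identifying header attributes so the image can leave the secure environment) can be shown on a header represented as a plain dictionary. This is an added example written for this page, not DICOM's own attribute confidentiality profile, which seals the original values in the header for later recovery; here the identifying attributes are instead removed and the patient ID is replaced by a keyed HMAC pseudonym, which keeps studies of the same patient linkable inside the institution that holds the key while revealing nothing outside it. The tag numbers are the standard DICOM data dictionary tags; the attribute values and the key are constructed.

```python
"""Attribute-level de-identification of a DICOM-style header (added example)."""
import hashlib
import hmac

# Standard DICOM tags (group, element); values below are constructed samples.
PATIENT_NAME = (0x0010, 0x0010)
PATIENT_ID = (0x0010, 0x0020)
PATIENT_BIRTH_DATE = (0x0010, 0x0030)
STUDY_DATE = (0x0008, 0x0020)
MODALITY = (0x0008, 0x0060)
STUDY_DESCRIPTION = (0x0008, 0x1030)
PIXEL_DATA = (0x7FE0, 0x0010)

# Attributes that identify the patient and must not leave the secure environment.
IDENTIFYING_TAGS = (PATIENT_NAME, PATIENT_ID, PATIENT_BIRTH_DATE)

SAMPLE_HEADER = {  # constructed sample, not real patient data
    PATIENT_NAME: "DOE^JANE",
    PATIENT_ID: "MRN-000123",
    PATIENT_BIRTH_DATE: "19620315",
    STUDY_DATE: "20010604",
    MODALITY: "CT",
    STUDY_DESCRIPTION: "CT CHEST",
    PIXEL_DATA: b"\x00\x01\x02\x03",
}


def pseudonym(patient_id, key):
    """Keyed, one-way pseudonym: same patient and key give the same token,
    but the token cannot be turned back into the MRN without the key."""
    return "PSN-" + hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(header, key):
    """Return a copy with identifying attributes removed or pseudonymized.

    Name and birth date are dropped outright; PatientID is required by the
    image viewers, so it is kept but replaced by the pseudonym. Pixel data and
    technical attributes (modality, study date) are left untouched.
    """
    out = {tag: value for tag, value in header.items() if tag not in IDENTIFYING_TAGS}
    out[PATIENT_NAME] = "ANONYMIZED"
    out[PATIENT_ID] = pseudonym(header[PATIENT_ID], key)
    return out


def leaks_identity(deidentified, original):
    """True if any original identifying value still appears anywhere in the
    de-identified header, e.g. a name typed into a free-text description."""
    secrets = [str(original[tag]) for tag in IDENTIFYING_TAGS if tag in original]
    for value in deidentified.values():
        text = value.decode("latin-1", "ignore") if isinstance(value, bytes) else str(value)
        if any(secret in text for secret in secrets):
            return True
    return False


if __name__ == "__main__":
    key = b"institution-private-key"  # constructed; a real key lives in a key store
    clean = deidentify(SAMPLE_HEADER, key)
    print(clean[PATIENT_NAME], clean[PATIENT_ID], PATIENT_BIRTH_DATE in clean)
    print("leaks identity:", leaks_identity(clean, SAMPLE_HEADER))
```

The `leaks_identity` check matters because removing the three listed tags is not enough on its own: a patient name burned into a study description or a private vendor tag leaves the image just as identifiable as before.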
As a final note, one should realize that the digital communication is only part of the overall chain. Many more provisions have to be made and precautions taken.
Herman Oosterwijk is president of OTech Inc, a health care technology training and consulting firm, [email protected]. OTech is co-sponsoring a conference on August 21 in Dallas entitled