One of the sessions at this week’s PHI Protection Network Conference in Philadelphia concerned telemedicine. Although some of the discussion concerned the risk of hacking devices that deliver patient care, there’s still the older and yet devilishly persistent problem that many (dare I say, “most”) doctors still don’t get the risks of BYOD and the need for greater security. If you – or your employer – are allowing BYOD but don’t have a comprehensive plan to address the risks and to stay on top of monitoring, updating, and re-educating employees regularly, you’re inviting a patient privacy disaster.
In other words: we shouldn’t need “news” stories like this one by Lisa Yallamas, but sadly, we still do:
Doctors who photograph skin conditions using unsecured, personal mobile phones could be breaching patient privacy, new Queensland research warns.
In an article in the Medical Journal of Australia, researchers from the University of Queensland and Princess Alexandra Hospital, led by Paul Stevenson, say using telemedicine for diagnosing dermatological conditions was popular because it sped up treatment and improved patient outcomes, particularly in regional areas where there are few specialists.
However, doctors and medical institutions endangered patient privacy, as well as their own indemnity insurance and confidentiality clauses of their employment contracts, if they failed to protect confidential patient records by using unsecured mobile phones and emails.
Here are a few bullet points from the article so you can do a little self-test to assess whether you’re using good security hygiene if you use your device to take images that will be transferred to the patients’ charts:
- obtain informed, written consent from patients to use the images
- restrict access to the contents of mobile phones with appropriate controls, such as passcode locks
- delete images or content from the phone after transferring it to patient records
- disable automatic forwarding on emails
- delete emails from your sent folder
To which I’d add: don’t assume that your backup is secure or encrypted. Contact your hospital’s IT department to discuss how to securely back up any files with PHI that may require backup.
Read more on Brisbane Times.