
Security and ethical issues of mobile device technology
How secure or unsafe are mobile devices when used for medical purposes and for radiology? Presentation given at the ECR 2017 meeting, Vienna.

Published in: Healthcare

  1. Security and ethical issues of mobile device technology
     Erik Ranschaert, MD, PhD, Vice-president EUSOMII
  2. Disclosure
     • No conflicts of interest
     © E R Ranschaert, ECR 2017
  3. Introduction
     • After this lecture you should know about:
       1. The secure use of mobile devices in medicine and radiology
       2. The ethical issues involved in using mobile devices for medical purposes
  4. HCPs and Mobile Devices
     • Healthcare Professionals are globally and rapidly adapting to mobile technology.
     • Smartphones and tablets are regarded as “the most popular technological development for providers since the invention of the stethoscope”.
     Source: “The road to telehealth 2.0 is mobile”, http://www.telenor.com/media/in-focus/the-socio-economic-impact-of-mhealth
  5. HCPs Mobile Technology Policies
     • 2015 HIMSS Mobile Technology Survey
       – Only 57 % of HCPs’ organizations have a mobile technology policy.
       – Mobile device security is indicated as a key component of current and future mobile technology policies.
  6. Mobile Operating Systems
     • 5 out of 6 new phones are running Android
     • 1 in 7 are running iOS
     • Mobile devices contain valuable personal information
     • Smartphones become increasingly attractive to criminals*
     *Symantec Internet Security Threat Report 2016
  7. What’s in it for radiologists?
     • Radiology is at the leading front of the medical field’s adoption of mobile technologies
     • The primary purpose of mobile devices is to trade the traditional desktop display for a more compact one, to be used only occasionally while on the go.
     Source: http://www.acr.org/Advocacy/Informatics/IT-Reference-Guide
  8. Mobile devices in radiology
     Devices
     • Smartphones and tablets
       – High-resolution graphical displays: 1920 x 1080 pixels
       – Pixel sizes smaller than what the human retina can resolve
       – Displays can surpass the resolution of many PACS monitors
     • Hardware and dedicated radiology reviewing apps allow radiologists to incorporate them into their workflow
     Operating Systems
     • Apple iOS – runs only on hardware designed by Apple
     • Google Android (≈ Linux) – some features of open-source software, but no full access to the code
     • Many common (security) features
  9. Security risks
     • Mobile devices are vulnerable to loss/theft
     • Patient-related data might be stored on the device
     • Public cloud apps (social media etc.) used for storing & sharing of medical data
       – These apps/platforms are NOT designed for MEDICAL purposes
       – Patient privacy is not sufficiently protected
     Source: McEntee et al., 5 April 2012; Proc. of SPIE Vol. 8318, DOI: 10.1117/12.913754
  10. RANSOM Survey
     • March - May 2015
     • 516 radiologists
     Source: Ranschaert ER, Van Ooijen PM, McGinty GB, Parizel PM. Radiologists' Usage of Social Media: Results of the RANSOM Survey. J Digit Imaging. 2016 Aug;29(4):443-9. doi: 10.1007/s10278-016-9865-1.
  11. Major concerns in survey (share of respondents)
     • Insufficient legislation, guidelines and policies for SoMe in healthcare: 75%
     • Risk for privacy of the patients: 39%
     • Risk for privacy of radiologists: 39%
     • Insufficient knowledge about social media among radiologists: 37%
     • Distraction from clinical activities: 28%
     • Deprivation from real social contact with others: 18%
     • Danger of negative comments on our practice: 13%
  12. Security issues
     1. Device-based – passcode access, encryption, remote wiping, viruses, malware
     2. Software-based – wireless security, application availability, enterprise security
     Security measures to protect patient information are of critical importance.
  13. Device-based security
     Access to the device
     • Multiple security options
     • 4-digit code
     • HIPAA and other best-practice guidelines require more complex passcodes:
       – More digits/symbols
       – Configurable tracing pattern
       – Biometric access
     • Stolen devices: remote tracking, reset passcodes, data erasure etc.
     Local Encryption
     • Data stored on electronic HD (flash RAM)
     • Physical access possible
     • Content mostly not protected
     • iOS + Android support encryption of data
     • Stored personal health information should be encrypted
     • Encryption also protects data from malware or viruses
     • Apps should run in a “virtual sandbox”
     EDPS Guidelines: https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/Guidelines/15-12-17_Mobile_devices_EN.pdf
  14. Sandboxing
     • A sandbox is a security mechanism for separating running programs
     • Uses “scratch space” on disk and in memory
     • Executes untested/untrusted programs without risking harm to the host device or OS
     • Other apps can’t steal info
  15. Software-based security
     Apple iOS
     • Stringent control over app store and OS => fewer threats than Android
     • Not immune to malware
     • A non-jailbroken device is much more difficult to compromise
     Google Android
     • Much more mobile malware than iOS
       – Larger market share
       – Greater openness of Android, multiple distribution methods for apps
     • Increase in volume of attacks*
       – 230% increase (2015)
       – More “stealthy”
     *Symantec Internet Security Threat Report 2016
  16. Enterprise IT security
     BYOD (Bring Your Own Device)
     • The BYOD concept brings unique security challenges for institutional IT departments.
     • Most hospitals tolerate these devices, provided that they adhere to institutional security policies.
     Mobile device management
     • The existing security features in iOS and Android should be implemented
     • Institutional security policies for mobile devices should be enforced
     • Third-party mobile device management tools for monitoring and detection of malicious behaviour of apps should be used.
  17. Messaging Apps
     E. R. Ranschaert, EUSOMII Valencia, 2016
  18. WhatsApp from a radiologist
     • “I got this picture of an angiogram at 11 PM from another radiologist. The patient was in a coma, almost dead.”
     • “He wanted to know what this structure on the angiogram is. I’m specialised in cerebral stroke and could see that it was a thrombosis of the basilar artery with a rare anatomic variant.”
     • “I could explain to the colleague how to deal with this abnormality so the patient could be treated quickly. The patient woke up after treatment and could go home.”
     Source: Croonen H. Veilig whatsappen een must voor dokters. Med Contact 2015(48):2312-5.
  19. News, 24 Feb. 2016
     • Dutch DPA: “WhatsApp does not meet the standards for sharing medical data.”
     • The individual doctor and/or institution may receive a fine for breaching the protection of personal data
     • Medical doctors should find alternative solutions
     Source: http://linkis.com/medischcontact.nl/oRWkJ
  20. Dedicated apps
     Secure and dedicated alternatives are being tested in Dutch hospitals:
     • Secure file transfer
     • State-of-the-art encryption
     • Secure authentication
  21. Figure 1: patient privacy
     • Patients' faces are automatically obscured
     • Users must manually block identifying marks (e.g. tattoos).
     • Each picture is reviewed by moderators before storage in the database
  22. Ethical concerns
     1. Security and Privacy are ETHICAL issues
     2. Main ethical concern = hacking of mobile devices
     3. Patient-centred principle: do not harm patients
     4. Ethical guidance can prevent all risks.
     5. Guidelines need to be re(de)fined
  23. Golden Rule
     “If you would like to discuss a patient case via social media, then the patient should thereby remain anonymous or the patient must have given explicit consent.”
     Source: Hooghiemstra TF, Nouwt S. Een juridische blik op trends in e-Health. Ned Tijdschr Geneeskd 2014;158:A8423.
  24. What should radiologists use?
     • “It’s the responsibility of the radiologist to securely and effectively utilize mobile technology in the best interests of patient care.”
     Source: http://www.acr.org/Advocacy/Informatics/IT-Reference-Guide
  25. How secure are radiology data?
  26. Security study of DICOM servers
     • 2744 unprotected DICOM servers
     • 719 completely open to communication with patient data
     • Downloading of patient data was theoretically possible and easy
     • Geographic differences in lack of DICOM server security:
       – Iran: 34/40 (85%)
       – Thailand: 10/14 (71%)
       – Spain: 11/23 (48%)
       – Argentina: 6/13 (46%)
       – Russia: 8/18 (44%)
       – Germany: 9/22 (41%)
       – USA: 346/1335 (26%)
     Source: Stites, M., & Pianykh, O. S. (2016). How Secure Is Your Radiology Department? Mapping Digital Radiology Adoption and Security Worldwide. American Journal of Roentgenology, 206(4), 797–804. http://doi.org/10.2214/AJR.15.15283
  27. European legislation
     • Directive 2016/680 (May 2018): Protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data
     • Regulation 45/2001: The protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data
     • ePrivacy Regulation (Proposal Jan. ’17; 25 May 2018): Guarantees the processing of personal data and the protection of privacy in the electronic communications sector
     • Regulation 2016/679, GDPR (25 May 2018): Protection of natural persons with regard to the processing of personal data and on the free movement of such data
  28. General Data Protection Regulation
     • Move to 1 single regulation for the EU, replacing the patchwork of national laws (May 2018)
     • GDPR facilitates the free flow of patient data within the EU.
     • It ensures that personal data can only be gathered under strict conditions and for legitimate purposes.
     • Data controllers have to respect the rights of the data subject.
     • The cloud provider (data processor) must protect information on behalf of the data controller.
     (Diagram: data subject, data controller, data processor)
  29. Conclusions
     • It’s the responsibility of the radiologist to securely and effectively utilize mobile technology in the best interests of patient care.
     • Guidelines and additional training of radiologists are needed to support the use of mobile devices and to protect the patient’s privacy & security.
     • Effective implementation of security settings within the enterprise setting can maximize the benefit of mobile devices to patients.
     • The existing EU privacy legislation should be implemented and respected.
     DOI: http://dx.doi.org/10.1148/rg.2015140039
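The DICOM server study on slide 26 found servers that accepted associations from anyone on the internet, and the enterprise slides call for monitoring. The following is an added example, not part of the presentation or of any PACS product: a defender-side audit that reads a DICOM association log and flags accepted associations whose calling AE title is unknown, whose AE title is presented from an address other than the station it belongs to, or whose peer lies outside the institutional network. The one-line log format, AE titles, addresses and allowlist are all constructed for illustration; real PACS software logs associations in its own format, so the regular expression would need to be adapted.

```python
"""Audit PACS/DICOM association logs against an AE-title and peer allowlist.

Added example (not from the presentation): a defender-side check that the
associations a DICOM server accepted came only from known stations. The log
format, AE titles and addresses below are constructed for illustration; real
PACS products log associations in their own formats.
"""
import ipaddress
import re

# Hypothetical one-line-per-association log format (constructed, not vendor-specific).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ASSOC-RQ calling=(?P<calling>\S+) called=(?P<called>\S+) "
    r"peer=(?P<peer>\S+) result=(?P<result>\S+)$"
)

# Constructed allowlist: which calling AE title may associate from which address.
ALLOWLIST = {
    "CT_SCANNER_1": {"10.20.30.11"},
    "WS_RADIO_02": {"10.20.30.52"},
}
# Constructed institutional address range; any peer outside it is a finding.
INTERNAL_NETS = [ipaddress.ip_network("10.20.30.0/24")]

# Constructed sample log: two legitimate stations, an unknown caller from the
# internet, and a known AE title presented from an external address.
SAMPLE_LOG = """\
2017-03-01T08:12:03Z ASSOC-RQ calling=CT_SCANNER_1 called=PACS_MAIN peer=10.20.30.11 result=ACCEPTED
2017-03-01T08:15:44Z ASSOC-RQ calling=WS_RADIO_02 called=PACS_MAIN peer=10.20.30.52 result=ACCEPTED
2017-03-01T09:01:10Z ASSOC-RQ calling=ANY-SCP called=PACS_MAIN peer=198.51.100.7 result=ACCEPTED
2017-03-01T09:01:11Z ASSOC-RQ calling=ANY-SCP called=PACS_MAIN peer=198.51.100.7 result=ACCEPTED
2017-03-01T09:30:00Z ASSOC-RQ calling=WS_RADIO_02 called=PACS_MAIN peer=10.20.30.52 result=ACCEPTED
2017-03-01T10:05:19Z ASSOC-RQ calling=CT_SCANNER_1 called=PACS_MAIN peer=203.0.113.9 result=ACCEPTED
not a log line
"""


def parse_line(line):
    """Return the fields of one association record, or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def check_association(rec, allowlist=ALLOWLIST, internal_nets=INTERNAL_NETS):
    """Return the list of reasons an ACCEPTED association is suspicious (empty = fine).

    Rejected associations are not flagged: the server already refused them.
    """
    if rec["result"] != "ACCEPTED":
        return []
    reasons = []
    calling = rec["calling"]
    if calling not in allowlist:
        reasons.append("unknown calling AE title")
    elif rec["peer"] not in allowlist[calling]:
        # An AE title is not authentication: any client can present a known title,
        # so the title is only trusted together with the address it belongs to.
        reasons.append("known AE title from unexpected peer address")
    try:
        peer = ipaddress.ip_address(rec["peer"])
    except ValueError:
        reasons.append("unparseable peer address")
        return reasons
    if not any(peer in net for net in internal_nets):
        reasons.append("peer outside institutional network")
    return reasons


def audit(log_text, allowlist=ALLOWLIST, internal_nets=INTERNAL_NETS):
    """Return (timestamp, calling AE, peer, reasons) for every suspicious association."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not association records
        reasons = check_association(rec, allowlist, internal_nets)
        if reasons:
            findings.append((rec["ts"], rec["calling"], rec["peer"], reasons))
    return findings


if __name__ == "__main__":
    for ts, calling, peer, reasons in audit(SAMPLE_LOG):
        print(f"{ts} {calling} from {peer}: {'; '.join(reasons)}")
```

Run against the constructed log, the audit reports three accepted associations: the two from the unknown title ANY-SCP at an internet address, and the one where the scanner's own AE title arrives from 203.0.113.9 instead of its registered station. The check deliberately treats an AE title as a label rather than a credential; in practice the complement to such monitoring is restricting the DICOM port at the network level to the stations in the allowlist.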
