The document discusses security and ethical issues related to the use of mobile devices in medicine and radiology. It covers how healthcare professionals are adopting mobile technology, but many organizations still lack mobile security policies. It also examines the security risks of different mobile operating systems and provides recommendations for securing mobile devices and data, including implementing access controls, encryption, and mobile device management. The document stresses the importance of protecting patient privacy and following guidelines and legislation on medical data usage and security.

1. Security and ethical issues of
mobile device technology
Erik Ranschaert, MD, PhD
Vice-president EUSOMII

2. Disclosure
• No conflicts of interest
2© E R Ranschaert, ECR 2017

3. Introduction
• After this lecture you should know about:
1. The secure use of mobile devices in
medicine and radiology
2. The ethical issues involved in using mobile
devices for medical purposes
© E R Ranschaert, ECR 2017 3

4. HCPs and Mobile Devices
• Healthcare Professionals are
globally rapidly adapting to
mobile technology.
• Smartphones and tablets
are regarded as “the most
popular technological
development for providers
since the invention of the
stethoscope”.
© E R Ranschaert, ECR 2017 4
Source: “The road to telehealth 2.0 is mobile”,
http://www.telenor.com/media/in-focus/the-socio-economic-
impact-of-mhealth

5. HCPs Mobile Technology Policies
© E R Ranschaert, ECR 2017 5
2015 HIMSS Mobile Technology Survey
• 2015 HIMSS Mobile Technology
Survey
– Only 57 % of HCPs’ organizations
has a mobile technology policy.
– Mobile device security is
indicated as a key component of
current and future mobile
technology policies.

6. Mobile Operating Systems
• 5 out of 6 new phones are
running Android
• 1 in 7 are running iOS
• Mobile devices contain
valuable personal
information
• Smartphones become
increasingly attractive to
criminals*
© E R Ranschaert, ECR 2017 6
*Symantic Internet Security Threat Report 2016

7. What’s in it for radiologists?
© E R Ranschaert, ECR 2017 7http://www.acr.org/Advocacy/Informatics/IT-Reference-Guide
• Radiology is on the leading front of the medical
field’s adoption of mobile technologies
• Primary purpose of mobile devices is to trade the
traditional desktop displays for a more compact
display, to be used only occasionally while on the
go.

8. Mobile devices in radiology
Devices
• Smartphones and tablets
– High res graphical displays:
1920 x 1080 pixels
– Pixel sizes smaller than what
human retina can resolve
– Displays can surpass resolution of
many PACS monitors
• Hardware and dedicated radiology
reviewing apps allow radiologists to
incorporate them into their
workflow
Operating Systems
• Apple iOS
– Runs only on hardware designed
by Apple
• Google Android (≈ Linux)
Some features of open source SW, no
full access to code
• Many common (security) features
© E R Ranschaert, ECR 2017 8

9. Security risks
• Mobile devices = vulnerable to
loss/theft
• Patient-related data might be
stored on device
• Public cloud apps (social media
etc.) for storing & sharing of
medical data
– These apps/platforms are NOT
designed for MEDICAL purposes
– Patient privacy is not sufficiently
protected
© E R Ranschaert, ECR 2017 9
McEntee et al: 5 April 2012; Proc. of SPIE Vol. 8318
DOI: 10.1117/12.913754

10. RANSOM Survey
• RANSOM survey
• March - May 2015
• 516 radiologists
© E R Ranschaert, ECR 2017 10
J Digit Imaging. 2016 Aug;29(4):443-9. doi: 10.1007/s10278-016-9865-1.
Radiologists' Usage of Social Media: Results of the RANSOM Survey.
Ranschaert ER1, Van Ooijen PM2, McGinty GB3, Parizel PM4.

11. Major concerns in survey
Insufficient legislation, guidelines and policies for SoMe in healthcare 75%
Risk for privacy of the patients 39%
Risk for privacy of radiologists 39%
Insufficient knowledge about social media among radiologists 37%
Distraction from clinical activities 28%
Deprivation from real social contact with others 18%
Danger of negative comments on our practice 13%
© E R Ranschaert, ECR 2017 11

12. Security issues
1. Device-based
– passcode access, encryption, remote wiping, viruses,
malware
2. Software-based
– wireless security, application availability, enterprise
security
Security measures to protect patient information
are of critical importance.
© E R Ranschaert, ECR 2017 12

13. Device-based security
Access to the device
• Multiple security options
• 4-digit code
• HIPAA and other best-practice guidelines
require more complex passcodes:
– More digits/symbols
– Configurable tracing pattern
– Biometric access
• Stolen devices: remote tracking, reset
passcodes, data erasure etc.
Local Encryption
• Data stored on electronic HD (flash RAM)
• Physical access possible
• Content mostly not protected
• iOS + Android support encryption of data
• Stored personal health information should
be encrypted
• Encryption also protects data from
malware or viruses
• Apps should run in “virtual sandbox”
© E R Ranschaert, ECR 2017 13
EDPS Guidelines: https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/Guidelines/15-12-17_Mobile_devices_EN.pdf

14. Sandboxing
• Sandbox is security
mechanism for separating
running programs
• Uses “scratch space” on disk
and memory
• To execute
untested/untrusted programs
without risking harm to host
device or OS
• Other apps can’t steal info
© E R Ranschaert, ECR 2017 14

15. Software-based security
Apple iOS
• Stringent control over app
store and OS
=> less threats than Android
• Not immune for malware
• Non-jailbroken device is
much more difficult to
compromise
Google Android
• Much more mobile malware
than iOS
– Larger market share
– Greater openness of Android,
multiple distribution methods
of apps
• Increase in volume of attacks
– 230% increase (2015)
– More “stealthy”
*Symantic Internet Security Threat Report 2016
© E R Ranschaert, ECR 2017 15

16. Enterprise IT-security
•The BYOD concept brings unique security challenges for institutional
IT depts.
•Most hospitals tolerate these devices, provided that they adhere to
institutional security policies.
BYOD
Bring Your Own Device
•The existing security features in iOS and Android should be
implemented
•Institutional security policies for mobile devices should be enforced
•Third-party mobile device management tools for monitoring and
detection of malicious behavior of apps should be used.
Mobile device
management
© E R Ranschaert, ECR 2017 16

17. Messaging Apps
E. R. Ranschaert, EUSOMII Valencia, 2016

18. WhatsApp from radiologist
• “I got this picture of an angiogram at 11 PM
from another radiologist. The patient was in
coma, almost dead.”
• “He wanted to know what this structure on the
angiogram is. I’m specialised in cerebral stroke
and could see that it was a thrombosis of the
basilar artery with a rare anatomic variant.”
• “I could explain the colleague how to deal with
this abnormality so the patient could be treated
quickly. The patient woke up after treatment and
could go home.”
E. R. Ranschaert, EUSOMII Valencia, 2016
Croonen H. Veilig whatsappen een must voor dokters.
Med Contact 2015(48):2312-5.

19. News 24 Feb. 2016
• Dutch DPA : “WhatsApp does
not meet the standards for
sharing medical data.”
• The individual doctor and/or
institution may receive a fine
for breaching protection of
personal data
• Medical doctors should find
alternative solutions
© E R Ranschaert, ECR 2017 19
http://linkis.com/medischcontact.nl/oRWkJ

20. Dedicated apps
© E R Ranschaert, ECR 2017 20
Secure and dedicated alternatives are being tested in Dutch hospitals
Secure file transfer
State of the art encryption
Secure authentication

21. Figure 1: patient privacy
• Patients' faces are automatically
obscured
• Users must manually block
identifying marks (e.g. tattoos).
• Each picture is reviewed by
moderators before storage in data
base
© E R Ranschaert, ECR 2017 21

22. Ethical concerns
1. Security and Privacy are ETHICAL issues
2. Main ethical concern = hacking of mobile
devices
3. Patient-centred principle: do not harm
patients
4. Ethical guidance can prevent all risks.
5. Guidelines need to be re(de)fined
© E R Ranschaert, ECR 2017 22

23. Golden Rule
“If you would like to discuss a patient case via
social media,
then the patient should thereby remain
anonymous
or the patient must have given explicit consent.”
© E R Ranschaert, ECR 2017 23
Hooghiemstra TF, Nouwt S. Een juridische blik op trends in e-Health. Ned Tijdschr Geneeskd 2014;158:A8423.

24. What should radiologists use?
• “It’s the responsibility
of the radiologist to
securely and
effectively utilize
mobile technology in
the best interests of
patient care.”
© E R Ranschaert, ECR 2017 24
http://www.acr.org/Advocacy/Informatics/IT-Reference-Guide

25. How secure are radiology data?
© E R Ranschaert, ECR 2017 25

26. Security study of DICOM servers
• 2744 Unprotected DICOM servers
• 719 Completely open to communication with patient data
• Downloading of pt data was theoretically possible and easy
• Geographic differences in lack of DICOM server security:
– Iran: 34/40 (85%)
– Thailand: 10/14 (71%)
– Spain: 11/23 (48%)
– Argentina: 6/13 (46%)
– Russia: 8/18 (44%)
– Germany: 9/22 (41%)
– USA: 346/1335 (26%)
26
Stites, M., & Pianykh, O. S. (2016). How Secure Is Your Radiology Department? Mapping Digital Radiology Adoption and Security Worldwide. American Journal of
Roentgenology, 206(4), 797–804. http://doi.org/10.2214/AJR.15.15283

27. European legislation
• Protection of natural
persons with regard to
processing of personal data
by competent authorities for
purposes of prevention,
investigation, detection,
prosecution of criminal
offences or execution of
criminal penalties, and on free
movement of such data
• The protection of
individuals with regard to the
processing of personal data
by the Community
institutions and bodies and
on the free movement of
such data
• Guarantees the processing
of personal data and the
protection of privacy in the
electronic communications
sector
• Protection of natural
persons with regard to the
processing of personal data
and on the free movement
of such data
Regulation
2016/679
GDPR
25 May 2018
ePrivacy
Regulation
(Proposal
jan.’17)
25 May 2018
Directive
2016/680
May 2018
Regulation
45/2001
© E R Ranschaert, ECR 2017 27

28. General Data Protection Regulation
• Move to 1 single regulation for EU, replaces
patchwork of national laws (May 2018)
• GDPR facilitates free flow of patient data within EU.
• It ensures that personal data can only be gathered
under strict conditions and for legitimate purposes.
• Data controllers have to respect rights of data
subject.
• Cloud provider (data processor) must protect
information on behalf of data controller.
© E R Ranschaert, ECR 2017 28
Data subject
Data controller
Data processor

29. Conclusions
• It’s the responsibility of the radiologist to securely and effectively
utilize mobile technology in the best interests of patient care.
• Guidelines and additional training of radiologists are needed to
support the use of mobile devices and to protect the patient’s
privacy & security.
• Effective implementation of security settings within the enterprise
setting can maximize the benefit of mobile devices to patients.
• The existing EU privacy legislation should be implemented and
respected.
© E R Ranschaert, ECR 2017 29DOI: http://dx.doi.org/10.1148/rg.2015140039