
Security and ethical issues of mobile device technology

Date post: 19-Mar-2017
Security and ethical issues of mobile device technology Erik Ranschaert, MD, PhD Vice-president EUSOMII
Transcript

Disclosure

• No conflicts of interest

© E R Ranschaert, ECR 2017

Introduction

• After this lecture you should know about:
  1. The secure use of mobile devices in medicine and radiology
  2. The ethical issues involved in using mobile devices for medical purposes

HCPs and Mobile Devices

• Healthcare Professionals are globally rapidly adapting to mobile technology.
• Smartphones and tablets are regarded as “the most popular technological development for providers since the invention of the stethoscope”.

Source: “The road to telehealth 2.0 is mobile”, http://www.telenor.com/media/in-focus/the-socio-economic-impact-of-mhealth

HCPs Mobile Technology Policies

• 2015 HIMSS Mobile Technology Survey
  – Only 57 % of HCPs’ organizations have a mobile technology policy.
  – Mobile device security is indicated as a key component of current and future mobile technology policies.

Mobile Operating Systems

• 5 out of 6 new phones are running Android
• 1 in 7 are running iOS
• Mobile devices contain valuable personal information
• Smartphones become increasingly attractive to criminals*

*Symantec Internet Security Threat Report 2016

What’s in it for radiologists?

• Radiology is on the leading front of the medical field’s adoption of mobile technologies
• Primary purpose of mobile devices is to trade the traditional desktop displays for a more compact display, to be used only occasionally while on the go.

http://www.acr.org/Advocacy/Informatics/IT-Reference-Guide

Mobile devices in radiology

Devices
• Smartphones and tablets
  – High res graphical displays: 1920 x 1080 pixels
  – Pixel sizes smaller than what human retina can resolve
  – Displays can surpass resolution of many PACS monitors
• Hardware and dedicated radiology reviewing apps allow radiologists to incorporate them into their workflow

Operating Systems
• Apple iOS
  – Runs only on hardware designed by Apple
• Google Android (≈ Linux)
  – Some features of open source SW, no full access to code
• Many common (security) features

Security risks

• Mobile devices = vulnerable to loss/theft
• Patient-related data might be stored on device
• Public cloud apps (social media etc.) for storing & sharing of medical data
  – These apps/platforms are NOT designed for MEDICAL purposes
  – Patient privacy is not sufficiently protected

McEntee et al: 5 April 2012; Proc. of SPIE Vol. 8318 DOI: 10.1117/12.913754


Major concerns in survey


Security issues

1. Device-based – passcode access, encryption, remote wiping, viruses, malware
2. Software-based – wireless security, application availability, enterprise security

Security measures to protect patient information are of critical importance.

Device-based security

Access to the device
• Multiple security options
• 4-digit code
• HIPAA and other best-practice guidelines require more complex passcodes:
  – More digits/symbols
  – Configurable tracing pattern
  – Biometric access
• Stolen devices: remote tracking, reset passcodes, data erasure etc.

Local Encryption
• Data stored on electronic HD (flash RAM)
• Physical access possible
• Content mostly not protected
• iOS + Android support encryption of data
• Stored personal health information should be encrypted
• Encryption also protects data from malware or viruses
• Apps should run in “virtual sandbox”

EDPS Guidelines: https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/Guidelines/15-12-17_Mobile_devices_EN.pdf

Sandboxing

• Sandbox is security mechanism for separating running programs
• Uses “scratch space” on disk and memory
• To execute untested/untrusted programs without risking harm to host device or OS
• Other apps can’t steal info

Software-based security

Apple iOS
• Stringent control over app store and OS => fewer threats than Android
• Not immune to malware
• Non-jailbroken device is much more difficult to compromise

Google Android
• Much more mobile malware than iOS
  – Larger market share
  – Greater openness of Android, multiple distribution methods of apps
• Increase in volume of attacks
  – 230% increase (2015)
  – More “stealthy”

*Symantec Internet Security Threat Report 2016

Enterprise IT-security

BYOD (Bring Your Own Device)
• The BYOD concept brings unique security challenges for institutional IT depts.
• Most hospitals tolerate these devices, provided that they adhere to institutional security policies.

Mobile device management
• The existing security features in iOS and Android should be implemented
• Institutional security policies for mobile devices should be enforced
• Third-party mobile device management tools for monitoring and detection of malicious behavior of apps should be used.


E. R. Ranschaert, EUSOMII Valencia, 2016

Messaging Apps

WhatsApp from radiologist

• “I got this picture of an angiogram at 11 PM from another radiologist. The patient was in coma, almost dead.”
• “He wanted to know what this structure on the angiogram is. I’m specialised in cerebral stroke and could see that it was a thrombosis of the basilar artery with a rare anatomic variant.”
• “I could explain the colleague how to deal with this abnormality so the patient could be treated quickly. The patient woke up after treatment and could go home.”

Croonen H. Veilig whatsappen een must voor dokters. Med Contact 2015(48):2312-5.

News 24 Feb. 2016

• Dutch DPA: “WhatsApp does not meet the standards for sharing medical data.”
• The individual doctor and/or institution may receive a fine for breaching protection of personal data
• Medical doctors should find alternative solutions

http://linkis.com/medischcontact.nl/oRWkJ

Dedicated apps

Secure and dedicated alternatives are being tested in Dutch hospitals

• Secure file transfer
• State of the art encryption
• Secure authentication

Figure 1: patient privacy

• Patients' faces are automatically obscured
• Users must manually block identifying marks (e.g. tattoos).
• Each picture is reviewed by moderators before storage in database

Ethical concerns

1. Security and Privacy are ETHICAL issues
2. Main ethical concern = hacking of mobile devices
3. Patient-centred principle: do not harm patients
4. Ethical guidance can prevent all risks.
5. Guidelines need to be re(de)fined

Golden Rule

“If you would like to discuss a patient case via social media, then the patient should thereby remain anonymous or the patient must have given explicit consent.”

Hooghiemstra TF, Nouwt S. Een juridische blik op trends in e-Health. Ned Tijdschr Geneeskd 2014;158:A8423.

What should radiologists use?

• “It’s the responsibility of the radiologist to securely and effectively utilize mobile technology in the best interests of patient care.”

http://www.acr.org/Advocacy/Informatics/IT-Reference-Guide


How secure are radiology data?

Security study of DICOM servers

• 2744 Unprotected DICOM servers
• 719 Completely open to communication with patient data
• Downloading of pt data was theoretically possible and easy
• Geographic differences in lack of DICOM server security:
  – Iran: 34/40 (85%)
  – Thailand: 10/14 (71%)
  – Spain: 11/23 (48%)
  – Argentina: 6/13 (46%)
  – Russia: 8/18 (44%)
  – Germany: 9/22 (41%)
  – USA: 346/1335 (26%)

Stites, M., & Pianykh, O. S. (2016). How Secure Is Your Radiology Department? Mapping Digital Radiology Adoption and Security Worldwide. American Journal of Roentgenology, 206(4), 797–804. http://doi.org/10.2214/AJR.15.15283

European legislation

• Protection of natural persons with regard to processing of personal data by competent authorities for purposes of prevention, investigation, detection, prosecution of criminal offences or execution of criminal penalties, and on free movement of such data
• The protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data
• Guarantees the processing of personal data and the protection of privacy in the electronic communications sector
• Protection of natural persons with regard to the processing of personal data and on the free movement of such data

Regulation 2016/679 (GDPR), 25 May 2018
ePrivacy Regulation (Proposal Jan. ’17), 25 May 2018
Directive 2016/680, May 2018
Regulation 45/2001

General Data Protection Regulation

• Move to 1 single regulation for EU, replaces patchwork of national laws (May 2018)
• GDPR facilitates free flow of patient data within EU.
• It ensures that personal data can only be gathered under strict conditions and for legitimate purposes.
• Data controllers have to respect rights of data subject.
• Cloud provider (data processor) must protect information on behalf of data controller.

Diagram labels: Data subject; Data controller; Data processor

Conclusions

• It’s the responsibility of the radiologist to securely and effectively utilize mobile technology in the best interests of patient care.
• Guidelines and additional training of radiologists are needed to support the use of mobile devices and to protect the patient’s privacy & security.
• Effective implementation of security settings within the enterprise setting can maximize the benefit of mobile devices to patients.
• The existing EU privacy legislation should be implemented and respected.

DOI: http://dx.doi.org/10.1148/rg.2015140039

