2015 IEEE Long Island Systems, Applications and Technology Conference (LISAT 2015)

October 16, 2015

The Rise of Mobile Technology in Healthcare: The Challenge of Securing Teleradiology
Sharing DICOM Images on Mobile Devices: Confidentiality, Integrity, & Availability Risks

Abstract— There are many potential security risks associated with viewing, accessing, and storage of DICOM files on mobile devices. Digital Imaging and Communications in Medicine (DICOM) is the industry standard for the communication and management of medical imaging. DICOM files contain multi-dimensional image data and associated meta-data (e.g., patient name, date of birth, etc.) designated as electronic protected health information (e-PHI).

The HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule, the HIPAA Security Rule, the ARRA (American Recovery and Reinvestment Act), the Health Information Technology for Economic and Clinical Health Act (HITECH), and applicable state law mandate comprehensive administrative, physical, and technical security safeguards to protect e-PHI, which includes (DICOM) medical images. Implementation of HIPAA security safeguards is difficult and often falls short. Mobile device use is proliferating among healthcare providers, along with associated risks to data confidentiality, integrity, and availability (CIA). Mobile devices and laptops are implicated in wide-spread data breaches of millions of patients’ data.

These risks arise in many ways, including:

  • inherent vulnerabilities of popular mobile operating systems (e.g., iOS, Android, Windows Phone);           

  • sharing of mobile devices by multiple users;      

  • lost or stolen devices;      

  • transmission of clinical images over public (unsecured) wireless networks;      

  • lack of adequate password protection;    

  • failure to use recommended safety precautions to protect data on a lost device (e.g., data wiping); 

CEWIT-2015-Piliouras-Suss-Yu-et-al-Submitted.png

Analysis of commonly used methods for DICOM image sharing on mobile devices elucidates areas of vulnerability and points to the need for holistic security approaches to ensure HIPAA compliance within and across clinical settings. Innovative information governance strategies and new security approaches are needed to protect against data breaches, and to aid in the collection and analysis of compliance data. Generally, it is difficult to share DICOM images across different HIPAA-compliant Picture Archive and Communication Systems (PACS) and certified electronic health record (EHR) systems – while it is easy to share images using non-FDA approved, personal devices on unsecured networks. End-users in clinical settings must understand and strictly adhere to recommended mobile security precautions, and should be held to greater standards of personal accountability when they fail to do so.