Smartphones help medicos, but security is a problem

An Australian doctor has warned the profession that while smartphones provide good support for telemedicine, medicos need to remember they're not secure by default. Dr Paul Stevenson is lead author of a paper abstract in the Medical Journal of Australia. In it, he warns doctors that if they're careless with images they use in …

  1. Anonymous Coward

    Sending medical images via MMS

    I had to visit the ER after a cycling injury in fall 2014 and the doctor wanted to have a specialist check on something before stitching me up and sending me home. She took a few pictures with her smartphone and texted them to him, which I'm pretty sure has to be a HIPAA violation in the US. I didn't care since the alternate was me waiting around an extra half hour while he drove to the hospital to examine me in person.

    I'm sure the solution to this will be use of a camera to take photos that are passed to a computer then sent via secure email to a special app on a hospital issued smartphone or tablet the doctor will carry. Which despite being simple to do the "HIPAA approved" software will be marked up to an astronomical level since health care is a cost insensitive business. And that's the reason why health care costs will continue to spiral!

    1. Yet Another Anonymous coward Silver badge

      Re: Sending medical images via MMS

      But it will require the specialist to return to their office to check the image on their secure terminal, or rather range of terminals since every hospital, insurer, ct scanner manufacturer etc will have their own incompatible system. This will result in a $500 bill for looking at your image.

      So you will first have to fill out 20 pages of forms approving this, and the doctor will have to get approval for the consult from 3 insurance companies (if in the US) or from a dozen hospital managers, budget committees and PPI consultants if in the UK/Oz/Canada.

      In the meantime they will just email a picture of the wound to a colleague's phone

    2. FelixReg

      Re: Sending medical images via MMS

      To be fair, it's hard to spot a HIPAA violation in your 2014 story.

      HIPAA is written-out common sense with some oddities regarding federal prisoners. But HIPAA is not interpreted in the spirit of common sense. Bureaucrats are not fired for making work for other bureaucrats.

      "cost insensitive business"? Let me fix that: "cost enhancing business". See the previous paragraph for one minor example.

      One more fix: "solution to this will be" -> "solution to this was". Past tense.

    3. Halfmad

      Re: Sending medical images via MMS

      As someone who works in this field I'd see no issues with photographs being taken, the key here is whether the images include anything that would identify the patient, arguably most don't as clinicians are only interested in the injury and unless that's on the face it's likely the patient would never be identified purely by a cut, wound, mole etc.

      A larger issue is video, however I've still to see a clinician use a clip over a decent quality photograph.

      Lastly, healthcare is not a cost insensitive business; we're simply given so many hoops to jump through during procurement that, invariably, even before a project kicks off we're paying double whilst getting "double the discount" from suppliers. Throw in project management which is insanely stretched (our own PMs are expected to handle several multi-million pound projects whilst earning £25k/year) and you're always going to hit problems.

  2. Suburban Inmate

    Private comms? There's an app for that.

    Quite a few apps for that, as it happens.

    1. SuccessCase

      Re: Private comms? There's an app for that.

      Good resource.

      It's interesting how PGP (or GPG) has never been universally adopted for email. I think it is that it has always swum against the tide of human psychology and preference for convenience over security. I have worked in security conscious organisations and the use of PGP has always been something of a pain. But I don't understand why SMIME isn't suggested more.

      The first problem for PGP is that the need for authenticated key exchange just doesn't suit human psychology. It is a barrier preventing the user from doing the thing he/she really wants to do "right now." Systems that simply aren't convenient always encounter user avoidance patterns (remember network logout software that would refuse a user machine shutdown if there was too much data in the user's profile? What was the result? 95% of the time a five second press of the power switch).

      A second problem is that PGP plugins for common mail clients add complexity and can cause problems in relation to automated system updates. It's so last decade to be prepared to suffer systems with such version/dependency management fragilities.

      SMIME is then a good pragmatic solution that mostly avoids both these problems (it makes the first one automatic and painless if not instant, and the second is not an issue because all the major clients support it out of the box), albeit that you have to - you know - actually trust your security certificate chain of trust (which in the post-Snowden world is more of a thing than it should be). But if your concerns are more about commercial secrecy than being sure to have stopped the NSA or GCHQ, then it is way more user friendly than PGP.

      I think the main reason SMIME isn't being used more is that it didn't become a universally available standard all at once (so never had momentous "launch" awareness), and it used to cost money to get a certificate, so people have kind of never really woken up to the fact it is a practical working solution. Hmm sorry long post, and it seems I've ended up answering my own question about SMIME.

      1. Suburban Inmate

        Re: Private comms? There's an app for that.

        "But if your concerns are more about commercial secrecy than being sure to have stopped the NSA or GCHQ, then it is way more user friendly than PGP."

        To be honest, considering that "the line between government and corporations isn't blurred; it simply isn't there any more" (quote from "The Corporation" iirc) I wouldn't say there's much of a distinction if you're a big company or nipping at the heels of US corporations.

    2. Hud Dunlap

      Re: Private comms? There's an app for that.

      A thumbs up for the link. It is disappointing how many Apps have not had a recent audit. Although in just glancing at the link I didn't see how long recent was.

  3. Anonymous Coward

    Deleting messages from the "Sent"

    Or, you could do what I do and tell the mail client to store outbound emails in the inbox.

    This works well with a good email client that understands threading, since it means any reply you get is listed right beneath the message you sent, meaning you can easily refer to it to pick up on the reply's context, and if there is something that needs cleaning up, it's right there in front of you instead of being "out of sight, out of mind", so less likely to forget.

    Quick Filters in Thunderbird are a good way to see new email without the distraction of previous emails, or you can move the whole lot into another folder when you're done with the thread.

  4. Anonymous Coward

    "even a hospital-provided account might not be as secure as Gmail)." I tend to agree with this observation. Amid all the privacy brouhaha related to safe harbour it is easy to forget or ignore how deplorable the state of many small providers is with regards to both the process-adherence and the technical security.

  5. Pompous Git Silver badge

    Diagnosis

    I'd just rather the doctors got the diagnosis right. Having spent the last 10 years being diagnosed by several medical professionals as a chronic asthmatic, it is only since late last year that the correct diagnosis of heart failure has resulted in remedial drugs that work. I've gone from out of puff after walking 50 metres to being not out of puff after an hour's brisk walking and half an hour of weight training. Any concept of privacy comes way behind feeling at least 1000% better.

    FWIW a doctor told me 2 weeks ago it is exceedingly rare for someone in my age group to become asthmatic. Nearly always the symptoms of breathlessness are caused by heart failure. Go figure...

    1. DocJames

      Re: Diagnosis

      I'm glad you're better (treatment for heart failure is amazing); I'm not sure that demanding doctors don't do any IT security until they're better at diagnosis is helpful though. They don't seem to be mutually exclusive.

      I'm also sceptical about "exceedingly rare" for any age group to develop asthma. Older patients are more likely to have something else, but asthma is common enough.

      And keep up the exercise: almost certainly the best treatment for heart failure (NNT 3, for death).

      1. Pompous Git Silver badge

        @ DocJames (was Diagnosis)

        It's really great to be better :-)

        While the incidence of asthma might be reasonably constant between age groups, I believe the doctor's comment related to the sudden onset of asthma in later years. I believe I had a single asthma attack (brought on by stress) when I was in my mid 20s. As I relate, the chronic shortage of breath began in my mid 50s, was diagnosed as asthma and appears far more likely the beginning of my heart failure. The likelihood that it was not asthma is reinforced by the poor response to Ventolin.

        An attack of acute bronchitis was also diagnosed as an asthma attack and very nearly led to my death. After being sent home from ER with a Ventolin puffer, I collapsed due to a shortage of oxygen. I thanked the paramedic who put me on oxygen and told him I had felt like I was dying. The paramedic said that was because I was dying. Needless to say* when I returned to the hospital the oxygen was taken away. Upon being called in for treatment 6-8 hours later, I asked for a wheelchair, but was told that I had to walk into the treatment area if I expected to receive treatment. I collapsed before getting that far.

        I don't believe that I was demanding "doctors don't do any IT security", rather I was talking priorities. I would far rather be accurately diagnosed and treated correctly (and with a modicum of respect).

        My walking exercise is conducted by walking around my rather large living room to the sound of music. I particularly enjoy the Cure ;-) After three months my weight has declined from 105 kg to 91.4. My initial goal of 90 kg is within reach!

        * The Royal Hobart Hospital (RHH) is known locally as the Royal Hobart Habbatoir.

        1. DocJames

          Re: @ DocJames (was Diagnosis)

          Boys don't cry? TFIC :-)

          Good work with the weight loss; all walking or paying more attention to diet too? I'd guess some of that would be fluid as well.

          I've not worked in Oz; fee-for-service environments appear to encourage what I would charitably refer to as "variability" in care - some excellence, but rather a lot of poor practice... not that there's any actual evidence about this. Which is embarrassing, but (as my point above suggests) doesn't excuse your care (or the lack thereof).

          1. Pompous Git Silver badge

            Re: @ DocJames (was Diagnosis)

            "TFIC" initially had me flummoxed as it also means Tasmanian Fishing Industry Council here :-) As it happens this boy did cry when on one memorable occasion he was treated with respect by hospital staff, but that was interstate and another story.

            Australia has both a public system and a private system. I have discussed the differences between the two with several friends and concluded that the only real difference is the quality of food and accommodation is nearly always better in the private hospitals. The standard and quality of medical care is equally variable in both. Sometimes good, more often bad, or indifferent. Occasionally atrocious and readily preventable deaths occur. See:

            http://www.themercury.com.au/news/scales-of-justice/coroner-critical-of-rhh-medical-team-after-75yearold-woman-dies/news-story/835e3047c8652b926093e9583d4ad9c2

            My initial weight reduction was of course fluid loss, but 2/3 is due to exercise. It's a bit difficult to eat better than I do; I grow most of my own food or purchase locally grown. I am notorious for my gourmet cookery and have received high praise from an internationally renowned chef who was a dinner guest. I specialise in European peasant cuisine and frequently prepare SE Asian dishes for my dinner guests. Meat is nearly always for added flavour, not central to the dish. I have on occasion been ordered by a GP to reduce my intake of junk food, but that has just led to me finding another GP when they are unable to tell me which fresh vegetables/unprocessed meats qualify as junk. It's a bit hard to reduce one's intake of something below zero!

    2. Anonymous Coward

      Re: Diagnosis

      Been there. Not quite the same thing as you but still bad enough.

  6. Anonymous Coward

    The real issue here...

    Is that we haven't made secure email routine.

    Our sensibilities and our standards have become reasonable - we no longer require complex bespoke PKI infrastructure to provide a backbone for "routine" secure messaging, and our general privacy exposure is such that we can be quite pragmatic about this sort of thing now.

    Our ability to execute has, in turn, refined - to the point where a free app and built-in data-at-rest technologies can provide a level of security that most informed people would agree is reasonable.

    The question is, why are these technologies not ubiquitous? Why is secure messaging the exception, not the standard? Dr Jo Bloggs shouldn't have to build up the intellectual curiosity to investigate available crypto options, the technical savvy to evaluate them, and the gumption to take a leap of faith - along with a reasonable number of her colleagues - before my prostate scans are secured from prying eyes.

    There is the existing (in many countries) or potential (let's say in all the rest) hostility to properly constructed crypto, but the handset and mobile OS vendors seem to want to buck that trend. There is resistance to change, but iMessage proved that the software can magic a lot of that away (from the sight of tremulous users, at least). There is software quality, but the Open Whisper people - among many, many others - worked that one out.

    It's about time that SMS, as we know it, goes the way of telegrams and pagers. It's about time the first "S" stood for "Secure".

  7. sad_loser

    other options

    IAAD and this is a real problem. In the ED we quite often want to take pictures of wounds, particularly if there is bone sticking out, as we don't want to keep unwrapping them to let people have a look as it makes infection more likely.

    The NHS rules are very clear that taking pictures yourself would be a major offence.

    The other way to do this is to use the patient's own phone to take the picture, and very few patients don't have a phone with a camera these days.

    There is a wider problem with consumer technology being touted as a medical device e.g. heart sensors etc without going through proper (ISO 13485) accreditation. This means that Billy No Mates can create an app for health use with no quality control in either software or hardware engineering. This is why Apple has just shut down a lot of its health programmes - the risk of harm (= swingeing lawsuits) is not worth it.

    The NHS needs to get its act together and regulate on this or face a lot of pain when these apps are shown to be as effective as the Bomb Detectors the UK sold to Iraq. Reminds me of a quote from that great philosopher Benny Hill - 'just because no one complains, it doesn't mean all parachutes are perfect'.

    1. Yet Another Anonymous coward Silver badge

      Re: other options

      The FDA has (amazingly) greatly simplified the process - if you are using a regular app for its regular purpose, but simply in a medical setting, it generally doesn't need approval.

      This was after it was highlighted that using your iPhone's flashlight to look into a patient's eyes would require so many levels of medical device approval of the iPhone it would cost $10K to build.

      The pulling of so many medical apps was because they made snake-oil claims to diagnose/treat you. You are allowed to play Tetris in hospital, you aren't allowed to claim that it will train your brain without some clinical evidence.

  8. Christian Berger

    We need better e-mail software

    It's not like getting more secure than Gmail is hard; the problem is that today's e-mail software is just horrible.

    What it would need to do is to include GPG by default, even commercial vendors can include the unmodified binary without needing to open any of their code, and then apply sensible rules. If the software gets used for the first time, create a key pair. Then sign _every_ outgoing mail with your public key by default. Then store keys of incoming mail and try to make sensible suggestions to the user when sending mail to addresses you already got the key from.
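The rules sketched in the comment above (create a key pair on first run, sign every outgoing mail, remember the keys seen on incoming mail, and suggest encryption only where a recipient's key is already known), modelled as an added example; this is not code from the page or from any real mail client. To run offline it keeps the key store as plain Python data rather than a GnuPG keyring, and stands a constructed `X-Signer-Fingerprint` header in for a verified OpenPGP signature; every address and fingerprint is a constructed placeholder. It also covers two cases the comment leaves implicit: a correspondent's key changing after first contact, and a message whose recipients only partly have known keys.

```python
"""Opportunistic OpenPGP policy for a mail client (added example, not page code).
The key store is plain Python data and the signature check is stood in for by a
constructed 'X-Signer-Fingerprint' header, so no GnuPG is needed to run it.
All addresses and fingerprints below are constructed placeholders."""
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import getaddresses


def _addresses(msg, header: str) -> list:
    """Lower-cased addresses from every instance of one header (empty if absent)."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


@dataclass
class KeyStore:
    """Trust-on-first-use store: sender address -> key fingerprint seen on incoming mail."""
    own_fingerprint: str
    known: dict = field(default_factory=dict)

    def learn_from_incoming(self, raw_message: str) -> str:
        """Record the sender's fingerprint. Returns 'none' (no usable signature),
        'new' (first key seen for this address), 'same', or 'CHANGED'. A change
        is the case the user must be told about: either a key rotation or
        someone else writing from that address."""
        msg = message_from_string(raw_message)
        senders = _addresses(msg, "From")
        fpr = msg.get("X-Signer-Fingerprint", "").replace(" ", "").upper()
        if not senders or len(fpr) != 40:  # a v4 OpenPGP fingerprint is 40 hex digits
            return "none"
        previous = self.known.get(senders[0])
        if previous is None:
            self.known[senders[0]] = fpr
            return "new"
        return "same" if previous == fpr else "CHANGED"

    def outgoing_policy(self, raw_message: str) -> dict:
        """Always sign; encrypt only when every To/Cc/Bcc recipient has a known key.
        Otherwise fall back to sign-only and report who lacks a key, rather than
        encrypting to some recipients and mailing the same body in clear to the rest."""
        msg = message_from_string(raw_message)
        recipients = []
        for header in ("To", "Cc", "Bcc"):
            recipients.extend(_addresses(msg, header))
        missing = sorted({a for a in recipients if a not in self.known})
        return {
            "sign_with": self.own_fingerprint,
            "encrypt": bool(recipients) and not missing,
            "encrypt_to": [self.known[a] for a in recipients if a in self.known],
            "missing_keys": missing,
        }


ALICE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"          # constructed
ALICE_FPR_ROTATED = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"  # constructed

INCOMING_FROM_ALICE = """\
From: Dr Alice <alice@clinic.example>
To: bob@clinic.example
Subject: Re: wrist consult
X-Signer-Fingerprint: 0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567

Clean fracture, no displacement.
"""

INCOMING_FROM_ALICE_ROTATED = INCOMING_FROM_ALICE.replace(
    "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567",
    "FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98")

OUTGOING_TO_ALICE = """\
From: bob@clinic.example
To: Dr Alice <alice@clinic.example>
Subject: wrist consult

Image attached.
"""

OUTGOING_TO_ALICE_AND_CAROL = OUTGOING_TO_ALICE.replace(
    "Subject:", "Cc: carol@clinic.example\nSubject:")


def demo() -> dict:
    """Run the scenario end to end and return every decision for inspection."""
    store = KeyStore(own_fingerprint="B0B" * 13 + "B")  # constructed 40-char placeholder
    return {
        "first_contact": store.learn_from_incoming(INCOMING_FROM_ALICE),
        "reply_to_alice": store.outgoing_policy(OUTGOING_TO_ALICE),
        "reply_with_carol": store.outgoing_policy(OUTGOING_TO_ALICE_AND_CAROL),
        "alice_key_changed": store.learn_from_incoming(INCOMING_FROM_ALICE_ROTATED),
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, "->", result)
```

The encryption decision is deliberately all-or-nothing per message: a client that encrypted to Alice but sent Carol the same text in clear would give the sender a padlock icon while protecting nothing, so the honest answer is "signed only, Carol's key unknown". The CHANGED result is what a real client should surface prominently, since silently replacing a pinned key is exactly how a trust-on-first-use scheme gets undermined.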

    1. Flywheel

      Re: We need better e-mail software

      I agree. I set up Claws Mail on my Arch Linux installation as it had good GPG support. But oh, the PAIN getting GPG linked up to Claws! I literally waded through hundreds of FAQs and HOWTOs, and eventually the combined knowledge gleaned made it possible to get encrypted/signed mail working.

      It needs to be a whole lot easier if it's to go anywhere.

    2. Pompous Git Silver badge

      Re: We need better e-mail software

      Several years ago I broke the triquetrum in my left wrist. My GP sought advice from a colleague interstate as I discovered when discussing it with the landlord of the business I was working for. He, a plastic surgeon and renowned for his ability fixing wrists, had been the final recipient of the original query. He was unaware that I was the patient until we had our conversation. Security of patient information was assured by my GP having included none in her original email. How often does patient information have to accompany an electronic medical query?

  9. 0laf

    HTTPS is probably good enough for email in transit but I don't think I'd be happy with my medical images passing through Google. Not good enough in the EU anyway with DPA and the new GDPR.

    It's all possible, but what is needed is a medical application which is secure AND as easy as the clinicians' favourite apps. Even then you'll still get clinicians sending stuff via their favourite insecure app because that's human nature and humans are generally pretty thick.

  10. manabu

    We Are Solving The Medical Photo Sharing Issue and It Is Available

    Dr. Stevenson and others interested in this topic.

    We have developed the app which allows people to securely exchange visual medical findings and made it available free for general use. While it works for the iPhone only today, we are working on the Android version this year. It is medically secure from the HIPAA standpoint, as well as providing proper medical context to photos and allowing you to securely share the images.

    Next month, we are releasing a significant update to this and you will be able to do chat sessions among users with imaging contexts. The upgrade will also be provided free.

    Please look for "BodyMapSnap" by WinguMD on the Apple iTunes download, and we are definitely looking forward to getting a lot more clinical inputs from people, and that's the reason why it stays free.

    1. ecofeco Silver badge

      Re: We Are Solving The Medical Photo Sharing Issue and It Is Available

      Congratulations and sincere good luck.
