While medical imaging is not the major focus of HIPAA or HITECH, it is important that practitioners be wary of the unique issues associated with this type of protected health information (PHI). Medical images are typically dense data files often much larger than their other medical record counterparts. It’s not unusual to find studies or series of images that exceed one gigabyte in size. Their storage, sharing and archive pose unique challenges for the practitioner. Hence, it is important to understand how best utilize this important diagnostic tool while not running afoul of regulations.
Securing Medical Image Repositories
Medical images most often exist in a DICOM (Digital Imaging and Communications in Medicine) that combines sets or series of images with a description of the patient and the modality. Together they are considered protected health information. Under federal law, HIPAA covered entities must implement procedures to protect and secure access to this type of data.
The repository for DICOM data is typically a PACS (Picture Archive and Communication System). You can consider a PACS as a purpose-built medical image database. PACS may exist on a computer within your facility or may be accessed remotely from the Cloud. Either way, the information contained in the PACS must be secure from unwarranted intrusion or access.
Information contained in a PACS should be accessible only to those with the appropriate security credentials. Authorized personnel must present such appropriate credentials in order to obtain access. But beyond authorized access it is also important to protect this PHI against unwarranted intrusion. This often means encrypting the data to protect it should the gated defenses against unauthorized access fail. Encryption can be accomplished by either encrypting the digital data structure of these DICOM files or by encrypting the underlying data within the files. Both are effective.
While keeping these repositories safe and secure is important, it is equally important (and required by these regulations) to ensure that they remain available even in the event of a natural or man-induced disaster. Often backups of the DICOM data serve this purpose, with the most effective being maintained regularly at a separate geographic location. Ensuring sufficient distance between the primary storage and its backup can be helpful to avoid issues associated with weather, earthquakes or even man induced disasters. It’s important for compliance purposes to have effective procedures in place to ensure the availability of this information no matter the events. It is good practice to not just have procedures in place, but also to test these procedures on a regular basis to ensure their effectiveness.
Most often data in a PACS is backed up rather than mirrored. While backup is sufficient to comply with most regulations, it means that in the event of a disaster that recovered data must be reloaded on a live PACS in order to make it available. This can be problematic if the data is voluminous or if the need for access is immediate. Alternatively, a PACS can be mirrored or stored in a duplicate PACS in another location. Should a disaster arise, the primary system can be redirected to access the live data on that alternative PACS. Even better would be that remote PACS being available for access via a web based application, ensuring that in the event your onsite systems are disabled, like in a malicious ransomware scenario, your medical images would be accessible using alternate systems, tablets or even smartphones.
Medical images are an increasingly popular diagnostic tool. Their electronic format and large size often make them burdensome to protect. However, with modern tools, including the cloud, they can be made available whenever and wherever they are required for effective patient diagnosis and treatment. To learn more, check out AAOS Now. We made the October edition!