This document discusses the use of messaging apps like WhatsApp in radiology. It notes that while messaging apps allow for quick sharing of images and information, using unsecure apps like WhatsApp to share patient medical information poses privacy and compliance risks. The document reviews surveys finding increasing use of messaging apps by doctors, outlines legal and ethical concerns around privacy and security, and discusses the GDPR and HIPAA compliance of WhatsApp. It concludes by advocating for the use of secure, dedicated medical messaging apps that comply with regulations and protect patient information.
3. Objectives
• After this lecture you should know more about:
1. The secure use of messaging services in medicine and radiology
2. The ethical and legal issues involved in using messaging services for medical purposes
E R Ranschaert, RSNA 2018
4. Messaging apps
• Real-time transmission of information
• Possible to have group-chats
• Possible to exchange pictures, video, documents, sound recordings
Statista, 2018
6. WhatsApp in the Netherlands
• Albert Schweitzer Hospital, Dordrecht, Netherlands
• Online survey, 86 participants
• Types of images sent:
– Chest Xray
– Skin, wound,…
Increasing number of specialists are using WhatsApp
GUIDELINES NEEDED FOR USING MODERN COMMUNICATION TECHNIQUES
7. Communication in the Albert Schweitzer Hospital
E-MAIL: 84% sends data by e-mail
• Including patient’s name: 83%
• Including picture of patient: 45%
WHATSAPP: 40% sends data by WhatsApp
• Including patient’s name: 33%
• Including picture of patient: 62%
PRIVATE PHONE: 44% has PHI on own smartphone
HCP OPINION:
• E-mail is the right medium: 45%
• WhatsApp is the right medium: 22%
• Guidelines are needed for communication: 32%
Usage of communication tools by medical specialists of the AS Hospital.
34 % of 252 medical specialists completed the survey (2015)
Medisch Contact, 26 November 2015
8. UK Survey 2015
• UK Survey, n = 2107 doctors
– Nearly 100% own a smartphone
– 75% own a tablet
• ¾ own an iPhone, ¼ an Android-based handset
• 90% of doctors are using medical apps in clinical practice.
BMJ Innovations 2015;1:174-181.
9. Demand for messaging apps
• Large proportions of doctors are using messaging services to convey patient-related clinical information to colleagues
• Growing demand for medical apps that enable work-related tasks to be performed more efficiently.
• 72% of doctors expressed a desire for a secure messaging app to allow transmission of patient-related information to colleagues in a secure way
BMJ Innovations 2015;1:174-181.
12. Reasons for this demand
• Provision of optimal care to patients
– easy and fast (efficient) sharing of data
– access to the most current information
• Most hospital systems do not support this type of efficient communication
• Hospital infrastructure is not yet adapted to the paradigm shift of sharing data, as we are used to in daily life
13. Advantages of smartphone communication
• Overcomes inefficient communication barriers among physicians in and outside the hospital
• Facilitates collaboration
– Quick decision making
– Referrals of higher quality
• Allows less-experienced team members to seek help
• Inspires camaraderie
https://www.theguardian.com/healthcare-network/views-from-the-nhs-frontline/2017/jun/05/should-doctors-use-whatsapp-to-bypass-archaic-nhs-tech
14. Security risks
1. Transmission is not secure enough.
2. Information might contain highly sensitive and confidential patient information
– Can be stored on device
– Handsets can be lost / stolen / hacked
– Messages can be viewed by unauthorised users
15. More security risks
3. Messaging can create an unnecessary delay
– Information not read by recipient in tsunami of other messages
– Authorisation of recipient not guaranteed
– Does not replace professional conversation
4. It’s inappropriate towards the patient
– No guaranteed protection of information
– Only in real emergency cases might the benefit outweigh the risk
http://blogs.bmj.com/bmj/2017/11/14/sadie-mullin-instant-messaging-in-the-workplace-is-no-substitute-for-a-professional-conversation/
16. Ethical concerns
• Security and Privacy
• Main ethical concern = hacking of mobile devices and applications used on them
• Basic principle: do not harm patients
• Guidelines need to be refined
17. Golden Rule
“If you would like to discuss a patient case via social media, then the patient should thereby remain anonymous or the patient must have given explicit consent.”
Hooghiemstra TF, Nouwt S. Een juridische blik op trends in e-Health. Ned Tijdschr Geneeskd 2014;158:A8423.
18. ACR perspective
• “It’s the responsibility of the radiologist to securely and effectively utilize mobile technology in the best interests of patient care.”
http://www.acr.org/Advocacy/Informatics/IT-Reference-Guide
19. ESR perspective
• ESR paper on the proper use of mobile devices in radiology
– Mobile devices are currently not recommended as tools for primary interpretation of radiologic studies.
– The use of mobile devices for image and data transmission carries risks, especially regarding confidentiality, which must be considered.
ESR paper on the proper use of mobile devices in radiology
https://doi.org/10.1007/s13244-017-0589-7
21. General Data Protection Regulation
• Came into effect on May 25, 2018.
• 1 single regulation for EU, replaces patchwork of national laws
• Main purpose: to define and update the basic rights of data subjects regarding control of and access to personal data
• Privacy and security “by design and by default”
22. GDPR
• Facilitates free flow of patient data (data subjects) within EU.
• Ensures that personal data can only be gathered under strict conditions and for legitimate purposes.
• Data controllers have to respect rights of data subject (e.g. HCP, hospital)
• Cloud provider (data processor) must protect information it handles and stores on behalf of data controller (e.g. messaging company)
Data subject
Data controller
Data processor
23. HIPAA vs. GDPR
Governance
• HIPAA only governs protected health information (PHI)
• GDPR concerns EVERY piece of information that can identify a person, not limited to HC
Consent
• HIPAA does not require consent from patient to release health data for third parties (e.g. for insurance company)
• GDPR needs explicit consent for any interaction with PHI other than direct patient care
24. GDPR Key Elements
• Clear Consent
• Erasure (right to be forgotten)
• Rectification
• Portability
• Notification of data breach
• Demonstration of Compliance
• Data Protection Officer (DPO)
• Derogations and exceptions
25. GDPR Perspective
• There is no formal arrangement between users and messaging services in respect of processing and storing any patient information
• This is a fundamental requirement under GDPR!
26. Is WhatsApp GDPR compliant?
GDPR requirement | WhatsApp
Protection of patient data, even outside EU | WhatsApp refuses to comply, wants to stay under US laws ✗
Access controls | No usernames nor passwords ✗
Audit controls | No data backup nor retainment ✗
Permanent erasure | Everything stays on WhatsApp servers, out of control for client ✗
Formal arrangement | No formal arrangement between users and WhatsApp ✗
The service cannot be used to send ePHI without risking violating GDPR Rules
27. Is WhatsApp HIPAA compliant?
HIPAA requirement | WhatsApp
Encryption or equivalent measure | End-to-end encryption ✔
Access controls | No usernames nor passwords ✗
Audit controls | No data backup nor retainment ✗
Permanent erasure | Not possible to delete user account ✗
Formal arrangement | Not necessary, is mere conduit for information, « encrypted tunnel » ✔
The service cannot be used to send ePHI without risking violating HIPAA Rules
28. Current situation
• There is an unfulfilled communication need of physicians.
• Hospitals and health systems are lagging behind in taking up new communication technologies.
• The advice is clear: do not use WhatsApp to transfer patient information. It is compliant with neither HIPAA nor GDPR.
• Restricting the use of messaging apps is fine but there must be a viable and low-cost alternative.
• Solution?
29. Need for secure apps
• A system that replicates the functionality of WhatsApp while complying with existing regulations.
• Adaptable smartphone technology that can support the evolving requirements of clinical practice.
31. Features
• Sharing of pictures, documents, voice recordings, videos
• Possible to create PDF documents
• Web-based version
• Integration with PACS, EPD -> image series
• Video-calls
• Creation and sharing of medical cases, separate from chats
https://www.youtube.com/watch?v=PK9ypnGKx40
32. Who is using it?
• Launched in 2016
• 100.000 users, largest in Europe
• +7,5 mio messages/mth
• 6000+ clinical chat groups
• Netherlands: +60% of specialists and GPs
• Used by all layers of HC providers
• Main purpose:
– Collaboration
– Image sharing (surgeons, dermatologists, radiologists)
– Fast decisions (advice)
33. Safe and Secure messaging
• End-to-end encryption
• Authorised access/ vetting of users
• PIN-code/Facial recognition
• Messages automatically deleted after 30 days
• Media in “encrypted vault” separate from other media on smartphone
• Yearly auditing
• Reports available on request
Siilo
34. WhatsApp vs. Siilo
Legal requirements | Siilo | WhatsApp
Encryption | ✔ | ✔
Transparency: what happens with data? | ✔ | ✗
Access controls | ✔ | ✗
External audit controls | ✔ | ✗
Permanent erasure | ✔ | ✗
Formal arrangement for processing and storing of PHI (processor agreement) | ✔ | ✗
GDPR/HIPAA compliant | ✔ | ✗
35. Radiologists’ experience
• University MC of Utrecht
• Fast and efficient communication with residents and referring physicians
• On-call chats, calls and advice
• Integration with PACS possible for streaming image series
https://www.youtube.com/watch?v=LzNPVmelFpc&feature=youtu.be
36. Conclusions
• It’s the responsibility of the physician (radiologist) to securely and effectively utilize mobile technology in the best interests of patient care.
• The existing regulations and legislation should be respected.
• Guidelines and additional training are needed to support the use of mobile devices and to protect the patient’s privacy & security.
• Sharing medical information with dedicated apps can improve communication & teamwork, and thus quality of care.
A graph showing the percentage of surveyed staff using various features of their smartphones to help them to perform their clinical duties. The difference between doctor and nurse groups is significant for all features used (p=0.0001).
(A) A graph showing the percentages of surveyed doctors and nurses sending patient-related clinical information over their smartphones using various messaging modalities. Significantly, more doctors sent patient-related clinical information over all three messaging modalities (p=0.0001); (B) A graph showing the frequency with which surveyed doctors and nurses sent patient-related clinical information over their smartphones using various messaging modalities. Compared with nurses, a greater percentage of doctors sent patient-related clinical information on a daily basis using all three modalities, but significance was only reached with short-message-script (SMS; p=0.014).