DOI: 10.5999/aps.2021.00262
Safe clinical photography: best practice guidelines for risk management and mitigation
Clinical photography is an essential component of patient care in plastic surgery. The use of unsecured smartphone cameras, digital cameras, social media, instant messaging, and commercially available cloud-based storage services threatens patients’ data safety. This paper identifies potential risks of clinical photography and heightens awareness of safe clinical photography. Specifically, we evaluated existing risk-mitigation strategies globally, compared them to industry standards in similar settings, and formulated a framework for developing a risk-mitigation plan that avoids data breaches by identifying the safest methods of picture taking, transfer to storage, retrieval, and use, both within and outside the organization. Since threats evolve constantly, the framework must evolve too. Based on a literature search of both PubMed and the web (via Google) using key phrases and, for PubMed, child terms, the risks and consequences of data breaches in the individual processes of clinical photography are identified. Current clinical-photography practices are described. Lastly, we evaluate current risk-mitigation strategies for clinical photography by examining guidelines from professional organizations, governmental agencies, and non-healthcare industries. Combining the lessons learned from the steps above into a comprehensive framework that could contribute to national/international guidelines on safe clinical photography, we provide recommendations for best practice guidelines. It is imperative that best practice guidelines for the simple, safe, and secure capture, transfer, storage, and retrieval of clinical photographs be co-developed through cooperative efforts between providers, hospital administrators, clinical informaticians, IT governance structures, and national professional organizations. This would significantly safeguard patient data security and provide the privacy that patients deserve and expect.
Keywords
Data encryption - Electronic health records - Patient safety - Patient protection - Photography
Publication History
Received: 13 January 2021
Accepted: 09 April 2021
Article published online: 21 March 2022
© 2021. The Korean Society of Plastic and Reconstructive Surgeons. This is an open access article published by Thieme under the terms of the Creative Commons Attribution-NonCommercial License, permitting unrestricted noncommercial use, distribution, and reproduction so long as the original work is given appropriate credit. Contents may not be used for commercial purposes. (https://creativecommons.org/licenses/by-nc/4.0/)
Thieme Medical Publishers, Inc.
333 Seventh Avenue, 18th Floor, New York, NY 10001, USA