http://dx.doi.org/10.5999/aps.2021.00262

Safe clinical photography: best practice guidelines for risk management and mitigation  

Chandawarkar, Rajiv (Department of Plastic Surgery, Ohio State University Wexner Medical Center)
Nadkarni, Prakash (College of Nursing, University of Iowa)
Publication Information
Archives of Plastic Surgery / v.48, no.3, 2021, pp. 295-304
Abstract
Clinical photography is an essential component of patient care in plastic surgery. The use of unsecured smartphone cameras, digital cameras, social media, instant messaging, and commercially available cloud-based storage devices threatens patients' data safety. This paper identifies potential risks of clinical photography and heightens awareness of safe clinical photography. Specifically, we evaluated existing risk-mitigation strategies globally, comparing them to industry standards in similar settings, and formulated a framework for developing a risk-mitigation plan for avoiding data breaches by identifying the safest methods of picture taking, transfer to storage, retrieval, and use, both within and outside the organization. Since threats evolve constantly, the framework must evolve too. Based on a literature search of both PubMed and the web (via Google) with key phrases and child terms (for PubMed), the risks and consequences of data breaches in individual processes in clinical photography are identified. Current clinical-photography practices are described. Lastly, we evaluate current risk mitigation strategies for clinical photography by examining guidelines from professional organizations, governmental agencies, and non-healthcare industries. Combining lessons learned from the steps above into a comprehensive framework that could contribute to national/international guidelines on safe clinical photography, we provide recommendations for best practice guidelines. It is imperative that best practice guidelines for the simple, safe, and secure capture, transfer, storage, and retrieval of clinical photographs be co-developed through cooperative efforts between providers, hospital administrators, clinical informaticians, IT governance structures, and national professional organizations. This would significantly safeguard patient data security and provide the privacy that patients deserve and expect.
Keywords
Data encryption; Electronic health records; Patient safety; Patient protection; Photography