Risks involved in using personal mobile devices in clinic
General risks to data protection and patient confidentiality
- Most mobile devices have internet connectivity and use cloud-based backup services.
- Mobile devices are more susceptible to loss or theft, especially if used both at work and at home.
- Mobile devices are not suitable for long-term storage of patient images.
- WhatsApp and certain other instant messaging apps are said to offer secure end-to-end encryption of messages sent and received. Unfortunately, this is not a guaranteed secure method of transferring PID (Patient Identifiable Data): end-to-end encryption protects a message only while it is in transit, not the copies that remain on the sending and receiving handsets or in their cloud backups.
Standard 1. Gaining the patient's informed consent
- Written consent should always be sought before capturing a patient image, stating its use in direct care (i.e. for diagnosis/scan) and the possibility of its use in indirect care (i.e. teaching).
Rationale: all data held on a patient's medical record is subject to the Data Protection Act 1998 (DPA).
Standard 2. Safe use of mobile devices to take patient images
- Physical device security – The device must be configured with a strong passcode (6+ characters) that must be entered before the device will operate.
- Device connectivity – Any network to which you connect your device must support WPA2/PSK authentication and encryption as a minimum. Data transmitted over 3G/4G/UTM mobile networks should be secured via a virtual private network (VPN).
- Bluetooth – Bluetooth should be disabled when not in use.
Standard 3. Safe transfer and storage of images captured with mobile devices
- Without care, the use of mobile devices to take, store and transfer images can lead to breaches of patient confidentiality and of the Data Protection Act 1998 (DPA).
- Issues of device ownership and connectivity are crucial for the secure storage and transfer of images. It is important to understand these before using a mobile phone to capture clinical images.
- Identifiable data being transferred between healthcare professionals should not be vulnerable to interception or redirection, but should be protected in line with the Data Protection Act 1998 (DPA).
- Images captured and stored on a mobile device are potentially insecure if there is inadequate protection or excess connectivity. This has implications for images containing patient-identifiable data (PID).