Risks involved in using personal mobile devices in clinic

General risks to data protection and patient confidentiality

• Most mobile devices have internet connectivity and use cloud-based backup services.
• Mobile devices are more susceptible to loss or theft, especially if used both at work and at home.
• Mobile devices are not suitable for long-term storage of patient images.
• WhatsApp and certain other instant messaging apps are said to offer secure end-to-end encryption of messages sent and received. Unfortunately, this is not a guaranteed secure method of transferring PID (Patient Identifiable Data).

Standard 1. Gaining the patients informed consent

• Written consent should always be sought before capturing a patient image, stating use in direct care i.e. for diagnosis/scan and the possibility of use in indirect care i.e. teaching.

Rationale: all data held on a patient’s medical record is subject to the Data Protection Act (DPA) (1998).

Standard 2. Safe use of mobile devices to take patient images

• Physical device security – The device must be configured with a strong passcode (6+ characters) that needs to be entered before it will operate
• Device Connectivity – Any network to which you connect your device must support WPA2/PSK authentication and encryption as a minimum. Data transmitted over 3G/4G/UTM mobile networks should be secured via a virtual private network (VPN).
• Bluetooth – Bluetooth should be disabled when not in use.

Standard 3. Safe transfer and storage of images captured with mobile devices

• Without care, the use of mobile devices to take, store and transfer images can lead to breaches of patient confidentiality and of the Data Protection Act (1998) (DPA).
• Issues of device ownership and connectivity are crucial for secure storage and transfer or images. It is important to understand these before using a mobile phone to capture clinical images.
• Data being transferred between healthcare professionals that is identifiable should not be vulnerable to interception or redirection but should be protected in line with the Data Protection Act (1998) (DPA)
• Images captured and stored on a mobile device are potentially insecure if there is inadequate protection or excess connectivity. This has implications for images containing patient-identifiable data (PID).