Digital data management systems are gradually replacing traditional means of moving and viewing medical images and reports. Numerous projects have demonstrated that information technology can transfer various types of patient information to and from hospital departments, neighboring institutions, and offsite personnel. The feasibility of such systems is now generally accepted, and attention is turning to the integrity of e-healthcare. Is the confidence of software providers, system users, and patients in electronically transmitted information justified?

A team from Georgetown University Medical Center in Washington, DC, had this question in mind when they set up a teleradiology facility. The group had been asked to develop a system for radiology residents to send images to their senior colleagues offsite when they needed a second opinion after hours or on weekend. The group also hoped that the system would be used in-house, enabling clinicians and radiologists to access images from different workstations within the hospital.

The group performed a thorough risk assessment as an integral part of the project planning. They formed a nine-person working group, including an information assurance specialist, radiologists, engineers, an administrator, and technologists (radiographers), who identified the proposed system's critical assets, possible threats to those assets, potential areas of vulnerability, and the consequences of any security breaches. The working party then proposed a series of countermeasures to reduce the identified risks.

"Instead of focusing entirely on the technical management of data security, information assurance refers to a broad range of organizational practices and conditions that help sustain data security," said Dr. Jeff Collmann, an associate professor of radiology at Georgetown.

A pilot phase ran concurrently with the risk assessment planning, during which a five-member user group submitted comments to a specially designed Web site. This feedback helped engineers eliminate system bugs, improve the user interface, and determine minimum hardware and software requirements, bandwidth, and system functionality.

The comprehensive planning phase was critical to the implementation of a secure and effective clinical teleradiology service, said Adil Alaoui, chief engineer at the Imaging Science and Information Systems Center at Georgetown. Group discussion confirmed the need for a number of countermeasures to tackle a range of potential security breaches, rather than a "one-size-fits-all" approach.

The internal hospital network was secured by a firewall and virtual private network server, with all VPN connections protected by a public-key infrastructure. Radiologists were provided with a universal serial bus authentication token and password to access the hospital network from outside. User feedback also convinced hospital officials to purchase laptops for radiologists' home use, on which engineers installed only essential software for the teleradiology application and virus protection. Digital subscriber lines to enable fast Internet access and rapid communication were also provided.

Enrollment in the teleradiology program was restricted to a select group of doctors with existing rights of access to information about patients admitted to the Georgetown hospital. Prospective participants received full training on the computer system, attended a patient data security and confidentiality session, and signed a "teleradiology protection statement" covering all aspects of data assurance.

"We have data confidentiality, integrity, and availability. All three assets are critical. Data assurance invites us to think about the information, the technology, and the people," Collmann said.

PREEMPTIVE PLANNING

Quality of service occupied a similarly high place on the agenda of doctors planning a telemedicine service in the Tyrol region of Austria. Radiology resources in the mountain region are divided among various institutions, and not all hospitals can offer a specialist level of care. When Tyrolean government officials decided to initiate a pilot teleradiology program to make better use of radiological expertise, project planners evaluated each aspect of the proposed trial in accordance with a recognized quality assurance standard.

Requirements specified in ISO 9001:2000 were helpful in ensuring a minimum quality assurance for patients, said Dr. Peter Soegner, a radiologist at University Hospital Innsbruck. Planners assigned management responsibilities for every part of the proposed service, which was designed to provide rapid, remote consultation by Innsbruck radiologists on emergency CT scans. Doctors at nearby Reutte Hospital were instructed to telephone radiologists at Innsbruck to clarify details of CT procedures for acutely injured or seriously ill patients. The examination would be performed at Reutte, but the reporting radiologist in Innsbruck would choose the protocols. Medical notes and images would be transferred electronically to Innsbruck for prompt reporting.

QA evaluation continued after the program began, Soegner said. Four specific points in the process were recorded: total number of examinations, time of day the examination was performed, time from initial request to report delivery, and nature of procedure. A total of 560 patients' CT images were transmitted from Reutte to Innsbruck between January 2001 and December 2002. Of these, 524 cases were exchanged with no problems; minor problems were identified in 24 cases; and major problems occurred in 12.

"The time between receiving the initial request and delivery of the final report was less than one hour in 83% of cases. So we reached our aim in a very high percentage of cases, but there is room to make it better in the future," Soegner said. "Everyone can say 'We have the best quality,' but we want to improve it."

ISO 9001:2000 certification is a good guarantee of all-round quality and is particularly important when promoting teleradiology as a professional service, he said.

"The ISO 9001:2000 model is an effective tool for continuous QA of the workflow process. Certified quality requires more than looking for a technical solution," Soegner said.

INTERNAL SAFEGUARDS

Dr. David Gobuty, director of systems security and chief security officer at Kodak, shares the view that e-health is more than a series of technical solutions. In a CARS 2003 session focusing on QA and system standards, Gobuty reported that an international committee of industry representatives is taking a more holistic approach to security and privacy enforcement in the increasingly digital world of medical imaging.

The organizations that have joined to tackle this topic, representing U.S., European, and Japanese interests, respectively, are the National Electrical Manufacturers' Association (NEMA), the European Coordination Committee of the Radiological and Electromedical Industry (COCIR), and the Japanese Industries Association of Radiological Systems (JIRA)

The joint NEMA/COCIR/JIRA security and privacy committee (SPC) is charged with examining all systems, devices, components, and accessories related to medical imaging informatics that access, contain, and/or process patient information. Committee members must devise ways of ensuring that these devices maintain certain basic security rules (see table). This may require a technical solution, an alteration to a workflow procedure, or a combination of the two, said Gobuty, vice chair of the SPC.

"We look at a one-way street going toward patient privacy that might have two lanes in it," he said. "We know that procedures can be less complex and maybe more cost-effective, but technology can also offer an effective solution and may have cost benefits as well. So it's a balancing act whether or not you should automate or use procedures."

The SPC is currently examining remote maintenance and servicing of hospital IT systems, whereby vendors log on to hospital networks externally to solve reported problems or conduct regular checkups. Such agreements can be beneficial to both parties, said Dr. Wolfgang Leetz, SPC chair and a representative of Siemens Medical Solutions. Service engineers can deal with technical glitches from their own desks or ask advice from specialist colleagues working in the same building.

"Previously, you called a company on their hotline, they dispatched a technician who came to your hospital, repaired the system, and then went back to company headquarters," Leetz said. "This way there is a quicker response, and system uptime is higher because there is no travel involved."

But remote logins from numerous service personnel, perhaps working for different vendors, raise the likelihood of unauthorized access to confidential information and hacker attacks. The SPC has developed a solution intended to tighten security at little cost to institutions: using the Internet to conduct these service transactions. This process, described in a white paper prepared by the SPC, recommends that hospitals use an IP Security (IPSec) protocol when exchanging data with remote service centers rather than multiple modems. This protocol relies on use of cryptographic certificates to ensure private communication.

The committee's recommendation has been tagged "Solution A," in recognition that the one-size-fits-all approach is not necessarily best for security issues. Development of an alternative solution is under way, and a second white paper is due for release at the end of the year.

MEETING STANDARDS

Despite the comprehensive efforts of the SPC and groups like it, responsibility for e-health privacy and security ultimately lies with healthcare providers. Guidelines, recommendations, rules, and standards are meaningless if they are not or cannot be implemented.

Michael Kroll, a researcher in the department of medical computer science at the University of Applied Sciences in Dortmund, Germany, is part of a team that has engineered a local solution allowing CT and MR scanners to support an extension to the DICOM security standard. The new extension provides for digital signatures to be added to all DICOM objects, including images, waveforms, and structured reports. But despite efforts by vendors, existing modalities remain unable to sign images onsite, Kroll said.

He described a home-grown solution that supports the extended security standard and could be supplied for under $1000. A "black box" DICOM signer would be installed between the modality and a DICOM server or workstation. Hardware for this signer would need to have at least two local area network ports, the first to receive images and to sign them with a previously stored private key, and the second to send the signed images safely to their destination.

Researchers opted for an embedded computer system with sufficient power to perform the cryptographic algorithms specified by the DICOM standard. They selected Java-based software to implement the solution, due to its widespread compatibility with operating systems and hardware platforms. The finished device measured just 200 x 150 mm and would fit easily in any CT or MRI unit, Kroll said.

"Until new modalities supporting the new standard for signing DICOM objects like images become available, a solution is needed to support digital signatures for modalities that are currently in use," he said.