Follow-Up: How Secure Is Cloud-based Image Sharing?

Interest in cloud image sharing has swelled in recent months. The topic has appeared on national conference agendas, and a growing number of vendors now offer clients the ability to transfer images anywhere worldwide. But the rising popularity of sending images via the Internet doesn’t mean everyone in the radiology industry is comfortable with the idea.

In an informal, nonscientific January Diagnostic Imaging poll, 70 percent of respondents reported they are concerned about the security of cloud image sharing. According to many vendors, this type of image sharing prompts two main worries: Will images viewed through the cloud be of high enough quality to render a diagnosis, and will a cloud sharing system protect the large number of patient images effectively?

Many industry leaders and vendors said existing privacy protocols are more than enough to keep patient images safe.

But not every cloud image sharing vendor creates an entirely new privacy and safety protocol. For example, eHealth Global Technologies relies on measures that exist within health information exchanges (HIEs) to keep the images in its eHealth Connect® Diagnostic Image Exchange safe.

“Health information exchanges already have security and consent controls set up,” said Ken Rosenfeld, eHealth Global’s CEO. “Rather than asking clients to spend the time and money to put new protocols in place and reinvent security measures, we work within the framework they already have.”

The system’s biggest security feature, however, is that radiologists aren’t allowed to download images into their PACS. Instead, eHealth Connect maintains client images in its data center and allows registered providers to access high-resolution patient records through their view screens. Doing so prevents images from appearing on unsecure devices, such as smartphones or laptop computers, Rosenfeld said.

Cloud image sharing systems don’t need HIEs to keep images secure, though. A mixture of passwords, personal accounts, and individual identification numbers can also maintain image privacy, said Phil Jackson, chief executive officer of secureRAD, a vendor that offers secureSHARE, a cloud image sharing solution that offers access to both providers and patients.

Through its own PACS, secureCLOUD, the company houses all patient images for its clients. The data is categorized by institution, and it is encrypted behind a firewall, Jackson said. Patients who want access to their images create an online account within the secureSHARE system and select their imaging center. The center is notified of the patient’s request and, after verifying the patient’s identity, they make the scans available with a unique serial number attached to it.

“Even though we have several security protocols in place, there is a certain onus on the imaging centers for verifying identities for access to their system,” Jackson said. “It’s also important that all of these transfers occur behind https protection.”

A separate set of safety protocols exists for providers. Each doctor also has an individual log-in and password. While referring physicians can share images and Web notes with another provider, they can’t share the data beyond that point. The measure ensures physicians operate within acceptable use, he said.

You don’t have to rely solely on vendor-supplied privacy protocols to keep your images safe in the cloud. There are a few steps you can take on your own, said Cristine Kao, global marketing manager for healthcare IT at Carestream. First, establish a virtual private network than encrypts patient images, preventing outside parties from accessing the files. Usernames and passwords that are unique to each client also help maintain a closed system. It’s also important to audit your system frequently so you know how and by whom images are accessed.

Many practices are also trending toward hiring an additional staff member to their information technology department, she said. Adding a chief privacy officer to your IT team will ensure any technology you adopt follows HIPAA regulations.

Most importantly, she said, tailor your security protocols to your specific office needs. Work with your vendor to identify the safety and access measures that best fit your practice. She added, “There’s no one-size-fits-all security and privacy answer.”