PACS installation raises security issues for Australian health system

Patient privacy and medical information security concerns are not confined to North America. Security concerns play a role in PACS installations elsewhere in the world.

Last year, the Central Sydney Area Health Service (CSAHS) in Australia began the implementation of an enterprise PACS. The Sydney hospital system wanted a PACS for same reasons as digital customers everywhere: to provide an efficient method of distributing medical images to end users where and when they were needed.

CSAHS also was aware that security measures surrounding medical information are key to successful migration to digital imaging. Digital data require a high level of protection from a broad range of threats to ensure that data integrity and patient privacy and confidentiality are monitored, while not compromising efficient end user access.

"Effective management of any electronic personal health information is vital if the provision of service to the organization's clients is to be sustained at a consistently high level," said Kay Cook of the Information Systems Division at CSAHS.

To ensure security, CSAHS mandated end user training to provide users with an understanding of the PACS.

"Upon completion of the training session, the user must sign a security policy document before receiving a user name and password," she said.

The system is also configured to require users to change passwords every 90 days, and repeat passwords are not allowed. In addition, the system is audited regularly, she said.

Features of the CSAHS PACS security system include:

?Audit logs list each log-in, all queries, all patient data user accesses, and date, time, and images viewed.
?Audit trails follow individual patients (any VIPs, for instance) and anyone who has accessed their images.
?The PACS administrator randomly audits users and forwards them a copy of the audit.
?The system times out a session if idle 10 minutes.

"Although these security measures are not selling points, the benefit to the user from PACS has enabled the measures to be introduced without rancor," Cook said.

This is because clinicians have realized the benefits of individual user names and passwords, she said. Individual user names enable clinicians to set up shortcuts designed for their individual needs.

"For instance, selecting a particular icon may provide all current ICU patients," Cook said.

Also, individual log-in enables use of the conferencing tool, which gives clinicians the ability to view an exam while participating in online, real-time consultation with physicians located elsewhere in the enterprise.