Risks involved in using personal mobile devices in clinic

General risks to data protection and patient confidentiality

· Most mobile devices have internet connectivity and use cloud-based backup services, which can copy images off the device automatically.

· Mobile devices are more susceptible to loss or theft, especially if used both at work and at home.

· Mobile devices are not suitable for long-term storage of patient images.

· WhatsApp and certain other instant messaging apps are said to offer secure end-to-end encryption of messages sent and received. Unfortunately, this is not a guaranteed secure method of transferring PID (Patient Identifiable Data).


Standard 1 - Gaining the patient's informed consent

· Written consent should always be sought before capturing a patient image, stating its use in direct care (i.e. for diagnosis or scanning) and the possibility of its use in indirect care (i.e. teaching).

Rationale - All data held in a patient's medical record is subject to the Data Protection Act (DPA) (1998).


Standard 2 - Safe use of mobile devices to take patient images

· Physical device security - The device must be configured with a strong passcode (6+ characters) that has to be entered before it will operate.

· Device connectivity - Any network to which you connect your device must support WPA2/PSK authentication and encryption as a minimum. Data transmitted over 3G/4G/UMTS mobile networks should be secured via a virtual private network (VPN).

· Bluetooth - Bluetooth should be disabled when not in use.


Standard 3 - Safe transfer and storage of images captured with mobile devices

· Used carelessly, mobile devices that take, store and transfer images can lead to breaches of patient confidentiality and of the Data Protection Act (1998) (DPA).

· Issues of device ownership and connectivity are crucial for the secure storage and transfer of images. It is important to understand these before using a mobile phone to capture clinical images.

· Identifiable data transferred between healthcare professionals must not be vulnerable to interception or redirection, and should be protected in line with the Data Protection Act (1998) (DPA).

· Images captured and stored on a mobile device are potentially insecure if the device has inadequate protection or excessive connectivity. This has implications for images containing patient-identifiable data (PID).