Risks involved in using personal mobile devices in clinic

General risks to data protection and patient confidentiality
· Most mobile devices have internet connectivity and use cloud-based backup services.
· Mobile devices are more susceptible to loss or theft, especially if used both at work and at home.
· Mobile devices are not suitable for long-term storage of patient images.
· WhatsApp and certain other instant messaging apps are said to offer secure end-to-end encryption of messages sent and received. Unfortunately, this does not guarantee a secure method of transferring PID (Patient Identifiable Data).
Standard 1 - Gaining the patient's informed consent
· Written consent should always be sought before capturing a patient image. The consent should state the use in direct care (i.e. for diagnosis/scan) and the possibility of use in indirect care (i.e. teaching).
Rationale - All data held on a patient's medical record is subject to the Data Protection Act (DPA) (1998).
Standard 2 - Safe use of mobile devices to take patient images
· Physical device security - The device must be configured with a strong passcode (6+ characters) that needs to be entered before it will operate.
· Device connectivity - Any network to which you connect your device must support WPA2/PSK authentication and encryption as a minimum. Data transmitted over 3G/4G/UMTS mobile networks should be secured via a virtual private network (VPN).
· Bluetooth - Bluetooth should be disabled when not in use.
Standard 3 - Safe transfer and storage of images captured with mobile devices
· Without care, the use of mobile devices to take, store and transfer images can lead to breaches of patient confidentiality and of the Data Protection Act (1998) (DPA).
· Issues of device ownership and connectivity are crucial for secure storage and transfer of images. It is important to understand these before using a mobile phone to capture clinical images.
· Identifiable data being transferred between healthcare professionals should not be vulnerable to interception or redirection, but should be protected in line with the Data Protection Act (1998) (DPA).
· Images captured and stored on a mobile device are potentially insecure if there is inadequate protection or excess connectivity. This has implications for images containing patient-identifiable data (PID).