The HIPAA regulations establish national standards on all healthcare systems, including digital medical imaging transactions. They outline a comprehensive risk analysis assisting in investigations of possible security breaches 1 . Such regulations are particularly important to medical imaging because picture archiving and communication systems (PACS), which handle the storage and distribution of medical images, provide easier access to a vast number of confidential records.
The global healthcare system
As PACS become more sophisticated, safeguarding this data has become even more challenging. Access and diagnosis methods require a strong security measures to safeguard patient privacy. We should therefore bring all of the separate medical entities into one global healthcare system to enable the proper flow of information while maintaining strict security policies to prevent unauthorised access 2 . These entities can range from a single medical device (such as a CT scanner) to an entire medical establishment (eg, a hospital).
Among these entities, PACS (which represent a network of image acquisition devices, display devices, storage devices, and imaging servers), plays a vital role in efforts to improve patient healthcare by providing radiologists and physicians with timely access to radiology exams and results.
"A security threat to PACS may introduce many unforeseen security risks to the remaining network components"
A security threat to PACS may introduce many unforeseen security risks to the remaining network components. In particular, the confidentiality of patient data could be jeopardised. Images sent to doctors' homes after hours must be sent over encrypted communication links. HIPAA specifies encryption requirements in the technical safeguards rules.
The regulations also address the integrity of the data through a requirement for audit trails (also part of the technical safeguards), so that changes can be tracked. Typically, audit trails track any modification of the radiology workstations and archive. Availability is also addressed through a requirement for emergency access procedures. This can be as simple as an internal emergency access number for physicians, enabling them to gain access to any clinical information on the institution's workstations 3 .