July 2012

Securing Films and Files — Privacy Protection and X-Rays
By Beth W. Orenstein
Radiology Today
Vol. 13 No. 7 P. 20

Thieves disguised as employees of a recycling company recently walked into hospitals in Canada and walked out with barrels of old X-ray films. Similar thefts have been reported in Pennsylvania, Maryland, Delaware, and Massachusetts.

The enterprising thieves were likely after the silver in the old films. Like gold and copper, silver’s value has been increasing. The latest figures put it at about $28 per troy ounce (about 31 g)—up from $17 in 2010. Given the sour economy, many people are looking anywhere they can to make some money.

True, there isn’t much silver in X-rays. Even at the higher prices, 100 pounds of films would yield only about $35. It could be less if the films are newer. “As film technologies improved, manufacturers could put less and less silver in the film,” says Sharon Finney, corporate data security officer for Adventist Health System in Altamonte Springs, Florida.

While stealing X-ray film for silver is interesting, thieves have fewer sites to target as radiography becomes a digital domain. Theft of old X-ray films is only one example of radiology departments’ modern-day security concerns, whether in a hospital or a stand-alone facility.

Whether it’s written on an X-ray or its cover or included in an EHR, radiology departments must protect patient information, says Mac McMillan, chairman and CEO of CynergisTek, a healthcare security consulting firm. The pressure on imaging facilities and departments to protect patient information has been on the rise ever since HIPAA was enacted in 1996.

Add the rise of privacy regulations to rapidly changing technology and imaging departments have a lot on their plates, McMillan says. They must be concerned with both the use and destruction of images.

“We’re hearing about numerous breaches that occur while the material is on its way to the destruction facility … and so facilities are becoming more concerned about where they’re keeping their data and who is destroying it for them,” he says. “They have to make sure they have processes in place that will safeguard the material that has protected healthcare information on it throughout its life so that they don’t become the next name on the ‘Wall of Shame.’”

McMillan suspects the number of thefts of old X-ray films could be on the rise because the value of silver is so high. “I’m guessing we’re seeing more incidents because of the value of silver. I’m not sure we’re seeing a lot more, but it’s just made it that much more lucrative to folks,” he says. “And as long as there’s something of value that someone can get their hands on, someone will try to figure out a way to do it.” Fortunately for imaging facilities and covered entities, extracting silver from X-ray films isn’t easy, McMillan says. The films must be heated to extremely high temperatures, and the yield won’t be particularly high.

When facilities have X-rays they no longer need to keep, they can hire firms that will bring dumpsters to the site. Some will shred the films on site. Others will transport the films in locked bins to destruction sites so the security is high, McMillan says.

If someone wants to recover the silver from the films once they are shredded appropriately and patient information can no longer be identified, it shouldn’t be a privacy issue or other problem. “Once a shredder makes confetti out of it and that confetti can’t be put back together, it’s no longer a patient privacy concern nor is it a compliance or breach concern. It’s garbage,” McMillan says. “Then if someone wants to take it and recover the silver, no one cares.”

CynergisTek encourages hospitals to be sure they’re dealing with reputable firms and have processes in place so that their data are protected wherever they’re stored and whenever they’re transported for destruction. “We look at how their information is protected at each phase of its life,” McMillan says. “We help them make sure they have good chain of custody around those images and have good practices around the destruction itself.”

Digital Data
Radiology departments and other covered entities also must take steps to secure their digital data, McMillan says. His key advice is to avoid making hard copies if they aren’t necessary. “If you don’t print the images when you don’t need to, it eliminates a certain percentage of your risk,” he says. “The less you produce, the less you have to worry about protecting.”

Finney says Adventist Health System, like many hospitals and health systems, uses a data security strategy for its digital images: segmenting its radiology data and allowing only authorized personnel access to them. “We segment off most of our radiology systems,” she says. “They have their own segment of the network to which we can apply rigid security techniques that are unique to that segment.”

Segmenting radiology data not only reduces the risk of security breaches but also helps reduce the likelihood of critical patient information being attacked by viruses and/or spyware, Finney says. “We have 30,000 workstations on our network. Not all 30,000 need to be able to talk directly with that radiology system. This way I can control what can be communicated with that system and narrow the possibility of it being vulnerable.”

Finney also says that when radiologists can access images on their mobile devices, such as smartphones or iPads, a system should be set up so images aren’t left on the devices. “For the most part, the way most vendors design their mobile apps, they’re real-time stations and they’re encrypted. When the radiologists call up those images on their mobile devices, they can view the images, but images are not resident on the device. That means when they close the application, all that data is gone. That’s key for us.”

Finney says Adventist Health System works closely with its vendors to be sure the images are viewable only for a reasonable amount of time. The radiologists have to log in and enter a password to be able to view the images, but the images won’t stay open forever. “If [a radiologist] lays his iPad that he’s been using to view images on the kitchen table and walks away, it will close within a short time,” she says.

When a computer or other device is taken out of service in the system, its hard drives are wiped clean. “We require that before that drive leaves our system, it be run through a wiping process. It overwrites the drive seven times, which means it would be impossible for someone to be able to retrieve information—personal patient information or otherwise—off it.”

Occasionally, a mechanical failure prevents the drive from being wiped clean. “In that case, we have several different services that would pulverize the drive,” Finney says. “We maintain a chain of custody of all our devices and track serial numbers. The vendor has to give us a certificate of destruction.”

McMillan believes radiology departments and imaging facilities have become better at protecting data since HIPAA came into play. Industry studies show that about 60% of imaging facilities have adopted security detection programs. However, he says, many are still far too reactive and not proactive enough. “They have to be actively monitoring what everyone is doing, and less than 20% monitor their systems in an automated fashion,” he says.

Finney says the data security issues that imaging departments face change frequently. “There are always new and emerging threats,” she says. “For example, we’re starting to see the emergence of viruses targeted at the hardware level. Some have the capability of attacking the actual biomedical device itself, not just the control system.”

What imaging departments must do, she says, “is look at emerging potential threats to their security and change what they need to make to try and ensure those types of threats can’t be. It’s a constant game of cat and mouse.”

— Beth W. Orenstein of Northampton, Pennsylvania, is a freelance medical writer and regular contributor to Radiology Today.