DOCTORS using clinical software on their smartphones or tablet computers may be inadvertently putting patient confidentiality at risk, according to a privacy expert.
Dr Juanita Fernando (PhD), part of the mobile health research group at Monash University, told MJA InSight she had been contacted by several patients who had suffered “direct dire consequences” as a result of privacy breaches after doctors used clinical apps on their mobile devices.
She cited the case of a doctor who had updated and uploaded a patient record at home using a clinical app. This was then cached by a metasearch engine, effectively publishing the data in the public domain.
Dr Fernando said these patients had the right to litigate but so far she was not aware of any Australian cases.
She said clinicians’ intellectual property could also be at risk.
Writing in the latest MJA, Dr Fernando said there was a “legal vacuum” in guidelines governing smartphone and tablet use. (1)
“We can either regulate clinical software now or wait and let the courts decide, when legal cases occur”, she wrote.
Dr Fernando told MJA InSight that mobile clinical software could be “incredibly valuable” but there was a need for greater regulation, as well as increased awareness of potential pitfalls.
“There needs to be more advice to clinicians, for example, about what information is being sent on to third parties”, she said.
She said “root-kits” — software applications that are hidden by manufacturers to monitor program performance — posed a number of risks as they could transmit unsecured text and log keystrokes.
Dr Fernando said the solutions were often simple, such as using encryption of data on mobile devices.
Dr Mukesh Haikerwal, national clinical lead of the National E-Health Transition Authority, agreed that there were potential risks of using mobile clinical software.
He suggested that clinical apps be reviewed before use, perhaps using a method similar to that used by the Therapeutic Goods Administration to license therapeutic drugs or devices.
Dr Haikerwal coauthored an editorial in the same issue of the MJA highlighting that Australia has no governance system to ensure e-health safety in general. (2)
“There is currently a gap, stretching from local to national, in safety governance for clinical information systems”, the editorial said.
It emphasised the importance of ensuring systemic safety — even if individual components were safe — but said no organisation had either the mandate or the expertise to regulate this.
The concerns were particularly pressing given that the personally controlled e-health records rollout will begin from 1 July.
The editorial said potential harms included drug allergies being incorrectly uploaded from local clinical systems, or medication names and doses being incorrectly imported.
“Given the systemic nature of national e-health, harm events will not be confined to individuals and may affect large groups of patients … At some point, however, patient harm will occur.”
The responsibility for e-health clinical safety may need to fall under the remit of Australia’s Chief Medical Officer, or a specifically designated body, the editorial said.
Dr Haikerwal told MJA InSight that coordinating e-health safety through COAG (Council of Australian Governments) may be the preferable approach to achieve nationally consistent standards.
Dr Sara Bird, manager of medicolegal and advisory services at MDA National, said she had received a number of enquiries from members regarding the privacy, confidentiality and security of e-health data.
Dr Bird often directed concerned doctors to RACGP guidelines on computer security and information security standards. MDA National had established an internal working party on e-health because e-health enquiries from members were increasing.
“It’s reasonable for doctors to be cautious and careful about what they’re doing because the risks are significant if things do go wrong”, Dr Bird said.
However, she said she had not received any enquiries from doctors concerned about their use of mobile apps.
– Sophie McNamara
Posted 16 April 2012