The rise of mobile devices as a means for patients to share personal health information with their providers has generated an explosion in the amount of digital media — specifically images and video — that are being sent and managed via…(ahem)…let’s just say slightly less than HIPAA compliant means. If you are a health care provider or health care administrator that has received an unencrypted email or text from a patient with photos or videos attached, you know what I am talking about, and you are not alone.
The financial and reputational liabilities associated with this widespread, risky behavior are significant, and increasingly well-known. And they are still sadly ignored by medical professionals, particularly those in the aesthetics community who are among the highest value targets for would be attackers seeking to exploit the value of visible media in medicine. If the idea of having your patient photos hacked and posted online for the world to see doesn’t worry you, it should. Yet although the use of images as an attack vector by malicious actors is hardly new, the ease with which patients can take and send images and video of themselves (or others!) to a medical provider, and the growing number of files being sent make this issue more relevant now than ever before.
JPEG images are the most common digital image format in use today. But did you know that the suspicious “.exe” and “.dmg” files often attached to emails are not the only types of email attacks you are vulnerable to? Did you know, for example, that JPEGs, whether sent by email, text or uploaded to your website, can also contain malicious software code that, when downloaded and saved to your computer, can infect it and your network? This is important to remember when you next open an email, text or uploaded image sent from someone you think is an existing patient or a potential patient sending photos for the purposes of a virtual consultation.
For a slightly older, but still very accurate and relevant explanation of the techniques used to pack images with unpleasant surprises, read Lincoln Spector’s article for PC World found at https://bit.ly/2zRVTxR.
So, what can you do to protect yourself?
Keep your antivirus software and all other applications that you use up-to-date to monitor files on your network.
Make sure that you are able to see the file extensions of the images you want to view before you open them. In particular, you can right click (not double click!) on suspicion images and select Properties (Windows) or Get Info (Mac) to look for any use of double extensions, such as “posterior.jpg.exe” on the File Type (Windows) or File “Kind” (Mac).
You can read more about how to look for malicious applications disguised as images (and other document types) at https://apple.co/2OMB5NV, as well as in the PC World article mentioned above.
And — if you are truly serious about protecting your patients’ visual media files — unless you are using an email or web hosting service that ensures that all patient images and video sent to you are encrypted at rest and in transit, consider partnering with a company that can provide that capability for you.
About the Author
Freddy is the CEO of Epitomyze Inc., a team of healthcare and medical imaging experts devoted to revolutionizing the role of clinical photography in medicine. Epitomyze’s premier service is Epitomyze Cloud™, a state-of-the-art, and secure, cloud-based digital-asset storage and management solution for images and data. The service can be accessed through secure credentials from any device, and can be paired with its sophisticated Epitomyze Capture™ app.
Freddy is passionate about the subject of digital imaging in medicine and the role that clinical photography can play in improving the quality of care for patients. Follow him on Twitter: @epitomyze.