Read the Fine Print

Recently I was talking to a friend who, knowing that my company is in the clinical photography business shared with me that she was interested in getting breast implants and, in the course of researching potential plastic surgeons was asked to upload photographs of herself to his website for evaluation. She asked me if I thought this was a good idea. I responded by asking her to pull up the website where she would be uploading the photos.

To my complete astonishment, the website – for a pretty well know surgeon – was using nothing more than a basic WordPress file upload manager to provide patients with the ability to upload their sensitive, protected health information. Even more appalling, directly underneath the File Upload button was the following disclaimer:

“Communications through our website or via email are not encrypted and are not necessarily secure. Use of the internet or email is for your convenience only, and by using them, you assume the risk of unauthorized use. Emailing and messaging do not create a physician/patient relationship and cannot replace in person communication/examination.”

I have written here before about the importance of data security from the doctor’s point of view. And this is no exception.

Doctors, just like any other business, should be deeply concerned about and responsible for the security of the data they collect and hold. However, I want to also remind patients that they need to be thoughtful, and very careful about the information that they share – and how they share it – with doctors or anyone else, particularly online.

Remember, just because a medical practice has policies in place to comply with HIPAA regulations does no mean that their email, texts, or website – which is almost always hosted by a third party – are HIPAA compliant or secure. It is easy to forget that the path from your phone or computer to the phone, computer or website of a doctor is rarely completely secure, and is sometimes downright “out in the open” for people who want to collect that information. All you need to do is search “man in the middle attack” to get a sense of the seriousness of the problem.

And so, a message to patients and doctors and anyone else in the business of collecting, transmitting, or holding protected health information (including you, webmasters!), you don’t have to be completely up to date on all of the dirty tricks that hackers use to get your valuable data, you just need to reduce as much as possible the attack surface. Use strong passwords. Make sure that you keep your operating systems and applications up to date. Uses firewalls for your websites. Only use software from sources that you know to be trusted and make sure that all hosted data is encrypted.

About The Author
: Freddy is the CEO of Epitomyze Inc., a team of healthcare and medical imaging experts devoted to revolutionizing the role of clinical photography in medicine. Our premier service is Epitomyze Cloud™, a state-of-the-art cloud-based, digital-asset storage and management solution for image data. The service can be accessed through secure credentials from any device, and can be paired with our sophisticated Epitomyze Capture™ app. Email us at or call us at (800) 774-7630

Freddy is passionate about the subject of digital imaging in medicine and the role that clinical photography can play in improving the quality of care for patients. Follow him on Twitter: @epitomyze.

Leave a Comment