Search engines now can index patient identifiers attached to images in presentations previously thought to have been sanitized of all patient information, as originally reported by the American College of Radiology (ACR) on August 20.
The ACR, along with the Radiological Society of North America (RSNA) and Society for Imaging Informatics in Medicine (SIIM), warned medical professionals to ensure all protected health information (PHI) is not present in their slide presentations or is de-identified properly.
Advances in search engine technology
As search engines get smarter, so do their capabilities.
Many search engines (like Google and Bing) use optical character recognition (OCR) to convert images of typed, electronic or handwritten text into machine-coded text. OCR digitizes text for electronic editing, use, search, and storage. This process is also used on words associated with images like x-rays, scans, or screenshots.
These types of images, often used in medical presentations, can expose PHI because search engines index the words on these images, unbeknown to the author.
Indexing images creates an online association of this information with a patient name. When this happens, it makes PHI available in search engine results.
In fact, in 2019, one of the most massive breaches of patient data was due to exposed PHI that was indexed from private, internal company webpages that Inmediata Health Group used for business operations.
Limiting PHI exposure
Healthcare professionals who share medical information via presentations available online need to take great care in how they include patient-specific information.
The ACR, SIIM, and RSNA have created a resource page that highlights best practices and recommends software designed to permanently remove PHI. It also provides additional resources to help create safe presentations.
These organizations recommend using images without PHI or disabling patient information overlays to ensure information is de-identified properly. They suggest using screenshots of the desired image and only incorporating the area of interest by cropping the image.
Professionals should not, however, crop images within the presentation creation tool itself.
When using cropping tools found within PowerPoint or Google Slides, PHI is not removed. Cropping images this way only hides the information from public view, but the PHI is still associated with the image via the code.
Additionally, adding black bars to obscure PHI will not keep it safe from search engine OCR either.
Other resources to keep PHI safe
Creating presentations and sharing de-identified PHI is necessary for the advances in medicine we see today. Because of this, healthcare providers should invest in continuous cybersecurity training for their employees and stay up-to-date on which new technologies could potentially compromise patient data. These additional precautions can help your organization keep PHI safe and stay HIPAA compliant.
Further safety measures should include a HIPAA compliant email solution, like Paubox Email Suite.
Paubox Email Suite seamlessly ensures that 100% of the emails you send are encrypted.
With our product, emails arrive directly to your patients’ inboxes. That means no more passwords or portals are required.