It's easy to use your phone to capture patient photos, video or audio but if you're not using PicSafe...
There's patient data stored on your phone. What if you lose it?
Photos are often auto-uploaded to cloud accounts (with past breaches).
Patient data often isn't transmitted safely and can be intercepted.
When shared, patient data often isn't stored securely by recipients.
Consent is often not recorded. If there's a dispute later, this can mean trouble!
There's no record of who has accessed the data.
Once the PicSafe app captures a patient's data, the user has three main ways of sending the data.
The app fetches a key from a "Key Server" (operated by PicSafe or your organisation) and secures all data using 256-bit AES encryption. The encrypted report is attached to an email which the user then sends, the same as a "standard" email. The recipient is instructed to open the email on their phone and tap on the attached encrypted report. If the recipient is signed in to PicSafe, the app will fetch a key to decrypt the report (thereby leaving an audit trail) and display the report. See Email to Recipient integration docs.
The app transmits the report (PDF, JSON metadata and photo, video and audio files) to Dropbox or Box's servers via HTTPS. PicSafe does not encrypt reports using the Key Server when submitting to Dropbox or Box as we assume that Dropbox and Box will store all reports securely. Both Dropbox and Box allow you to remain HIPAA compliant. See Upload to Box documentation and Upload to Dropbox documentation.
The app transmits the report to an endpoint set up by an organisation (to put it in the patient's medical record). Depending on the endpoint, the report can be transmitted via HTTPS (using the same method as when sent to Box or Dropbox) or via HTTP if the report is encrypted on the device first. The report can be encrypted using a static or dynamic key (using a Key Server). For more information, please see here, here, and here.
Most people will not need to know this, but we also use CBC mode, password stretching with PBKDF2, password salting, a random IV, and encrypt-then-hash HMAC. What you do need to know is that there are no known cases of this encryption having ever been "cracked".
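An added example (not PicSafe's code) of how the primitives listed above fit together in Node.js: PBKDF2 stretches a password with a random salt into separate AES-256-CBC and HMAC-SHA256 keys, and the HMAC is verified before any decryption happens. The iteration count, the salt || IV || ciphertext || tag layout, the use of SHA-256 and all function names are assumptions.

```javascript
// Added illustration; not PicSafe's code. Iteration count, key split and
// container layout (salt || iv || ciphertext || tag) are assumptions.
const nodeCrypto = require('node:crypto');

const PBKDF2_ITERATIONS = 200000; // assumed work factor
const SALT_LEN = 16, IV_LEN = 16, TAG_LEN = 32;

// Stretch the password into 64 bytes: 32 for AES-256, 32 for HMAC-SHA256.
function deriveKeys(password, salt) {
  const km = nodeCrypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, 64, 'sha256');
  return { encKey: km.subarray(0, 32), macKey: km.subarray(32) };
}

function sealReport(password, plaintext) {
  const salt = nodeCrypto.randomBytes(SALT_LEN); // fresh salt per report
  const iv = nodeCrypto.randomBytes(IV_LEN);     // fresh random IV per report
  const { encKey, macKey } = deriveKeys(password, salt);
  const cipher = nodeCrypto.createCipheriv('aes-256-cbc', encKey, iv);
  const body = Buffer.concat([salt, iv, cipher.update(plaintext), cipher.final()]);
  // Encrypt-then-MAC: the tag covers salt, IV and ciphertext.
  const tag = nodeCrypto.createHmac('sha256', macKey).update(body).digest();
  return Buffer.concat([body, tag]);
}

function openReport(password, blob) {
  if (blob.length < SALT_LEN + IV_LEN + 16 + TAG_LEN) throw new Error('truncated');
  const body = blob.subarray(0, blob.length - TAG_LEN);
  const tag = blob.subarray(blob.length - TAG_LEN);
  const salt = body.subarray(0, SALT_LEN);
  const iv = body.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const { encKey, macKey } = deriveKeys(password, salt);
  const expected = nodeCrypto.createHmac('sha256', macKey).update(body).digest();
  // Verify in constant time BEFORE decrypting, so tampered input never
  // reaches the CBC padding check.
  if (!nodeCrypto.timingSafeEqual(tag, expected)) throw new Error('authentication failed');
  const d = nodeCrypto.createDecipheriv('aes-256-cbc', encKey, iv);
  return Buffer.concat([d.update(body.subarray(SALT_LEN + IV_LEN)), d.final()]);
}
```

Because the tag is checked first, a modified report and a wrong password fail the same way, and no unauthenticated ciphertext is ever decrypted.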
PicSafe has undertaken independent Vulnerability Assessment and Penetration Testing (VAPT). The tester is qualified as a "Certified Ethical Hacker"; is a "Certified Information Systems Security Professional"; and is certified by the "Council of Registered Ethical Security Testers".
When a doctor sends a confidential "paper" report through the post to another physician, there's an implicit understanding and ethical obligation that the recipient will not in turn act inappropriately with that data (e.g. share it on Facebook). The same applies when using PicSafe. By combining this trust with smart design and the latest technology, we've been able to create a super-easy-to-use app for securely capturing and transmitting patient photos, videos and audio. Ease-of-use is the most important security feature. If it's not easy-to-use, it won't get used. If it's not getting used then either the patient isn't getting the best treatment, or the patient data isn't secure.
Despite HIPAA not applying outside of America, many still view it as the standard in legislation protecting patient privacy. HIPAA stands for the "Health Insurance Portability and Accountability Act of 1996". It's a US federal mandate that requires the protection and confidential handling of "protected health information" (PHI). PicSafe can help your organisation comply with its HIPAA obligations. Please review HIPAA to ensure your practices comply.
There are no official certifications for HIPAA compliance. Nonetheless, PicSafe has been built using technology, structures and processes that will make it easier for organisations to comply. PicSafe never has access to patient data given it never passes through PicSafe's servers. Combining this with the technical safeguards (listed in the section below) means you and your organisation can assure the confidentiality, integrity, and availability of PHI.