Clinical data security has become a vital issue in the wake of the April 2003 HIPAA mandate. This requires healthcare entities to provide privacy and security assurance of data managed by PACS along with other clinical information.
"Currently, however, there is no substantial systematic method developed by healthcare institutions or the imaging industry to comply with HIPAA rules," said Dr. Zheng Zhou of the Image Processing & Informatics Laboratory of the radiology department at the University of Southern California.
Zhou exhibited a solution in the infoRAD arena at the RSNA meeting: a HIPAA-compliant security monitoring system (SMS).
Zhou proposed a dedicated PACS security server that acts as an image authority to check and certify the image origin and integrity upon request by a user. It also acts as a secure DICOM gateway to outside connections and a PACS operation monitor for HIPAA-supporting information.
"As a first step, we have developed a stand-alone tool kit to track every PACS image data transaction," Zhou said.
The compliance tool can be linked to the PACS server and handles security-related data through several actions:
• tracking data accessed by PACS, including date and time the data were accessed, access types, and access status
• recording PACS user log information
• managing image security information such as digital image signature
"All tracked and logged information is stored in the security server database," Zhou said. "SMS becomes a secure gateway for PACS to distribute images and related data to outside applications."
SMS monitors security server data with tailored requirements from both LAN and wireless network clients. It was developed and tested in USC's PACS Simulator.
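The following Python example is added here and is not code from the USC tool kit. It shows a security server that stores an integrity tag per image, certifies a copy on request, and logs every transaction with date and time, user, access type, and access status. The class name, table layout, status strings, and the use of HMAC-SHA256 in place of the unspecified digital image signature are all assumptions.

```python
import hashlib
import hmac
import sqlite3
from datetime import datetime, timezone

SERVER_KEY = b"constructed-demo-key"  # assumption: constructed key, demo only

def sign_image(pixel_data: bytes) -> str:
    # HMAC-SHA256 stands in for the image signature (algorithm is an assumption).
    return hmac.new(SERVER_KEY, pixel_data, hashlib.sha256).hexdigest()

class SecurityServer:  # hypothetical name
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE image_sig (image_uid TEXT PRIMARY KEY, tag TEXT)")
        self.db.execute("CREATE TABLE access_log (ts TEXT, user_id TEXT,"
                        " image_uid TEXT, access_type TEXT, status TEXT)")

    def _log(self, user_id, image_uid, access_type, status):
        ts = datetime.now(timezone.utc).isoformat()  # date and time of access
        self.db.execute("INSERT INTO access_log VALUES (?,?,?,?,?)",
                        (ts, user_id, image_uid, access_type, status))

    def register(self, user_id, image_uid, pixel_data):
        self.db.execute("INSERT INTO image_sig VALUES (?,?)",
                        (image_uid, sign_image(pixel_data)))
        self._log(user_id, image_uid, "STORE", "OK")

    def certify(self, user_id, image_uid, pixel_data):
        row = self.db.execute("SELECT tag FROM image_sig WHERE image_uid=?",
                              (image_uid,)).fetchone()
        if row is None:
            status = "UNKNOWN_IMAGE"
        else:
            ok = hmac.compare_digest(row[0], sign_image(pixel_data))
            status = "OK" if ok else "INTEGRITY_FAIL"
        self._log(user_id, image_uid, "VERIFY", status)  # failures are logged too
        return status == "OK"

def demo():
    srv = SecurityServer()
    image = b"\x00\x01constructed pixel bytes"  # constructed sample, not real DICOM
    srv.register("modality-1", "1.2.3.4", image)
    results = [srv.certify("dr_a", "1.2.3.4", image),            # untouched copy
               srv.certify("dr_a", "1.2.3.4", image + b"\xff"),  # altered copy
               srv.certify("dr_b", "9.9.9.9", image)]            # never registered
    log = srv.db.execute("SELECT user_id, access_type, status"
                         " FROM access_log ORDER BY rowid").fetchall()
    return results, log
```

A keyed MAC only proves integrity to holders of the server key; certifying origin to outside parties would need an asymmetric signature.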