Medical kiosks raise security flags
As the Cleveland Clinic adds its prestigious name to the hospital groups that have embraced next-generation medical kiosks – groups that include Metro Health, Miami Children's Hospital, Kaiser Permanente, Central Ohio Primary Care and Nationwide Children's Hospital – healthcare IT executives are wrestling with the powerful pros and cons of such a move.
[See also: Ohio hospital launches kiosk pilot.]
These kiosks have compartments that software can open to release various medical instruments (blood pressure cuff, thermometer, stethoscope, scale, pulse oximeter, otoscope, dermascope, etc.), which a nurse can help the patient use. The kiosk transmits the data to a cloud controlled by a kiosk vendor (in the case of the Cleveland Clinic, it's a vendor called HealthSpot) and then establishes a live video stream with a physician for a consultation. The kiosks can also accept payment card transactions.
The advantages of such systems are extensive, allowing far more patients to be seen. The kiosks can be placed in malls, houses of worship, schools, community centers and other locations that can be far more convenient for patients, especially in rural areas. The video streaming also offers the potential for efficiency improvements, where a doctor can hop onto the network whenever he/she has a free 10-15 minutes and see a patient.
"A doctor can jump on the laptop and get on the network if needed," said Christopher Soska, the Cleveland Clinic's chief of operations for community hospitals and family health centers. "The convenience for the patients is the biggest factor. Remember that the true value of these units is not within a medical office building. It's being out in the market in retail, in community centers, in churches. These patients may not have the means to get to our care providers."
[See also: Telehealth gives Miami docs global reach.]
That convenience, though, comes with inevitable IT security and privacy risks. How well are those highly-sensitive video streams protected? What about that payment card information? Is that highly profitable data going to attract cyber thieves? All of that data being gathered is being sent to the vendor's cloud. How secure is that cloud? Will cloud neighbors present a threat?
What are the privacy and marketing issues?
HealthSpot CEO Steve Cashman, for example, said his company has yet to decide how they will use – and potentially make money from – that information. That means that the hundreds of patients who have already given information to these kiosks did so with no guarantees how the data would ultimately be used. Patients are presented with a terms and conditions page, but HealthSpot refused to share its wording, saying the phrasing was proprietary. Yet the terms and conditions page is open to anyone who goes to a mall and walks into one of the kiosks.
How could that ultra-sensitive medical data be used?
"We understand the long-term value of that data," Cashman said. "If we're successful in building this out, we in theory could have the largest amount of data in the entire healthcare (community). We ultimately have to decide who that data is valuable to."
Among the privacy issues is how patients regard the kiosks. When patients see the Cleveland Clinic name, for example, they might apply the trust they have for Cleveland Clinic brand to the kiosk. And if anything were to happen to the data – regardless of whether it's the fault of Cleveland Clinic – the patient is likely to blame the trusted brand that made them comfortable using the kiosk initially.
Cleveland's Soska avoided discussing data use limitations and security issues, saying some of those details might have been covered in the group's contract with the vendor. It raises the question of how much patients themselves know the limits – and the exposures – before they use the kiosks.
Kathy Jobes is the chief information security officer at the 125-year-old 12-hospital $5.6 billion Sentara Healthcare enterprise. Jobes said that her organization is not, at the moment, exploring such advanced healthcare kiosks, but she'd have plenty of security concerns if it were.
These kiosks "are very exciting and they look very sexy, but it all comes with a price," Jobes said. "If it's not carefully thought through, there could be a negative ending for the organization. I can definitely see where it's very exciting, but I would have a lot of questions."
For example, she said, the streaming video part could be problematic, from a security perspective. "Streaming video is (security) difficult. It presents a lot of challenges," Jobes said. "It's not just the encryption issues, but the authentication is challenging at best for streaming video."
The authentication risk, Jobes said, is to prevent an identity thief from impersonating a prior user of the kiosk. With different medical personnel looking at the video, there is likely to be no one who would recognize that patient by sight. Not only could such a thief potentially learn intimate medical details about the patient – as the physician reveals details accessed in the patient's file – but it could also be used to steal prescriptions.
Another concern that Jobes had about such data-hungry kiosks is how the data would be destroyed when the relationship ended. Would an agreement allow for some data-retention in case patients access the kiosk through a different hospital group? Is the vendor allowed to use data in aggregate and to be able to sell it? Are there restrictions on whether the data can be placed on mobile devices or thumb drives, if an executive wanted to work on material at home or while on the road? Also, with relentless backups or backups in multiple locations, is it even possible to guarantee that every last bit of data will be destroyed, even if a contract requires that? If it's in the cloud, for example, who knows how many automated backups of that server are being executed?
"I absolutely would require upfront the foundational agreement that very explicitly set forth the scope of how the data could be used and how the data would be destroyed," Jobes said.
The cost of the HealthSpot kiosks to the hospital is about a $15,000 implementation fee, a multiyear support/maintenance agreement for about $1,000/month and a portion of the appointment fee (often around $12 goes to the vendor), Cashman said. "If somebody is not insured and they just want to pay, we do offer a $59 cash pay option," he said, adding that they are preparing to accept PayPal soon.
Cleveland's Soska said these kind of next-generation kiosks have strong potential to get more patients seen more quickly and more efficiently. But it's not for all ailments. "This is not for emergent care. Chest pains still need to go to the emergency room," Soska said.