Preserving Patient Privacy in a Digital Era

“Change includes opportunities for advancement, learning and, sometimes, new risks,” says Sunil Singhal, principal consultant at Synergess and an experienced digital pathology transformation specialist. Few changes are as significant for the clinical lab as a move from analog to digital service provision, especially with the advent of artificial intelligence (AI)-based technologies. But when it comes to data privacy and security, what risks does the change bring—and how can labs best protect themselves and their patients?

Standardizing for security

“In an increasingly digital world, critical aspects of protecting patient privacy are more prevalent than ever,” says Singhal. “Standards, policies, procedures and well-trained people are all required to prevent patient privacy breaches in digital and computational pathology.”

He emphasizes that organizations should have their security requirements and personnel training in place before beginning to capture and store digital images. “This is not a scenario in which a group should start digitizing and then think of patient privacy concerns; rather, they should build as safe an environment as possible from the outset.”

To create as foolproof a system as possible, Singhal recommends early and frequent collaboration between labs and technology professionals. Not only are IT departments familiar with privacy and security issues, but they may also have access to funding or other resources labs may not be able to obtain on their own. This also allows them to raise any potential concerns before they are realized—for instance, when choosing software or devices or when implementing new AI solutions.

There is ample literature on patient privacy and data safety for digital pathology.¹ AI-based tools are at a much earlier stage of development; best practices are emerging among users,² but the regulatory environment still lags behind the technology in most instances.³ For situations in which legal and compliance frameworks are lacking, Singhal recommends learning from other fields such as radiology or emergency mental health services in which patient privacy is equally important—but, at the same time, working toward standardized approaches to privacy concerns such as deidentification or message exchange security.

Who is responsible?

Singhal’s answer is simple: “Everyone with access to protected health information (PHI) is responsible for maintaining its safety and privacy. This includes scheduling, patient interactions, specimen handling, grossing, histology, digitization, pathology review, report generation, report sharing, collaborations, research or education review, vendor support, data sharing, and much more.”

Although the same people trained to protect PHI in a fully glass-oriented laboratory today will be required to protect it post-digitization, the list of those involved in data safety must expand to include vendors providing digital and computational tools, IT professionals supporting those tools, locations housing patient information, and anyone involved in specific functions such as data transfer for remote consultations.

Nonetheless, Singhal sees security advantages to a digitized lab ecosystem. “I once chased down a pathologist who was driving out of the hospital parking lot with glass slides on the roof of their car!” he says. “This is preventable in a digital era. Audit trails, instant monitoring and oversight, and even tools to protect particularly sensitive information that couldn’t exist in an analog world can provide assistance to physicians, operational leaders, and others. In fact, companies have built specific protections to isolate and secure data from extremely sensitive patients—for instance, victims of abuse—that were not possible in an analog workflow.”

Evolving risk, evolving response

“I believe that, once a slide is digital, it must be rigorously protected,” says Singhal. “This extends to any additional aspect of digital pathology, including AI-based tools, whole slide image (WSI) sharing, research, teaching, and more.” Although slides and images are often discussed colloquially, it’s important to recognize that the need for security extends to reports, annotations, and even the files’ associated metadata. New tools may create additional data that requires protection, a concern Singhal takes seriously. “The boards responsible for the use of PHI must critically evaluate any increase in the risk to data safety,” he says. “In the US, for example, institutional review boards and data security committees must be involved if a proposal includes the possibility of sharing patient data intentionally or unintentionally.”

For individual laboratorians dealing with digital privacy issues, training is paramount. This includes not only general patient privacy and data safety requirements, but also awareness of security risks such as phishing and social engineering and understanding of physical security measures such as restricted access to devices. Many of these needs are taken into consideration when training lab staff on other PHI-inclusive digital systems such as laboratory information management software (LIMS), but aren’t always emphasized when onboarding new digital pathology and AI solutions.

For managers and administrators, Singhal’s focus is on leadership and investment. “This is a serious topic and leaders who take a serious stance on cybersecurity will be best equipped to protect their patients and staff,” he says. “Data security takes time, money, and resources. These investments are a critical part of doing business in a digital age. This is not new, but must be maintained and constantly improved upon.”

The future is here

“We are currently living in the lab of the future,” Singhal says. “Although each lab is at a different level of readiness specific to WSIs, almost all modern labs now have a digital presence. We must continue to devote the same level of rigor and discipline to lab information protections as we do to the other digital aspects of patient records. We must take precautions both onsite and in the cloud. We must take the security of patient data as seriously as we take the security of our passwords, bank accounts, and other sensitive personal information.”

As vital as these privacy protections are, they must be carefully constructed to ensure that they don’t stifle innovation that could improve patients’ overall healthcare outcomes or experiences. AI can support labs in automating workflows, prioritizing tasks, detecting potential errors, reducing turnaround times, and even obtaining and and interpreting results.⁴ With demand for clinical lab services on the rise and further increases forecast, these functions may be essential to the continued provision of high-quality care⁵—so novel solutions and patient privacy must go hand in hand.

“We need to remain vigilant to protect patient data, but we should also continue to be innovative toward advancing that protection in ways we couldn’t prior to today’s digital world,” says Singhal. “It seems that, when it comes to patient privacy and security, we are just getting started.”

References:

1. 1. Cucoranu IC et al. Privacy and security of patient data in the pathology laboratory. J Pathol Inform. 2013;4:4. doi:10.4103/2153-3539.108542.

1. 1. Yadav N et al. Data privacy in healthcare: in the era of artificial intelligence. Indian Dermatol Online J. 2023;14(6):788–792. doi:10.4103/idoj.idoj_543_23.

1. 1. Murdoch B. Privacy and artificial intelligence: challenges for protecting health information in a new era. BMC Med Ethics. 2021;22(1):122. doi:10.1186/s12910-021-00687-3.

1. 1. Haymond S, McCudden C. Rise of the machines: artificial intelligence and the clinical laboratory. J Appl Lab Med. 2021;6(6):1640–1654. doi:10.1093/jalm/jfab075.

1. 1. Al Naam YA et al. The impact of total automaton on the clinical laboratory workforce: a case study. J Healthc Leadersh. 2022;14:55–62. doi:10.2147/JHL.S362614.