The paperless radiology department concept has been around for decades, unlike the paperless radiology department reality, which doesn't exist yet. And while cultural reticence, unequal access to technology, and inadequate legal and service infrastructures have all helped postpone the inevitable, new data security laws in the U.S. will soon force the search for practical solutions.
In a presentation at the November RSNA meeting in Chicago, Claudio Saccavini of the University of Padova in Padova, Italy, described the results of a two-year work-in-progress study on the use of digital signatures on radiology reports. Saccavini and his colleagues are operating under a medical report structure that recent changes to the Health Insurance Portability and Accountability Act (HIPAA) privacy rules may cause to be implemented in the U.S.
In order to achieve a digital report archive that conforms to Italian law, the autograph signature at the foot of a paper report must be replaced with a digital signature. Digital signatures are based on asymmetric, or public key, cryptography. In addition to a key pair and some type of electronic communications protocol, the digital signing and verification processes involve the use of both a hash algorithm and a signature algorithm. Hash and signature algorithms are extremely complex mathematical equations.
To digitally sign a document, the hash algorithm is performed on the original electronic message’s binary code, resulting in what is referred to as a message digest -- a 160-bit string of digits that is unique to the original message. The signature algorithm is then performed on this message digest. The resultant string of digits is the digital signature. The signer’s private key is incorporated into the signature algorithm during the signing process, and the public key is incorporated into the signature algorithm during the verification process.
In Italy, regulations define the digital document, the legal aspects of the digital signature, and the technical rules to sign the digital document, such as the asymmetric key couple (the private key and the public key), the document hash, the use of smart cards, and the certification body. Saccavini and his group have modified their report system to allow a digital signature by radiologists that is based on a Rivest-Shamir-Adleman (RSA) encryption algorithm with an asymmetric key couple.
The system workflow allows radiologists to visualize the text of a report, make changes if necessary, and then sign the report by using a smart card encoded with the doctor’s private key. The text and the signature are then encrypted by the public key and digitally stored.
The researchers performed their own tests of system security levels to access control and electronic data transmission. Their investigations showed the smart cards to be an effective defense in maintaining the integrity of the doctor’s private keys. The smart card requires the doctor to authenticate to the card itself, and thus never exposes the doctor’s private key to the network and possible malicious interception. The group did report some frustration in choosing a specific smart card technology due to a lack of standards in this industry.
Saccavini said the use of digital signatures has been a two-step process in his facility. The first step was in a mixed environment of both paper and digital reports. The group found that once radiologists and physicians embraced the use of smart cards, digital signatures and electronic report distribution, the system was both secure and effective.
The second step for the radiology department at the University of Padova is to completely phase out paper reports. Saccavini noted that this process had just begun at the time of his presentation, but that he was encouraged by the initial feedback to the new system. In particular, the department was especially impressed with ease of storage and retrieval of reports on an optical-disk archive.
The two-year study has shown Saccavini and his colleagues that digital signatures are a keystone technology to the integration of PACS in their facility. The group found that the ability to associate images with reports has allowed the group to produce and distribute multimedia reports. Saccavini looks forward to a time "when RIS and PACS will be no more considered as two different and separated systems, but will be a logically and legally integrated one."
By Jonathan S. Batchelor
AuntMinnie.com staff writer
January 10, 2001
Related Reading
Encryption is key to medical data security, September 19, 2000
Creativity, hard work produce PACS-free productivity gains, June 7, 2000
Click here to post your comments about this story in our PACS Digital Community. Please include the headline of the article in your message.
Copyright © 2001 AuntMinnie.com
