Video calls from lay bystanders to dispatch centers - risk assessment of information security
© Bolle et al; licensee BioMed Central Ltd. 2011
Received: 3 February 2011
Accepted: 30 September 2011
Published: 30 September 2011
Video calls from mobile phones can improve communication during medical emergencies. Lay bystanders can be instructed and supervised by health professionals at Emergency Medical Communication Centers. Before implementation of video mobile calls in emergencies, issues of information security should be addressed.
Information security was assessed for risk, based on the information security standard ISO/IEC 27005:2008. A multi-professional team used structured brainstorming to find threats to the information security aspects confidentiality, quality, integrity, and availability.
Twenty security threats of different risk levels were identified and analyzed. Solutions were proposed to reduce the risk level.
Given proper implementation, we found no risks to information security that would advocate against the use of video calls between lay bystanders and Emergency Medical Communication Centers. The identified threats should be used as input to formal requirements when planning and implementing video calls from mobile phones for these call centers.
Cardiac arrest, accidents and traumas are leading causes of death worldwide [1–3]. First rescue activities performed by lay bystanders, such as calling for help, opening of airways, and cardio-pulmonary resuscitation, save lives. Emergency Medical Communication Centers (EMCCs) assist bystanders via telephone, saving time and improving care [4, 5]. EMCC operators (dispatchers) often have to act on limited information, as the description given by bystanders can be lacking or misleading [4, 6, 7].
Videoconference enabled mobile phones can be sophisticated tools for dispatcher assisted resuscitation [7, 8], and videoconferencing can improve the confidence of lay rescuers . Videoconferencing used in communication between bystanders and EMCCs would enable dispatchers to see the patient and the scene of accident, and may better instruct bystanders on correct action [7, 10, 11]. The Federal Communications Commission (FCC) in the USA announced in November 2010 that America's 9-1-1 system should be revolutionized by harnessing the life-saving potential of text, photo, and video in emergencies . Although a majority of the emergency calls come from mobile phones , call centers currently lack the technical capability to use the full potential of these new technologies.
In healthcare, information security and safety are vital parts of the trust between the public and the care providers. In most countries this is regulated through laws and professional standards. Possible undesired effects should be identified before the implementation of video calls in EMCCs. In this study, the security challenges of using mobile telephones for videoconferencing between lay rescuers and EMCCs were analyzed through a qualitative risk assessment of the information security aspects.
Risk assessment group, workflow and time frame
Risk assessment was performed by a group, led by a risk assessment expert (EH). Group participants were chosen from our own institution, based on competencies and background, such that different areas of expertise were covered. One anesthetist nurse, one anesthesiologist, one lawyer, and two computer scientists took part in this group, which started its work in 2006. After one iteration of risk assessment including three group meetings, we found that a better understanding of the intended service was needed, and agreed to postpone further iterations until the completion of a research project [7, 9, 14]. We expanded our group with a dispatcher nurse who had used videoconferencing in scenarios of simulated cardiac arrest, and the risk assessment was completed through another two iterations with email discussions and eight group meetings during 2009 and 2010.
Definitions of consequence, likelihood and risk level
For the hospital or the service: No violation of law; or negligible economic loss which can be restored; or small reduction of reputation in the short run.
For the patient: A minor impact on health; or negligible economic loss which can be restored; or small reduction of reputation in the short run.
For the hospital or the service: Offence, less serious violation of law which results in a warning or a reprimand; or economic loss which can be restored; or reduction of reputation that may influence trust and respect.
For the patient: A minor temporary impact on health; or economic loss which can be restored; or small reduction of reputation caused by revealing of less serious information (e.g. blood pressure level).
For the hospital or the service: Violation of law which results in penalty or fine; or a large economic loss which cannot be restored; or serious loss of reputation that will influence trust and respect for a long time.
For the patient: Death or permanent reduction of health; or a large economic loss which cannot be restored; or serious loss of reputation caused by revealing of sensitive and offending information.
Rare, occurs less than every 100th connection. Detailed knowledge about the system is needed; or special equipment is needed; or it can only be performed deliberately.
May happen, occurs between every 10th and every100th connection. Normal knowledge about the system is sufficient; or normally available equipment can be used; or it can be performed deliberately.
Quite often, occurs between every 3rd and every10th connection. Can be done with minor knowledge about the system; or without any additional equipment being used; or it can be performed by wrong or careless usage.
Very often, occurs more often than every 3rd connection. Can be done without any knowledge about the system; or without any additional equipment being used; or it can be performed by wrong or careless usage.
Acceptable risk. The service can be used with the identified threats, but the threats must be observed to discover changes that could raise the risk level.
Can for this service be an acceptable risk, but for each threat the development of the risk should be monitored to consider whether necessary measures have to be implemented.
Not acceptable risk. Cannot start using the service before risk reducing treatment has been implemented.
Threats to information security with consequences for the organization or patients were identified. We considered threats related to legislation and regulations, economic consequences, reputation, life, and health.
Identification of threats was performed as a structured brainstorming in the risk assessment group. All ideas for possible risks were noted and no risks were censored or rejected at this point. During risk assessment we focused on confidentiality (c), quality (q), integrity (i), and availability (a) of information, terms defined by Norwegian legislation as the aspects of information security [15, 16]. Every threat was described and given a unique identifier where the first character was used to indicate the type of security aspect (c, q, i, a).
Each threat was analysed by the team for the consequence and the likelihood that it would occur, according to definitions (Table 1). Risk assessment was done for the new service relative to the existing service with audio only communication. This means that risks in the existing service were excluded, unless the new service would change the risk level.
The identified threats were placed in a two dimensional matrix according to their consequence and likelihood. Each threat was evaluated, and possible actions to reduce the risks were suggested. The process was continued until we reached group consensus.
Description of threats
Threats to quality
Sound quality with mobile phone videoconferencing is usually worse than regular calls between mobile phones. Reasons include poor bandwidth and mobile phones usually in loudspeaker mode during video calls, often with disturbing background noise. This may result in misunderstandings, lost information and delays.
Poor image quality is a common problem with video calls from mobile phones. Although likely to improve with improved technology, camera shake, poor light and weather conditions will influence on the image quality. Some image quality problems are due to current methods for video compression.
The caller may believe that the image is a sufficient description, therefore not describing the situation appropriately, which leads to misinterpretations.
The dispatcher may believe the image describes the situation sufficiently, and therefore do not ask for important information, which leads to misinterpretations.
When there are several patients in the same accident or emergency, it is possible to mix-up images from one patient to what is said about another patient. The image may clarify or complicate matters when much information needs to be sorted out.
Threats to availability
It usually takes more time to establish a phone call with video. Today this is usually a matter of a few seconds, time which may be saved in successful guidance trough video communication. The caller may however be negatively affected by delays during initiation of contact with the EMCC, which in turn may affect how the case is handled.
The capacity of mobile phone networks is often reached during larger accidents. Videoconferencing demands more bandwidth than audio communication, which may be a problem when many people are calling at the same time. In some mobile networks video calls use a reserved bandwidth, not interfering with the bandwidth used for audio calls. Depending on traffic and network configuration, it can be easier or more difficult to make a call go through when using video calls.
a3, a4, a5
EMCCs commonly have audio logs of all communication with the public for playback. If the connection with the caller is lost and cannot be reestablished, audio playback may provide essential information to solve the emergency. Audio logs can also be useful for debriefing, or when questions later arise if the EMCC should have handled a case differently. If, for some reason, the log is not available, it may negatively affect patients in cases where connection is lost (threat a3). It may negatively influence the organization if logs are not available for documentation (threat a4) or debriefing (threat a5). There are several causes for these threats to occur, either that video is not recorded by default implementation, that playback of videorecordings is difficult, or that such recordings are corrupted or destroyed.
Mobiles used for videoconferencing is kept out from the body and has greater exposure to weather conditions such as rain and cold temperatures. This may cause equipment failure and loss of connection.
Technical difficulties because of less stable connection during mobile videoconferencing can delay or disrupt the exchange of information.
Videoconferencing drain more battery on mobile phones than does audio communication. Use of video may therefore cause more lost connections. With empty batteries, communication can not be reestablished.
In some situations the dispatcher may want to forward the call to another dispatcher either within the same EMCC or in a different EMCC. If this is not possible during video calls, the dispatcher may shut down the call and establish an audio call instead. This comes with a risk of wasting time.
Threats to confidentiality
Telephone communication can be wiretapped. While it takes more advanced technology and skills to wiretap a live videoconference over a mobile network, the public interest in images from emergencies suggest increased willingness to invest in such technology.
Stored images are likely to be of greater interest and may contain more sensitive patient information than audio logs. Stored video and images may therefore increase attempts of unauthorized access.
If visitors are allowed into the EMCC, or the images on computer screens can be observed by people outside the EMCC, this may reveal patient sensitive information. This threat is dependent on local conditions such as placement of computer screens and access restrictions to the EMCC.
Threats to integrity
No threats to data integrity were identified.
With two-way videoconferencing the caller may identify the dispatcher. Dispatchers have been concerned that the loss of identity protection makes them more vulnerable to insults .
The EMCC is a demanding work environment, and the introduction of videoconferencing may distract or increase demands on dispatchers. In the worst case, this may cause inefficiency or delays.
The caller may focus on filming rather than helping the patient. The dispatcher may ask for images, and disturb or interrupt the treatment the caller otherwise would have initiated. Similar concerns were also raised when resuscitation instructions first was provided by telephone .
Different options for risk treatment were suggested. Several threats can be handled by proper implementation: the lack of availability of video logs (a3, a4, a5), the inability to forward video calls (a9), and unauthorized access to patient information (c2, c3). The loss of dispatchers' identity protection (m1) can be avoided with one-way videoconferencing, or by transmitting computer generated images of a dispatcher (an avatar) .
Some threats will be influenced by the intellectual capacity of dispatchers. Training of dispatchers may reduce the risk level of those threats, such as poor image quality (q2), misunderstandings due to interpretation of images or several patients in the same emergency (q3, q4, q5), and the images receiving too much attention from dispatchers or bystanders (m2, m3). For some dispatchers and in some situations the image may be helpful, while at times images can be an extra burden. EMCCs commonly use criteria based protocols for advice during emergencies [19–21]. Such protocols should be adapted for video based dispatch [7, 14], which may contribute to reduction of the risk level for these threats.
The risk level of the remaining threats will be largely influenced by factors external to EMCCs, such as the sound quality (q1), time delays when establishing videoconferencing (a1), the capacity and security of the telecommunication networks (a2, a7, c1), weather conditions (a6), and the quality and capacity of callers' mobile phones (a7, a8). The risk level of these threats are likely to decrease with time, as technology and solutions mature. If users experience problems with sound quality or other technical problems during a video call, a switch to audio call may solve the problem, but with a loss of time.
This risk assessment identified twenty threats to information security for the use of mobile video calls between EMCCs and the public. None of these have a severe risk level (i.e., a combination of high consequence and likelihood). We have suggested ways to decrease or eliminate the risks, by proper implementation, organization, and staff training. Potential delays and poor sound quality were the greatest technical risks of mobile video calls. These threats are likely to decrease as technology improves.
Based on this risk assessment, we believe it is possible to implement videoconferencing from the public as a service in EMCCs with acceptable risks. However, some critical success factors of information systems in the organization will only be discovered during the implementation process . A change in work environment may impose unacceptable loads on human cognitive abilities and potentially lead to errors, especially in a transition phase when new routines are being adopted . When introducing a new service in the high stress environment of EMCCs, the process should therefore be closely monitored for unwanted incidents, even if unacceptable risks have not been identified at earlier stages. Risk assessment should be repeated at regular intervals to ensure that changes in environment, organization, or system do not introduce new unacceptable threats and that known threats do not increase in likelihood or consequence resulting in unacceptable risk levels for the system.
Risk assessment is a method for identification and evaluation of possible factors that may affect different aspects of change processes and their outcome, such as impact on services, organization, customers and users. Even the most thorough risk assessment process can miss out on some unforeseen consequences. ISO/IEC 27005:2008 outlines procedures for risk assessment, but several of the steps can be addressed by using different approaches. We used qualitative assessments by a multi-professional team. The composition of the team is important to cover different threats, but is no guarantee that all possible threats are found. Qualitative studies rarely give hard facts, but they can provide information and insight, and guide further research [24, 25]. Our approach was prospective and addressed a future system at a high level, and has similarities with the Structured What-If Technique (SWIFT), which is a systematic team-oriented technique for hazard identification suitable for considering systems where human and organizational factors predominate [26, 27]. Other methods for risk identification such as Hazard and Operability study (HAZOP), Failure Modes and Effects Analysis (FMEA), and Fault Tree Analysis (FTA) focus on process flow or hardware, and may be better suited for assessment of equipment details . When risk assessments are carried out before new systems are implemented, sometimes even before they are constructed, it is not possible to do accurate measurements. Risk assessment as a scientific method therefore needs to be carried out in a systematic and critical fashion so that each issue can be discussed and debated openly. There is always a risk of bias in such discussions, resulting in overly positive or overly negative analysis. Our risk assessment was based on previous research in the field [7, 9, 14, 28], and a part of systematic development of knowledge.
The result of risk assessments provides information for risk treatment (Figure 1), which involves decisions on how to reduce risk in an organization. The threats identified in this risk assessment should be used as input to formal requirements when planning and implementing video calls for EMCCs. The benefit of doing risk assessment before system implementation is that information security can be incorporated from the beginning.
For all health care service there are several risks involved - for the patients, for health care workers, for the organization, and for the service itself. Our risk assessment has only focused on the purpose of a communication system, namely information exchange and storage. Risks related to different types of patient conditions should be identified through clinical studies.
A threat may have different outcomes, from common incidents with no practical implications, to (very rarely) a chain of events with disastrous results. Poor sound quality, for instance, may be acceptable in many situations, but can in other cases cause misunderstandings that lead to worse patient treatment and possible patient death. For a new service there are no measurements of unwanted events, therefore assessments of associated consequence and likelihood become approximations. We found this led to a worst-case type of thinking that may have overestimated the risk level of some threats. Further studies are therefore needed to map type of errors and problems that may arise when videoconferencing is used during real emergencies.
Video based communication with lay bystanders during prehospital emergencies may potentially improve the quality of prehospital patient care. In previous studies of simulated cardiac arrest, we have found that video calls are likely to improve confidence and reduce communication problems during prehospital medical emergencies [7, 9]. In this risk assessment, we used qualitative methods to find potential threats to information security of using such video calls. This study has revealed several issues that should be considered carefully in requirement specifications for such systems. We did not identify potential threats with unacceptable high risk levels, which indicates that it is possible to implement the reception of video calls from the public in dispatch centers. The time is ripe to initiate a discussion on how emergency call centers should implement the new possibilites given by the mobile multi-media devices carried by a large portion of the population.
SRB is an anesthesiologist (MD, PhD) with a background in computer science. PH is a computer scientist. EH is an expert on risk assessment with a background in computer science.
Acknowledgements and Funding
The authors acknowledge Oddvar Hagen, Mona Hagensen, Leif Erik Nohr and Dr Jeremiah Scholl for their participation in the risk assessment group.
The study was supported by grants from The Northern Norway Regional Health Authority through the Committee for Telemedicine Research Programme. Role of the funding body: None.
- World Health Organization: Global health risks. 2009, [http://www.who.int/healthinfo/global_burden_disease/global_health_risks/en/index.html]Google Scholar
- Murray CJ, Lopez AD: Mortality by cause for eight regions of the world: Global Burden of Disease Study. Lancet. 1997, 349 (9061): 1269-1276. 10.1016/S0140-6736(96)07493-4.View ArticlePubMedGoogle Scholar
- Krug EG, Sharma GK, Lozano R: The global burden of injuries. Am J Public Health. 2000, 90 (4): 523-526. 10.2105/AJPH.90.4.523.View ArticlePubMedPubMed CentralGoogle Scholar
- Tjora A: Calls for Care Coordination, compentence, and computers in medical emergency call centres. 2009, VDM Verlag Dr. MüllerGoogle Scholar
- Heward A, Damiani M, Hartley-Sharpe C: Does the use of the Advanced Medical Priority Dispatch System affect cardiac arrest detection?. Emerg Med J. 2004, 21: 115-118. 10.1136/emj.2003.006940.View ArticlePubMedPubMed CentralGoogle Scholar
- Forslund K, Kihlgren A, Kihlgren M: Operators' experiences of emergency calls. J Telemed Telecare. 2004, 10 (5): 290-297. 10.1258/1357633042026323.View ArticlePubMedGoogle Scholar
- Johnsen E, Bolle SR: To see or not to see - Better dispatcher-assisted CPR with video-calls? A qualitative study based on simulated trials. Resuscitation. 2008, 78 (3): 320-326. 10.1016/j.resuscitation.2008.04.024.View ArticlePubMedGoogle Scholar
- Morley P: Video instruction for dispatch-assisted cardiopulmonary resuscitation: two steps forward and one step back!. Crit Care Med. 2009, 37 (2): 753-754. 10.1097/CCM.0b013e318194d2e1.View ArticlePubMedGoogle Scholar
- Bolle SR, Johnsen E, Gilbert M: Video calls for dispatcher-assisted cardiopulmonary resuscitation can improve the confidence of lay rescuers-surveys after simulated cardiac arrest. J Telemed Telecare. 2011, 17 (2): 88-92. 10.1258/jtt.2010.100605.View ArticlePubMedGoogle Scholar
- Yang CW, Wang HC, Chiang WC, Chang WT, Yen ZS, Chen SY, Ko PCI, Ma MHM, Chen SC, Chang SC, Lin FY: Impact of adding video communication to dispatch instructions on the quality of rescue breathing in simulated cardiac arrests-a randomized controlled study. Resuscitation. 2008, 78 (3): 327-332. 10.1016/j.resuscitation.2008.03.232.View ArticlePubMedGoogle Scholar
- Yang CW, Wang HC, Chiang WC, Hsu CW, Chang WT, Yen ZS, Ko PCI, Ma MHM, Chen SC, Chang SC: Interactive video instruction improves the quality of dispatcher-assisted chest compression-only cardiopulmonary resuscitation in simulated cardiac arrests. Crit Care Med. 2009, 37 (2): 490-495. 10.1097/CCM.0b013e31819573a5.View ArticlePubMedGoogle Scholar
- Federal Communications Commission: Chairman Genachowski Announces Steps to Bring 9-1-1 into 21st Century. [http://www.fcc.gov/headlines2010.html]
- International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC): ISO/IEC 27005:2008, Information Technology - Security Techniques - Information Security Risk Management. 2008, [1st edition 2008-06-15.]Google Scholar
- Bolle SR, Scholl J, Gilbert M: Can video mobile phones improve CPR quality when used for dispatcher assistance during simulated cardiac arrest?. Acta Anaesthesiol Scand. 2009, 53: 116-120. 10.1111/j.1399-6576.2008.01779.x.View ArticlePubMedPubMed CentralGoogle Scholar
- Norwegian Act of 14 April 2000 no. 31 relating to the processing of personal data [Personal Data Act]. [http://www.ub.uio.no/ujur/ulovdata/lov-20000414-031-eng.pdf]
- Norwegian Act of 18 May 2001 no 24 on personal health data filing systems and the processing of personal health data [Personal Health Data Filing System Act]. [http://www.ub.uio.no/ujur/ulovdata/lov-20010518-024-eng.pdf]
- European Parliament and Council of the European Union: Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. 1995, [http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML]Google Scholar
- Kang S, Watt J, Ala S: Social copresence in anonymous social interactions using a mobile video telephone. Proceeding of the twenty-sixth annual SIGCHI conference on Human factors in computing systems, ACM. 2008, 1535-1544.View ArticleGoogle Scholar
- Cheung S, Deakin CD, Hsu R, Petley GW, Clewlow F: A prospective manikin-based observational study of telephone-directed cardiopulmonary resuscitation. Resuscitation. 2007, 72 (3): 425-435. 10.1016/j.resuscitation.2006.07.025.View ArticlePubMedGoogle Scholar
- Roppolo LP, Pepe PE, Cimon N, Gay M, Patterson B, Yancey A, Clawson JJ, Council of Standards Pre-Arrival Instruction Committee NAoEDwg: Modified cardiopulmonary resuscitation (CPR) instruction protocols for emergency medical dispatchers: rationale and recommendations. Resuscitation. 2005, 65 (2): 203-210. 10.1016/j.resuscitation.2004.11.025.View ArticlePubMedGoogle Scholar
- The Laerdal Foundation for Acute Medicine: Norsk indeks for medisinsk nødhjelp. Den norske lægeforening. 1999, Stavanger, 2Google Scholar
- Berg M: Implementing information systems in health care organizations: myths and challenges. Int J Med Inform. 2001, 64 (2-3): 143-156. 10.1016/S1386-5056(01)00200-3.View ArticlePubMedGoogle Scholar
- Parker J, Coiera E: Improving clinical communication: a view from psychology. J Am Med Inform Assoc. 2000, 7 (5): 453-461. 10.1136/jamia.2000.0070453.View ArticlePubMedPubMed CentralGoogle Scholar
- Malterud K: Qualitative research: standards, challenges, and guidelines. Lancet. 2001, 358 (9280): 483-488. 10.1016/S0140-6736(01)05627-6.View ArticlePubMedGoogle Scholar
- Malterud K: The art and science of clinical knowledge: evidence beyond measures and numbers. Lancet. 2001, 358 (9279): 397-400. 10.1016/S0140-6736(01)05548-9.View ArticlePubMedGoogle Scholar
- Aven T: Risk analysis: assessing uncertainties beyond expected values and probabilities, chap Risk analysis methods. 2008, Wiley, 57-84.View ArticleGoogle Scholar
- Smith A, Boult M, Woods I, Johnson S: Promoting patient safety through prospective risk identification: example from peri-operative care. Qual Saf Health Care. 2010, 19: 69-73. 10.1136/qshc.2008.028050.View ArticlePubMedGoogle Scholar
- Tränkler U, Hagen O, Horsch A: Video quality of 3G videophones for telephone cardiopulmonary resuscitation. J Telemed Telecare. 2008, 14 (7): 396-400. 10.1258/jtt.2008.007017.View ArticlePubMedGoogle Scholar
- Eisenberg MS, Hallstrom AP, Carter WB, Cummins RO, Bergner L, Pierce J: Emergency CPR instruction via telephone. Am J Public Health. 1985, 75: 47-50. 10.2105/AJPH.75.1.47.View ArticlePubMedPubMed CentralGoogle Scholar
- The pre-publication history for this paper can be accessed here:http://www.biomedcentral.com/1472-6963/11/244/prepub
This article is published under license to BioMed Central Ltd. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.