niivue / niivue-vscode

NiiVue extension for vscode + standalone web app
https://niivue.github.io/niivue-vscode/
MIT License
24 stars 7 forks source link

Concerns about Patient Privacy and Image Access #56

Open aranca2504 opened 6 months ago

aranca2504 commented 6 months ago

Yo! I'm using the image viewer and I'm impressed by its performance. Congratulations on creating such an excellent viewer! Given that we handle sensitive patient data, I'd be grateful if you could answer these questions:

  1. Does the extension access/store the images it reads locally on the user's machine?
  2. If the extension does access the images, are there any measures in place to protect patient privacy and data security?
  3. Are there any logging or tracking functionalities?

Thank you very much in advance! Arnau

korbinian90 commented 6 months ago

These are important questions, thanks for asking!

  1. The extension runs locally and accesses the images from the user's machine only for displaying. Everything stays local.
  2. There are no specific measures in place to protect patient privacy. However, due to the model of only displaying data, I think there is not much concern.
  3. There is no tracking and there is only very little logging about hardware events, not related to the data. Everything is developed open source, here, in this repository.

I think it's best if I explain how the extension works and what the extension does with data in more detail: The extension is a javascript bundle that is once downloaded when installed into vscode. After that point, it is a complete offline extension and doesn't use any cache, storage or network connectivity. The extension runs inside a sandbox environment and vscode is handling the file access. The locally running extension receives the file and displays it.

This extension has a second mode, where it can run as a webpage: niivue.github.io/niivue-vscode/ For that case the data handling is identical. When the page is opened, a javascript bundle with the app is loaded. Then, the app does all the processing offline by itself. Data access is via the file handler of the browser. No storing or sending of any data. The webpage is a progressive web app, and can be used offline after installing (this is currently only supported by google chrome)

Logging: The extension does no logging at all, but the underlying base niivue library does a tiny amount of hardware logging. This is written as javascript log: image I don't think vscode does store it, but I'm not sure about that.

If anything is unclear, or you think could be improved, please don't hesitate to tell me ;)

Maybe it would be good to add a Data Privacy explanation with the most important points to the Extension Manual.

All cudos for performance and the base capabilities of the viewer library go to Chris Rorden and his team working on the Niivue base.

aranca2504 commented 6 months ago

Thanks for answering! Everything clear now. And absolutely, adding a Data Privacy section to the manual is a great idea. Thanks again!