Data protection and security are essential – the General Data Protection Regulation (GDPR) has made sure of that. However, new research has revealed that unsecured, ‘consumer’ messaging tools are still used by healthcare providers and, further, that sufficient action is not being taken to discourage their use. We assess the findings and consider alternatives for use in the general practice setting.
The use of ‘consumer’ messaging services by medical professionals for work-related purposes has been heavily criticised – with the issue of security raised. NHS trusts have made clear that the technology, as well as the security standards of these platforms are not fit-for-healthcare.
Yet, a series of Freedom of Information requests have revealed that a substantial number of acute hospitals in England are not taking the necessary steps to prevent their use. The research undertaken by CommonTime, which analysed responses from 136 of England’s 151 acute trusts, also shows that nearly six in 10 trusts (58%) said that they don’t have a policy in place to discourage the use of such platforms and that the majority of trusts (56%) don’t provide staff with an alternative messaging app. Seventeen trusts said that they had banned instant messaging completely.
The 2018 report Instant Messaging in the NHS, however, showed that 43% of NHS staff are reliant on instant messaging at work, with many professionals believing patient care will suffer without access to technology. The report follows calls in July this year by health secretary Matt Hancock for greater use of apps for patient care.
A problem shared…
What we all love about messaging platforms – such as WhatsApp and Facebook Messenger – is that they are instant: instant responses to instant messages, which is essential in the fast-paced practice environment. They also enhance communication by providing a central hub where information and knowledge can be shared with practitioners who might not be onsite, which can be essential where a GP, for example, requires some additional – perhaps specialist – insight on a particular patient case.
One example is the forum Doctors.net.uk and the app they developed called the ‘Emergency Room’. “A facility for members to ask questions that require a very quick response. Usually answered in a few minutes, this feature allows potentially life-saving information to be quickly passed into the right hands,” Dr Tim Ringrose, CEO of Doctors.net, explains.
Designed with care in mind
As Instant Messaging in the NHS highlighted, 43% of NHS staff are reliant on instant messaging at work, so why then are so many left to resort to unsecured messaging tools? “It’s ridiculous that we’re resorting to WhatsApp and other insecure apps rather than NHS-compliant forms of communication just to try and do our job properly,” says Dr Lucinda Scharff, who is part of the team behind Forward – an app designed by doctors, for doctors.
Forward was developed out of a need for technology designed specifically for the health sector: technology which enables efficient, time-effective communication, Dr Scharff says. Apps like this incorporate familiar functions such as messaging and picture/file sharing, an accessible staff directory and access to patient profiles and updates. The benefit, Dr Scharff says, is that you are not carrying around numerous bits of paper, but you are still communicating and sharing the necessary information efficiently.
Where there’s a need, there’s a secure way
While the research refers to the acute hospital setting, GP practices also need to be aware of the breaches of data laws and patient privacy the use of these applications can incur. In the busy practice environment communication is essential and the need for clinical staff to communicate – sometimes about a specific patient – does arise.
The use of consumer messaging platforms to share patient data has never been permissible according to NHS regulations. From a GDPR perspective – a prism that so many practice processes now need to be considered through – the level of restriction is increased and comes with high fines as well as reputational damage for practices that are not compliant.
“Doctors and staff need to communicate and connect efficiently, so simply prohibiting the use of consumer messengers like WhatsApp is not a solution. Practices should be aware that they should offer a compliant messenger, to solve the problem and work within the confines of GDPR,” Dr Joost Bruggeman and Arvind Rao, of Siilo, advise.
A white paper published earlier this year, Legal perspective on practising medical professionals using mobile messaging under UK law, investigates the legal implications relating to the use of unsecured messaging platforms within the UK healthcare sector.
In it, the authors highlight that mobile messaging services used by medical professionals must adhere to additional security and privacy standards, and note that patient data can be shared between medical professionals using a mobile messaging device. However, the onus is on the individual to ensure that the principles stipulated in the GMC’s confidentiality standards – Confidentiality: Good practice in handling patient information – January 2017, in effect from April 25, 2017 – are followed, and that one of the permitted purposes for the disclosure and sharing of information that takes priority over patient confidentiality applies.
A medical messaging service, the white paper says, is ‘…nothing more than a new application of a well-established, non-contentious custom and practice’ and, further, that ‘Codes of practice and guidance on the confidentiality of medical professionals to their patients clearly stipulate that the duty to share patient information can be as important as the duty to protect patient confidentiality, especially in connection with the provision of safe, complete and effective patient care.’
The way we communicate is changing; however, it is important to ensure that how information is exchanged is compliant – that it not only takes into account a patient’s health outcomes but, in a world where compliance is critical, that their data is secure and protected.
How can GP practices ensure they are protecting patient data? Helene Viatge, business development and project manager at Cupris, shares some key points:
Using platforms such as WhatsApp to share patient-identifiable information is insecure and does not comply with the patient data protection laws for a number of reasons:
- data is not stored on UK-based, N3 approved servers;
- data is not encrypted on the user’s ‘phone;
- there is no PIN/login required to open WhatsApp – anyone with access to the ‘phone can access your WhatsApp data.
By default, all media shared on WhatsApp is saved to your native phone gallery, mixing patient images with a user’s personal photos. Family and friends could inadvertently access confidential patient information if sharing is enabled (a common situation). Even if you switch off WhatsApp backup of photos on your ‘phone, you have no way of knowing whether the person you’re sharing data with has done the same. This data could be accessed by unauthorised third parties or backed up to unauthorised cloud services.
However, lots of new secure communication platforms provide secure ways to communicate with doctors and with patients. Not only should the data be encrypted on the user’s ‘phone, and on the server, using origin tracking technology, but the user should have a secure, specific username/password or PIN to log in to the communication platform; this way, anyone who takes the ‘phone is prevented from accessing patient data.
Mimicking banking security protocols, a user should have to re-enter their PIN if the app isn’t used for a set period of time or after they leave the app. Patient data should NOT be stored on the ‘phone’s native gallery or any public area of the file storage system and notifications should be hidden to prevent someone inadvertently seeing confidential patient data appearing on a user notification.
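The banking-style controls described above (a PIN that is required on first use, again after a set period of inactivity and again whenever the user leaves the app, together with notifications that never carry patient content) are easiest to reason about as a small state machine. The following is an added illustration written for this article; it is not code from Cupris, Siilo, Forward or any product named on the page. The timeout of 120 seconds, the limit of five wrong PIN attempts and the PBKDF2 parameters are assumed values chosen for the example, and the cached message text is constructed sample data.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional

# Assumed policy values for this example; the article only says "a set period".
INACTIVITY_TIMEOUT_S = 120
MAX_FAILED_ATTEMPTS = 5
PBKDF2_ITERATIONS = 200_000


class PinStore:
    """Keeps a salted PBKDF2 hash of the PIN; the PIN itself is never stored."""

    def __init__(self, pin: str) -> None:
        self._salt = os.urandom(16)
        self._digest = self._derive(pin, self._salt)

    @staticmethod
    def _derive(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def verify(self, candidate: str) -> bool:
        # Constant-time comparison so timing does not reveal how many bytes matched.
        return hmac.compare_digest(self._derive(candidate, self._salt), self._digest)


class SessionLock:
    """Starts locked; locks on inactivity or backgrounding; wipes after repeated bad PINs."""

    def __init__(self, pin_store: PinStore, timeout_s: float = INACTIVITY_TIMEOUT_S,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._pins = pin_store
        self._timeout = timeout_s
        self._clock = clock                      # injectable so the policy is testable
        self._unlocked_until: Optional[float] = None  # None means locked
        self.failed_attempts = 0
        self.wiped = False

    def is_locked(self) -> bool:
        if self._unlocked_until is None:
            return True
        if self._clock() >= self._unlocked_until:
            self._unlocked_until = None          # inactivity window has elapsed
        return self._unlocked_until is None

    def unlock(self, pin: str) -> bool:
        if self.wiped:
            return False                         # local data is gone; re-enrolment needed
        if self._pins.verify(pin):
            self.failed_attempts = 0
            self._unlocked_until = self._clock() + self._timeout
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.wipe()
        return False

    def touch(self) -> None:
        """Call on every user interaction to extend the inactivity window."""
        if not self.is_locked():
            self._unlocked_until = self._clock() + self._timeout

    def on_background(self) -> None:
        """Lock immediately when the user leaves the app, regardless of the timer."""
        self._unlocked_until = None

    def wipe(self) -> None:
        """Clear locally cached patient data; here we only flag it and lock."""
        self.wiped = True
        self._unlocked_until = None


def read_patient_message(lock: SessionLock, message_id: str, cache: Dict[str, str]) -> str:
    """Every read of cached patient data goes through the lock."""
    if lock.is_locked():
        raise PermissionError("session locked: PIN required")
    lock.touch()
    return cache[message_id]


def notification_text(message: Dict[str, str]) -> str:
    """Lock-screen notifications carry no patient content, whatever the message holds."""
    return "You have a new secure message"


class FakeClock:
    """Deterministic clock so the timeout behaviour can be exercised without sleeping."""

    def __init__(self) -> None:
        self.now = 1000.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    lock = SessionLock(PinStore("4821"), timeout_s=120, clock=clock)
    cache = {"m1": "constructed sample: J. Doe, ECG attached"}  # constructed data
    try:
        read_patient_message(lock, "m1", cache)
    except PermissionError as err:
        print("blocked:", err)
    lock.unlock("4821")
    print(read_patient_message(lock, "m1", cache))
    clock.advance(121)
    print("locked after timeout:", lock.is_locked())
```

The design point is that the lock is checked on every access to patient data rather than only at app launch, and that backgrounding the app locks immediately rather than waiting for the timer, which is what prevents someone who picks up an unattended ‘phone from reading the last open conversation.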