Facebook Messenger, WhatsApp, iMessage use at UK NHS adds new security concerns
A majority of U.K. National Health Service trusts have no official policies to discourage the use of consumer messaging apps such as WhatsApp and Facebook Messenger among clinicians and staff, according to a new CommonTime report.
The study found that despite the clear privacy risks posed by those apps, many trusts also don't provide more secure alternatives for staff to use.
This is just the latest negative report on security for NHS. Earlier this year, every one of the 200 trusts across the UK flunked a government-led cyber assessment. And just this month, a new report found NHS lost or misplaced almost 10,000 patient records in 2017 and handwritten notes are still common across 94 percent of trusts.
And, of course, more than a dozen trusts in England and Scotland were crippled in May 2017 by the massive WannaCry ransomware attack.
While NHS has taken steps to bolster its cybersecurity position, like taking on an upgrade of its legacy Microsoft computers to Windows 10, more government funding is needed.
The UK's new Health and Social Care Secretary, Matt Hancock, announced in July that the government would spend $540 million to upgrade NHS hospital IT infrastructure, with another $98 million to help those trusts that are still paper-based make the move to electronic health records.
But on a more basic level, the recent report shows too many hospitals are still behind on simple enforcements that could bring major improvements in patient privacy. CommonTime researchers found nearly 58 percent of the 136 trusts had no policy in place to restrict use of consumer messaging platforms.
CommonTime, which used the UK's Freedom of Information Act to view various hospitals' policies, showed a similar majority of trusts (56 percent) didn't equip staff with approved alternatives to consumer messaging applications.
A handful of trusts even said tools like WhatsApp and iMessage were officially sanctioned at their hospitals, which highlights the difficulties in tracking how patient data is transmitted across those apps. And there are greater challenges in attempting to integrate those apps securely within the network.
And Europe's newly enacted General Data Protection Regulation adds even more security concerns for the trusts.
As David Juby, head of IT and security at CommonTime, pointed out, GDPR compliance "requires that a health service data controller must consider if they are able to provide a copy of data if requested by a patient and that they are able to erase personal data when requested."
IM still valuable for care quality, efficiency
On the other hand, the study showed 17 trusts had banned instant messaging apps wholesale.
That may help head off a big security concern, but it could also have an adverse impact on patient care: Some 43 percent of NHS hospital staffers said they depended on instant messaging and worried quality and safety could be impacted without it.
An earlier CommonTime report found that nearly half a million NHS employees use IM apps in their daily work at the trusts.
"As is usual, NHS staff have adopted technology, likely in the belief that they are doing the right thing to support patient care, in an increasingly pressurized environment," said Rowan Pritchard-Jones, chief clinical information officer at St. Helens and Knowsley Teaching Hospitals NHS Trust, in a statement.
"It is incumbent on digital leaders to embed in our evolving culture the need to protect patient confidentiality, deliver these conversations into the patient record and support staff to have these interactions with the support of their organizations," he added.
The study also showed there are plenty of valid uses for IM apps, such as supporting patient handoffs and shift changeovers, soliciting second opinions, creating patient care plans and other functions.
In his July 20 speech announcing major new government funding for NHS technology, new Health and Social Care Secretary Matt Hancock emphasized his commitment to consumer-friendly tech.
"I came from a tech background before I went into politics, and I love using modern technology myself," Hancock said. "Not only do I have my own app for communicating with my constituents here in West Suffolk, but as you may have heard I use an app for my GP."
He noted that at West Suffolk Hospital (where he gave the speech), "Doctors and nurses will soon throw away their pagers and install a new smartphone app, removing the need to phone colleagues for details after getting paged – something that a pilot has shown should save nurses more than 20 minutes and doctors almost 50 minutes every shift."
But it's clear from the new report that NHS needs to enact policies that outline the apps staff can safely use and how to securely use the platforms. And wherever possible, officials need to equip them with approved tools on par with their privacy and security policies.
Steve Carvell, head of healthcare at CommonTime, said many trusts have begun "supporting their staff, some with instant messaging applications specifically designed to cater for healthcare workflow and that can help staff work more effectively in pressured environments when they are caring for patients."
But he said many others still need to "take action to provide staff with the tools they need to communicate effectively in delivering patient care. Staff need to be given guidance to help ensure organisations can comply with ever more stringent data protection regulations."