Research at St George’s University Hospital NHS Foundation Trust has found the use of WhatsApp in the NHS to be “a privacy and clinical safety timebomb”, according to a press announcement.
A soon-to-be-published study of 77 staff members in the trauma and orthopaedics department revealed that 87 percent of staff used smartphone apps to discuss patient cases at work, despite 56 percent not being sure whether the information was secure.
Why it matters
There has long been controversy about the use of instant messaging in the NHS, and the introduction of the EU’s General Data Protection Regulation (GDPR) last year resulted in new legal and practical implications.
A Freedom of Information Act (FOI) request by tech company CommonTime last year found that 58 percent of 136 NHS trusts had no policy in place to restrict the use of consumer messaging platforms.
Joost Bruggeman, co-founder of the healthcare messaging start-up Siilo, said that patient data shared on WhatsApp when he worked as a surgeon in 2010 was still available in iCloud (now deleted) and automatically synched with his other household devices, including Apple TV.
“This is a serious breach in terms of confidentiality. I’ve heard numerous accounts of other colleagues who have said their kids were playing in front of the TV and patient images popped up,” he explained.
This inspired him to develop the Siilo app, which launched in the Netherlands in 2016 and is being used in more than 60 NHS organisations, including the orthopaedics department at St George’s.
The GDPR-compliant app can only be accessed with a PIN number, touch or face ID and does not synch data with personal apps or devices.
Other healthcare-specific messaging apps used in the NHS include Hospify, Forward, and MedxNote.
What’s the context?
In response to privacy and security concerns, NHS England, NHS Digital, Public Health England and the Department of Health and Social Care published joint guidance on instant messaging in November last year.
This sets out that staff should only use apps and messaging tools that meet the NHS encryption standard, should disable notifications on a device’s lock screen to protect data privacy, and should delete notes once they have been added to a patient’s medical record.
“The guidance is there to help NHS organisations set local policies and advise individual clinicians of the risks to be aware of when using instant messaging – we do not advocate or promote any particular tools,” an NHS England spokesperson told MobiHealthNews.
On the record
Bruggeman said the NHS instant messaging guidelines did not go far enough and focused too much on encryption, which is “just a very tiny part of making something suitable for clinical communications.”