You can’t blame staff for using commonly available apps to communicate –  but they pose risks to patient confidentiality, argues Felix Jackson, who calls for leaders to introduce compliant technology

After the recent WannaCry NHS shutdown debacle, it’s tempting to blame a shadowy criminal underworld in remote corners of North Korea for all our NHS cyber-woes.

However, new figures from the information commissioner have now categorically shown what many who work in and around health data have long known: we need to be looking much closer to home to ensure we can protect patient data and NHS IT systems from potential breach.

New analysis of information commissioner reports has revealed that a full two thirds of data breaches are down to internal human error. Furthermore, of all the breaches reported between the start of 2013 and the end of  2016, nearly half (43 per cent) happened in the healthcare sector.

With the volume of breaches in health way ahead of any other sector (the second highest was local government, which accounted for 11 per cent), we clearly have a problem. And, with health data now being touted as more valuable than financial data on the dark web, it’s an increasingly alarming one.

So it is baffling to say the least that NHS staff are being set up to fail by being expected to use archaic, Cold War-era tech.

If new technology exists that allows them to bypass clunky old NHS systems such as 1950s pagers, and provide a better response to an urgent developing situation it’s a no-brainer they’ll take that option

Frontline health and care clinicians and teams are a conscientious and enterprising group of professionals who are dedicated to providing the best care for patients possible – especially in an emergency.

So if new technology exists that allows them to bypass clunky old NHS systems such as 1950s pagers, and provide a better response to an urgent developing situation it’s a no-brainer they’ll take that option.

Faced with a choice between saving a limb or even a life or taking a data risk by sharing information – well, there’s no contest.

It is commonly understood that popular consumer messaging system WhatsApp was used by medics responding to the recent terror attacks in Manchester and London. These were just the latest examples of a growing reliance on non-compliant tech in the absence of an alternative to dial-up urgent resource.

BMJ study published in 2015 reveals that even back then just over a third of 2,107 doctors across five hospital sites surveyed said they used Whatsapp to discuss clinical information. With the growth in use of the popular messaging platform in the UK over the past two years, that number has surely grown.

Eye opening

A recent debate I was involved in online saw comments from junior doctors, pharmacists and consultants all acknowledging the risks but confirming that they use non-compliant messaging out of necessity. The comments are eye opening:

“WhatsApp works really well to coordinate out of hours staff responding to terrorist attacks, without jamming switchboard,” said one senior consultant, while a senior nurse confessed: “WhatsApp is widely used, and potential for breaking confidentiality [must be remembered]. Really handy though.”

Another junior doctor added: “I wish we didn’t have to, but won’t deny it has helped communication with patient care TREMENDOUSLY. Until someone screws up, that is.”

A fellow junior doctor hinted at the scale: “I remember seeing a team in a peripheral hospital down the country run their ENTIRE LIST through whatsapp and I still feel sweaty about it.”

All of this is against a backdrop of a clear edict from NHS England banning the use of WhatsApp, stating “it should never be used for the sending of healthcare information” and there is “no valid reason for its use within the NHS”.

The reasoning behind the NHS ban is clear: despite much touted ‘end-to-end encryption’ the platforms are not compliant with sensible UK data regulations, so the potential for human errors in leaving non-password protected devices in a public place or sharing identifying data with the wrong person is hugely increased.

Health and care chiefs can’t ignore this issue any longer. Frontline staff need and deserve better. There has to be a focus on providing compliant tech, especially as the NHS prepares for the European Union General Data Protection Regulation (GDPR) compliance deadline which is now now less than a year off (May 2018) and is likely to usher in much tougher data protection penalties and significant changes to how organisations handle, protect and move personal data. 

Instant messaging is an inarguably more efficient way for frontline health and care staff to communicate, but we need a system that doesn’t put patient confidentiality on the line.

Dr Felix Jackson trained as an anaesthetist and is founder of medCrowd.