• NHS England and NHS Digital say messaging app can be “useful” in the NHS but not for sharing sensitive data
  • NHS England previously said there was “no valid reason for its use within the NHS”
  • Ipswich and East Suffolk CCG has included WhatsApp groups in its cybersecurity planning

NHS England has shifted its position on the use of WhatsApp by staff in the NHS.

The national commissioning body said the encrypted messaging app can be “useful”, after previously stating that “there was no valid reason for its uses”.

Whatsapp icon

Ipswich and East Suffolk CCG has included WhatsApp groups in its cybersecurity planning

Responding to questions from HSJ, an NHS England spokeswoman said: “WhatsApp and other messaging services can provide a useful way for staff to communicate.”

The app should still “not be used to share identifiable or confidential patient data,” she said. Despite the change in tone, NHS England had not changed its policy, she added.

However, the position is a shift from NHS England’s last stated position in 2015 that the messaging service “should never be used for the sending of information in the professional healthcare environment” because of security concerns.

“There is no valid reason for its use within the NHS,” the information governance bulletin said.

NHS Digital also appears to have relaxed its stance since May, when it published a social media guide stating that WhatsApp should not be used for “work or official communications, unless it is part of your responsibilities”.

Chris Flyn, security operation lead at NHS Digital’s data security centre, told HSJ last week that WhatsApp could be “a good way for teams to quickly get in touch with each other and to share non-confidential information”.

However, because NHS Digital was not able to fully test the app’s security, it should not be used to send patient identifiable data, he said.

He said: “We would expect local data controllers to make sensible decisions about the data they share, in response to the situation at the time.”

The popular messaging service, which is owned by Facebook, has been the subject of debate within the NHS.

There have been several reports that many NHS doctors regularly use WhatsApp and other messaging apps to quickly share patient information.

The prevalence of WhatsApp being used by clinicians has raised data security concerns, particularly as it transmits information overseas, with columnists on hsj.co.uk, calling it “ticking time bomb”.

However, WhatsApp could have applications for communicating non-clinical information quickly, particularly if other IT systems are down, or in large parts of the NHS that still rely heavily on paper processes.

After the WannaCry ransomware attack in May, Ipswich and East Suffolk Clinical Commissioning Group updated its cybersecurity emergency planning to include WhatsApp groups to communicate quickly with GPs.

A CCG spokesman said: “The ongoing action plan for improvement includes the setting up of WhatsApp groups. These would be used to help with the coordination of logistical information only in an emergency. WhatsApp would not be used for transmission of confidential patient information.”