Why NHS Guidelines on Mobile Messengers are Flawed
NHS England, NHS Digital, Public Health England and the Department of Health and Social Care have developed a set of guidelines around the use of instant messaging channels such as WhatsApp by healthcare practitioners. NHS trusts are warned to use only apps and other messaging tools that meet NHS encryption standards, and to make sure that staff only use their own devices and prevent other people from borrowing them.
In the guide, staff are advised to disable message notifications on their devices’ lock screens so that patient confidentiality is protected, to keep separate clinical records from personal files, and to delete the original messaging notes once they have been transcribed and migrated to the official patient medical record.
All of which sounds reasonable, right?
The trouble is that these guidelines are likely to give NHS staff the ammunition to think that using applications like WhatsApp and Telegram as a work messaging app is perfectly safe, secure and compliant; a seriously short-sighted view.
A poor prescription
There are a number of fundamental inadequacies in the guidelines that need to be addressed if we are to improve collaborative communication in the NHS and ultimately provide better patient care.
For instance, there is a total lack of clarity. The guidelines are designed to set out clear information governance considerations for staff on the use of instant messaging software in acute clinical settings. However, they fail to define what an acute clinical setting is, which could lead to inappropriate use of mobile messengers. Let me demonstrate this with two scenarios:
Example 1: I am a resident in general surgery and see an acute patient in A&E. This patient needs immediate attention from my consultant, and I message that person instead of calling.
This is an acute clinical setting where the use of messengers could be considered dangerous as it might cause delays, and a statement like this from the NHS could be interpreted that messaging can be legitimately used in this situation.
Example 2: I am a consultant in interventional radiology. I see something during the procedure on my patient that I do not understand, but know I can save this person if someone can diagnose the problem. To get some clarity, I broadcast the patient's images on Twitter and as a result, save the life of my patient because I made the decision to prioritise the patient over their privacy.
In this instance, and in cases of mass casualties or level one trauma events, would doctors be wise to prioritise privacy over patients’ lives? The guidelines need to make clearer statements on this.
Disregarding compliance by design
If the guide is designed to educate NHS staff on how to judge if a messenger is suitable for sharing patient data, shouldn’t they do more than focus on five features and recognise these as mandatory functions? Well, in the list they mention five criteria, but in the table they drop “end-user verification,” perhaps the most important one. Are they assuming that the features listed make them ‘compliant’, simply because they have stated this on their websites, privacy statements and end user agreements? What about transparency of the security measures? What about a processor agreement between the medical professional and the software provider? If so, they have missed the fundamental requirements of GDPR.
To be GDPR compliant, security-by-design is the rule, not the exception. The guidelines expect all users to disable certain features that are ‘on by default’ to force compliance, but by relying on their good nature you can never guarantee that the receiving end – which is most important to you as the data sharer – has also got their settings right. There are too many compounding factors and risks of human error that could result in sensitive patient data getting into the wrong hands.
Separating personal from professional
The guidelines conclude that users should ‘separate social groups on instant messaging from any groups that share clinical or operational information’, putting the onus firmly on the users, with great expectations for them to transcribe and delete messages and protect patient confidentiality. In order to address this, users must therefore have another app installed alongside their personal choice, ignoring the fact that certain apps lack the option to create different chat types.
The authors of the guide chose not to include applications that are specifically designed to cater for clinical professionals, which by design separate the personal and professional aspects of users’ lives. Not just apps like Siilo – which passes the requirements listed in this document without breaking a sweat – but also our dedicated counterparts Hospify and Forward.
What is apparent is that the governing bodies involved in the guide neglected to carry out adequate research on the matter. They dismissed the enormous amount of educational material available in the public domain, and the opportunity to set a precedent by moving away from mainstream options and advocating the use of clinically proven alternatives that are really changing the NHS for the better.
We can only hope that on reflection, they acknowledge the shortcomings in the guide and consider the array of options available to them.