Views
Instant messaging no quick data fix
By Joost Bruggeman
The convenience we have come to expect and enjoy from instant messaging apps has seen them become essential everyday tools. When used for professional communications, however, they can bring significant risk. In healthcare, a mistaken message can put patient confidentiality and data protection in jeopardy, while threatening the most fundamental aspects of healthcare ethics.
Unfortunately, many health professionals are unacquainted with this issue. A recent survey by the European Heart Rhythm Association (EHRA) revealed that 88 per cent of its members regularly use instant messaging apps for sharing clinical information with medical colleagues, yet 47 per cent indicated there are no regulations in place at their institution regarding the sharing of clinical data in this way.
This is worrying, but not surprising. Technology moves rapidly, so it stands to reason that it frequently advances more quickly than government and industry can create new standards and procedures to address it. What’s more, instant messaging tools offer huge benefits right across the medical professions, so demand for them is strong.
These benefits were emphasised at the height of the pandemic, when this unique situation created huge demand for collaboration and information sharing on treatments and best practices. For pharmacy professionals, messaging apps facilitated dialogue among peers on maintaining safe practice for themselves and their patients, and they enabled patient cases to be shared so that collective knowledge improved quickly. The apps also provided easier access to doctors to support discussion on issues such as dosage or medication changes.
Since instant messaging apps are clearly of value to medical professionals, a solution is needed to overcome data protection issues. This challenge was a key influence behind the development of specialist healthcare apps such as Siilo, which is the only tool on the market that is compliant with both GDPR and medical legislation. However, the use of specialist tools is not yet fully understood because there is a failure to differentiate between security and compliance.
The basic promise of ‘end-to-end’ encryption, which is offered by the best-known messaging apps, certainly provides a strong element of security: it means the servers of the vendor cannot decrypt the message data, even if they wanted to, because they don’t have access to the encryption keys that belong to this encrypted data. However, this only applies to data whilst it is ‘in transit’ from one phone to another. What happens when the data is ‘at rest’ – for example, when it has been delivered to a phone or other device?
After a phone receives a message, several synchronisations take place with common messaging apps: photos and videos are synced automatically to the photo library of the phone, where media is not encrypted; all conversations are backed up by default and automatically go onto the cloud services of the phone provider – where message data is also stored unencrypted. As such, all these unencrypted conversations can be exposed to unauthorised third parties.
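To make the in-transit versus at-rest distinction concrete, here is an added Go example (not code from the article or from any messaging app) that models a relay holding only ciphertext, a default backup path that receives the decrypted message, and a hypothetical device-key re-encryption before backup; the sample message and its patient identifier are constructed.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)
// Constructed sample message carrying a patient identifier (not real data).
const SampleMessage = "Patient MRN-000123: increase apixaban to 5 mg twice daily"
// Envelope is all the vendor's relay ever holds: nonce and ciphertext, never the key.
type Envelope struct{ Nonce, Ciphertext []byte }

// RandBytes returns n random bytes; RandBytes(32) is a fresh AES-256 key.
func RandBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a malformed key length reaches here
	}
	g, _ := cipher.NewGCM(block) // the AES block size always satisfies GCM
	return g
}
// Seal is the in-transit protection: AES-256-GCM under a fresh random nonce.
func Seal(key, plaintext []byte) Envelope {
	g := gcm(key)
	nonce := RandBytes(g.NonceSize())
	return Envelope{nonce, g.Seal(nil, nonce, plaintext, nil)}
}
// Open decrypts; it fails unless the caller holds the matching key.
func Open(key []byte, env Envelope) ([]byte, error) {
	return gcm(key).Open(nil, env.Nonce, env.Ciphertext, nil)
}
// ContainsMarker reports whether a stored blob exposes the identifier in the clear.
func ContainsMarker(blob []byte, marker string) bool { return bytes.Contains(blob, []byte(marker)) }
// DefaultBackup models the default sync path: decrypted on delivery, then copied as-is into the phone's cloud backup.
func DefaultBackup(convKey []byte, env Envelope) ([]byte, error) { return Open(convKey, env) }
// AtRestBackup (hypothetical hardening) re-encrypts under a key that never leaves the device before the copy is made.
func AtRestBackup(convKey, deviceKey []byte, env Envelope) (Envelope, error) {
	pt, err := Open(convKey, env)
	if err != nil {
		return Envelope{}, err
	}
	return Seal(deviceKey, pt), nil
}
```

The check a reviewer would run is whether the identifier is findable in each stored copy: the relay's envelope and the device-key backup fail the search, the default backup passes it.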
Any medical professional sending an instant message on most services is therefore unable to guarantee patient confidentiality. Anonymising patient information within communications to get around this also brings problems: if teams cannot clearly identify which patient they are communicating about, it will almost certainly lead to confusion and mistakes.
What’s more, the recent ransomware attack on the Irish Health Service’s IT system has again highlighted the importance of robust data security, while common scams such as account hijackings, as recently reported among WhatsApp users, still continue to catch out even the most safety-conscious.
Digitalisation offers tremendous benefits to the healthcare sector, but it is essential that it is truly fit to meet the standards expected within the medical professions. For communications technologies, this means applying absolute rigour to make sure that patient confidentiality cannot be compromised.