‘Off-the-shelf’ messaging apps pose huge risks for patient confidentiality and data protection
The convenience that we have come to expect and enjoy from instant messaging apps has seen them become essential everyday tools. When used for professional communications, however, their use can bring with them significant risk.
This is particularly the case within the medical sphere – a mistaken message can put patient confidentiality and data protection in jeopardy, while threatening the most fundamental aspects of healthcare ethics.
Unfortunately, however, many pharmacists and other medical professionals are unacquainted with this issue. A recent survey by the European Heart Rhythm Association (EHRA) revealed that 88.3% of its members regularly use instant messaging apps for sharing clinical information with medical colleagues, yet 46.7% indicated there are no regulations in place at their institution regarding the sharing of clinical data via instant messaging.
This is worrying but not surprising. Technology moves at a rapid pace, so it stands to reason that it frequently advances more quickly than the government and industry can create new standards and procedures to address it. Yet the demand for instant messaging tools is strong.
These benefits were emphasised at the height of the pandemic, when the unique situation created huge demand for collaboration and information-sharing on treatments and best practices. For pharmaceutical professionals, messaging apps facilitated dialogue among peers on topics such as how to maintain a safe practice for themselves and their patients, and they enabled patient cases to be shared so that collective knowledge was quickly improved. The apps also provided easier access to doctors to support discussion on issues such as dosage or medication changes.
Since instant messaging apps are clearly of value to medical professionals, a solution is needed to overcome data protection issues. In fact, this challenge was recognised some time ago, and was a key influence behind the development of specialist healthcare apps such as Siilo – the only tool on the market which is compliant with GDPR and medical legislation. However, the importance of using specialist tools is not yet fully understood because there is a failure to differentiate between security and compliance.
The basic promise of ‘end-to-end’ encryption, which is offered by the best-known messaging apps, certainly provides a strong element of security – it means the servers of the vendor cannot decrypt the message data even if they wanted to because they don’t have access to the encryption keys that belong to this encrypted data. However, this only applies to data whilst it is ‘in transit’ from one phone to another. What happens when the data is ‘at rest’, i.e. delivered to a phone or other device?
After a phone receives a message, several synchronisations take place with common messaging apps: photos and videos are synced automatically to the photo library of the phone, where the media is not encrypted; all conversations are backed-up by default and automatically go onto the cloud services of the phone provider – where message data is also stored unencrypted. As such, all these unencrypted conversations are exposed to unauthorized third parties.
This is a huge problem because it becomes impossible for any medical professional sending an instant message on most services to be able to guarantee patient confidentiality. A way which is often used to get around this is to anonymise patient information within communications, but this also brings problems – if healthcare teams cannot clearly identify which patient they are communicating about, it will almost certainly lead to confusion and mistakes.
What this means is that off-the-shelf messaging apps are not suitable for use within healthcare. What’s more, the recent ransomware attack on the Irish Health Service’s IT system has again highlighted the importance of robust data security, while common scams such as account hijackings, as recently reported among WhatsApp users, still continue to catch out even the most safety-conscious.
Digitalisation offers tremendous benefits to the healthcare sector, but it is essential that it is truly fit to meet the standards expected within the medical profession. For communications technologies, this means applying absolute rigour to ensure patient confidentiality cannot be compromised.