sb-eu logo
Story image

NHS staff breaking data security policies every day with WhatsApp

14 Mar 2018

​A new report has landed that reveals everyday healthcare professionals across the NHS are knowingly putting sensitive patient data at risk – not through malice, but necessity.

CommonTime published ‘Instant Messaging in the NHS’ that delves into the swelling issue of instant messaging apps (like WhatsApp and Messenger) being used to supplement official communication channels – a sign that NHS staff themselves are being driven to innovate faster than the trusts they represent.

The very first finding from the report is that the issue of NHS staff communicating via consumer-oriented instant messaging (IM) services is actually much bigger than has been previously reported.

A measly 15 percent of NHS staff use only Trust provided channels of communication, while a staggering 43 percent use consumer IM (to varying degrees).

There is also evidence to suggest that using IM apps to communicate with healthcare professionals for benign purposes such as shift handovers or rota management increases the likelihood that an individual will start to use the same technologies in more fractious ways.

Examples identified include communicating directly with patients, storing patient content on mobile devices and sharing medical documents.

A key driving factor of this is a marked dissatisfaction with provided channels of communication when compared to the efficiency that consumer IM apps offer. In fact, more than 30 percent of NHS staff believe patient care would be affected negatively if healthcare professionals weren’t able to use WhatsApp or other consumer IM tools.

So what’s so bad about using consumer IM services professionally? Bitglass head of EMEA Eduard Meelhuysen says there are a number of issues.

"As unsanctioned messaging platforms like Slack and WhatsApp spread, they enable rapid communication and file sharing. This obviates the need for conventional tools like email and causes IT to lose visibility and control over sensitive data,” says Meelhuysen.

“Moreover, in the battle between usability and security, usability tends to win.”

The report finds that thus far, attempts to stem the tide through education, the provision of alternatives and enforcement of policy are doing little to discourage staff with 1 in 50 receiving disciplinary actions for IM related incidents.

All of this findings no doubt leaves decision makers in a quandary – is it worth it ignore the dangers to data security in favour of the significant benefits that IM provides?

However, as adoption of such apps grows year-on-year (driven primarily by new entrants to the workforce), so too does the risk from accidental or malicious misuse.

Participants were able to recall a number of incidents that suggest consumer IM is a space for inappropriate communication and behaviours that are a detriment to confidentiality.

Examples include accidentally sending patient information to non-clinical staff, sharing ‘pertinent’ patient details on social media and sending patient photos to others for ‘entertainment purposes’.

Meelhuysen says within healthcare the issue is even more acute.

“Specifically within healthcare, the rapid digitisation of patient records means it’s been very difficult to implement consistent data security policies and training schemes to educate staff on keeping data safe,” says Meelhuysen.

“The only solution is to sanction cloud apps with a strong security track record, and combine them with third-party tools to secure data in the cloud.  Only then will the NHS be able to improve its ability to protect medical records, helping them focus on their core competency – delivering care services."

The report affirms a number of healthcare tech vendors are already in the process of developing systems designed to tackle the issues raised in the report, however, it recommends a coordinated approach to fully address the now culturally embedded reliance on consumer IM applications.

Inevitably, the report notes, if the status quo continues then there will be a pivotal event that will mean the NHS will either have to blame the individuals and take action against nearly half of the workforce, or bear the institutional responsibility for allowing such actions to persist.

The findings presented in the report are based on a survey of 823 NHS staff. This sample size (0.68 percent of the population) means that results can be presented with a confidence level of 95 percent and a 3.5 percent margin of error.

Story image
Ransomware the most common cyber threat to SMBs - report
The survey found that 60% of managed service providers report that their SMB clients have been hit as of Q3 2020. More
Story image
Video: 10 Minute IT Jams - Vectra AI exec discusses cybersecurity for Office 365
In Techday's second IT Jam with Vectra AI, we speak again with its head of security engineering Chris Fisher, who discusses the organisational impact of security breaches within Microsoft O365, why these attacks are on the rise, and what steps organisations should take to protect employees from attacks.More
Story image
With cyber-threats continuing to evolve, organisations need to remain in the fight in 2021
Teams can make improvements in 2021 by having a more comprehensive understanding of the threats that are out there and defining how they conduct operations to offer flexibility to adapt better.More
Story image
How has COVID-19 transformed our perception of work?
Almost three quarters (74%) of people never want to return to pre-COVID-19, traditional work paradigms, putting more pressure on employees to adequately support and secure changing workplace environments.More
Story image
Palo Alto Networks launches enterprise data loss prevention service
"As a single centralised cloud service, Palo Alto Networks Enterprise DLP can be deployed across an entire large enterprise in minutes with no need for additional infrastructure."More
Story image
Attivo solutions launch on McAfee marketplace
Attivo Networks’ endpoint security solutions are available for free trial and purchase through McAfee’s new cloud marketplace.More