
NHS staff breaking data security policies every day with WhatsApp

14 Mar 2018

A new report has landed that reveals everyday healthcare professionals across the NHS are knowingly putting sensitive patient data at risk – not through malice, but necessity.

CommonTime published ‘Instant Messaging in the NHS’ that delves into the swelling issue of instant messaging apps (like WhatsApp and Messenger) being used to supplement official communication channels – a sign that NHS staff themselves are being driven to innovate faster than the trusts they represent.

The very first finding from the report is that the issue of NHS staff communicating via consumer-oriented instant messaging (IM) services is actually much bigger than has been previously reported.

A measly 15 percent of NHS staff use only Trust-provided channels of communication, while a staggering 43 percent use consumer IM (to varying degrees).

There is also evidence to suggest that using IM apps to communicate with healthcare professionals for benign purposes such as shift handovers or rota management increases the likelihood that an individual will start to use the same technologies in more fractious ways.

Examples identified include communicating directly with patients, storing patient content on mobile devices and sharing medical documents.

A key driving factor of this is a marked dissatisfaction with provided channels of communication when compared to the efficiency that consumer IM apps offer. In fact, more than 30 percent of NHS staff believe patient care would be affected negatively if healthcare professionals weren’t able to use WhatsApp or other consumer IM tools.

So what’s so bad about using consumer IM services professionally? Bitglass head of EMEA Eduard Meelhuysen says there are a number of issues.

“As unsanctioned messaging platforms like Slack and WhatsApp spread, they enable rapid communication and file sharing. This obviates the need for conventional tools like email and causes IT to lose visibility and control over sensitive data,” says Meelhuysen.

“Moreover, in the battle between usability and security, usability tends to win.”

The report finds that thus far, attempts to stem the tide through education, the provision of alternatives and enforcement of policy are doing little to discourage staff, with 1 in 50 receiving disciplinary actions for IM-related incidents.

All of these findings no doubt leave decision makers in a quandary – is it worth ignoring the dangers to data security in favour of the significant benefits that IM provides?

However, as adoption of such apps grows year-on-year (driven primarily by new entrants to the workforce), so too does the risk from accidental or malicious misuse.

Participants were able to recall a number of incidents that suggest consumer IM is a space for inappropriate communication and behaviours that are a detriment to confidentiality.

Examples include accidentally sending patient information to non-clinical staff, sharing ‘pertinent’ patient details on social media and sending patient photos to others for ‘entertainment purposes’.

Meelhuysen says within healthcare the issue is even more acute.

“Specifically within healthcare, the rapid digitisation of patient records means it’s been very difficult to implement consistent data security policies and training schemes to educate staff on keeping data safe,” says Meelhuysen.

“The only solution is to sanction cloud apps with a strong security track record, and combine them with third-party tools to secure data in the cloud. Only then will the NHS be able to improve its ability to protect medical records, helping them focus on their core competency – delivering care services.”

The report affirms that a number of healthcare tech vendors are already in the process of developing systems designed to tackle the issues raised in the report; however, it recommends a coordinated approach to fully address the now culturally embedded reliance on consumer IM applications.

Inevitably, the report notes, if the status quo continues then there will be a pivotal event that will mean the NHS will either have to blame the individuals and take action against nearly half of the workforce, or bear the institutional responsibility for allowing such actions to persist.

The findings presented in the report are based on a survey of 823 NHS staff. This sample size (0.68 percent of the population) means that results can be presented with a confidence level of 95 percent and a 3.5 percent margin of error.
