sb-eu logo
Story image

NHS staff breaking data security policies every day with WhatsApp

14 Mar 2018

​A new report has landed that reveals everyday healthcare professionals across the NHS are knowingly putting sensitive patient data at risk – not through malice, but necessity.

CommonTime published ‘Instant Messaging in the NHS’ that delves into the swelling issue of instant messaging apps (like WhatsApp and Messenger) being used to supplement official communication channels – a sign that NHS staff themselves are being driven to innovate faster than the trusts they represent.

The very first finding from the report is that the issue of NHS staff communicating via consumer-oriented instant messaging (IM) services is actually much bigger than has been previously reported.

A measly 15 percent of NHS staff use only Trust provided channels of communication, while a staggering 43 percent use consumer IM (to varying degrees).

There is also evidence to suggest that using IM apps to communicate with healthcare professionals for benign purposes such as shift handovers or rota management increases the likelihood that an individual will start to use the same technologies in more fractious ways.

Examples identified include communicating directly with patients, storing patient content on mobile devices and sharing medical documents.

A key driving factor of this is a marked dissatisfaction with provided channels of communication when compared to the efficiency that consumer IM apps offer. In fact, more than 30 percent of NHS staff believe patient care would be affected negatively if healthcare professionals weren’t able to use WhatsApp or other consumer IM tools.

So what’s so bad about using consumer IM services professionally? Bitglass head of EMEA Eduard Meelhuysen says there are a number of issues.

"As unsanctioned messaging platforms like Slack and WhatsApp spread, they enable rapid communication and file sharing. This obviates the need for conventional tools like email and causes IT to lose visibility and control over sensitive data,” says Meelhuysen.

“Moreover, in the battle between usability and security, usability tends to win.”

The report finds that thus far, attempts to stem the tide through education, the provision of alternatives and enforcement of policy are doing little to discourage staff with 1 in 50 receiving disciplinary actions for IM related incidents.

All of this findings no doubt leaves decision makers in a quandary – is it worth it ignore the dangers to data security in favour of the significant benefits that IM provides?

However, as adoption of such apps grows year-on-year (driven primarily by new entrants to the workforce), so too does the risk from accidental or malicious misuse.

Participants were able to recall a number of incidents that suggest consumer IM is a space for inappropriate communication and behaviours that are a detriment to confidentiality.

Examples include accidentally sending patient information to non-clinical staff, sharing ‘pertinent’ patient details on social media and sending patient photos to others for ‘entertainment purposes’.

Meelhuysen says within healthcare the issue is even more acute.

“Specifically within healthcare, the rapid digitisation of patient records means it’s been very difficult to implement consistent data security policies and training schemes to educate staff on keeping data safe,” says Meelhuysen.

“The only solution is to sanction cloud apps with a strong security track record, and combine them with third-party tools to secure data in the cloud.  Only then will the NHS be able to improve its ability to protect medical records, helping them focus on their core competency – delivering care services."

The report affirms a number of healthcare tech vendors are already in the process of developing systems designed to tackle the issues raised in the report, however, it recommends a coordinated approach to fully address the now culturally embedded reliance on consumer IM applications.

Inevitably, the report notes, if the status quo continues then there will be a pivotal event that will mean the NHS will either have to blame the individuals and take action against nearly half of the workforce, or bear the institutional responsibility for allowing such actions to persist.

The findings presented in the report are based on a survey of 823 NHS staff. This sample size (0.68 percent of the population) means that results can be presented with a confidence level of 95 percent and a 3.5 percent margin of error.

Story image
Kaseya acquires RocketCyber to bring SOC solutions to more businesses
"With this acquisition, we've doubled down on our security investments to provide our customers with access to experts who can continuously monitoring their IT environments without the cost and complexity of disparate tools.”More
Story image
CIOs massively underestimate Secure Shell risks - study
While CIOs say they are concerned about the security risks SSH machine identities pose, Venafi data indicates they seriously underestimate the scope of these risks. More
Story image
High demand for hackers on the dark web
"Since March 2020, we have noticed a surge of interest in website hacking, which is seen by the increase in the number of ads on forums on the dark web."More
Story image
ExtraHop reveals methods used by attackers in SUNBURST breach
The network detection and response company says between late March and early October 2020, detections of probable malicious activity increased by approximately 150%, including detections of lateral movement, privilege escalation and command and control beaconing.More
Story image
Asia Pacific FSIs pay $5.1 billion for breaching AML & data privacy
Financial institutions in Asia Pacific are paying a heavy price for not complying with some of the most common and widespread regulations designed to protect them and their customers.More
Story image
Three steps to a security-driven network for a stronger security posture
As the threat landscape continues to evolve and organisations stand to lose so much if they fall victim to an attack, it’s essential to ensure that security measures evolve in line with the network itself.More