Story image

NHS staff breaking data security policies every day with WhatsApp

14 Mar 2018

​A new report has landed that reveals everyday healthcare professionals across the NHS are knowingly putting sensitive patient data at risk – not through malice, but necessity.

CommonTime published ‘Instant Messaging in the NHS’ that delves into the swelling issue of instant messaging apps (like WhatsApp and Messenger) being used to supplement official communication channels – a sign that NHS staff themselves are being driven to innovate faster than the trusts they represent.

The very first finding from the report is that the issue of NHS staff communicating via consumer-oriented instant messaging (IM) services is actually much bigger than has been previously reported.

A measly 15 percent of NHS staff use only Trust provided channels of communication, while a staggering 43 percent use consumer IM (to varying degrees).

There is also evidence to suggest that using IM apps to communicate with healthcare professionals for benign purposes such as shift handovers or rota management increases the likelihood that an individual will start to use the same technologies in more fractious ways.

Examples identified include communicating directly with patients, storing patient content on mobile devices and sharing medical documents.

A key driving factor of this is a marked dissatisfaction with provided channels of communication when compared to the efficiency that consumer IM apps offer. In fact, more than 30 percent of NHS staff believe patient care would be affected negatively if healthcare professionals weren’t able to use WhatsApp or other consumer IM tools.

So what’s so bad about using consumer IM services professionally? Bitglass head of EMEA Eduard Meelhuysen says there are a number of issues.

"As unsanctioned messaging platforms like Slack and WhatsApp spread, they enable rapid communication and file sharing. This obviates the need for conventional tools like email and causes IT to lose visibility and control over sensitive data,” says Meelhuysen.

“Moreover, in the battle between usability and security, usability tends to win.”

The report finds that thus far, attempts to stem the tide through education, the provision of alternatives and enforcement of policy are doing little to discourage staff with 1 in 50 receiving disciplinary actions for IM related incidents.

All of this findings no doubt leaves decision makers in a quandary – is it worth it ignore the dangers to data security in favour of the significant benefits that IM provides?

However, as adoption of such apps grows year-on-year (driven primarily by new entrants to the workforce), so too does the risk from accidental or malicious misuse.

Participants were able to recall a number of incidents that suggest consumer IM is a space for inappropriate communication and behaviours that are a detriment to confidentiality.

Examples include accidentally sending patient information to non-clinical staff, sharing ‘pertinent’ patient details on social media and sending patient photos to others for ‘entertainment purposes’.

Meelhuysen says within healthcare the issue is even more acute.

“Specifically within healthcare, the rapid digitisation of patient records means it’s been very difficult to implement consistent data security policies and training schemes to educate staff on keeping data safe,” says Meelhuysen.

“The only solution is to sanction cloud apps with a strong security track record, and combine them with third-party tools to secure data in the cloud.  Only then will the NHS be able to improve its ability to protect medical records, helping them focus on their core competency – delivering care services."

The report affirms a number of healthcare tech vendors are already in the process of developing systems designed to tackle the issues raised in the report, however, it recommends a coordinated approach to fully address the now culturally embedded reliance on consumer IM applications.

Inevitably, the report notes, if the status quo continues then there will be a pivotal event that will mean the NHS will either have to blame the individuals and take action against nearly half of the workforce, or bear the institutional responsibility for allowing such actions to persist.

The findings presented in the report are based on a survey of 823 NHS staff. This sample size (0.68 percent of the population) means that results can be presented with a confidence level of 95 percent and a 3.5 percent margin of error.

Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.
How blockchain could help stop video piracy in its tracks
An Australian video tech firm has successfully tested a blockchain trial that could end up being a welcome relief for video creators and the fight against video piracy.
IBM X-Force Red & Qualys introduce automated patching
IBM X-Force Red and Qualys are declaring a war on unpatched systems, and they believe automation is the answer.
Micro Focus acquires Interset to improve predictive analytics
Interset utilises user and entity behavioural analytics (UEBA) and machine learning to give security professionals what they need to execute threat detection analysis.