– Growing use of technology is providing huge benefits to healthcare professionals, but improper use of tools such as digital messaging apps presents significant risks
By Joost Bruggeman, CEO and co-founder of Siilo
We only have to look at the devastating ransomware attacks on the Irish healthcare system earlier this year to see that the benefits of digitalisation do not come without risks. But when it comes to data security, all too often we see an alarming apathy. It is vital for those working in the healthcare sector to take note and learn lessons from these attacks.
This vigilance is particularly important when it comes to the implementation of digital messaging tools. A recent survey by the European Heart Rhythm Association (EHRA) members revealed that 88.3% of its members regularly use commercial instant messaging apps, like WhatsApp, for sharing clinical information with medical colleagues, yet 29.3% admitted they were unaware of EU data protection regulations. A further 46.7% indicated there are no regulations in place at their institution regarding the sharing of clinical data via instant messaging.
This is worrying but not surprising. Technology moves at a rapid pace, so it stands to reason that it frequently advances more quickly than the government and industry can create new standards to address it. What’s more, it is in nobody’s interest to stymie the use of tools which offer huge benefits to the medical profession.
These benefits were emphasised at the height of the pandemic, when information-sharing and fast decision-making was essential for helping healthcare professionals to learn how to deal with a hitherto unknown virus. In these circumstances, frontline staff came to appreciate the value of being able to instantly share details about individual patient cases, including photographs and other sensitive medical data.
So how can healthcare professionals continue to enjoy these benefits while also minimising the risks? This question was a key influence behind the development of specialist healthcare apps such as Siilo – which is fully compliant with GDPR and medical legislation. However, the importance of using healthcare-specific tools is not yet fully understood because there is a failure to differentiate between security and compliance.
The basic promise of ‘end-to-end’ encryption, which is offered by the best-known messaging apps, certainly provides a strong element of security – it means the servers of the app vendor cannot decrypt the message data even if they wanted to because they don’t have access to the encryption keys that belong to this encrypted data. However, this only applies to data whilst it is ‘in transit’ from one phone to another. What happens when the data is ‘at rest’, i.e. delivered to a phone or other device?
After a phone receives a message, several automatic actions take place with common messaging apps: photos and videos sync to the photo library of the phone, where the media is not encrypted; all conversations are backed-up by default onto the cloud services of the phone provider – where message data is also stored unencrypted. As such, all these unencrypted conversations are exposed to unauthorised third parties.
This is a huge problem because it becomes impossible for any medical professional sending an instant message on most services to be able to guarantee patient confidentiality. To try and get around this, it’s common practice to anonymise patient information within communications, but this can result in healthcare teams being unable to clearly identify which patient they are communicating about and potentially making mistakes, which must be prevented.
This highlights how ‘off-the-shelf’ messaging apps are simply not suitable for use within healthcare. They offer no guarantee of patient confidentiality, and worse still, they may compromise patient welfare. Reassuringly, in the 18-24 months since the pandemic first took hold, UK adoption of Siilo outpaced the global average by 113% and there are now more than 27,000 Siilo users across the UK’s healthcare sector, suggesting that a change in attitudes is underway.
While digitalisation offers tremendous benefits to the healthcare sector, it is essential that tools and technologies are truly fit to meet the standards expected. For communications technologies, this means applying absolute rigour to ensure patient confidentiality cannot be compromised.
5 things healthcare professionals should look for in their messaging service:
- Fingerprint/Facial Recognition & PIN code security:To keep your patient data confidential, make sure that you can secure your conversations and data with a mandatory PIN code and Face- or Touch-ID.
- Image-editing features: To guarantee patient anonymity, look for an app that allows you to blur or cover names and faces in a photo, as well as provides tools for pointing out critical aspects of an image for colleagues.
- Processor agreements:To be GDPR compliant, the messenger service should take responsibility, on your behalf as a healthcare professional, as the processor of your patient’s sensitive information. This ensures data privacy and security compliance at the individual and, with wider implementation, at the organisational level.
- Identity & medical verification:Apps that verify their users as individuals and medical professionals create environments that can be trusted. Make sure your messenger can guarantee that you are sending information to the right contact.
- Separation between personal/professional media: Prevent patient data from being uploaded to personal cloud services. Save photos, videos, and files directly to the messenger app rather than your device’s photo gallery.
Joost Bruggeman is a former surgery resident at Amsterdam University Medical Centre and now CEO and co-founder of Siilo. For more information, please visit www.siilo.com.
