The sharing of patient data by care providers is often a matter of duty to patient health – and is also unavoidable. There has been much controversy recently about the use of commercial and unsecure messaging platforms in the healthcare sector.
A recently published White Paper – authored by the law firm Mishcon de Reya and Siilo, a secure messaging platform for healthcare – offers a legal perspective on using consumer messaging services in clinical settings. Here we consider the findings and speak to Dr Joost Bruggeman and Arvind Rao, of Siilo, about communication and security.
In summer 2017 the use of social media messaging services by medical professionals for work-related purposes was highlighted in the media. The issue lay in questions of security; NHS trusts have made very clear that the technology and security standards of these platforms are not sufficient for use within healthcare.
The White Paper, Legal perspective on practicing medical professionals using mobile messaging under UK law, investigates the legal implications of using social media messaging within the UK healthcare sector. In it, the authors highlight that mobile messaging services used by medical professionals must adhere to additional security and privacy standards. It also points out that patient data can be shared between medical professionals using a mobile messaging device; however, the onus is on the individual to ensure that the principles stipulated in the GMC’s confidentiality standards – Confidentiality: Good practice in handling patient information – January 2017, in effect from April 25, 2017 – are followed, and that one of the permitted purposes for the disclosure and sharing of information that takes priority over patient confidentiality applies.
A medical messaging service, the White Paper says, is ‘…nothing more than a new application of a well-established, non-contentious custom and practice’ and, further, that ‘Codes of practice and guidance on the confidentiality of medical professionals to their patients clearly stipulate that the duty to share patient information can be as important as the duty to protect patient confidentiality, especially in connection with the provision of safe, complete and effective patient care.’
So, how should GPs approach messaging? What should practices be aware of from a legal perspective? And, what of patient data security?
Considering the legal perspective on practicing medical professionals using mobile messaging
What differentiates a secure messaging service tailored to the healthcare sector from other, consumer platforms?
Consumer platforms are geared towards making it easy for users to communicate and share information within their social networks and with other apps. For these services, data needs to be easily accessible from different devices and retrievable through automated backups.
That’s all very understandable and convenient but, when it comes to patient information, we need to be assured that the data is confined to a secure environment – which is controllable by the authorised professional – and that the professional is confident that all recipients fall under the same regime. Patient data – for example, names or photos – shouldn’t be backed up automatically on WhatsApp servers that are located outside the EU and aren’t authorised within the secure environment. Patient photos should not be shared into a user’s photo gallery which synchronises with other devices and services as this could, unintentionally, spread sensitive data to unauthorised locations. These are just two examples of potential leaks from consumer messaging platforms.
Secure messaging services for the healthcare sector, by contrast, will adhere to a number of criteria:
- A high level of security should be applied to the data in transit (i.e. when sending) and at rest (i.e. when the data is on the ‘phone and the servers). This means that the minimum standard that should be applied for data sent should be end-to-end encryption rather than older techniques – such as transport layer security. Any sensitive data stored on the phone should also be encrypted and separate from the user’s personal data to prevent leaks to other apps or devices.
- These services should comply with high information governance standards, including GDPR compliance, for processing patient data. ISO27001 is an internationally accepted standard when it comes to the processing of sensitive data. In line with the ISO27001 standards, NHS Digital also has its own information governance requirements that healthcare companies can obtain from the IG Toolkit website. We believe that level 3 compliance gives the most comfort when it comes to sharing patient information.
- These services should follow a business model that is not focused on exploiting the data. This means it should be transparent and focused on serving healthcare professionals who share sensitive information, instead of seeing the data sent in messages as the core product.
What are the benefits – to practice, doctors and staff – of investing in such messaging technology?
In the UK, the use of beeper and fax is still widespread, while obviously no longer being the most efficient means of communication. ‘Phone calls are fast but are predominantly only one-to-one and rely on both parties being available at the same time. Using a messenger lets you communicate synchronously as well as asynchronously, easily share photos and videos and effectively communicate in groups. This increases the potential efficiency of doctors and staff and makes it easy to share knowledge within teams or amongst peers.
Research has shown that a messenger saves healthcare professionals at least 2.5 minutes in comparison to an average ‘phone call of 5.8 minutes. It even saves 4.2 minutes in comparison with the use of a beeper. Therefore, there are growing reports in the media of doctors and staff turning to consumer messengers; however, this is not only a liability for the users, but also for practices and trusts.
The benefit of using a compliant messenger is that it increases security, preventing compliance issues – for example, with regulations and standards such as GDPR and ISO27001 – while empowering doctors and staff to collaborate more efficiently, with the assurance that it is safe to share patient information.
The GMC has a stipulated set of standards that all medical professionals must adhere to when it comes to a patient’s right to confidentiality, whether working face-to-face or via a communication platform.
What are the key standards that practices need to look out for when it comes to the transfer of patient data via messaging platforms?
Firstly, practices must ensure that they are sending information over a compliant messenger that, as a minimum, follows the criteria stated earlier (a minimum of end-to-end encryption for all data sent and encryption for stored data, compliance with regulations such as GDPR and ISO27001 and a business model that is not focused on exploiting the data).
Secondly, they must ensure that doctors and staff know when to anonymise data and when they shouldn’t.
Finally, practices should choose a messaging platform that is proven, and has already been embraced by a large number of healthcare professionals.
The whitepaper says that, ‘It is important that ICT businesses adopt clear and efficient processes for dealing with technological developments; data storage being restricted to what is strictly necessary, security incidents and breach notification and investigation, security checks and tests and restricted access to any and all information uploaded by medical professionals via the platform.’
What might these processes look like, and how can practices ensure that they are using technology that processes data securely?
An ideal process should include:
- Checking that data sent is end-to-end encrypted and that data on the ‘phone is passcode protected, stored encrypted, and separately from the user’s personal data;
- Putting a processor agreement in place between the user and practice and the service provider;
- Choosing a service with the highest level of information governance. The platform and its servers should be at least ISO27001. Assessing the level of information governance a service is applying is also important; this can be found in publications on NHS Digital’s Information Governance Toolkit website.
- Finally, choosing a messenger that is user-friendly is an important part of the process. If the experience doesn’t surpass that of WhatsApp, or other consumer messenger services, then uptake is likely to be limited.
What impact will GDPR have on the use of messaging platforms and how can practices/the technology they employ ensure compliance?
Using consumer messaging platforms to share patient data has never been compliant with NHS regulations. The introduction of GDPR will be an additional restriction that is accompanied with high fines and possible reputational damage if practices are not compliant. Doctors and staff need to communicate and connect efficiently, so simply prohibiting the use of consumer messengers like WhatsApp is not a solution. Practices should be aware that they should offer a compliant messenger, such as Siilo, to solve the problem and work within the confines of GDPR.