WhatsApp, the Facebook-owned digital messaging platform, is a useful communication tool – but how secure is it, and should you really be using it to share practice information? We speak to security expert Kevin Curran, a member of the Institute of Electrical and Electronics Engineers and a professor of cyber security at Ulster University, to get his inside view.
In November NHS England released its long-expected guidance on using instant messaging services within acute care settings. It’s long been known that staff have been using services like WhatsApp to communicate with one another, in many cases sharing patient-identifiable information.
Rather than ruling out the use of WhatsApp, NHS England is cautiously enthusiastic, urging clinicians to ‘minimise the amount of patient-identifiable data you communicate’. This is a shift from the previous position held by NHS England that no patient information should be shared at all on any instant messaging service.
The NHS England guidance includes some simple steps for healthcare employees to follow, including:
- Only using apps and other messaging tools that meet the NHS encryption standard.
- Not allowing anyone else to use their device.
- Disabling message notifications on their device’s lock-screen to protect patient confidentiality.
- Keeping separate clinical records and deleting the original messaging notes once any advice has been transcribed and attributed in the medical record.
Many practices will already be using WhatsApp, seemingly with the implicit blessing of NHS England, but just how safe is it? We ask independent IT expert Kevin Curran some key questions.
How secure is WhatsApp?
WhatsApp offers end-to-end encryption as standard. This is an extremely secure method of communication because only the users sending or receiving a message can read it. This makes it more secure than other platforms, such as Twitter, Instagram or Snapchat, which do not offer this service.
One of the most important underlying features of WhatsApp is that the Signal Protocol, designed by Open Whisper Systems, is the basis of its encryption. This is a solid implementation of end-to-end encryption.
Should NHS staff have faith in its ability to encrypt messages?
It is the actual information being transmitted that needs to be considered. There is nothing to worry about if practice staff are using it to co-ordinate their days off, ask for supplies, order food etc. – but if they were to identify individual patients, and outline their personal health problems, then, of course, it is much more important to ensure it never leaks.
Are there any known vulnerabilities?
There are no gaping holes that we know of and the Signal Protocol is quite impressive. However, the recent news that Facebook is planning on merging the messaging services of Facebook Messenger, Instagram and WhatsApp means that there are legitimate concerns about the future security of the platform, which may cause issues for the NHS and its patients.
Currently, WhatsApp is Facebook’s only service to use end-to-end encryption as standard; Facebook has it as an option and Instagram does not offer it at all. The main issue arising from the proposed merging of services is to what level the messages will be encrypted, particularly when travelling between platforms.
If practices are using WhatsApp how can they ensure that they remain safe and protected from virtual threats?
Users must follow, for the most part, the same safe computing principles on mobiles as they do on traditional desktops. Many mobile service providers have security policies in place – such as secret questions or personal PINs along with multi-factor authentication.
Users should always set a passcode, keep devices locked when not in use and use biometric features like fingerprint recognition, if available. They should not store personal details like passwords or PIN numbers in texts or emails on the device. They should also be aware of the problem of rogue networks and the possibility of attacks on public wifi networks (an issue Practice Business has covered before).
Staff can protect themselves by installing something called a ‘mobile anti-virus client’ which will offer significant protection. There are paid and free mobile anti-virus options on the market but, unfortunately, some of these can be ‘heavyweight’, taking a toll on your overall device performance and battery life. Again, security often comes at the expense of convenience.
So, is WhatsApp safe?
Our relatively short modern IT history to date has already shown us that organisations are not good at securing access in web-facing portals, so the decision to place such sensitive information online at this time is certainly ‘interesting’. Yes, the world’s information is moving online, and people want to access remote services globally 24/7, but, as health records are in the most sensitive category of personal data, military-grade encryption/protection and the strongest of user-authentication mechanisms must be in place.