The majority of UK National Health Service trusts have no official policies restricting the use of consumer messaging apps such as WhatsApp and Facebook Messenger among clinicians and staff, and despite the clear privacy risks posed by the apps, many trusts don't provide more secure alternatives, a new CommonTime report has found.

It is the latest negative report on security for the NHS. Earlier this year, every one of the 200 trusts across the UK failed a government-led cyber assessment. And this month, a new report found NHS lost or misplaced almost 10,000 patient records in 2017 and handwritten notes are still common across 94 percent of trusts.

And, of course more than a dozen trusts in England and Scotland were crippled in May 2017 by the massive WannaCry ransomware attack.

While NHS has taken steps to bolster its cybersecurity position, like taking on an upgrade of its legacy Microsoft computers to Windows 10, more government funding is needed.

The UK's new Health and Social Care Secretary Matt Hancock announced in July the government would spend $540 million to upgrade NHS hospital IT infrastructure, with another $98 million to help those trusts that are still paper-based make the move to electronic health records.

But on a more basic level, the recent report shows too many hospitals are still behind on simple enforcements that could bring major improvements in patient privacy. CommonTime researchers found almost 58 per cent of the 136 trusts had no policy in place to discourage use of consumer messaging platforms.

CommonTime, which used the UK's Freedom of Information Act to view various hospitals policies, showed 56 per cent of trusts didn't equip staff with approved alternatives to consumer messaging applications.

A handful of trusts said tools including WhatsApp and iMessage were officially sanctioned at their hospitals, which highlights the difficulties in tracking how patient data is transmitted across those apps. There are also greater challenges in attempting to integrate those apps securely within the network.

Europe's newly enacted General Data Protection Regulation adds even more security concerns for the trusts.

As David Juby, head of IT and security at CommonTime said, GDPR compliance "requires that a health service data controller must consider if they are able to provide a copy of data if requested by a patient and that they able to erase personal data when requested."

On the other hand, the study showed 17 trusts had banned instant messaging apps wholesale.

That may help head off a big security concern but it could also have an adverse impact on patient care – 43 per cent of NHS hospital staffers said they depended on instant messaging and worried quality and safety could be impacted without it.

An earlier CommonTime report found almost half a million NHS employees use IM apps in their daily work at the trusts.

"As is usual, NHS staff have adopted technology, likely in the belief that they are doing the right thing to support patient care, in an increasingly pressurized environment," said Rowan Pritchard-Jones, chief clinical information officer at St Helens and Knowsley Teaching Hospitals NHS Trust, in a statement.

"It is incumbent on digital leaders to embed in our evolving culture the need to protect patient confidentiality, deliver these conversations into the patient record and support staff to have these interactions with the support of their organisations.”

The study also showed there are plenty of valid uses for IM apps, such as supporting patient handoffs and shift changeovers, soliciting second opinions, creating patient care plans and other functions.

In his July 20 speech announcing major new government funding for NHS technology, new Health and Social Care Secretary Matt Hancock emphasised his commitment to consumer-friendly tech.

"I came from a tech background before I went into politics, and I love using modern technology myself," Hancock said.

"Not only do I have my own app for communicating with my constituents here in West Suffolk, but as you may have heard I use an app for my GP."

He noted that at West Suffolk Hospital, where he delivered the speech, "Doctors and nurses will soon throw away their pagers and install a new smartphone app, removing the need to phone colleagues for details after getting paged – something that a pilot has shown should save nurses more than 20 minutes and doctors almost 50 minutes every shift."

But it's clear from the new report that the NHS needs to enact policies outlining the apps that staff can safely use and how to securely use them.

Wherever possible, officials also need to equip them with approved tools on par with their privacy and security policies.

Steve Carvell, head of healthcare at CommonTime, said many trusts have begun "supporting their staff, some with instant messaging applications specifically designed to cater for healthcare workflow and that can help staff work more effectively in pressured environments when they are caring for patients."

But he said many others still need to "take action to provide staff with the tools they need to communicate effectively in delivering patient care. Staff need to be given guidance to help ensure organisations can comply with ever more stringent data protection regulations."

Originally published on the US edition of Healthcare IT News.

To share tips, news or announcements, contact the HITNA editor on




White papers