Instant messaging technology is fast, reliable and can transmit large volumes of data. It has the potential to revolutionise communication and decision making in a healthcare industry, which, for the large part, still lives in an archaic world of pagers and faxes. However, before we can tap into the vast potential of such technology, we must ensure we do not fall prey to data security breaches and the resultant scaremongering headlines of the Mail Online from October 2015 (figure 1).1
In the particular article they cite, which surveyed doctors and nurses at five London hospitals, over 95% of doctors and nurses who responded owned smartphones. Among the doctors, 64.7% had used SMS-based messaging, 46.0% had used picture messaging and 33.1% had used app-based messaging technology to transfer patient-related clinical information; 27.5% of them believed they had patient-related clinical information on their smartphones at the time.2 The implications for data security are obvious, yet seem to be ignored by practising clinicians. A further UK-based survey indicated that app-based messaging tools such as WhatsApp formed an important part of daily communication within clinical teams, with 72.5% of respondents believing that it was a ‘good thing’.3
A literature search centring around WhatsApp, conducted in June 2016, identified 41 articles in the published literature. Analysis of these articles revealed multiple uses for the app within healthcare, including communication between clinicians, communication with patients and education (figure 2). Published articles originated from a diverse set of countries and specialties, but, conspicuously, there were no articles originating from the USA, where the Health Insurance Portability and Accountability Act places strict regulations on the storage and transfer of medical records (figure 2). Interestingly, only 8 of the 27 articles dealing with the use of WhatsApp for communication between clinicians commented on the issues surrounding information security and patient confidentiality, five of which were from the UK.
A key development in April 2016 saw WhatsApp release a white paper detailing a new end-to-end encryption feature, which all users were alerted to (figure 3).4 This feature allowed secure, encrypted messages to be sent between users and within larger group chats and was ‘designed to prevent third parties and WhatsApp from having plaintext access to messages or calls’.
On the basis of these assurances, we sought to clarify the position of various bodies on the use of encrypted instant messaging systems such as WhatsApp within the National Health Service for communication within and between clinical teams.
Following an enquiry, the General Medical Council issued this response in April 2016:
In our guidance on the use of social media we define social media as ‘web-based applications that allow people to create and exchange content.’ This includes applications that are not accessible by the general public.
Such sites and applications can be useful places to find advice about current practice in specific circumstances. However, you must still be careful not to share identifiable information about patients, remembering that although individual pieces of information may not breach confidentiality on their own, the sum of published information online could be enough to identify a patient or someone close to them.
It would be compatible with this guidance to use WhatsApp to share images in which the patient cannot be identified. If the information is identifiable, however, it should usually only be shared outside the team providing direct care to the patient with informed consent (a disclosure to other clinicians who are not providing care to the patient is still a disclosure, even if it is for the purpose of seeking clinical advice—see our Confidentiality guidance, paragraphs 25 to 29).
Even with consent, we would advise doctors to refer to their Trust policies on information security for guidance on acceptable content exchange applications, or to use secure services that have been designed for the purpose of transfer of confidential information—such as NHS mail.
Following a similar enquiry to NHS England, the NHS Digital security team issued this response in August 2016:
The recent introduction of end to end encryption within the WhatsApp messaging application does not mean that NHS Digital are able to endorse the product for use within a clinical context, or indeed by NHS staff members for non clinical purposes. This is not because there are concerns regarding the efficacy of the encryption solution applied to the WhatsApp product, but rather because the use of 3rd party applications cannot be effectively managed by NHS organisations, and as such their use should not be encouraged and cannot be endorsed/approved by NHS Digital. If local organisations provide mobile devices for use by their staff, such facilities could be used instead of the 3rd party applications available to install upon personal devices.
We also conducted an online survey via the Health & Social Care Information Centre of all NHS Trust Caldicott Guardians, the senior person appointed at each trust who is responsible for protecting the confidentiality of patient and service user information. Of 228 Caldicott Guardians surveyed, only four replied, none of whom had a policy on the use of internet or app-based messaging tools for clinical communication. One trust responded with a social media policy for employees but this did not encompass the use of app-based messaging tools.
To further complicate matters, a recent article in The Guardian from January 2017 revealed a vulnerability in WhatsApp’s encryption protocol that allows interception and decoding of encrypted messages.5 The implications of this within healthcare are not fully understood, although it calls into question the privacy of these communications. Despite this, in the wake of the ransomware attack, NHS England and NHS Digital acknowledged that WhatsApp can provide a ‘useful way for staff to communicate’, although this seemed to be more in relation to having backup staff communication systems rather than for clinical information about patients.6
In addition to ensuring secure communications, there are a number of other considerations surrounding the use of instant messaging tools within the National Health Service. As with telephone communications, timely and accurate updates to the patient record of these communications are vital to patient care. Care must also be taken to ensure information is sent to the correct recipient/group of recipients and to protect data in the event of a stolen device, both of which also apply to email communications.
While there may be no immediate solution, we suggest some sensible basic principles, based on the above guidance, for clinicians and allied healthcare professionals when using technology for communicating about patients:
Think before using this technology: Do I need to use this? Is there another, more secure way (eg, nhs.net email)? What info do I need to communicate?
Try to avoid patient identifiable information: Does the recipient need to know who the patient is (name, DOB, hospital number)?
If using patient identifiable information, can you use this in an obfuscated way? Hospital number is only identifiable when combined with access to the hospital systems, so is probably the securest identifier to use, although using just one identifier increases the chance of error.
Choose a trusted secure messaging system: for example, Apple’s iMessage is secure between iPhones (but only iPhones), the company does not have access to the unencrypted version of the messages and the company has successfully resisted any political pressure to decrypt devices.7
We call upon the various stakeholders to collaborate and adopt a unified stance that allows clinicians to take advantage of the immense potential of instant messaging tools to improve and streamline patient care while ensuring the safety of patient data.
It may be that the future lies in bespoke messaging tools, designed specifically for the National Health Service and/or clinical settings that provide security and accountability while retaining the widespread accessibility of commercially available apps such as WhatsApp. There are a number currently in development (table 1). If adopted, such systems should be uniformly implemented across trusts and regions (perhaps via the NHS App Library), allowing for safe and accountable communication nationally that adequately protects patient confidentiality and the clinicians and staff involved. Such a secure national system may require National Health Service bodies to negotiate contracts and funding, similar to online referral platforms such as Refer-a-Patient (www.referapatient.org), which is widely used across the UK for regional specialist referral services. It remains to be seen, however, whether such bespoke messaging tools can reach a critical mass required for widespread use.
Contributors AC and SBCG conceived the idea, conducted the literature searches and drafted the manuscript. Both authors have satisfied the International Committee of Medical Journal Editors (ICMJE) criteria for authorship and have reviewed and approved the final version prior to submission. AC is the guarantor.
Funding This research received no specific grant from any funding agency in the public, commercial or not-for-profit sectors.
Competing interests None declared.
Provenance and peer review Not commissioned; externally peer reviewed.