published between 2016 and 2019
The high incidence of sensitive patient data exchanged between physicians via Whatsapp and iMessage evidenced in this study demonstrate potential violations of the new General Data Protection Regulation (GDPR) due to come into effect in May 2018. The GDPR outlines specific requirements for the processing and storage of data of which patient data is arguably the most sensitive. Breaches are expected to generate fines of up to 4% of annual turnover or 20 million euro – for authorities such as the NHS and HSE, this is potentially catastrophic.
Images of Xrays, blood results or wounds, taken via the mobile device in a doctor’s pocket, can be streamed via the famously insecure Apple iCloud in the USA, and suggested for potential upload to social Apps such as Facebook by default. Such material shared via Apps such as Whatsapp are downloaded by default to the image gallery on a smartphone and streamed between all networked devices, whether the recipients open the message or not. Such images can contain EXIF data, such as geographical co-ordinates, date, time, make and model of device etc. Such images are required to be encrypted and stored securely with the patient’s medical notes.
It cannot be overstated that ‘free’ communications solutions such as iMessage, WhatsApp, Signal, Secure Chat etc. are not free at all - if cash is not being paid for an App, the data of the clinician and patient is the commodity being paid for the functionality. Typically Apps have...
It cannot be overstated that ‘free’ communications solutions such as iMessage, WhatsApp, Signal, Secure Chat etc. are not free at all - if cash is not being paid for an App, the data of the clinician and patient is the commodity being paid for the functionality. Typically Apps have access a range of material on the users’ smartphone, including contact lists (to access and download), calendars (to read and amend entries) email, SMS, iMessage etc. (to read and send communications to those in the contact lists without notifying the owner), microphone (to access and record) and location (to track). If we are being ‘cost aware’ is access to a doctors diary, address book, email, digital messages, microphone and location/movements actually a cost worth paying?
The danger posed by lost phones is indeed alarming, and the importance of thoroughly cleaning devices before they are upgraded or discarded cannot be overstated either.
Security and data protection must be a central concern, not only for health service administrators, but for clinicians who understand that confidential patient data is no trivial issue. Patients disclose intimate personal information with the understanding that it will be stored and communicated securely and safely.
There is a range of technical solutions for the appropriately secure, efficient communication of patient data – Apps such as Hospify for example. It is essential that clinicians are provided with access to approved technical solutions, digital professionalism training and regular technical updates by the health service urgently, if they are to adhere to the new GDPR and an avoidable data protection disaster is averted.