The United Kingdom’s state-run National Health Service has issued updates to its staff guidelines on the use of instant messaging apps and programs by certified clinicians in acute care settings, in order to maintain established privacy policies regarding patient data.
The NHS recognizes the need for instant messaging software, especially in emergency situations that require a quick response, which makes it an essential part of the NHS toolset. Compliance with confidentiality regulations is therefore becoming increasingly important.
Controversial Findings in CommonTime Report Set Off NHS Move
The guidelines were put forth by the NHS following the release of findings in a CommonTime healthcare report on the subject, which found that a vast number of NHS staff rely greatly on apps including iMessage, WhatsApp, and Facebook Messenger. In addition, a number of trusts associated with the National Health Service did not have any policies about the use of messaging apps including WhatsApp and Facebook Messenger. The report also stated that more than 95% of practicing clinicians used these messaging apps to receive and transmit potentially confidential patient data without any security measures in place.
In response to the findings of the CommonTime report, the NHS has set up guidelines to help healthcare practitioners within the UK to determine whether an instant messaging app is appropriate to use for healthcare purposes. These steps aim to protect healthcare practitioners from regulatory investigations regarding the safeguards on patient confidentiality.
Andrew Miles, who is a consultant general surgeon and a Royal College of Surgeons Council Member, stated that: “Patient safety is enhanced when NHS staff can quickly communicate confidential patient information between teams, such as by instant messaging.”
Patient Data Confidentiality Policies to Structure Guidelines
Some of the things that clinicians need to check in an app are end-user verification, pre-set standards of encryption, and password protection among others. In addition, the app needs to have capabilities for remote data wipes and auto deletion of messages after pre-set times, in cases of theft or loss of device.
The guidelines also include a number of specific standards for the use of apps, including the transmission of information to the right person or group and the regular review of group membership, to eliminate chances of miscommunication from similar names in address books.
NHS staff also have to keep notifications from popping up on a locked screen, not share access to the mobile device, keep clinical records separately, and delete messages after the transcription process is complete. Staff must remember that conversations held on instant messaging platforms can be subject to requests under the Freedom of Information Act.
In addition to this, the guidelines state that instant messaging apps being used by healthcare practitioners cannot be permitted to connect with social media or photo libraries on the user’s device. Two-factor authentication is also pushed to be mandatory for such apps. The use of third-party instant messaging apps is to be permitted only if the healthcare organization does not provide an appropriate alternative for use. At present, more than 50% do not offer any suitable alternative.
The guidelines strongly emphasize that they are not endorsing any particular instant messaging app service, and that the focus is on what clinicians must keep in mind when looking to use instant messaging apps on mobiles.
These measures are anticipated to protect healthcare organizations associated with the NHS from threats such as the WannaCry attack of 2017, which resulted in the loss of 10,000 records of patients registered in the NHS at the time.