The United Kingdom National Health Service released new instant messaging guidelines for clinicians in the acute care setting, including privacy policies for sharing patient data.
The guidance follows a damning CommonTime report that found the majority of NHS trusts lacked official policies around consumer messaging apps like Facebook Messenger and WhatsApp. What’s worse is that 97 percent of clinicians routinely used those apps to send patient data without those security measures in place.
In response, officials have provided standards for determining whether an app is safe to use in the healthcare setting. This includes only using apps with encryption standards, end-user verification and passcode protection.
The guidelines take it a step further to require clinicians to only use apps that can be remotely wiped in case of loss or theft, along with message retention features that delete messages after a set amount of time. And these apps should only be used if an organization doesn’t provide a suitable alternative.
“Instant messaging can have clinical utility but remember that the law places obligations on organizations to protect patient confidentiality,” according to the guidelines. “If you are a clinician, you may also have to defend yourself against regulatory investigation if you have not taken sufficient steps to safeguard confidentiality.”
Those safeguards include keeping clinical records separate from the app and deleting patient notes after they’ve been transcribed into a patient’s medical record. Clinicians should also avoid sharing devices and ensure lock-screen notifications are disabled.
The guidelines also provide standards for app use, which include ensuring clinicians are communicating with the correct person or group, as similar names are often stored in an address book. IM group administrators should also routinely review membership.
Providers also need to make sure the app is not linked to any other platforms, especially social media or a device’s photo library. And social groups must be separate from the clinical or operational information. Lastly, two-factor authentication is required.
The guidance is just the latest security measure enacted by NHS following more than a year of security incidents and troubling reports.
NHS was crippled by the global WannaCry attack in May 2017, after failing to patch a known vulnerability. Nearly a year later, all 200 NHS trusts failed a government security audit – many for failing to patch known flaws. And in August 2018, a report from think tank Parliament Street found NHS lost 10,000 paper patient records last year.
While NHS falls under different healthcare guidelines, its struggles reflect similar issues faced by health systems in the United States.
In fact, the Centers for Medicare and Medicaid Services clarified its position on healthcare texting platforms earlier this year, stressing the need for security. The CMS guidelines are similar to the NHS guidance in that texting is only allowed through a secure platform with encrypted messaging and can’t include patient orders.
“It is expected that providers/organizations will implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized, in order to avoid negative outcomes that could compromise the care of patients,” according to CMS.