Security and compliance should be front of mind for healthcare professionals
Digital messaging apps have become an important facet of everyday life, enabling people to quickly and easily stay in touch with friends, family, and colleagues any time, anywhere. This convenience, however, doesn’t come without risk, and we have all experienced messages being sent to the wrong people or groups.
When communicating with friends, a mistaken message may be amusing or, at worst, embarrassing, but in the workplace, the consequences can be far more serious. In the medical sphere in particular, the potential for such errors poses a significant risk to patient confidentiality and data protection, which even threatens that most fundamental aspect of healthcare ethics, the Hippocratic Oath.
However, many medical professionals are unacquainted with this issue. A recent survey by the European Heart Rhythm Association (EHRA) revealed that 88.3% of its members regularly use instant messaging apps for sharing clinical information with medical colleagues, yet 29.3% admitted they were unaware of EU data protection regulations when sharing clinical data. A further 46.7% indicated there are no regulations in place at their institution regarding the sharing of clinical data via instant messaging.
This is worrying but not surprising. Technology moves at a rapid pace, so it stands to reason that it frequently advances more quickly than governments and industry can create new standards and procedures to address it. What’s more, instant messaging tools offer huge benefits to medical practitioners, so the demand for them is strong. This was clearly illustrated at the height of the pandemic, when information-sharing and fast decision-making were essential for helping healthcare professionals to learn how to deal with a hitherto unknown virus.
In these circumstances, frontline staff came to appreciate the value of being able to share details about individual patient cases, including photographs and other sensitive medical data. It facilitated rapid knowledge-sharing, without which many more lives would undoubtedly have been lost.
The answer, therefore, is not simply to banish messaging apps, just when they have proven themselves indispensable. The better solution is for technology providers to create messaging tools which are fit for purpose and which meet the demands of medical staff, without the risks that come with general-purpose consumer messaging providers. In fact, the data-security challenge was recognised some time ago, and was a key influence behind the development of specialist healthcare apps such as Siilo – the only tool on the market which is compliant with GDPR and medical legislation. However, the importance of using specialist tools is not yet fully understood, because there is a failure to differentiate between security and compliance.
The basic promise of ‘end-to-end’ encryption, which is offered by the best-known messaging apps, certainly provides a strong element of security: the vendor’s servers cannot decrypt the message data even if they wanted to, because they never hold the encryption keys for it. However, this protection only applies to data whilst it is ‘in transit’ from one phone to another. What happens when the data is ‘at rest’, i.e. once it has been delivered to a phone or other device? This is a question that even data protection officers in healthcare cannot answer.
After a phone receives a message, several synchronisations take place with common messaging apps: photos and videos are synced automatically to the phone’s photo library, where the media is not encrypted; and all conversations are backed up by default to the phone provider’s cloud services, where message data is also stored unencrypted. As a result, all of these unencrypted conversations are exposed to unauthorised third parties.
This is a huge problem, because it becomes impossible for any medical professional sending an instant message on most services to guarantee patient confidentiality. A common workaround is to anonymise patient information within communications, but this brings significant issues of its own: if healthcare teams cannot clearly identify which patient they are communicating about, it will almost certainly lead to confusion and mistakes which could easily be prevented.
What this means is that off-the-shelf messaging apps are not suitable for use within healthcare. Using them offers no guarantee of patient confidentiality and, worse still, may compromise patients’ welfare. What’s more, the recent ransomware attack on the Irish Health Service’s IT system has again highlighted the importance of robust data security. Little wonder, perhaps, that Siilo experienced a 908% surge in app downloads in Ireland following the recent incident.
Digitalisation offers tremendous benefits to the healthcare sector, but it is essential that it is truly fit to meet the standards expected within the medical profession. For communications technologies, this means applying absolute rigour to ensure patient confidentiality cannot be compromised.
Joost Bruggeman is a former surgery resident at Amsterdam University Medical Centre and now CEO and co-founder of Siilo. For more information, please visit www.siilo.com
Philip Luce is CEO at Cromwell Hospital, London. The hospital started using Siilo as the pandemic took hold last year.
“Technology has been crucial during the pandemic to enable medical professionals to continue to provide the very best patient care. Here at Cromwell Hospital, Siilo is a key digital tool we introduced early on, that has proved invaluable as the pandemic developed.
“It has enabled consultants in multidisciplinary teams (MDTs) to safely and securely discuss patient cases, share notes, scans and test results remotely. This has been key in supporting our rapid access patient pathways, enabling patients’ test results to be reviewed, and consultants to collaborate in real-time to develop tailored treatment plans. This streamlines our patient pathways, helping to ensure our patients’ treatment has not been delayed.
“The ease of use and the speed with which teams were able to access and start using the app meant we were able to keep up with the pace and demands of such a unique and fast-moving crisis.
“It is really important that we have timely communication between our clinicians to enable speedy diagnosis and tailored treatment plans for our patients. It also means we don’t have to worry about breaching patient confidentiality; we’re able to communicate more efficiently and are able to ask questions of other medical professionals across organisational boundaries.”
Example of using Siilo to improve patient care
“Our consultant clinicians used Siilo to review the future treatment of a 46-year-old patient who had been advised to stop chemotherapy, in place of radiotherapy treatment. The lead consultant created a new patient file to review the information at hand, and subsequently the Breast Team collectively approved the decision to pursue a different method of treatment.”
How crucial is this type of technology beyond Covid?
“The pandemic has changed the way we all work, and this includes at our hospital. Technology such as Siilo enables our consultants to communicate securely with one another in real-time – this is a great benefit to the delivery of rapid, quality patient care during Covid-19 and beyond the pandemic.
“Providing a platform for these conversations to take place virtually means consultants are able to ensure that patients are getting the right and best treatment for them and their condition. For our patients, this means they don’t have any delays in their treatment plan, and this can leave them with peace of mind during what can be a worrying time.”
5 Things to look for in your messaging service
- Fingerprint/facial recognition & PIN code security: To keep your patient data confidential, secure your conversations and data with a mandatory PIN code and Face ID or Touch ID.
- Image-editing features: To guarantee patient anonymity, cover names or faces in a photo with the Blur tool and point out critical aspects of a photo for colleagues with the Arrow tool.
- Processor agreements: Ensure data privacy and security compliance at the individual and organisational level with a Siilo Processor Agreement. To be GDPR compliant, the messenger service takes responsibility as the processor of your patients’ sensitive information on your behalf as a healthcare professional. This agreement is signed automatically when you start using our application.
- Identity & medical verification: To ensure you are sending information to the right contact, identify verified medical professionals at a glance with Siilo badges.
- Separation between personal/professional media: To prevent patient data from being uploaded to personal cloud services, save photos, videos, and files directly to the Siilo app rather than your device’s photo gallery.