Facebook's WhatsApp has been growing in user numbers to become one of the globally dominant and most widely used messaging apps. And as such, it was only a matter of time before it found its way expanding from the casual, private userbase to professionals, even in fields such as healthcare – that must surely rank as some of the most sensitive.
The website providing a guide to the US Health Insurance Portability and Accountability Act of 1996 (HIPAA) asks the pertinent question: is using WhatsApp in a professional setting by healthcare workers compliant with the law? Specifically – if doctors and nurses choose to exchange information about their patients' health via WhatsApp – can patients count on this private data to remain safe – according to the standard set by the protected health information (PHI)?
PHI regulates anything from information about a person's health status to their healthcare payments – in other words, it's a collection of extremely comprehensive and sensitive personal information.
But could all that be getting out in the wild if professionals exchanged it via WhatsApp? The HIPAA guidance website analyses the circumstances both from the point of view of the legislation and the way WhatsApp is deployed to conclude a resounding – just don't do it.
Despite WhatsApp deploying end-to-end encryption – and more on that later – the conclusion here is that the app, though it can still be used by healthcare professionals “for general communication” – is not up to par as a trusted app to transmit and exchange patients' electronic protected health information (ePHI) – though “de-identified PHI” can still be exchanged on the platform, the HIPAA website said.
Then, there's UK's national healthcare service, the NHS, where nurses using the app to communicate about patients has raised privacy concerns. “We use WhatsApp for everything, reminding other nurses about problems with patients, which patients to be careful with or which patients have problem relatives who they need to look out for. Having a group chat for a ward can be quite useful to keep everyone up to date on what's been going on,” one NHS nurse said to Reclaim The Net.
Another shed some light on the treatment of patients' medical data: “It's not so much the nurses that are sharing patient stuff, it's usually the doctors that use it to share more personal stuff. Lots of doctors take photos of patients' wounds and x-rays and share them with other doctors on WhatsApp. It's kind of worrying when you think that Facebook owns WhatsApp, and we all know what they're like with privacy.”
However, the NHS has recently suffered other technological setbacks like the organization's slow and reluctant upgrading from some pretty abysmal existing technologies, like Microsoft's Windows XP.
That, in the end, cost the NHS a lot of money and good faith in the 2017 WannaCry ransomware disaster.
You might think – that was then. But even now, as MobiHealthNews reports that a St. George's University Hospital NHS Foundation Trust study has found that the NHS is “a privacy and clinical safety time-bomb.”
The study is based on “77 staff members in the trauma and orthopedics department revealing that 87 percent of staff used smartphone apps to discuss patient cases at work, despite 56 percent not being sure whether the information was secure.”
EU's General Data Protection Regulation (GDPR) plays into the way the UK deals with this type of data and privacy issues. When and if the UK leaves the EU, the GDPR will continue to be enshrined in the national law – so it's particularly disconcerting that a recent Freedom of Information Act (FOI) request has found as many as 58 percent of 136 NHS trusts lacking any policy in place whatsoever when it comes to protecting patients' personal medical data from messaging apps.
The study, that is yet to be published, is comprehensive – and one of the points it touches upon is Facebook's WhatsApp.
Even if WhatsApp's redeeming feature seems to be its end-to-end encryption – there's more to the story than meets the eye. While direct communication may be protected – allowing backups on WhatsApp means that data stored in this way becomes vulnerable to outside snooping. That was revealed in one of the controversies of the day, back in the summer of 2018 – and Buzzfeed expanded on it at the time.
On the other hand – it's a no brainer that emergency services, and those they work to assist in a crisis can greatly benefit from a real-time communication tool that will make their work as efficient as possible. But, as Nursing Times observes, – “Instant messaging can have clinical utility – but remember that the law places obligations on clinicians to protect patient confidentiality.”
Outside the immediate medical tasks – UK's health service might have mitigated some damage from deploying vast amounts of outdated Windows operating systems that made it a soft target in 2017 for the WannaCry crisis. Digital Health writes that NHS staff using encrypted messaging apps like WhatsApp as an unofficial communication channel back then was not such a bad idea – the website claims that “national bodies and trusts told us it worked well during the incident.”
But the NHS in 2018 felt it was the right time to introduce some new rules when it comes to using WhatsApp to exchange sensitive patient data.
The guidance is designed to help doctors and nurses use messaging apps “safely to coordinate patients' care during emergencies.”
The guidance recommends using messaging apps that “meet the NHS encryption standard”; not allowing other people to use their device and not allowing lock-screen notifications; and keeping “separate clinical records and deleting the original messaging notes once any advice has been transcribed and attributed in the medical record.”