Safe messaging

Can you guarantee the safety and confidentiality of your patients when using digital messaging apps? Security and compliance should be front of mind for healthcare professionals, says Joost Bruggeman.

Digital messaging apps have become an important facet of every­day life, enabling people to stay in touch quickly and easily with friends, family and colleagues anytime, anywhere. 

This convenience, however, does not come without risk and we have all experienced messages being sent to the wrong people or groups.

When communicating with friends, a mistaken message may be amusing or, at worst, embarrassing, but in the workplace the consequences can be far more serious. 

In the medical sphere in particular, the potential for such errors poses a significant risk to patient confidentiality and data protection. 

However, many medical professionals are unacquainted with this issue. A recent survey by the Euro­pean Heart Rhythm Assoc­iation (EHRA) revealed that 88.3% of its members regularly use instant messaging apps for sharing clinical information with medical colleagues, yet 29.3% admitted they were unaware of EU data protection regulations when sharing clinical data. 

A further 46.7% indicated there were no regulations in place at their institution regarding the sharing of clinical data via instant messaging.

Huge benefits

This is worrying but not surprising. Technology moves at a rapid pace, so it stands to reason that it frequently advances more quickly than the Government and industry can create new standards and procedures to address it. 

Instant messaging tools offer huge benefits to medical practitioners, so the demand for them is strong. 

An example of a case study function in the Siilo medical messaging app

This was clearly illustrated at the height of the pandemic when information-sharing and fast decision-making was essential for helping healthcare professionals learn how to deal with a hitherto unknown virus.

In these circumstances, frontline staff came to appreciate the value of being able to share details about individual patient cases, including photographs and other sensitive medical data. This facilitated rapid knowledge-sharing, without which many more lives would undoubtedly have been lost.

Fit for purpose

The answer, therefore, is not to simply banish messaging apps, just when they have proven themselves indispensable. The better solution is for technology providers to create messaging tools which are fit for purpose and which meet the demands of medical staff, all without the associated risks that come with universally available providers. 

An example of the blurring and arrow tools used in the Siilo app

Data-security challenges were recognised some time ago and were a key influence behind the development of specialist healthcare apps such as Siilo.

However, the importance of using specialist tools is not yet fully understood because there is a failure to differentiate between security and compliance.

The basic promise of ‘end-to-end’ encryption, which is offered by the best-known messaging apps, certainly provides a strong element of security. It means the servers of the vendor cannot decrypt the message data even if they wanted to because they do not have access to the encryption keys that belong to this encrypted data.

Stored unencrypted 

However, this only applies to data while it is ‘in transit’ from one phone to another. What happens when the data is ‘at rest’ and delivered to a phone or other device? This is a question that even data protection officers in healthcare cannot answer.

After a phone receives a message, several synchronisations take place with common messaging apps. 

Photos and videos are synced automatically to the photo library of the phone, where the media is not encrypted. All conversations are backed up by default and automatically go onto the cloud services of the phone provider – where message data is also stored unencrypted. 

As such, all these unencrypted conversations are exposed to unauthorised third parties. 

This is a huge problem because it becomes impossible for any medical professional sending an instant message on most services to be able to guarantee patient confidentiality. 

A way which is often used to get around this is to anonymise patient information within communications, but this also brings significant issues. If healthcare teams cannot clearly identify which patient they are communicating about, it will almost certainly lead to confusion and mistakes which could easily be prevented.

No guarantee

What this means is that off-the-shelf messaging apps are not suitable for use within healthcare. Using them offers no guarantee of patient confidentiality and, worse still, may compromise their welfare. 

What’s more, a recent ransomware attack on the Irish Health Service’s IT system has again highlighted the importance of robust data security. Little wonder, perhaps, that Siilo experienced a 908% surge in app downloads in Ireland following the recent incident.

Digitalisation offers tremendous benefits to the healthcare sector, but it is essential that it is truly fit to meet the standards expected within the medical profession.

For communications technologies, this means applying absolute rigour to ensure patient confidentiality cannot be compromised.

Joost Bruggeman (right) is a former surgery resident at Amsterdam University Medical Centre and now chief executive and co-founder of Siilo