NHS employees are putting data at risk 'every day'

New research has found that staff at NHS trusts are putting sensitive patient records and data at risk of cyber crime on a daily basis, though not through any fault of their own.

According to CommonTime’s analysis of the use of instant messaging apps like WhatsApp and Messenger, entitled “Instant Messaging in the NHS”, the number of NHS employees communicating via such means is far bigger than previously reported.

Only 15 per cent of health staff use Trust-approved or provided channels of communication, while 43 per cent use consumer-oriented instant messaging (IM) services.

However, staff who use these IM services to communicate non-critical information, such as shift handovers or rota management, are more likely to use them for more important tasks as well. Examples of risky IM behaviour include communicating directly with patients, storing patient content on mobile devices and sharing medical documents.

A deep dissatisfaction with existing channels is the main factor driving NHS staff this way, with 30 per cent believing that patient care would be badly affected if they were not able to use WhatsApp.

One in 50 have received disciplinary action for IM-related problems, though the use of such apps has grown year-on-year, as has the risk of accidental or intentional misuse.

The report highlights examples from interviewees that include sending patient information to non-NHS staff, sharing patient details on social media and even sending photos of patients to others for “entertainment purposes”.

Its authors call for healthcare tech providers to develop secure messaging apps to tackle some of these issues, particularly in light of the upcoming General Data Protection Regulation (GDPR). Otherwise, they write, there could be a “pivotal event” where the NHS will have to blame individuals and discipline more than half of its workforce, or bear institutional responsibility for any security breaches.

The news comes alongside a warning from IT firm Claranet that two-thirds of businesses lack sufficient data management practices to adhere to GDPR, which comes into force from 25 May.
