Like professionals in many industries, clinicians have capitalised on the instant-messaging revolution and are now using mobile devices within healthcare organisations.

However, recent reports have found that a number of them are using these devices in ways that carry privacy and security risks, which could end up costing employers a lot.

A recent study of 2,107 doctors across five hospital sites in the UK found that 98.9 percent own a smartphone, with just over a third of them using web-based messaging apps to send clinical information. A separate survey, published in the Journal of Hospital Medicine, found that only 27 percent of respondents said their organisation had implemented a secure messaging application, and only seven percent said most clinicians were using a hospital-issued messaging app.

These surveys show a clear demand for the integration of mobile technology into workflows. However, they also expose significant risks. Consumer-grade instant-messaging apps, like WhatsApp or Facebook, which are being used within healthcare organisations, may be convenient and accessible, but they also come with a number of risks, including:

Patient privacy: 

Consumer messaging applications are built for communication between friends, not for sharing confidential patient information. If a clinician's phone is lost, stolen or hacked, there is always the potential that other people could discover these messages. A lot of consumer-facing apps, like WhatsApp and Facebook Messenger, have encryption built in but don't have password protection on the apps themselves. This means that anyone who knows the password to a phone, or can otherwise get into it, can access all of the messages. A robust mobile health IT app needs extra layers of security: once you have unlocked your phone and opened the app, you should be prompted for a password specific to that app or be taken through a multi-factor authentication process.

Extra risk around photo sharing: 

Photo sharing goes hand in hand with instant messaging. Taking a photo on a smartphone is one of the most convenient ways for a clinician to show, document, and share any visible ailment. However, with this comes the additional risk of incidental, or accidental, back-ups to cloud-based storage systems. Many smartphone systems automatically sync photos to cloud services. This auto-backup function is fantastic for consumers but poses yet another security threat for clinicians, especially if the cloud account is shared with family members. There's also the chance of accidentally showing restricted photos to friends when scrolling through files, and even of accidentally 'sharing' them on social media. While clinicians do tend to be careful when taking photos of patients, there is always a chance of capturing an identifiable feature such as a tattoo or part of the face.

A lack of auditability: 

Conversations about an individual's medical information need to be stored somewhere, preferably within the EHR. While most consumer-facing apps keep a record of conversations, as you can easily discover by scrolling up, none of these records are tied back to the patient's medical records. There is significant benefit in having these conversations linked to the patient record, so that the communication is stored, linked and able to be monitored and reviewed if required. It also allows clinicians elsewhere in the healthcare journey, who haven't been included in those conversations, to see developments and the latest updates.

Lack of upkeep: 

One of the great features of social media is the ability to communicate with groups easily, though in a clinical setting this can cause problems. If groups and mass communication aren't managed well, then clinicians whose viewing permissions may have changed could still see and download anything posted within the group.

These fairly obvious risks can have a significant financial impact on a provider: breaches of digital medical information have already led to numerous organisations around the world being penalised hundreds of thousands of dollars for lapses in IT security. While there are numerous benefits to using communication apps within a healthcare organisation, there needs to be an emphasis on the use of hospital-issued messaging apps, as well as on the protection of mobile data and strict BYOD policies.