A recent study of 2,107 doctors across five hospital sites in the U.K. found that 98.9 percent own a smartphone, with just over a third of them using web-based messaging apps to send clinical information. Yet, a survey published in the Journal of Hospital Medicine reported that only 27 percent of respondents said their organization had implemented a secure messaging application and only seven percent said most clinicians were using a hospital-issued messaging app.
These surveys show a clear demand for the integration of mobile technology into workflows. However, they also expose significant risks. Consumer-grade instant-messaging apps, like Whatsapp or Facebook, which are being utilized within healthcare organizations, may be convenient and accessible, but they also come with a number of risks, including:
- Patient privacy. Consumer messaging applications are built for communication between friends and not the sharing of confidential patient information. There’s always the potential that if a clinician loses their phone, or has it stolen or hacked, then people could discover these messages. A lot of consumer-facing apps, like WhatsApp and Facebook Messenger, have encryption built in but don’t have password protection on the apps. This means that if you know the password to, or can get into, a phone, then you can access all of the messages. A robust mobile health IT app needs to have extra layers of security so that once you log into your phone and go to the app, you should be prompted for a password specifically for that app or encounter a multi-factor authentication process.
- Extra risk around photo sharing. Photo sharing goes hand in hand with instant-messaging. Taking a photo on a smartphone is one of the most convenient ways for a clinician to show, document, and share any visible ailment. However, with this comes the additional risk of incidental, or accidental, back-ups to cloud-based storage systems. Many smartphone systems automatically sync photos to cloud services. This auto-backup function is fantastic for consumers but poses yet another security threat for clinicians, especially if the cloud account is shared with family members. There’s also the chance of accidentally showing restricted photos to friends when scrolling through files and even the chance of accidentally "sharing" them on social media. While clinicians do tend to be careful when taking photos of patients, there is always a chance of capturing an identifiable feature, such as a tattoo or part of the face.
- A lack of auditability. Conversations about an individual’s medical information need to be stored somewhere—preferably within the EHR. While records are kept within most consumer-facing apps, as you can easily discover by scrolling up, none are tied back to the patient’s medical records. There is significant benefit in having these conversations linked to the patient record, so that the communication is stored, linked, and able to be monitored and reviewed if required. It also allows clinicians from within the healthcare journey, who haven’t been included in those conversations, to see developments and the latest updates.
- Lack of upkeep. One of the great features of social media is the ability to communicate with groups easily, though in a clinical setting this can result in issues. If groups and mass communication aren’t managed well then clinicians, whose viewing permissions may have changed, could see and download anything posted within the group.
These fairly obvious risks can have a significant financial impact on a provider. Lapses in IT security and breaches in digital medical information have already led to numerous organizations around the world being penalized hundreds of thousands of dollars. While there are numerous benefits to using communication apps within a healthcare organization, there needs to be an emphasis on the use of hospital-issued messaging apps, as well as the protection of mobile data and strict BYOD policies.
Gain insight into how hackers identify organizational vulnerabilities and how you can prepare a line of defense against a new generation of attacks. Watch the webinar now!