NHS Ransomware

We all witnessed the NHS falling victim to a crippling ransomware attack that took out most of the major IT systems at up to 45 sites across the country, including general practices. In the following days and weeks, clinical personnel were unable to access information on the central network, including patient records, x-rays, blood results and appointment information.

In order to reduce disruption and delays in treatment, doctors sought alternative ways to communicate with each other, and some chose the consumer messaging service WhatsApp. The Royal London Hospital, for example, told its staff to use the application to share pictures of scans to help with diagnosis, suggesting it was a ‘secure and infallible way’ to decide on the best course of treatment.

Despite this individual case, the Trust said the use of WhatsApp was ‘not in line with their policies’, though the reasons were not disclosed. There are, however, a number of concerns that can be identified in relation to the use of consumer messaging apps to transmit sensitive personal information:

Joost Bruggeman, former surgical resident and founder of Siilo, explains the difficulties of using WhatsApp in primary care.

Password protection

The majority of smartphones and tablets offer a way to lock the device, whether by password, PIN or fingerprint. However, not all GPs protect their devices, and since WhatsApp does not require credentials to log in, anyone who found an unprotected phone or tablet could gain access to personal patient data.

Syncing with Cloud storage

WhatsApp allows users to sync messages to cloud services such as Google Drive and iCloud, a function that is beneficial to the average user. In sensitive situations, however, this could expose the data on other personal devices in that household, for example. Imagine a doctor’s home where children play in front of a computer whose screensaver is cycling through sensitive and sometimes graphic images; it happens.

Keeping unauthorised backups

WhatsApp automatically backs up your conversations, as it considers it a bad user experience if someone cannot look back over historic messages. For medical information this means clinicians inadvertently allow WhatsApp to keep copies of patient information on its servers, which it is not authorised to do. It is also unclear what security measures are in place, but reports have revealed vulnerabilities.

The impact on patient safety

Many clinicians choose to anonymise data manually when sending material via WhatsApp, in a bid to protect their patients’ confidentiality. However, this can come at the expense of patient safety: it is vital to have no doubt that the patient is receiving the correct diagnosis and course of treatment based on the correct results. If you remove identification from scans or blood tests, there is a risk that they are accidentally associated with someone else.
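The failure mode described above, stripped scans that can no longer be matched to the right patient, is easiest to see alongside the safeguard that avoids it: pseudonymisation with a keyed token that stays meaningful only to the sender. The example below is added here and is not code from the original article, from Siilo or from WhatsApp; it assumes a sending system that holds a secret key, uses constructed fictitious records, and shows that matching an anonymised item back by clinical context alone can be ambiguous while a keyed reference is not.

```python
"""Pseudonymising a clinical item before it leaves the local system (added example)."""
import hashlib
import hmac
import secrets

# Constructed sample data: fictitious patients and items, not real records.
LOCAL_PATIENTS = {
    "NHS-0000000001": {"name": "A. Example", "dob": "1970-01-01"},
    "NHS-0000000002": {"name": "B. Example", "dob": "1982-06-15"},
}
LOCAL_ITEMS = [
    {"patient_id": "NHS-0000000001", "modality": "CT head",
     "date": "2017-05-12", "finding": "no acute bleed"},
    {"patient_id": "NHS-0000000002", "modality": "CT head",
     "date": "2017-05-12", "finding": "small subdural"},
]

# Fields that identify the patient and must never leave the local system.
IDENTIFIERS = ("patient_id", "name", "dob")


def pseudonym(patient_id: str, key: bytes) -> str:
    """Keyed token: the same patient always maps to the same token, but the
    token reveals nothing about the identifier to anyone without the key."""
    digest = hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def strip_identifiers(item: dict) -> dict:
    """The naive 'anonymise' step: drop every identifying field and nothing else."""
    return {k: v for k, v in item.items() if k not in IDENTIFIERS}


def prepare_for_sharing(item: dict, key: bytes) -> dict:
    """Strip identifiers, then attach a keyed reference the sender can resolve."""
    shared = strip_identifiers(item)
    shared["ref"] = pseudonym(item["patient_id"], key)
    return shared


def relink_naive(shared: dict, items: list) -> list:
    """Try to match an anonymised item back by its clinical context alone.
    Two scans of the same modality on the same day are indistinguishable."""
    return [i for i in items
            if i["modality"] == shared["modality"] and i["date"] == shared["date"]]


def relink_by_ref(shared: dict, key: bytes, items: list) -> dict:
    """Resolve the keyed reference; refuse anything other than exactly one match."""
    matches = [i for i in items if pseudonym(i["patient_id"], key) == shared["ref"]]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one match, found {len(matches)}")
    return matches[0]


def demo() -> tuple:
    """Return (number of naive candidates, patient id recovered via the keyed ref)."""
    key = secrets.token_bytes(32)  # assumption: held only by the sending system
    shared = prepare_for_sharing(LOCAL_ITEMS[1], key)
    assert not any(field in shared for field in IDENTIFIERS)
    ambiguous = relink_naive(strip_identifiers(LOCAL_ITEMS[1]), LOCAL_ITEMS)
    exact = relink_by_ref(shared, key, LOCAL_ITEMS)
    return len(ambiguous), exact["patient_id"]


if __name__ == "__main__":
    candidates, recovered = demo()
    print(f"naive relink candidates: {candidates}, keyed relink: {recovered}")
```

The point of the keyed reference is that it carries no patient identifier across the messaging channel, yet the sender can still attach the reply to the right record without guessing from modality and date. A wrong key or an unknown reference produces zero matches and is rejected rather than silently matched to the wrong patient.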

While WhatsApp is considered the gold standard for consumer messaging and deemed secure for general consumers after adding end-to-end encryption, there are significant concerns about its suitability for the NHS. A recent whitepaper authored by legal firm Mishcon de Reya detailed the legal implications of mobile messengers in clinical settings, and while such messengers have been shown to improve patient safety, there are more appropriate options on the market. It is at the clinicians’ discretion to research specifically designed applications, like Siilo, that remove the risks associated with WhatsApp.