Editorial

ICO’s reprimand of NHS Lanarkshire: What can we learn?

Liam Cahill, advisor to NHS organisations and bodies around digital, on behalf of Zivver, asks what we can learn following the ICO’s reprimand of NHS Lanarkshire for using WhatsApp during the pandemic.

Posted 24 August 2023 by Christine Horton


In the most recent news around data security, NHS Lanarkshire has received a reprimand from the Information Commissioner’s Office (ICO) over the use of WhatsApp by staff to discuss and share information about patients between April 2020 and April 2022, during the Covid-19 pandemic, including one unauthorised individual being temporarily added to the group.

On the face of it, this is a story of policies not being properly created or adhered to, and of technological workarounds in the absence of suitable secure communications solutions. But this case is arguably much more complex because of the challenging circumstances during the pandemic, the varying levels of skill and understanding around technology, human behaviour, and ICO guidance that could itself have led to misinterpretation. It also speaks to the near-inevitability of data breaches when teams feel under pressure to work efficiently and securely without access to suitable communication platforms.

I should emphasise that since not all the facts are available around NHS Lanarkshire, this article isn’t intended to cast judgement or critique Lanarkshire or the ICO, but instead look at the incident (and similar incidents) from all angles, and to consider what we can learn from it.

Allowing use of WhatsApp

Unfortunately, too many data breaches result from ‘simple’ mistakes, and whilst human error (or non-cyber related incidents, in the ICO’s terminology) naturally remains one of the leading causes of data incidents, errors of judgement can also play a large role. In the case of NHS Lanarkshire, the conclusion points to the lack of an appropriate policy, and to a specific group that either didn’t follow such a policy or wasn’t supported to follow it.

Whilst this is a very easy conclusion to draw, let’s consider the circumstances in late March 2020 and the ongoing period during which the pandemic dictated many actions, not solely isolated to the NHS, but across society in general.

Firstly, in the initial months of the pandemic, many services were forced to find solutions to unique issues which had never previously been considered under business-as-usual (BAU) policy. Secondly, very few organisations were writing detailed policies; they were instead putting their efforts into keeping some form of care continuity, often learning to work remotely for the first time.

As it happens, in March 2020 the ICO, and the then national digital arm of NHS England (NHSX), took the unprecedented step of allowing the use of WhatsApp (and other platforms) in clinical care “where the benefits outweigh the risk”.

The Information Commissioner offered assurance to NHSX that she “cannot envisage a situation where she would take action against a health and care professional clearly trying to deliver care.” Whilst NHSX did not preside over Scotland, the ICO position would have likely been similarly interpreted in Scotland, and one can assume a similar position would have been taken.

No alternative solution

In 2020, I was working closely with both NHSX and NHS England, but also working with a frontline community provider in order to solve care issues with digital, and on the board of another provider looking to balance risk and patient benefits. Through all of these avenues it was very clear that services across the board were taking the relaxation of information governance rules on board, in order to keep care running, with many examples of WhatsApp use in community services such as health visiting, but also in those services where multi-disciplinary teams or partners were working together to support individuals in need, when the IT infrastructure was not up to the job.

In my work during Covid I lost count of distressed staff in services, struggling to help a particular patient for whom the sharing of media such as a video or imagery was needed, as appears to have been so in the case in question. It’s easy to forget how intense the times were, but I can’t help but empathise with any team who may have taken similar steps in a moment in which there was no other alternative solution available to them other than risk letting down or even harming patients.

During the summer of 2020, I supported a provider in the delivery of some education and discussion around secure communications, including helping clinical services to properly consider the risks and benefits of using WhatsApp, which, as was referenced in the ICO reprimand, is visibly labelled as encrypted. I clearly remember the surprise and consternation that the tool they believed to be secure and safe presented a number of risks that they had no idea about, with many moving away from WhatsApp even though many still lacked a secure alternative. Digital skills can often be limited, or at least were limited in 2020, and given the ICO / NHSX guidance, it is very easy to see how staff across different sites could believe that they were doing the right thing for their patients based on the information they had at the time.

My final point is a behavioural one. With the exception of the immediate behavioural changes around digital at the beginning of the pandemic, it is very difficult to undo something once in motion. Technical debt is a real thing: just ask people still using pagers and faxes. Anyone who has supported digital change in the NHS will know how difficult shifting away from something that is ‘doing the job’ can be. This is especially true when the superseding solution either doesn’t exist or is perceived to be less effective than the previous one.

Weighing up the risks

The sad fact is that over three years on, many NHS providers still lack the tools to provide, in a secure way, the convenient functionality that WhatsApp offered:

1. Sharing across different sites, especially those on different Microsoft Teams tenants,
2. Sharing video and images securely, and
3. Direct secure sharing with service users (which wasn’t, as far as I understand, the case with NHS Lanarkshire).

NHS Lanarkshire, for example, is now in the process of exploring a solution.

Ideally NHS Lanarkshire’s response, and the response of other organisations seeking not only to respond to data breaches but to stop them happening in the first place, will cover the different scenarios: not only preventing human error, but also helping services serve their patients in a way where their judgement doesn’t become misjudgement and lead to consequences. Solutions such as Zivver that are built to provide the functionality and security needed to support and protect patients would have enabled clinical services to avoid this happening, especially considering the complex behavioural factors. Zivver is an email security platform used by healthcare organisations globally to prevent data leaks. Its Secure Email and Secure File Transfer solutions safeguard sensitive patient information whilst allowing healthcare providers to transform system and patient interactions.

While the ICO reprimand should hopefully drive helpful discussions around better policies, digital tools and support for services, it’s important to recognise that the NHS Lanarkshire scenario, and no doubt many unreported incidents, happened against a complex, challenging and confusing backdrop. I have little doubt that the services themselves felt their decision was in the interest of their patients, and that the “benefits outweighed the risk.”