Privacy Watchdog Slams Sharing of Patient Data Via WhatsApp
Shadow IT Incident: Health Staff Shared Images and Video Using Unauthorized Tool
Britain's privacy watchdog admonished a Scottish National Health Service board after finding its staff had used WhatsApp for the unauthorized sharing of patient data. Legal and security experts say the use of WhatsApp and other messaging applications for workplace communications is common and typically falls outside official oversight - an example of what compliance and security officials dub "shadow IT."
The Information Commissioner's Office on Monday formally reprimanded NHS Lanarkshire over privacy violations. The board is the third-largest in Scotland, serving 655,000 rural and urban patients.
The ICO's investigation found that from April 2020 to April 2022, 26 staff - and one "unauthorized individual" - had access to a WhatsApp group in which they shared patient information over the course of at least 533 messages. Information included names and birthdates of adults and children and, in some cases, phone numbers and addresses, as well as treatment details. In addition, members of the group posted 15 images, three videos and four screenshots.
The ICO said staff had violated the U.K. General Data Protection Regulation by sharing patient data "via unauthorized means and secondly, a disclosure of personal data."
NHS Lanarkshire said the WhatsApp group had been formed during the coronavirus pandemic as a response to restrictions on in-person contact. "The team took this approach as a substitute for communications that would have normally taken place in either a clinical or office setting, but was not possible at that time," Trudi Marshall, the nurse director for Health and Social Care in North Lanarkshire, told Information Security Media Group in a statement.
The privacy shortcomings at NHS Lanarkshire trace to workarounds implemented early in the pandemic. The health board told the ICO that executives had authorized the use of WhatsApp to facilitate communications for the COVID-19 Gold Command Group, a group created to handle the strategic response to a major incident. WhatsApp was added to the health board's portal containing approved applications for download onto NHS Lanarkshire mobile devices. But the ICO found that at the same time, the health board "was adopting a new platform for managing mobile devices" and had no formal process for verifying that WhatsApp was not being used to share patient data. It also had no specific policy detailing what constituted the acceptable use of messaging applications such as WhatsApp.
While the ICO hasn't fined NHS Lanarkshire, its investigation remains open, pending appropriate fixes being put in place.
"There's no suggestion that the data was misused, that anybody acted unprofessionally with it - but it did expose the data to risk," Information Commissioner John Edwards told BBC Radio's "Good Morning Scotland" program. "I think the clear message for other boards is to really consider a risk assessment when deploying new technologies and new communications platforms," he said.
Cybersecurity expert Brian Honan said the problems at NHS Lanarkshire are a classic case of shadow IT, referring to employees using unapproved tools to try to get their jobs done. Organizations can either proactively manage the associated risks or have no control over what's already happening, he said.
"Organizations can't just ignore this and hope the problem goes away - or never happens," said Honan, who runs Dublin-based BH Consulting. "They need policies, training and, where possible, technology to manage the risk."
Attorney Jonathan Armstrong of London law firm Cordery Compliance predicts that the problem of shadow IT will grow, expanding a decadeslong battle between workers and CIOs as well as the security professionals charged with securing data.
"As a greater percent of the working population becomes digital natives, we're going to see more and more of these issues," said Armstrong. "Facebook is for grandparents, email is for old folks, too - the tech-savvy use different tools to get the job done and you need to understand that and build it into your plans."
Armstrong advises organizations to assume nothing when it comes to how employees might be using approved or unapproved technology. "People think WhatsApp and similar messaging applications are encrypted and are less careful than they should be," he said.
Honan cautions that in such cases in the future, "other supervisory authorities may not take such a gentle approach." Accordingly, he recommends that any organization that handles personal information for customers or patients "be careful with your own staff's use of personal messaging platforms" since using those platforms could violate GDPR or the U.K.'s implementation of it, which is the Data Protection Act.
The ICO said it expects the board to address shortcomings by mid-January 2024. It recommended that NHS Lanarkshire consider providing staff with a secure clinical image transfer system, which could have helped prevent this privacy breach.
NHS Lanarkshire submitted an action plan to the ICO on March 10, committing the organization to undertaking remedial actions.
"We have already taken a number of steps including looking at alternative apps that can be introduced for the transfer and storage of images and videos within a care setting," NHS Lanarkshire's Marshall said.