Phone-fondling docs, nurses sling patient info around willy-nilly

UK doctors and nurses routinely share sensitive patient information via their smartphones, we're told. Two in three or 65 per cent of doctors at Imperial College London have used text messages to communicate with colleagues about a patient, and half (46 per cent) have used picture messaging on their smartphone to send a …

  1. dan1980

    "People will continue to look to use the simplest ways to share information. . . . It is therefore up to these organizations to provide usable and secure encryption technologies . . . as well as educating employees in best practice."

    I agree with all of that. HOWEVER, it is missing something, which is that there must be serious penalties for those found breaking the rules.

    Doctors and nurses are already very well-educated in the rules around liability and so forth and what they can and cannot do for a patient and what constitutes consent and so forth and there can be very serious repercussions when these rules are broken. It is therefore not at all unreasonable to extend that existing framework to the use of technology.

    One of the big problems with this modern era of 'cloud' and mobile and mobility and smart this and tablet that and internet-of-something-else, is that it carries a risk of control being moved away from IT departments.

    Some people argue that this is one of the chief benefits of such a paradigm shift as the mechanisms of IT departments can seem slow and overly bound by red tape and policies and thus are seen to prevent people from working as efficiently as they could without that control.

    And that is an understandable stance from a user as they just want to do what they need to as quickly and easily as possible.

    The issue is the lack of understanding - or care - as to why IT departments function the way they do. The reason that IT departments have established policies and procedures and frameworks is to ensure that the IT infrastructure and policies meet the established standards that have been set by management to adhere to their goals and the applicable laws.

    Unfortunately, you can't stop people taking photos on their phones and sending them via their private e-mail accounts or SMS'ing confidential details (thus producing two unsecured copies).

    So, while a safe and easy - and secure - method of transferring such data is certainly desirable, that takes longer to implement, so the FIRST step to rectifying this rather serious issue is to educate staff and set out the penalties for not complying as soon as possible.

    The most important thing to explain is that convenience does not trump system security and patient confidentiality.

    Now, in health care, delays can cost lives but one suspects that in all but the TINIEST fraction of cases, there is no such urgency and information could be procured and exchanged through 'normal' means in a timely fashion. And, when there are frequent enough instances of people dying where medical staff have been unable or unwilling to help due to regulations or fear of lawsuits, such a stance (for privacy) would hardly be exceptional.

    Of course, loss of life is tragic and more so when it might have been avoided but doing wrong in an attempt to do right brings to mind something about laying roads at a sharp, downwards gradient.

    1. Anonymous Coward

      Load of bollocks

      You're proposing to lock out a clinically useful and efficient means of communication while IT sorts its shit out.

      Maybe ask the patient whether they care about the theoretical attack vectors against a WhatsApp snap of a wound photo which in all probability identifies nothing about the patient.

      1. Anonymous Coward

        Re: Load of bollocks

        well said AC

        Who cares what the CEO of a "security startup" thinks. No experience in the real world, just picks impractical-to-fix holes and goes to the extreme. Security is, unfortunately, always a compromise.

        Besides most medical staff have encrypted and mdm managed tablets.

        You won't see a wounded soldier refusing a shot of morphine because there are no plasters left.

      2. AndrewDu

        Re: Load of bollocks

        Maybe ask the patient?

        Because (even if they were alert and in normal health) they would be just the right person to make a judgment on risk and technical security issues such as this?

        I think not.

      3. JEDIDIAH

        Re: Load of bollocks

        In all of the (American) facilities I have been in, the staff are issued their own personal mobiles to use during their shift. They are actually pretty primitive. I've never seen an American nurse use a personal device on the job.

        Although I have seen them jibber jabber on their hospital supplied mobes in the middle of a procedure. I find THAT far more disturbing than a data breach.

        Clearly they are not autistic enough.

    2. LucreLout

      @Dan1980

      IT departments can seem slow and overly bound by red tape and policies and thus are seen to prevent people from working as efficiently as they could without that control. ....The issue is the lack of understanding - or care - as to why IT departments function the way they do.

      Why my IT department functions the way it does..... Briefly let me just say I work in the private sector, for a bank, so this is in no way a pop at NHS IT, though I'm sure it will be afflicted with similar problems.

      My department is rammed to the rafters with non-technical managers. I sit about 15 deep in the hierarchy (yes, 15). Nobody sat above me can work a compiler. I am the most senior actual IT staffer in the firm, and I'm at the bottom end of the hierarchy.

      So, how does this come about and what do these people actually do? Well, there's a doctoral thesis in there somewhere, but essentially it boils down to this: a senior manager is hired whose primary skills are networking and managing upwards. They then abdicate their responsibility to more junior managers below them, while retaining authority for their area such that any success accrues to them, but no blame.

      What these people do is attend meetings and vendor presentations while producing extremely vague strategies based on things consultancies have sold or told to them. Their value add, in reality, is way below zero, because they prevent a coherent and efficient strategy being formed.

      How can none of them have any skills? Well, because the last thing they want is anyone with any knowledge sitting in their hierarchy, lest it be noticed that the emperor has no clothes.

      1. Prst. V.Jeltz

        B Ark material

        @lucrelout

        You've just summed up what's wrong with our society, dude. It's depressing. Imagine if those people could be trained to be useful? We'd be 15x more productive.

        They'll be first against the wall when I come to power. Unless they start making themselves useful.

    3. Anonymous Coward

      To Be Honest...

      ...I'm not sure I'd give a shit how the medics treating me were passing data / pictures around.

      They're not likely to be adding my full name, address, inside leg measurement to everything they send; it's going to be "that bloke in bed 10". Nor are they likely to include a picture of my face in the email carrying a picture of my <insert embarrassing medical condition's name here> (unless of course it is my face, something that I cannot discount!). And even if their phone got hacked, it's hardly likely that any of that will ever get publicly associated with me personally.

      Yes, they should take some care, but let's not get too paranoid about it. We want them to get their jobs done as quickly as pos.

      On a related topic, a friend is in a compliance department of a financial institution, and their worst nightmare is traders having access to Excel. It's almost impossible for them to vet informal spreadsheets stuffed full of equations knocked up by some keen trader at home and emailed in, and the institution's own coders doing the developments properly cannot keep up with the needs of the traders. That's when the management have to know who in their organisation they can really rely on...

      And getting back to doctors in hospitals, it seems highly unlikely that any doctor is going to set out to deliberately gather and retain identifiable personal information on their own personal mobile. Perhaps we should trust to that more than we should trust to procedure, rules and technical oversight.

      I'm not a medic, nor a banker.

      1. I. Aproveofitspendingonspecificprojects

        IT smarts doctor

        Plus there is no reason to think a neighbour has set up a nest of tracking receivers in his bedroom to set up his own version of Emergency Ward 10 once the series ended.

  2. Mark Zip

    Threema works well for this.

    Suggestion: Threema ( https://threema.ch/en )

    Works very well for a friend of mine in a small practice (3 geographically separate offices) in USA. All members of the practice use it and all exchanges are secure.

    1. dan1980

      Re: Threema works well for this.

      .ch?

      1. seanf

        Re: Threema works well for this.

        Chillax - .ch is the country code top-level domain for Switzerland

    2. Anonymous Coward

      Re: Threema works well for this.

      Thank you. I was mapping out mentally what really should be done. A bit limited in that it seems only targeted at mobiles and some tablets but that's likely intentional looking at the feature set.

      This is solvable. IT can rant, rave, and repeatedly use the cattle prod but until securing the communication is dead simple for the client, it's a failure. Not the CIO, CEO, or BOFH, the client using it on the job. (The Department of the Bleeding Obvious here.)

  3. Anonymous Coward

    This happened to me

    I had a bicycle accident about a year ago and went to the emergency room, with a nasty hematoma in my abdomen and a small puncture wound on my groin (from a spoke that broke off...just missing the important bits!)

    The ultrasound tech wasn't sure if she needed to refer to a specialist for the puncture wound, so she asked me if she could take a couple pics on her phone to text to him to see if he needed to come in. I said no problem, he saw the pics and said it was no problem, so I got a few stitches and they sent me on my way.

    Sure, MMS isn't secure, and this was probably a HIPAA violation, but I'm sure the "fix" for that will be some sort of secure app that they'd need to use for this, which would require me to go through some complicated electronic signature process. I'm sure the company would charge $200 for each installation of the app and $20 per use, figuring that "hey, insurance is paying for it, so why not stick our snouts in the trough". I think I'll stick with MMS if it's alright with the rest of you...

    1. Anonymous Coward

      Re: This happened to me

      You forgot the server running Windows NT. (I was going to say Windows Server 2003 but that would offend my sensibilities. Enterprise still runs like a RR here.)

    2. John 110

      Re: This happened to me

      I think the important thing to remember is that info shouldn't be strewn around that contains info that can uniquely identify the patient, so unless your groin has a readily identifiable (and unique) feature (a tattoo of your social security number, maybe -- or wait, maybe you're a pr0n star...) it's probably ok to send pictures across public channels...

      PS please don't quote this out of context...

  4. Medical Cynic

    Several years ago my hospital trust had an enterprise-wide phone system with secure SMS and voicemail. It was easy to use [so people used it] and secure.

    That is the type of system to use, not personal phones. ICO will fine heavily for data breaches involving the use of personal phones.

    Ex Caldicott Guardian.

    1. Anonymous Coward

      my hospital trust had an enterprise-wide phone system with secure SMS and voicemail

      Wow SMS and voicemail. The NHS enters the early 1990s. And that included easy to use, high quality photo messaging, and all client devices were photo-capable and to the same high standard for the troops as well as the bosses?

      IME any corporate implementation invariably involves premium smartphones for the big swinging dicks, and the hoi polloi get to use some cheap shit that doesn't work properly "to save money". My employers (a c£7bn turnover UK operation) are not uncommon in this respect and expect the peasants to use Sammy Galaxy Ace 4's, which is a piece of unfit-for-purpose shit in a corporate environment. In fact, I wouldn't even give it to my kids.

      I suppose this comes down to priorities. If I was in hospital, I really wouldn't give a tinker's cuss about medical staff using private mobile devices to seek second opinions, or communicate information about my care. If some ne'er-do-well hacked in and found a picture of my wound, symptoms, or care plan, I'd not give a shit.

  5. Steve Davies 3

    Oblig...

    Quote

    Dr Nithin Thomas, founder and chief exec of security startup SQR Systems

    I guess he has some product to UpSell then?

    Or perhaps he wants to sell the biz?

  6. quattroprorocked

    Psychology matters

    If you want busy people to be secure, don't let them use their phone. Telling them to use a specific app on their phone isn't good enough, as it won't be an app they use often enough to be an automatic reaction.

    There is a case for giving all staff their own device For Medical Use. Maybe in a nice medical Red colour.

    Medical staff will be much more attuned to a Device/Task link than an App/Task one.

    This allows training / memos along the lines of "Business matter? Business phone. Personal matter, personal phone" and then have a swear box that miscreants have to donate to every time they get caught flinging Business stuff to personal phones. And then also have the Uniforms and White Coats incorporate Phone Pockets. The one at the front for the Medifone (TM, me), and a buttoned-up one under the armpit for the - deliberately hard to reach - Personal Phone.

    1. Anonymous Coward

      Re: Psychology matters

      I've had some surgery recently, and one of the incisions has been slow to heal, and the surgeon has used his official (and presumably nominally secure) hospital smartphone to take pictures to record the recovery stages. The phone was extraordinarily slow compared with a normal one. (This was at Addenbrookes Hospital, which has been suffering from a new computer system recently.)

  7. Maldax

    The world's gone mad!

    So people are happy to send photos of their 'anatomy' at the drop of a hat... but woe betide someone sending a photo of your ingrowing toenail to get some advice!

    But I'm sure it wouldn't be beyond the imagination for FB to market a private version of WhatsApp.

  8. Anonymous Coward

    Nice Freudian slip there...

    "they don't have easy access to the information security measures they need, such as encryption," Peeper said.

    Err... I think that was Pepper?!

  9. tiggity

    Mobile Phone use in a hospital

    So, is mobile use allowed in UK hospitals now?

    Last time I had misfortune to be in a hospital there were signs everywhere about switching mobiles off, but that was a while ago.

    1. druck

      Re: Mobile Phone use in a hospital

      That was more to do with protecting the extortionate monopoly of the hospital payphone. They had a fig leaf to hold on to by saying it could interfere with medical equipment, but since pagers were phased out every doctor/nurse/paramedic uses their mobile on the ward, so they can't really stop you.

    2. Anonymous Coward

      Re: Mobile Phone use in a hospital

      You don't really want to lie ill in bed surrounded by people bellowing into their mobile phones, do you?

      1. John Brown (no body)

        Re: Mobile Phone use in a hospital

        "You don't really want to lie ill in bed surrounded by people bellowing into their mobile phones, do you?"

        Surely have as normal an environment as possible can only help?

        1. Peter2

          Re: Mobile Phone use in a hospital

          Once upon a time there was equipment that did do weird and not helpful stuff when mobiles were around, so rather than replacing said equipment, it was far easier to stick up a sign telling people to turn their damned phones off.

          In due course, this equipment was replaced; however, the signs remained. Generations of staff had passed through since then, and nobody knew why the signs were there in the first place. The admin staff assumed the medical staff needed them up, and the medical staff assumed the IT staff needed them up. The IT staff assumed the medical staff had some weird old equipment, but considering the worst case risk was that there might be a stack of filled body bags, nobody was willing to stick their neck out and say "no, we haven't needed those signs up for a decade now".

          1. IvoryT

            Re: Mobile Phone use in a hospital

            "Once upon a time there was equipment that did do weird and not helpful stuff when mobiles were around,"

            Theoretical. There were no reproducible cases of this. Occasionally equipment malfunctions, and it is easy to blame new technology. We had a ban on phones on the ITU floor of our hospital because of this meme - but they were freely used on the floors below and above - presumably the effects only radiated horizontally.

      2. JEDIDIAH

        Re: Mobile Phone use in a hospital

        > You don't really want to lie ill in bed surrounded by people bellowing into their mobile phones, do you?

        No. I want to be the one bellowing into my mobile phone.

        Videoconferencing: perhaps you've heard of it?

        1. Anonymous Coward

          Re: Mobile Phone use in a hospital

          Where I work, we have some free WiFi for patients & public and I have helped a few people set up Skype connections to family. If they had money to burn, they could even try facetiming, as long as their family also had some overpriced Apple playthings.

  10. David Pollard

    Shouldn't all 'phones be secure as a matter of course?

    Why should we not expect electronic communication devices generally to be as secure as a letter or a private conversation? Medicine isn't the only area in which people have an expectation of privacy and confidentiality.

  11. Kirstian K

    The answer is simples

    Snapchat...... it very securely deletes itself once seen, and don't doctors only need a few seconds per patient anyway...

    BTW: I am of the actual opinion that if my life depends on it, I would take the insecure save me now, and not give a toss about if a hacker of some sort got a glimpse of my todger, or knew I have a boil on my bum.....! oh wait a mo, is this site secure, I just gave away personal information that could seriously impact my existence...

  12. Eddy Ito

    Doctors and nurses were using smartphone apps to communicate medical data, even though they realized that this might not be the best approach, in the absence of a more secure alternative.

    In the absence of a more convenient or cheaper alternative, surely.

  13. Jean Le PHARMACIEN

    Disciplinary action awaits....

    I work in an NHS hospital, on wards with patient contact. I have a smartphone (actually had one since my Nokia 9500 Communicator for the same purposes) on which I keep reference materials/clinical guidelines/specialist references. Stuff that means I don't have to run about looking for the nearest terminal that's not broken/partly functional/working but in use to look up the latest info on cotrimoxazole via a CVC.

    I have read and taken the NHS courses on data protection - as have all these doctors and nurses - it's part of your required mandatory training. Not following the requirements is a disciplinary offence.

    As a result I have never:

    1. used SMS/Text for conveying/communicating any patient information [don't get me started on why text is a rubbish protocol for anything important - just let me say IT IS NOT INSTANT MESSAGING and has no audit trail]

    2. used email for conveying/communicating any patient information [even standard Trust intranet/Exchange is apparently not secure enough]

    3. ever used Facetwit or whatever it is, ever, at all

    Does this make me:

    A. Smug self righteous b*****d

    B. Boring so'n'so with no sense of up and coming use of technology

    C. So scared of the disciplinary process in the NHS and its 'no blame culture', which is no blame as long as I can stick the blame on someone else (been there and seen that)

    D. All of the above

    E. I wouldn't like my personal information bandied about insecurely so stick to what's in the NHS regs

  14. Cynic_999

    Is it really that important?

    I don't believe that increased security is all that important in this particular case. The information is unlikely to be profitable for anyone, so doctors' phones won't be especially targeted. So the insecure bit is mainly instances where a phone is left on a bus or train etc. And if that happens, is the data leak likely to be particularly detrimental to the people affected? Perhaps someone could come up with a *likely* scenario in which a patient is adversely affected, but I cannot think of any that are all that probable.

    1. lucki bstard

      Re: Is it really that important?

      'Perhaps someone could come up with a *likely* scenario in which a patient is adversely affected' - If the patient didn't give consent. That type of person is probably the one who will complain as well.

    2. Domino

      Re: Is it really that important?

      Cynic_999: The information is unlikely to be profitable for anyone

      Except insurance companies, and maybe blackmailers if STDs are involved..

      1. JEDIDIAH

        Re: Is it really that important?

        > Except insurance companies, and maybe blackmailers if STDs are involved..

        My insurance company already knows how sick I am.

    3. JimBob01

      Re: Is it really that important?

      And of course …if you have nothing to hide then you have nothing to fear, right?

  15. chivo243

    Going off Topic

    What if the woman making a stink about a slave pirate playmobile was this pic El Reg staged for this article?

  16. Graham Marsden

    "up to these organizations to provide usable and secure encryption technologies"

    ... but not *too* secure - Signed GCHQ

  17. Havin_it

    Just to be sure I'm not finally losing my cake...

    ...That photo's of a nurse fellating a grandpa, yeah? Everyone else seeing this?

    I mean, that's my interpretation. I did consider that it was a prostrate weeping relative, but gramps seems a little too happy for that.

    Doesn't seem all that germane, is all. We all know y'all have a nice big bucket of Playmobil to play with, so why recycle? And where's Optimus Prime?

    1. Anonymous Coward

      Re: Just to be sure I'm not finally losing my cake...

      That photo's of a nurse fellating a grandpa, yeah? Everyone else seeing this?

      Yup. Funny, I just noticed that too. I'm clearly getting slow in my old age :)

    2. Huw D

      Re: Just to be sure I'm not finally losing my cake...

      The old feller is on a decent BUPA plan.

      The bloke in the next bed has to wash it himself.

  18. MachDiamond

    The world is a stage

    If a hospital finds that being able to send pictures of patients is a benefit, they should implement a secure network that works exclusively through the hospital's internal network. I would much rather doctors and nurses use voice to communicate rather than text given the poor grammar of many people and the highly fluid shorthand code that is used frequently. It's faster and easier to get a clarification on something said while in a conversation. The spelling of drugs follows no rules and many of them have similar names making it easy to mis-type them into a phone (which will try to autocorrect). This is why it's a recommended practice to write something such as "for pain" on a prescription so a pharmacist doesn't dispense blood pressure meds by mistake.

    The cell phone network everywhere (and especially in the US and UK) is monitored and recorded by The Man®. While an individual picture or text might not be a problem, in the aggregate, it starts getting much easier to put a name with the patient. Government data repositories get hacked too so having the least amount of your personal information stored electronically anywhere is a thing to keep in mind.

    My last caution is that off the shelf smartphones are not built to be thoroughly cleaned. In fact, if you get them wet, the moisture indicator changes color and there goes any warranty. Doctors are working with people whose illnesses might not be immediately diagnosed and may not worry about everything they have touched and where they may have set down their phone even though they will wash their hands frequently and change gloves between patients. It would be a real PIA to find out that while visiting the doctor for something minor, you left with a case of measles.

  19. Anonymous Coward

    Whose device is that?

    A lot of the people using a smartphone (iPhone anyway) or tablet may not be using their own device. They belong to the hospital.

    The NHS does not do BYOD. That is a silly idea anyway. If you need a device, your employers should pay for it and how is IT going to support 5,000 different types of devices?

    Whatever the device, it will be locked down and as secure as we can make it. It will either connect to the hospital's own Exchange servers or to NHS.net - the magically secure webmail system.

  20. Tweetiepooh

    It's not communication within the hospital

    that is the problem. In that case the "records" are accessible on the "secure" terminals. It's contacting the consultant on the golf course and he isn't going to be carrying multiple devices, affects the swing too much.

  21. Neil Hoskins

    NHS IT is unbelievably restrictive, partly due to misguided security policies and partly due to outdated hardware and software (Internet Explorer 8 on Windows XP is typical). So staff are always going to do whatever they can to bypass the bollocks and use time and labour-saving 21st century technology. As they're medics and not techies, this will be done with high-street defaults rather than more appropriate security. The solution is obvious: the IT departments need to catch up with 2015 technology.

    1. Anonymous Coward

      IE8... Luxury! I am viewing El Reg via IE6 here in my particular Trust!!

  22. AndrewDu

    Surprise!

    Seller of a secure communications product thinks NHS should buy more secure communications products.

    Well colour me astonished.

  23. UKSP

    Clearly there's a need for extra tech so create it

    If I was in a bed in need of urgent medical attention I'd be 100% happy about a nurse snapping my ailing areas to share with colleagues... if it was the quickest way to help me. Of course there are issues utilising existing tech, it's true, but more importantly (much more) it also highlights a massive opportunity to develop another system that is superior. E.g. make an 'NHS compatible' handheld device (a glorified tablet designed for the purpose, IOW) for snapping patients' areas that can send only to registered NHS staff... so the recipient has to have an NHS account and app which they need to log in to see what's been sent. Until then, security be damned. Top marks to the NHS for using what is available to them to help people.
