
Short Term Pain From New European Data Regulations Will Lead To Long Term Gain in Digital Health

By James Flint & Neville Dastur, Co-founders, Hospify

Neville Dastur is a consultant vascular surgeon and IT developer with his own medical software company; James Flint is a former technology journalist turned tech entrepreneur. They are co-founders of Hospify, a secure, GDPR-compliant healthcare messaging platform currently undergoing extensive trials in the UK.

Issue 5

Damaging as it was, the WannaCrypt ransomware attack earlier this year made one thing very clear to everyone who heard about it: the UK’s health comms are broken.

Doctors, nurses and support staff at hospitals and surgeries throughout Britain and indeed Europe rely on a crazy network of landlines, pagers, paper records and out-of-date computers to stay in touch with one another, and this system – or lack of it – is dysfunctional to the point of being actively dangerous.

It’s not unusual for medical staff in the same hospital to have to make up to ten switchboard-mediated calls before they can talk to one another, a situation which wastes valuable time as well as increasing patient and professional frustration.

So when WannaCrypt made many of the ancient Windows machines underpinning this network inoperable, it also made many hospitals up and down the country inoperable, with catastrophic results for patient care.

What is also worryingly clear, however, is that despite these shortcomings there is no money available to improve the situation. NHS IT procurement has been a financial black hole for decades, and many of the data standards that health care professionals have been expected to abide by – such as the need to both encrypt sensitive data and at the same time make it available for access in the event of patient data requests – often seem – and often are – confusing and contradictory.

And yet in the world beyond the confines of the ward and the surgery, encrypted secure communications are today taken for granted. In the UK 72% of people now own a smartphone and as a result have access to a multitude of apps that allow them, for no additional charge, to communicate via text, email, pictures, video and social media with any of the billions of other people on the planet who now also carry similar devices with them wherever they go. And that’s before they’ve even made a phone call!

These days most doctors (98%) and nurses (95%) own smartphones, and it will come as no surprise to anyone that they’re routing around the problems of legacy systems by turning to consumer messaging apps. According to a recent study published by the BMJ [], in the course of their work 65% of doctors have used SMS, 33% have used app-based messaging, and 46% have used their smartphone camera and picture messaging to send a photograph – for example of a wound or X-ray – to a colleague for an opinion. Around 94% of doctors and 29% of nurses said they used their smartphone to communicate while at work, and more than 50% of doctors reported that they were now using their smartphone to replace the traditional bleep.

So where’s the issue? Institutional health comms are failing, but everyone’s got a smartphone and they’re all using that? Problem solved, right?

Not quite. Because riding into this situation on its great white charger is the small matter of the General Data Protection Regulation (GDPR). From May of next year this new set of European rules – already enshrined in UK law and with us regardless of what happens with Brexit – will classify the transmission of patient identifiable data via servers that are not geographically based solely in the European Economic Area (EEA) as a data breach.

On top of that, the rules demand that all data breaches be reported, and that fines of up to 4% of the offending Trust’s, surgery’s or medical business’s annual turnover be levied on those who do not comply.

Since WhatsApp, iMessage, Slack, Telegram, Snapchat and all the other commonly used messaging apps will just as likely pass your data via North America as via Europe, using these apps to send any data relating to a patient is pretty much guaranteed to put you – or the institution you work for – in breach of the GDPR, regardless of whether or not the data has ended up in the wrong hands, and regardless of whether or not the data has been encrypted.

There are other issues too – the need to provide for patient access requests is one example that counts these tools out for use in the health industry. As NHS England points out in its Information Governance bulletin [ uk/20160603154026/https://www.england.nhs.uk/wp-content/uploads/2015/01/ig-bull-21.pdf], "Whatever the other merits of WhatsApp, it should never be used for the sending of information in the professional healthcare environment. WhatsApp, which is owned by Facebook, is a consumer service, which does not have a service level agreement with users and has no relevant data security certification. There is no valid reason for its use within the NHS."

The NHS is already the worst performing public-sector body when it comes to data breaches and has been fined £1.3m by the ICO for data transgressions over the past few years. Once GDPR outlaws WhatsApp, the fines are likely to get worse, and it’s only a matter of time before a medical negligence or personal injury claim based on either unauthorised use of messaging or a failure of the existing communications infrastructure is brought against a Trust.

The upshot is that the one industry in which fast and efficient communication is quite literally a life-or-death issue is the one industry which cannot take advantage of the plethora of virtually free communication tools that the vast majority of us keep in our pockets, take entirely for granted, and use every day.

It’s not all bad news however. The GDPR – the same set of rules that’s about to scare the pants off everyone – may also prove to be the set of rules that allows the situation to improve, and improve rapidly. Its arrival has allowed the Information Commissioner’s Office (ICO) to reformulate UK legislation into a coherent rubric that is relatively free of many of the paradoxes of the past.

Since similar clarity in the form of the HIPAA guidelines was introduced to the US in 1996, a marketplace of digital health apps has been able to thrive secure in the knowledge that there are best data practice standards to which they can conform.

So while in the short term GDPR compliance may bring some pain for those slow to stop using consumer-grade tools inappropriately, it will also allow increasing innovation to take place in the marketplace, innovation that will unlock a wave of digital solutions for healthcare that inadequate, out-of-date and contradictory regulatory standards have managed to stifle for so long.

James can be contacted on:

Neville can be contacted on: