back to article Brit healthcare body rapped for WhatsApp chat sharing patient data

Staff at NHS Lanarkshire - which serves over half a million Scottish residents - used WhatsApp to swap photos and personal info about patients, including children's names and addresses. Following a probe, the UK Information Commissioner's Office (ICO) has now issued a heavily redacted official reprimand to the organization, …

  1. Dan 55 Silver badge
    Holmes

    Something not quite right here

    Communications were sent to both all staff and Teams with the instruction not to use WhatsApp for sharing personal data. NHS Lanarkshire subsequently seized the phones of staff involved which was completed by ███. All phones were deprovisioned, which NHS Lanarkshire confirmed deleted the chat, and staff have been issued with new phones.

    First of all, I bet many staff members had the unencrypted Google drive backup option enabled.

    Secondly, it appears WhatsApp is not good enough for the NHS but it's good enough for the government. Shouldn't the ICO have instructed that MPs and civil service phones with WhatsApp be requisitioned, a copy of the chats be taken to get them officially recorded, and WhatsApp and data be deleted from the phone by now?

    1. unimaginative Silver badge

      Re: Something not quite right here

      To say nothing of the Cabinet using Zoom during the lockdown - by the nature of Cabinet meetings they discuss highly classified information.

      Staff devices should be locked down and they should not be allowed to install software. Browsers should be locked down too to prevent uploads.

      I do some work with medical images. That is outside the NHS systems. I am currently looking at implementing some stuff with NHS APIs and there are mechanisms (hopefully secure) for transferring patient data (at least in NHS England - not sure what they have in Scotland).

      1. Anonymous Coward
        Anonymous Coward

        Re: Something not quite right here

        "Staff devices should be locked down and they should not be allowed to install software."

        It says that it was installed on the phones by the trust, presumably their IT department. That would probably be because the staff could not do it for themselves. The ones who will install stuff on NHS devices if they can tend to be finance and admin people - not the medical staff who actually do the work!

      2. John H Woods Silver badge

        Re: Staff devices should be locked down

        ideally by something like Ivanti, as it saves adversaries having to break into each endpoint device individually ...

    2. StrangerHereMyself Silver badge

      Re: Something not quite right here

      Just a thought: why don't NHS staff use Signal to exchange medical information (including pictures)?

      I personally believe WhatsApp is sufficiently secure if you abide by some simple policies (no cloud backup, no usage of WhatsApp web), but even the most privacy conscious paranoid should feel fine with Signal, right?

      1. Dr Who

        Re: Something not quite right here

        It's not the app that's the problem. It's the mechanism (or lack of it) for controlling access rights. Who decides who will be a member of the WhatsApp or Signal group? Who decides what each of those members can see or do with the data? There are no mechanisms in place on messaging apps whereby an organisation can maintain control of and audit who accesses what information.

        1. StrangerHereMyself Silver badge

          Re: Something not quite right here

          In WhatsApp it's the admin of the group who decides what people can be members.

          There is no authorization of data in messaging apps, nor is it practical to do so. For example, some apps don't allow screenshots to be made, but this is easily circumvented by just taking a picture of the screen with another phone.

  2. Anonymous Coward
    Anonymous Coward

    It seems odd to decommission the phones. If it's supplied through the portal, surely it should be possible to also delete it from the portal as well? Or are they not using intune/company portal and use some strange semi-functional inhouse unnecessary weirdness?

    1. FirstTangoInParis Bronze badge

      You’ve tried provisioning devices using Intune have you? If you succeeded, please can you explain what magic spells you used, so we can do this too?

  3. IGotOut Silver badge

    Sigh..

    "staff would have access to this in normal practice as there is no secure clinical image transfer system in NHS Lanarkshire"

    And there ladies and gentlemen, is why the staff resort to bodge jobs.

    Still digital transformation should be complete by 2177 after a multi trillion Pound consultation is done.

    1. Sir Sham Cad

      Re: Sigh..

      Secure mobile clinical messaging systems do exist. Unfortunately the staff know what they like and they like what they know so it can be difficult to make the new app(s) stick.

      1. Stork Silver badge

        Re: Sigh..

        Sounded like those systems had not reached Larnarkshire yet.

    2. cantankerous swineherd

      Re: Sigh..

      it's called fax

      1. Stork Silver badge

        Re: Sigh..

        Yeah, I remember those. Used one just last millennium.

    3. StrangerHereMyself Silver badge

      Re: Sigh..

      The NHS is so strapped for cash that it has to make hard choices: either implement a secure image transfer system or attract more medical staff.

      WhatsApp is relatively secure, safe for the unencrypted backup "loophole" which Meta has only halfheartedly fixed, and only in the last year.

      1. Anonymous Coward
        Anonymous Coward

        Re: Sigh..

        WhatsApp is relatively secure, safe for the unencrypted backup "loophole"

        That's actually not even relevant. Out of all messaging apps, WhatsApp does something which makes it immediately unsuitable for any business or organisational use: it ships your address book wholesale to Meta (instead of using hashing to identify matches, which is what everyone else does).

        This means that having as much as one SINGLE entry in your address book which is personal rather than business information and for which you have not obtained permission to ship it to a jurisdiction with more holes in its privacy laws than your average Gruyère cheese and you've broken the law, period.

        You could say that using anything but WhatsApp would have been a better idea. Frankly, I don't know why the ICO is not going after that in the first place.

        1. StrangerHereMyself Silver badge

          Re: Sigh..

          Yes, I don't necessarily want my contacts to be known by Facebook or anyone else, but it's not the end of the world.

          I DO NOT want Facebook or anyone else to be able to read my private correspondence, and that's what WhatsApp is protecting nicely, otherwise the Five Eyes wouldn't be collectively (and I suspect in concert) be introducing laws that undermine end-to-end encryption.

          1. Anonymous Coward
            Anonymous Coward

            Re: Sigh..

            There is a concept called 'hiding in plain sight' and the most blatant use of that is presently Zuckerberg renaming his company to 'Meta'.

            What WhatsApp (and thus Zuck) is after is NOT the contents (which is why they were quite happy to use decent encryption for it, taken from Signal code), it's who you know.

            You've got Gordon Welchman to thank for that.

            1. StrangerHereMyself Silver badge

              Re: Sigh..

              Zuckerberg is brilliant in the sense that he intuitively felt that people don't want their private correspondence to be read but care less about Facebook knowing their contact list. Sure, he could've made more money if he knew what people were talking about but that would've freaked them out and he would've lost them.

              I'm not sure how knowing my contacts profits him but I find the trade equitable. Running a service like WhatsApp used by billions isn't cheap you know?

              1. Anonymous Coward
                Anonymous Coward

                Re: Sigh..

                I have no problem you going all naked in detail for Zuckie boy, that's your own choice.

                What I object to is you uploading MY contact details, because you deny me the option to say no. It's not your data.

                1. Emir Al Weeq

                  Re: Sigh..

                  And that's the problem: so many people are happy to share their contacts list and don't consider that the data in it isn't theirs to share.

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: Sigh..

                    .. and the big question is if that is even legal for a business. As far as I can tell, without explicit permission of the person so exposed it is not.

                    Many companies still don't even follow the explicit requirement to state what they're going to do with your data (only putting a link to a separate page where it's buried in reams of other waffle is not 'explicit'), so for them to prove they have that permission is going to be interesting - read: they're breaking the law and it could cost them.

      2. Charlie Clark Silver badge

        Re: Sigh..

        Who says WhatsApp is secure enough for the storaing and transfer of sensitive patient information? This is a policy decision which has to be taken by someone responsible for data privacy. If this is the case, it's not permissible to use it.

      3. SundogUK Silver badge

        Re: Sigh..

        The NHS is NOT strapped for cash. They just spend most of it on useless administrators and DEI bollocks.

        1. John H Woods Silver badge

          Re: They just spend most of it on useless administrators and DEI bollocks.

          Simply not true. The NHS is somewhat lightly managed compared to other organizations of similar size. All sensible organizations of any significant size have DEI policies, those that don't tend to be somewhat problematic places to work.

  4. Pascal Monett Silver badge

    "there was no specific policy in place directly for WhatsApp"

    Staff used WhatsApp. That means that that was the easiest solution.

    Which, in turn, means that there was no official solution. Or that the official solution was a pain in the ass to use and not half as practical.

    People want to get the job done. If there is no official channel, they will find an unofficial one. The fact that they could install whatever they wanted on their work phones is another strike out.

    Oh wait, did they even have work phones ?

    It seems that everything concerning health in the UK is a bodge on top of an unfinished, poorly-thought-through and badly implemented job.

    Stop throwing good money after bad. I rarely say this, but maybe it is time to nuke whatever exists, pour concrete over the remains and start fresh. But with a proper project this time.

    1. Doctor Syntax Silver badge

      Re: "there was no specific policy in place directly for WhatsApp"

      "Oh wait, did they even have work phones ?"

      Yes.

      Over the last few months we've spent too much time in the local hospitals. The nursing staff all seem to be equipped with phones. I hope it's a secure app they're using but they regularly use them for recording blood pressure readings.

      1. Anonymous Coward
        Anonymous Coward

        Re: "there was no specific policy in place directly for WhatsApp"

        I recently spent a week in hospital. All the staff carried phone type recording devices, even the cleaners. The patients' needs were ignored by the nursing staff since the machines seemed to demand constant masturbation. It took over 28 hours for a doctor to change my treatment request. The same system then told my GP that I had died.

        Bring back pen and paper.

        1. Richard 12 Silver badge
          Pirate

          Re: "there was no specific policy in place directly for WhatsApp"

          Easiest way to meet the targets. Now you're not waiting.

    2. Cav Bronze badge

      Re: "there was no specific policy in place directly for WhatsApp"

      "Or that the official solution was a pain in the ass to use and not half as practical."

      The problem is that many staff regard any security restrictions, at all, as a pain in the ass. That's just a poor excuse, not a reason to by-pass the restrictions.

      1. Richard 12 Silver badge

        Re: "there was no specific policy in place directly for WhatsApp"

        That's not true.

        The problem is almost always that some "security" gets imposed from upon high that is impracticable if not impossible to use, or doesn't even work.

        Usually both.

        Eg a lot of these systems require the nurse to remove gloves and re-scrub multiple times during a patient contact. Not possible in the real world.

    3. Roland6 Silver badge

      Re: "there was no specific policy in place directly for WhatsApp"

      >” Staff used WhatsApp. That means that that was the easiest solution.”

      WhatsApp and Zoom were the two solutions to hand back at the start of lockdown; need to remember the time pressure and supply constraints when he first lockdown was announced; basically, whatever remote working solution you needed had to be doable on the equipment you had deployed and could reasonable expect people to already have.

      Yes there were alternatives to WhasApp and Zoom such as Signal and Jitsi, not forgetting WebEx et al. However, as noted MPs were using these mainstream products so I expect many heard the media stories and “ if it’s good enough for them….”

      Fundamentally, this is a collective failure in business continuity planning etc. - however, unless you had been involved with say the IRA bombings in he city of London, who would of planned for workers having to suddenly work from alternative venues such as their home? But even then I suspect no one really considered it happening to everyone at the same time.

      In some respects it is noteworthy that the Cabinet Office kept so quiet over both the technologies government and its agencies should be using and how to make them secure.

      1. katrinab Silver badge
        Meh

        Re: "there was no specific policy in place directly for WhatsApp"

        The last IRA bombing was in 2001, and the last terrorist bombing in London was 7/7/2005. The options available for business continuity back then were very different to now.

  5. Eclectic Man Silver badge
    Unhappy

    Replacement of GDPR

    "According to the latest draft, the Secretary of State can use a statutory instrument to change, add or remove "the databases which the Board is required to oversee," rename the Board; or "require or authorise the Board to issue a code of practice or guidance" – a situation which would undermine the regulator's independence and influence its guidance and priorities."

    Basically, if an entity is able to hold the rich and powerful to account, it must be curbed and held under ministerial control. Independence is essential for any credibility for the ICO or whatever replaces it / him / her / them. Is this just an attempt to ensure that rich and powerful businesses can use personal data for profit without having to worry about being held responsible for using it without permission or holding it safely and securely?

    1. Version 1.0 Silver badge
      Happy

      Re: Replacement of GDPR

      Everyone that I've ever worked with in the health industries are always working to help their patients ... sure they may think about the data sharing but that's only a relatively minor issue once the patients health (or even their life) has been saved.

      Sure we have different icons but I'm OK to upvote your opinion, it simply illustrates that there are no simple answers to every issue these days.

      1. Eclectic Man Silver badge
        Facepalm

        Re: Replacement of GDPR

        My comment was about the replacement to the GDPR, and the weakening of the ICO. I should have made it clear that I was not commenting on the judgement made in the case in the article, which is my fault, sorry.

        If I recall correctly the first person prosecuted under the old Data Protection Act was a vicar who used his computer to manage the Boy Scouts troop he led, but had not actually sought their parents' permission to hold their personal information on said computer. Contrast this with the case when a customer of Barclays Bank discovered that he could view anyone's account details except his own and the ICO did not prosecute Barclays and he had a great deal of trouble in getting the bank to apologise for claiming he had hacked into their system.

        In the case in the article, although technically they breached the GDPR, it would appear they had a genuine clinical reason for transferring the information, and frankly if my health depended on someone using insecure comms once in a while, I probably would not mind that much.

        Have an upvote yourself, as I know that in the UK NHS staff are under a great deal of stress.

      2. cantankerous swineherd

        Re: Replacement of GDPR

        their are several simple answers, one of which is sacking people who spaff patient data willy nilly, thus encoraging the others.

        no doubt the fish is rotting from the head, but that's no excuse for this behaviour

        1. Anonymous Coward
          Anonymous Coward

          Re: Replacement of GDPR

          I disagree. I would start with the people who made it possible for the staff to do this in the first place.

          Anyone with half a brain knows of far more secure applications which are still free, but don't at least not ship data to those who really cannot be trusted (Zuck, mainly), which also help separating business from private use. You then pick up the people who still do this and encourage them to switch.

          If you make it easy for people who really have other things to do to improve what they do without too much change you stand a better chance to get somewhere than sacking the people whose skillsets are already rare to come by.

          1. Roland6 Silver badge

            Re: Replacement of GDPR

            Remember this was the start of lockdown; the clocks were ticking, real world events weren’t waiting for the IT department, the only viable solutions were those that required zero procurement of devices and would work with whatever you have deployed and your staff already had access to privately.

            Those responsible for government IT were remiss in not using gCloud to fire up a government Jitsi service. Remember one of the big things about cloud is the speed with which new services can be spun up…

        2. Sam Haine

          Dock their pay

          Docking a percentage of the pay of all the individuals responsible (all the way up the corporate hierarchy) would help to concentrate the minds of those who need to learn and save the NHS body money. Win/win!

  6. Mike 137 Silver badge

    Unintentional adversaries

    The obvious problem here is that use of mobile phones bypasses good old fashioned central firewalling that could block access to such services, so 'anything goes' essentially undetected -- the old BYOD problem writ large..

    This is just one more example of convenience enlarging the threat space out of control. Another obvious one is the combination of 'JavaScript for everything' on web sites and their increasing live reliance on multiple code repositories. Not only is running unverified code inherently dangerous, but the threat increases disproportionately to the number of independent repositories drawn on, as to get any given site to render, inevitably in the absence of prior knowledge of what resources it draws on, we have to browse with all controls disabled. That of course leaves us unwittingly open to the malicious actor.

    The net result of these and similar 'conveniences' is that it's becoming well nigh impossible to secure the digital environment, and it's primarily due to the dveloper/vendor community failing to recognise (or ignoring) the potential adverse consequences.

    1. Doctor Syntax Silver badge

      Re: Unintentional adversaries

      See my note above re use in hospitals. What seems to be needed is a class of device best described as a smartphone with wifi, VOIP but no access to mobile phone bands. Preferably such devices would be run on a local-only network with only a gateway for VOIP to the outside world. This would meet the need for a mobile client for the organisation's own systems, essential voice communication and better security than a general purpose phone.

      1. Anonymous Coward
        Anonymous Coward

        Re: Unintentional adversaries

        The devices exist and getting reliable wifi across a campus of hospital buildings dating back centuries is a nightmare. Hence pagers and faxes.

      2. Roland6 Silver badge

        Re: Unintentional adversaries

        The device you are describing is an iPhone/iPad managed by Jamf…

        For one client we fortuitously got a delivery of 80 iPads just before lockdown, that first week my lounge became an iPad commissioning production line, with my partner becoming a courier getting those devices out to staff isolating in their homes…

        However, because not everyone had WiFi and Internet, the iPads had 4G SIMs (thankyou EE for donating them).

        1. Anonymous Coward
          Anonymous Coward

          Re: Unintentional adversaries

          It's a shame that JAMF requires a Windows server in the setup.

          If the server part worked on Linux we would have been able to use it for quite a large deployment, but starting by mandating a weak point at the very center of the management infrastructure got it nulled by our security team so we're evaluating other solutions now. Shame.

          1. Roland6 Silver badge

            Re: Unintentional adversaries

            “ It's a shame that JAMF requires a Windows server in the setup.”

            Must admit , I’ve only used the cloud version.

    2. ITMA Silver badge
      Devil

      Re: Unintentional adversaries

      " the old BYOD problem writ large.."

      As I've always referred BYOD to - Bring Your Own Disaster

      1. Anonymous Coward
        Anonymous Coward

        Re: Unintentional adversaries

        I'm going to borrow that one, thanks. Very useful.

  7. cantankerous swineherd

    take the electronics off the muppets and give them a pen and paper

    1. John H Woods Silver badge

      Re: pen and paper

      Yeah, that'll be great for medical images ...

  8. t245t Silver badge
    Big Brother

    WhatsApp: the encrypted platform

    WhatsApp: the encrypted platform, which begs the question as to why it is necessary to store encrypted msgs on their servers ref.

    The ICO noted that since WhatsApp stated it was an encrypted platform, staff thought it would be secure

    Isn't this also a case of the sellers over-selling the product?

    1. Roland6 Silver badge

      Re: WhatsApp: the encrypted platform

      WhatsApp is an “encrypted platform” (as is Zoom) within a reasonable definition of secure communications targeted at the general public. Obviously, like all secure products it is possible to configure and use them in an insecure way.

      As for overselling, did WhatsApp or Zoom claim to have a CLAS certification?

  9. Tron Silver badge

    If they use official, secure channels...

    ...the patient will be dead before they get a reply. But at least their privacy will be protected.

    The NHS is on its knees for lack of staff. If you sack staff for doing what works, over privacy considerations, you won't have an NHS any more. Then your privacy will be ensured, unless you leave a note about what was wrong with you, to be found with your body, when the neighbours complain about the smell for the eighth time.

    We are an undeveloping third world country. As for sketchy bits of Africa, just be grateful for any care you get. You are one of the lucky ones.

    All of the emergency services use their mobile phones when they need to, to save your skin. Appreciate it. Life matters more than privacy.

    1. Roland6 Silver badge

      Re: If they use official, secure channels...

      >” ...the patient will be dead before they get a reply. But at least their privacy will be protected.”

      Once the patient is dead, patient privacy/GDPR no longer applies and the records can be communicated by insecure means…

      1. the spectacularly refined chap

        Re: If they use official, secure channels...

        GDPR no longer applies, but the Access to Health Records Act kicks in. Different set of rules but certainly no free for all.

        1. Roland6 Silver badge

          Re: If they use official, secure channels...

          The AHRA is interesting, given the current government intent to pass patient data to Palantir et al.

          From the guidance it would seem the AHRA is focused solely on the right of specific individuals to access a deceased persons medical records, it places no constraints on what the entity holding those records can do with those records.

          So it would seem an entity holding medical records can hold and disclose such records (in full or in part) to whomever they chose, however, only those satisfying the strictures of the AHRA have the right to see the complete records held by the entity.

  10. Alan Hope

    Whatsapp gave them a heady taste of efficient clinical communication

    I get the GDPR breach, but what was the "actual harm" / "actual clinical benefit" assessment in this case?

    There will be a clamp-down, but multi-way communication between busy clinicians will become more cumbersome and unreliable.

    1. Fred Flintstone Gold badge

      Re: Whatsapp gave them a heady taste of efficient clinical communication

      Not really.

      Replace it with someone that can be properly managed like Threema Work.

      I've used it, and it, er, works. You could also use any other secure messaging app for free, but making it manageable gives you better control and it has a gateway API for integration.

      Better still, because you pay for it you also have a company you can yell at if something doesn't work. I've never had cause to (as it does the job), but apparently that makes management feel more at ease.

    2. John 110
      Black Helicopters

      Re: Whatsapp gave them a heady taste of efficient clinical communication

      I'm going to get political here. I'll assume the Reg picked this story up from mainstream media, who take any opportunity to promote their "SNP-bad" agenda. And NHS Lanarkshire is Scottish of course. I'm sure that other health areas used similar potentially breaching technologies, but just got on with it (and away with it).

      PS don't take my word for the bias, Compare the daily headlines on BBC news for Scotland vs UK. The BBC agenda quickly becomes obvious.

      1. Insert sadsack pun here

        Re: Whatsapp gave them a heady taste of efficient clinical communication

        This is literally a persecution complex.

  11. abend0c4 Silver badge

    Will there be a similar response...

    ... to the Federated Data Platform?

    This particular example seems to be poorly considered, but relatively harmless - in a hospital there are patient observations hanging from the end of every bed for everyone to read. But the "big picture" of mass data sharing seems to be waved right through.

    1. Anonymous Coward
      Anonymous Coward

      Re: Will there be a similar response...

      the "big picture" of mass data sharing seems to be waved right through

      Well duh, that's probably because someone is either getting some nice, umm, "sponsorship" for that one, or a nice cushy job.

      Plus ça change, plus c'est la même chose, if you pardon my French..

  12. Plest Silver badge
    Unhappy

    Ubiquitous for a reason - quick and easy

    Here's the thing, people are inherently lazy and will take the easy option that mostly works OK. There's nothing secure and worthwhile that approaches the usefulness of WhatsApp. You ask anyone about the messaging they use most for friends, family and work, WhatsApp is always first.

    I don't like it but when you can convince millions of an alternative, then I'm for it but when every weekend work project is run for hours over WhatsApp, when every sudden family meetup is quickly organised over WhatsApp the day before Aunty Janice's operation, then you'll have the Devil's own job of getting people off it.

  13. John_Ericsson

    As ever the IT guys in the comments demonstrate they don't know what Information Governance is, but speak as if they do.

  14. Roland6 Silver badge

    “an official reprimand [PDF], is nonetheless eye-opening.“

    What is notably absent from the report is any concrete indication that the needs WhatsApp satisfied are now satisfied in other ways (although a redacted mitigation indicates they might have implemented a suitably secure system).

    So when the next pandemic comes around and staff have to work from home again, will they once again be reaching for WhatsApp and Zoom?

  15. easytoby

    Used everywhere

    WhatsApp is in wide use right across the NHS. On issued phones and personal devices. The issue here is a breach because someone outside was added (so - I agree with the address book leak issue).

    It's an unfixable problem as far as I can see. But we are a in a better place than when it was by SMS.

    The investigation here does nothing to address the issue that WhatsApp is the default messaging solution for both front line teams and and management teams in many hospitals. I know this is the case because I manage data security (as best I can) within a hospital. We know WhatsApp is there and in use, but cannot offer a compelling alternative.

  16. Alligator

    CLITS

    The product name for the CLinical Image Transfer System writes itself. Now if only the NHS could find one...

  17. ShingleStreet

    The reprimand is not about the technology

    In my opinion, the issue here is about the lack of control over implementation and ongoing use of the technology, rather than about the technology itself.

    If NHS had done a proper risk assessment, then with controls such as the following, they MAY have considered it appropriate to proceed with pre-nominated classifications of data.

    Data in transit:

    - analysis of the messaging service to ensure that encryption meets strength requirements, that keys are managed appropriately, that data remains encrypted between user endpoints and that encrypted blocks are not persisted along the way

    Data at rest:

    - configuration of Mobile Device Mgt infrastructure so that the app and its data reside in an encrypted image managed by the MDM client

    - appropriate settings of the messaging app enforced by MDM to eliminate off-device, cloud backups etc

    - configuration of the MDM to disable screenshotting

    - audited human process to clear chats of data which is no longer current

    - appropriately managed and audited MDM access control

    - tightly controlled and audited human processes for provisioning access and re-attesting ongoing access to the chat group to the necessary staff only and only via MDM controlled devices

    Once these sort of controls (and I’ve no doubt left out some really obvious ones) were possible and in place, then really the only data leak should come through loss or misuse (eg. taking a photo) of a legitimate device whilst in session and the NHS would need to decide as part of its pre-implementation risk assessment whether human-dependent policies and training were sufficient mitigation and the residual risk acceptable.

  18. Anonymous Coward
    Anonymous Coward

    It's funny because DHSC and NHS England policy guidance at the start of the pandemic left NHS orgs somewhat powerless to restrict WhatsApp use as nationally/UKly, the guidance was to use whatever tools were necessary for that purpose. The prohbition of patient data being sent through WhatsApp was not made. The national orgs and Government Departments are as much to blame for this free for all.

    https://web.archive.org/web/20221118224255/https://transform.england.nhs.uk/information-governance/guidance/use-mobile-messaging-software-health-and-care-settings/

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like