Celo's makers say that, unlike WhatsApp, you can't add outsiders to a group, or send a sensitive file to a stranger by mistake because you've mistyped a number.
Britain's National Health Service recently banned hospital staff from sharing patient files via Facebook-owned WhatsApp.
But our Ministry of Health has no plans for a crackdown, despite anecdotal evidence of the practice and attendant privacy blunders, and despite a British Medical Journal study that found around one-third of medical professionals were using social media messaging to share sensitive files as work/life boundaries blur and overworked staff reach for the easiest solution.
The problem was highlighted to the Herald early this week by software developer Steve Vlok, who created secure messaging system Celo after his junior doctor girlfriend told him about widespread use of social media messaging in the NZ health system.
Vlok has signed up our two largest DHBs to his service - Auckland and Canterbury - but has bemoaned having to argue about messaging security DHB by DHB, the Ministry of Health's obtuse guidelines, and various DHBs' failure to give a simple "yes" or "no" about using various social media products amid guidelines strewn with legal and technical jargon.
The Herald asked Deputy Director-General of Health Shayne Hunter, who has responsibility for IT issues, if he could say point-blank whether use of WhatsApp was acceptable under the Ministry's security framework. And, if not, whether there would be any crackdown.
Hunter stuck to his earlier, broad-strokes, nothing-to-see-here take on events, however.
"The Ministry of Health does not use WhatsApp as a business tool and so has not assessed its level of conformance with HISO standards or the other minimum requirements," the Deputy Director-General said.
"The Ministry recognises that health organisations are complex technology and business environments, and work within a range of constraints. The Ministry expects health organisations to make informed choices about the digital services they use and to assess them against the minimum requirements for digital, data and technology services."
"The Ministry does not audit organisations for compliance with these requirements."
Meanwhile, Vlok - whose partner is now his wife, and a plastic surgeon in training with the ransomware-hit Waikato DHB - says technology providers are tired of DHB-by-DHB trench warfare, and a patchwork of security measures across the 20 regional health agencies. Security policy needs to be directed from the top, he says.
Change could be coming
In April, the Government said it would scrap the system of 20 regional DHBs in favour of a single national health agency, plus a new Māori Health Authority. The change will come into effect from July next year.
And May saw the Budget 2021 provision of $230 million operating spending and $170m capital spending earmarked for a new, centralised patient record system, to be developed over the next four years. That will provide an opportunity, if the Ministry of Health wants to take it, to integrate a single, secure messaging platform.
Vlok will be there for the change.
The one-time Frucor engineer, who went full-time on his Celo app in 2016, now has 20 staff, thanks to some DHBs backing him, and early-stage funding from backers including Sir Stephen Tindall, under-the-radar rich lister John Clough and Crown VC agency NZ Growth Capital Partners.
Vlok says while many social media messaging apps like WhatsApp are encrypted - which prevents interception - there's nothing to stop messages being forwarded to anyone, or even sent to the wrong person if you type the wrong phone number into WhatsApp. And images are often simply stored to a phone's unsecured camera roll.
An image sent by Celo can only be forwarded to an authenticated member of your organisation or an approved partner. Attached files can only be saved to a hospital's patient record system. And an alert is sent to an administrator if someone screen-grabs or otherwise tries to beat security.
Vlok's company uses a case study of a sensitive paediatric image being sent by social media to a random person, which he describes as "a parent's worst nightmare".
The way things stand, those sorts of incidents are still happening in most of our DHBs, he says.