Joost Bruggeman, former surgery resident at Amsterdam University Medical Centre, and CEO and co-founder of Siilo, discusses how secure digital communications tools can ensure patient confidentiality and solve healthcare data protection issues.


Instant messaging apps have become essential tools in our daily lives – their convenience, reliability and sheer ubiquity have transformed how most people communicate, both socially and professionally. At the height of the pandemic, their value within the healthcare sector became even more pronounced, as they enabled rapid information-sharing to help medical professionals learn how to deal with a hitherto unknown virus.

In these circumstances, medical staff came to appreciate the benefits of being able to share details about individual patient cases, including photographs and other sensitive medical data. It facilitated timely and seamless collaboration, without which many more lives would have been lost.

The benefits of ‘off-the-shelf’ messaging apps, however, don’t come without risks. Within the medical sphere in particular, a mistaken message could put patient confidentiality and data protection in jeopardy, while threatening one of the most fundamental aspects of healthcare ethics.


Overcoming data protection issues

Since instant messaging apps are clearly of value within the health and social care sectors, a solution is needed to overcome data protection issues. In fact, this challenge was understood some time ago, and was a key influence behind the development of specialist healthcare apps such as Siilo, which places data security and medical compliance at the heart of its development.

Designed specifically for healthcare professionals, Siilo undertook the task of preserving the usability that people expect from the technology, while simultaneously ensuring that patient data could be exchanged safely and compliantly. 

Paul Cowley, Chief Information Officer at St. John & St. Elizabeth Hospital (HJE) in St. John’s Wood, London, recognised the importance of adopting a messenger service which has been tailored to the healthcare sector’s unique challenges. “Timely, effective and safe patient care often requires rapid communication with multiple clinicians and sometimes offsite. A secure, easy-to-use app is needed to facilitate this level of care.

“While temporary guidance was issued during the pandemic that allowed the use of well-known commercial messenger services to help reduce the risk of patient care being compromised, as a hospital we recognised that such services increase risk both in terms of patient data security and patient care, particularly because of the need to anonymise communications wherever practical.”


Security and compliance

Unfortunately, many health and social care professionals and organisations are unacquainted with these issues. Indeed, a survey by the European Heart Rhythm Association (EHRA) revealed that 88.3 per cent of its members regularly use commercial instant messaging apps, like WhatsApp, for sharing clinical information with medical colleagues, yet 29.3 per cent admitted they were unaware of EU data protection regulations. A further 46.7 per cent indicated there are no regulations in place at their institution regarding the sharing of clinical data via instant messaging.

Given that specialist tools have been developed, why are they not mandated among healthcare professionals? The problem is that many health and social care providers still don’t understand the risks involved with off-the-shelf messaging apps because of a simple failure to differentiate between security and compliance. 

The basic promise of ‘end-to-end’ encryption, which is offered by the best-known messaging apps, certainly provides a strong element of security. It means the vendor’s servers cannot decrypt the message data, even if the vendor wanted to, because they do not hold the encryption keys for that data. However, this only applies to data while it is ‘in transit’ from one phone to another. What happens when the data is ‘at rest’, i.e. delivered to a phone or other device?

After a phone receives a message, common messaging apps perform several synchronisations: photos and videos are synced automatically to the phone’s photo library, where the media is not encrypted, and all conversations are backed up by default to the cloud services of the phone provider, where message data is also stored unencrypted. As such, all these unencrypted conversations are exposed to unauthorised third parties.

Importantly, the professional who makes the decision to share information about their patient is always held responsible for protecting the patient’s confidential data. On a messenger app, this remains the same – the sender is always responsible and therefore needs to have control of what happens with the information on the receiving end of that communication. This control is often not possible and means many conversations taking place over common messenger apps are not compliant with medical confidentiality laws.

This is a huge problem because it becomes impossible for any healthcare professional sending an instant message on most services to guarantee patient confidentiality. A common workaround is to anonymise patient information within communications, but this brings problems of its own.

As recognised early on by Paul and his team at HJE, if healthcare teams cannot clearly identify which patient they are communicating about, it will almost certainly lead to confusion and mistakes. Since all healthcare professionals have sworn an oath to “do no harm”, this risk is often one not worth taking.


Communication and collaboration

For staff at HJE, Siilo has become a key tool in improving communication and collaboration between staff, and therefore improving patient care. A good example of this can be highlighted via its use in supporting the hospital’s Urgent Care Clinic (UCC), which is also helping to drive adoption in other departments.

“If a UCC doctor feels the need for input from a specialist consultant or the patient needs onward referral to a consultant, the UCC doctor can now use Siilo to contact a relevant specialist consultant rapidly and securely wherever they are.”

It is also proving to be an invaluable component in the day-to-day running of its medical team. “Siilo is now the ‘go to’ for some of our multi-disciplinary team meetings (MDTs). It solved a problem with a desire to increase the frequency of our MDT meetings without placing undue burden on the clinicians that contribute.

“It also allows ad-hoc MDT meetings where clinical circumstances dictate a patient’s case needs a review ahead of the next scheduled meeting. The messenger app allows clinicians to collaborate securely and contribute from whatever location they are working, regardless of their diary commitments.

“We know the opportunities for the app are vast and since adoption, we are already seeing options becoming wider and wider, with more exciting use-cases being frequently put forward by staff.”

A growing number of healthcare organisations in the UK are recognising the tremendous benefits offered by digitalisation to the healthcare sector. While this is encouraging, it is essential that tools and technologies are truly fit to meet the standards expected. For communications technologies, this means applying absolute rigour to ensure patient confidentiality.


Joost Bruggeman is a former surgery resident at Amsterdam University Medical Centre and now CEO and co-founder of Siilo. For more information, please visit www.siilo.com.

For more information about St. John and St. Elizabeth Hospital, please visit: www.hje.org.uk