UK law changes pose a threat to the security of messaging apps – and therefore their use in the NHS. In The BMJ today, doctors warn that patient care will suffer if they can no longer use apps such as WhatsApp and Signal to share information.
In March 2020, in the face of the pandemic, clinicians were officially allowed to use messaging services such as WhatsApp "where the benefits outweigh the risk," reversing years of caution about their use in patient care – provided the apps used encryption, explains journalist Stephen Armstrong.
The most recent NHS England advice continues that policy, advising healthcare workers to use two-step verification and disable message notifications on the lock-screen.
And yet two recent pieces of legislation – one passed and one pending – threaten the use of any end-to-end encrypted messaging in the NHS.
October's Online Safety Act instructs the UK communications regulator Ofcom to monitor user-to-user apps and software, while an amendment to the Investigatory Powers Act – expected in the spring – says technology companies can't introduce new security software or make any significant changes to the security of their existing service without UK government approval.
What this means, in effect, is that the government will have installed surveillance of all encrypted messaging, making it impossible to be sure patient data is secure, writes Armstrong.
Not only that, but the app providers – including major tech companies such as Meta, owner of WhatsApp and Facebook, Apple and Signal – have warned that the new requirements may force them to withdraw services from the UK if they unduly impact their ability to innovate and introduce new security features.
Marcus Baw, an emergency medicine and general practice doctor in Yorkshire, says if WhatsApp were to disappear, "we'd have an NHS wide problem immediately."
Ross Anderson, professor of security engineering at Cambridge University, also points out that "as Signal and WhatsApp upgrade their software a number of times a week to deal with bugs or new threats, the UK would have to be treated like Burma or North Korea and simply avoided rather than wait for GCHQ approval – which could take months".
"The combination of the IPA reforms and the Online Safety Act presents the possibility of a shocking level of state interference," says Meredith Whittaker, president of Signal Foundation. "If the choice came down to adulterating the security features that allow us to keep the privacy promises we make to the people who rely on Signal in the NHS or leaving, we would leave."
An Ofcom spokesperson told the BMJ they will use their new online safety powers "in a way that is compatible with rights to privacy and freedom of expression" and "won't be reviewing all harmful online material or be able to read private online messages."
But Mike Grocott, professor of anaesthesia and critical care medicine at the University of Southampton, argues that tech companies are not prepared to subject their apps to this level of government surveillance. If encrypted messaging apps withdraw from the UK, patient care would suffer, he says.
"Care is better when doctors can talk to each other," agrees Sam Smith from patient privacy group MedConfidential. "For a range of situations doctors find themselves in, only a general app like WhatsApp is easy to use."
For Marcus Baw, the entire problem could have been avoided if NHS IT leaders had had the vision to build an end-to-end encrypted NHS approved app linked to NHS mail.
His hope is that someone in government is going to realise the electoral foolishness of the two pieces of legislation. "The tech companies are serious," he says. "Can you imagine the outcry from the population if WhatsApp withdraws from the UK? It would be an act of catastrophic self-harm by any government. Perhaps for once common sense will prevail."