Steve Vlok says a lot of our medical staff are sharing sensitive patient files over insecure social media messaging apps - including one case where a photo associated with a paediatric case was sent to a random member of the public.
"If you're a parent, that's your worst nightmare," Vlok says.
Yet the use of social media messaging, and associated gaffes, is commonplace in our hospitals, he says.
He should know. Vlok was an engineering student at Canterbury University in 2013 when his girlfriend, a registrar (or junior doctor), told him that the use of social media messaging tools like Facebook-owned WhatsApp was widespread.
Hospital staff wanted an easy way to group message and share files, and Whatsapp was on everyone's phones as work/life boundaries blurred.
Over the next two years, while working days as an engineering manager at drinks firm Frucor, Vlok set about developing a secure messaging and collaboration app that would comply with global health sector security and privacy standards, could be set up easily on a smartphone, and would integrate easily with patient record systems.
The result was a platform called Celo (pronounced "see-low"), which was promising enough to get backing from Sir Stephen Tindall's K1W1 fund, Crown venture capital agency NZ Growth Capital Partners and under-the-radar rich lister John Clough (a Hamiltonian who made his fortune selling software in Hong Kong after getting stranded in the city).
Vlok went full-time with Celo (also the name of his startup) in 2016.
Fast-forward to 2021 and, commercially, things are looking good for Celo.
Vlok now employs 20 staff, and numbers our two largest District Health Boards, Auckland and Canterbury, among his customers. The Hawke's Bay, West Coast and Counties Manukau DHBs are also on board, along with private operators MercyAscot and Unichem. And Celo has started to land its first offshore clients, in Australia, the UK, Ireland, Switzerland and South Africa. He plans a funding round shortly to bankroll a push into the US.
The privately-held company doesn't share financials, but Vlok says over the past year his business has doubled as the pandemic has encouraged more digitisation of health systems in many countries.
But his key frustration remains. From his contacts throughout the health system, and from his wife, now a plastic surgeon working under the Waikato DHB, the Celo founder knows that the use of WhatsApp and other social media messaging software is still widespread among medical staff, along with the bloopers.
"It's very common for a registrar to join a hospital and the first question from a colleague is, 'What's your cell? I'll add you to our WhatsApp group.' It's very informal."
What's wrong with using WhatsApp? After all, Facebook makes a big deal about its group messaging app being end-to-end encrypted.
"That only cuts out middle-man attacks," Vlok explains. End-to-end encryption protects a message in transit: if a cyber-thief does manage to intercept it between the two phones, it looks scrambled and unintelligible.
But the recipient can read it fine and forward it to anyone, who can also read it. And this is the problematic bit: the encryption says nothing about who is allowed to receive a message in the first place. Anyone with a WhatsApp account is a valid recipient, so it's easy to add anyone to a WhatsApp group, leading to ungoverned sprawl, and, worse, you only need to enter someone's cellphone number to add them to a chat or forward them a message or file. Fat fingers mean the wrong number is sometimes entered, and sensitive files end up in random hands.
There's also the issue that images sent over WhatsApp are, by default, saved to a phone's camera roll, from where they can be shared almost anywhere, via any app. More, WhatsApp does not require a separate PIN to open the app, and work and personal contacts are easily jumbled.
The problem is by no means restricted to NZ. A National Health Service study found WhatsApp use widespread in the UK health system. That followed a British Medical Journal investigation which found WhatsApp was commonly used for sharing everything from second opinions to radiology results. Overall, a third of medical staff used a social messaging app for work. The NHS has never approved the Facebook app for patient information; its March 2020 pandemic guidance, issued by NHSX, went only as far as tolerating consumer messaging apps where there was no practical alternative.
A message or file sent by Celo, by contrast, can only be shared with other, authenticated users on your organisation's Celo system, or a Celo system used by an approved partner (like a GP, pharmacist, social worker or therapist), or with an integrated system such as a hospital's patient record database. A message or image could still be screen-grabbed by someone determined to beat the system, but even that would trigger a warning to an administrator. Nothing, of course, stops a second phone from photographing the screen; no messaging app can close that gap.
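The contrast drawn in the last few paragraphs is a question of threat model: end-to-end encryption answers "who can read this in transit?", while the directory-scoped sharing described for Celo answers "who is allowed to receive this at all?". The script below, an added example that is neither Celo's nor WhatsApp's code, models both. The cipher is a deliberately simple HMAC-SHA256 keystream with an HMAC tag so that it runs on the standard library alone; it stands in for a real messaging protocol only to show where the protection stops. The phone numbers, user IDs, organisation names and attachment bytes are constructed for the example.

```python
"""Toy model of what end-to-end encryption does and does not protect.
Added example, not Celo's or WhatsApp's code. The cipher is an HMAC-SHA256
keystream plus HMAC tag (encrypt-then-MAC), a stand-in for a real protocol
chosen only so the script runs with the standard library."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, expanded to n bytes."""
    out = b""
    for ctr in range(0, n, 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raise ValueError on wrong key or tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def pair_key(keys: dict, a: str, b: str) -> bytes:
    """Stand-in for the app's key agreement: one fresh key per pair of endpoints."""
    return keys.setdefault(frozenset((a, b)), secrets.token_bytes(32))


def consumer_flow(attachment: bytes) -> dict:
    """Consumer-app model: any phone number is a valid recipient."""
    keys, relay = {}, []  # relay holds what a middleman or server would see
    doctor, colleague, typo = "+6421000001", "+6421000002", "+6421000020"  # constructed

    relay.append(seal(pair_key(keys, doctor, colleague), attachment))
    try:  # the middleman has no pair key, so the tag check fails
        unseal(secrets.token_bytes(32), relay[0])
        middleman_can_read = True
    except ValueError:
        middleman_can_read = False

    # The recipient decrypts fine and may forward to any number, typo included.
    received = unseal(pair_key(keys, doctor, colleague), relay[0])
    relay.append(seal(pair_key(keys, colleague, typo), received))
    stranger_got_file = unseal(pair_key(keys, colleague, typo), relay[1]) == attachment
    return {"middleman_can_read": middleman_can_read, "stranger_got_file": stranger_got_file}


def authorise(directory: dict, partners: dict, sender: str, recipient: str) -> str:
    """Directory-scoped model: the recipient must be an authenticated user in the
    sender's organisation or in an organisation approved as a partner."""
    if recipient not in directory:
        raise PermissionError(f"{recipient} is not an authenticated user")
    s_org, r_org = directory[sender], directory[recipient]
    if r_org != s_org and r_org not in partners.get(s_org, set()):
        raise PermissionError(f"{r_org} is not an approved partner of {s_org}")
    return recipient


def directory_flow(attachment: bytes) -> dict:
    """Try to send from dr.a to several recipients; True means the file arrived."""
    # Constructed directory: hospital staff, one approved GP practice, one outsider.
    directory = {"dr.a": "hospital", "dr.b": "hospital", "gp.c": "gp-practice", "x": "other"}
    partners = {"hospital": {"gp-practice"}}
    keys, outcome = {}, {}
    for rcpt in ("dr.b", "gp.c", "x", "dr.bb"):  # "dr.bb" is the fat-fingered ID
        try:
            authorise(directory, partners, "dr.a", rcpt)
            blob = seal(pair_key(keys, "dr.a", rcpt), attachment)
            outcome[rcpt] = unseal(pair_key(keys, "dr.a", rcpt), blob) == attachment
        except PermissionError:
            outcome[rcpt] = False
    return outcome


if __name__ == "__main__":
    print(consumer_flow(b"xray_child_42.jpg"))
    print(directory_flow(b"xray_child_42.jpg"))
```

The point of the two flows is that the cipher is identical in both; what changes the outcome for the mistyped recipient is the `authorise` check run against an authenticated directory before anything is encrypted. A real deployment would also need the directory itself to be trustworthy (joiner vetting, leaver removal), which is exactly the governance the article's later sections are about.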
Vlok's other frustration is that he has to "constantly reinvent the wheel" by pitching his product DHB by DHB across our 20 local health agencies.
An effort to sell it collectively to the South Island DHBs was knocked back, despite Vlok offering a steep discount in an effort to get the locals on board (Celo usually costs between $1 and $5 per user per month, depending on features; there's also a free basic version).
Vlok also pitches his app as quick and easy to get up and running. Celo is simple to download to a smartphone, and it supports the data-exchange standards commonly used by hospital software systems, so it can be plugged into patient record management systems. He says a recent 500-person implementation in Wales was done in 24 hours. Today, "81 per cent of staff use it daily and 95 per cent weekly because it's so simple", he says.
The Celo founder says for security, efficiency, privacy and ease-of-use, there should be a co-ordinated approach across our health system, with a single communications platform chosen - be it his company's or another's.
With his wife working for the ransomware-devastated Waikato DHB, he's particularly wary of how tightly hospital systems have to be buttoned down. Sharing via social media, and a patchwork of policies across our different DHBs, go in the other direction, he says, opening gaps for social engineering by attackers who constantly probe for vulnerabilities.
Health boss responds
In April, the Government said it would scrap the system of 20 regional DHBs in favour of a single national health agency, plus a new Māori Health Authority. The change will come in effect from July next year.
And May saw the Budget 2021 provision of $230 million operating spending and $170m capital spending earmarked for a new, centralised patient record system, to be developed over the next four years. That will provide an opportunity, if the Ministry of Health wants to take it, to integrate a single, secure messaging platform.
But what's the ministry's reaction in the meantime to staff using social media apps for work, and decisions about secure messaging varying between DHBs?
Deputy director-general of health Shayne Hunter said in a written response to Herald questions:
"Individual health organisations across New Zealand will use a wide range of technology from many different suppliers to meet their business needs.
"The Ministry of Health encourages health organisations to ensure the digital services they use are safe, secure, integrated and reliable, and the Ministry provides requirements they are expected to meet. The requirements specify that organisations must govern the data they hold in line with security, data protection and use, privacy, social licence and Māori data sovereignty guidelines.
"The requirements also encourage an open approach where digital services support collaboration, continually evolve and are interoperable with other services – rather than working in isolation, or only working within an organisation.
"Instead of mandating specific technology solutions that everyone must use, the Ministry expects to see health organisations make informed choices about the services they use; this is likely to lead to consolidation of digital services over time without inhibiting innovation."
Hunter sent a link to Ministry guidelines that are heavy on information technology and legal jargon and that, as he had flagged, do not name specific apps.
Conformant or compliant? Say what?
Similarly, in a response to an Official Information Act request, the Hutt Valley DHB said, "Our mobile devices policy does not specifically refer to cloud-based messaging applications such as WhatsApp, Snapchat, and Messenger, but it outlines rules for acceptable use and reminds our clinicians to act in accordance with the principles and the spirit of the Health Information Privacy Code".
That code runs to 21 pages of rules and principles which are not hugely accessible. Similarly, the "Digital, data and technology services – minimum requirements" guide linked to by Hunter includes a mash of "encouraged" and "required" standards, some of which are subject to "conformance" and some to "compliance". What is the difference, for those without a degree in linguistics? According to the MoH, in this context, "conformance" means "outcomes of a certain standard are being met, even if the standard itself may not be partially or fully followed."
While stressing its encryption, plus extra safeguards for those who sign up to its Business version, Facebook makes no claim that WhatsApp is compliant with the standards of HISO (the Health Information Standards Organisation, New Zealand's health sector standards body), which our Ministry of Health's security framework references.
'Do a better job'
The Herald asked Hunter if the Ministry of Health considers WhatsApp to be HISO-compliant. The deputy director-general did not immediately respond on that point, but given the Ministry's guidelines that new software only has to be "conformant" (meeting the outcomes of a standard, not necessarily its letter), and his reluctance to weigh in on individual apps, critics like Vlok won't be expecting a specific response.
Vlok says it's simply not realistic for hospital staff working double shifts to wade through pages of obscurely-worded guidance.
He's fed up.
"We talk about wellbeing, but we've got staff working 65 hours a week and they need the right tools to do their job," he says.
"People have no time. If they think there's even a small edge to do their job more easily, they'll turn to WhatsApp. The chiefs and chairman of the DHBs need to do a better job."