Safety and Security

ChatHealth is part of an integrated NHS Trust which delivers close to £3m worth of care each year. As part of the NHS, we operate under the highest standards of safety and security. The ChatHealth central support team consists entirely of NHS staff, working to the same codes of conduct as many of the 40 healthcare organisations and 1,500 healthcare professionals that we support across the UK.

We provide detailed standard operating procedures and quality standards for local healthcare teams to use when they provide ChatHealth messaging services. These standards and procedures have been developed over the long term in partnership with clinical teams, safeguarding experts, governance managers and advisory organisations such as the RCN and NSPCC. Overseen by our dedicated clinical lead, this clinical safety approach follows a continuous co-design cycle in which all staff users and managers can contribute to how we maintain high-quality, up-to-date processes that effectively safeguard our most vulnerable service users.

The technology behind ChatHealth was co-designed with clinical teams and managers. Our dedicated clinical lead oversees our compliance with the NHS Digital information standards that are required for developing and maintaining IT systems in the health and care environment. We keep messaging safe with a range of safety features such as staff alerts and automated out-of-hours bounce-backs, which help to ensure no message ever goes unanswered.

ChatHealth has been assessed by NHS Digital and ORCHA, the world’s leading health app evaluation and advisory organisation. We are repeatedly tested for compliance against numerous standards to maintain our presence in the NHS app store and G-Cloud, the Government’s digital services platform. ChatHealth has also been evaluated by the National Institute for Clinical Excellence (NICE) under its evidence-for-effectiveness framework and has received awards from healthcare watchdogs such as the Patient Experience Network.

We are registered with the Information Commissioner’s Office for data protection purposes and work within all related compliance frameworks, such as the NHS Confidentiality Code of Conduct, the Care Records Guarantee, Caldicott Guardianship and the NHS Data Security and Protection Toolkit. We also comply with overarching statutory standards such as the Data Protection Act (1998) and the EU General Data Protection Regulation (GDPR) (2018).

ChatHealth operates to industry security standards for access controls, threat countermeasures and tested disaster recovery functionality. We operate a wide range of technical controls to keep our systems secure, including multi-tiered anti-malware software, anti-ransomware services and multi-vendor firewalls. We also have clearly defined incident response processes, as required by the many frameworks under which we operate.

We undertake frequent routine security testing of the IT infrastructure. The platform itself is also security tested on a regular cycle and after every major change. Testing and audits are carried out by external partners and by our own NHS information security service, which is independently accredited by Tigerscheme, EC-Council and other major bodies.

All data at rest is encrypted with AES-256, and all data in transit is encrypted with TLS 1.2 as a minimum. Patient-identifiable information is only ever used to support essential day-to-day messaging transactions, and no sensitive information is retained by ChatHealth in the long term. See Privacy and Terms to find out more.

We only work with highly accredited Tier III cloud data centre service providers such as Amazon Web Services and Google Cloud. Any data flows that use cloud services comply with NHS Digital’s standards for off-shoring and the use of public cloud services. We also use our own highly secure NHS physical data centres in the Midlands, UK.

Our key partner for technical delivery is a highly accredited NHS health informatics service which operates under a raft of recognised governance frameworks such as ISO27001:2017 Management of Email Systems, Cyber Essentials, IT Health Check and NHS Digital’s cybersecurity guidance (CareCERT Services).

More detailed information about our safety and security approach can be found in the ChatHealth service specification, Data Privacy Impact Assessment (DPIA) and Record of Processing Activity (ROPA) which are available on request. See Adopt ChatHealth if you would like more information.