WO2018206472A1

WO2018206472A1 - Messaging system

Info

Publication number: WO2018206472A1
Application number: PCT/EP2018/061629
Authority: WO
Inventors: Garfield CONNOLLY; Imre AGOCS; Niall RAFFERTY
Original assignee: Medxnote Ltd
Current assignee: Medxnote Ltd
Priority date: 2017-05-08
Filing date: 2018-05-04
Publication date: 2018-11-15
Anticipated expiration: 2019-11-08
Also published as: GB2562469B; GB2562469A; GB201707359D0

Abstract

A messaging system providing a virtual pager facility is disclosed. The virtual pager facility allows messages sent to a virtual pager to be delivered to one or more users having subscribed to the virtual pager. The system includes a group communication facility whereby a message sent to a messaging group is delivered to a plurality of users associated with the group. A virtual pager is defined in the messaging system as a recipient of messages and is associated with a virtual pager identifier. A set of subscribed users are also associated with the virtual pager. The set of subscribed users may change over time. When a message addressed to the virtual pager is received, specifying the virtual pager identifier, a messaging group is created comprising a set of users selected based on the current set of subscribed users associated with the virtual pager, and a group identifier is assigned to the messaging group. The message is then sent to the created messaging group.

Description

Messaging system

The present invention relates to an electronic messaging system. Pagers have been an important communication tool for some decades in particular application contexts, such as hospitals. Pagers are commonly associated with particular roles (e.g. the on-call anaesthetics consultant) and allow the role holder to be contacted in a simple manner, without needing to know which individual is currently occupying that role - the pager is physically passed from one individual to another when the role is transferred, so that a message to a particular role can reach the relevant individual. However, the functionality of pagers is limited compared to modern smartphones, and, since most individuals already have a smartphone, it may be considered undesirable to be required to carry multiple devices. Smartphones provide more advanced communication facilities - but given their many other functions, smartphones are generally specific to a user and are not shared between users in the way that pagers are. In principle, SMS text messaging and other instant messaging services such as WhatsApp (TM) can be used for communication instead of pagers, but this necessitates knowing at any given time the specific user one wishes to contact. As an alternative, some services allow group messaging, whereby a message can be sent to all the users that are part of a specified group (e.g. an "anaesthetist group"). However, in a scenario such as the hospital setting, this can be undesirable, since not only will the message be sent unnecessarily to all members of the group, creating excessive message traffic, but it will then not necessarily be clear which member of a group may or should act upon a message. Furthermore, users that are not members of the group are generally unable to send messages to the group.

Another problem that arises in many applications (such as the hospital setting) is that of message security. Conventional messaging services implement end-to-end encryption, whereby a message is encrypted at a sender device and decrypted at a recipient device, such that the message remains encrypted whilst traversing the public Internet, where the messaging server is typically located. While this level of security is generally desirable, the encryption means that it is not possible to implement automated functions that respond to messages (such as "chat bots"), unless the message is decrypted at the messaging server. However, permitting decryption within the public Internet domain significantly impacts security, which can be undesirable in many application contexts.

Embodiments of the invention seek to provide an electronic messaging system that addresses or ameliorates some of the above problems.

Accordingly, in a first aspect of the invention, there is provided a messaging system enabling exchange of messages between users and arranged to provide a virtual pager facility whereby messages sent to a virtual pager are delivered to one or more users having subscribed to the virtual pager. The system also comprises a group communication facility whereby a message sent to a messaging group is delivered to one or more (typically multiple) users associated with the group, the messaging group identified by a messaging group identifier. The system further includes: means for defining a virtual pager in the messaging system as a recipient of messages and associating a virtual pager identifier with the virtual pager; means for associating a set of subscribed users with the virtual pager, wherein the subscribed users are subscribers to the virtual pager, and wherein the set of subscribed users may change over time; means for receiving a message addressed to the virtual pager, the message specifying the virtual pager identifier and including message content; means for, subsequent to or in response to the message, creating a messaging group comprising a set of users, the set of users selected based on the current set of subscribed users associated with the virtual pager, and assigning a group identifier to the messaging group; and means for sending a further message including the message content to the created messaging group identified by the assigned group identifier.

Dynamically creating a messaging group following receipt of a message sent to the virtual pager enables communication between a relevant group of users who are current subscribers to the virtual pager, whilst at the same time separating the communication exchange from other such exchanges resulting from other messages to the virtual pager. This enables the subscribed set of users to change over time without affecting ongoing communication exchanges.

Note the term "set" may generally refer to zero, one or more elements. However, in typical use, the set of subscribed users preferably comprises at least one user having subscribed to the virtual pager. The set of users of the messaging group similarly typically comprises at least one user; however, subsequent communication in the group is typically only possible if the group includes two or more users. Thus, the term "messaging group" is used to indicate that the messaging functionality supports a message being sent to multiple users but does not require multiple users in the group.

The means for sending the message to the created messaging group preferably sends the message to all members of the group. However, when a message is sent within a group (by a user who is a group member, e.g. during a message exchange following the initial message), the message is typically delivered to all other users in the group except the sender.

The current set of subscribed users is preferably the set of subscribers to the virtual pager at the time of receipt of the message and/or at the time of creating the messaging group. Since the set of subscribers may vary over time, memberships of messaging groups created for different virtual pager messages may also vary.

The group identifier is preferably distinct and/or different from the virtual pager identifier. The messaging group thus exists independently of the virtual pager (e.g. as a separate logical entity in the system). The system may further comprise means for generating the group identifier based on the virtual pager identifier and a distinguishing identifier, the distinguishing identifier preferably comprising a date and/or time value corresponding to creation of the messaging group.

The virtual pager is preferably a logical entity, defined by data stored in the messaging system, that data preferably including the virtual pager identifier and information (e.g. user identifiers) identifying zero, one or more subscribers of the virtual pager. The data could also include authorisation information (e.g. indicating one or more users or user groups/roles that may subscribe to and/or send to the virtual pager), and/or any other information needed to manage and/or utilise the virtual pager.

The further message sent to the messaging group may be identical to the received message or may be a modified version of the received message (e.g. formatted or processed in some way). In a particular example, the further message includes the message content but not the virtual pager identifier. The system may be adapted to parse the received message to identify the virtual pager identifier, and format a remaining part of the received message not including the virtual pager identifier as the further message. Alternatively, the virtual pager identifier may be retained in the further message together with the message content.

Preferably, the messaging system further comprises: means for receiving a subscription request message for subscribing a user to a virtual pager; and means for adding the user to the set of subscribed users associated with the virtual pager. The system may comprise means for determining whether a user having sent the subscription request message is authorised to subscribe to the virtual pager, and adding the user to the set of subscribed users only if the user is authorised. For example, the determining means may be configured to compare a user identifier of the user to a list of authorised users for the virtual pager or to determine whether the user is a member of a user group authorised for the virtual pager.

Preferably, the messaging system further comprises: means for receiving an unsubscribe request message for unsubscribing a user from a virtual pager; and means for removing the user from a set of subscribed users of the virtual pager.

The system preferably further comprises means for facilitating message exchange within the messaging group (subsequent to the original message), preferably whereby messages sent to the messaging group are delivered to one or more users of the messaging group (e.g. all group members except the sender).

Preferably, the set of users in the messaging group is unaffected by users subsequently subscribing to and/or unsubscribing from the virtual pager. For example, messages sent to the messaging group are preferably not delivered to one or more users that subscribe to the virtual pager after receipt of the first message and/or after creation of the messaging group. Messages sent to the messaging group preferably continue to be delivered to a given user after the given user unsubscribes from the virtual pager. The messaging system may be configured, after a user unsubscribes from the virtual pager, to prevent the user from sending a message to the messaging group.

The means for creating a messaging group is preferably arranged to include in the messaging group all of the currently subscribed users of the virtual pager. This may involve including only the currently subscribed users in the messaging group, or alternatively, one or more further users may be added to the group that are not subscribers of the virtual pager, the one or more further users preferably comprising the user having sent the message to the virtual pager (e.g. the group may comprise all subscribers plus the message sender).

The system may be configured to create the messaging group as one of: an inclusive group type, including the virtual pager subscribers and the message sender, and an exclusive group type, including the virtual pager subscribers but not the message sender, preferably wherein the group type is independently configurable for the virtual pager and/or wherein the group type is dynamically selectable. The system preferably further comprises: means for receiving a second message addressed to the virtual pager; and means for, in response to the second message: creating a second messaging group comprising a second set of users, the second set of users selected based on the current subscribers to the virtual pager (e.g. the subscribers at the time of receipt of the second message and/or the time of creating the second messaging group), and assigning a second group identifier to the second messaging group, the second group identifier different from the group identifier; and means for sending the second message to the second messaging group identified by the second group identifier. The system then preferably comprises means for facilitating message exchange within the second messaging group, whereby messages sent to the second messaging group are delivered to one or more of the second set of users of the second messaging group (e.g. all users except the sender). Thus, a message exchange occurring in response to the second message is preferably separate from a message exchange occurring in response to the original message, with the system enabling the separation by creation of separate messaging groups (the messaging groups may thus also be considered as defining distinct message exchanges or conversations). The set of users (of the original messaging group) may differ from the second set of users (of the second messaging group). They may differ entirely (no overlap) or partially (some overlap). Alternatively the sets may be the same (e.g. if the subscriber set has not changed).

The messaging system may also comprise means, in response to a user input from a given user receiving the message, for creating a further messaging group comprising only the sender of the message and the given receiving user. This can enable one- to-one conversation between the sender and receiver of the virtual pager message.

Messages are preferably received from and/or sent to one or more user devices associated with users, the user devices preferably comprising a messaging application for interacting with the messaging system. User devices may include e.g. a smartphone or a tablet, laptop or desktop computer.

Alternatively, messages may be received from a computer system other than a user device with a messaging application. For example, the message addressed to the virtual pager may be received from a computer system, with the computer system having generated the message automatically (preferably without user interaction) e.g. in response to an event or condition identified by the computer system. The message content of such a computer-originated virtual pager message is preferably delivered to the subscribers of the virtual pager in the same manner as for a human-originated message.

Note that, regardless of the source of messages, virtual pager subscribers (message recipients) may similarly include one or more computer systems (other than user devices) which are arranged to process messages without human interaction.

The message is preferably received from a user device (or other source) in encrypted form and is decrypted by the virtual pager facility, preferably wherein the virtual pager facility encrypts the further message (e.g. by re-encrypting at least the message content) before sending the further message to the messaging group.

The messaging system preferably comprises at least one first server implementing the group communication facility, and at least one second server implementing the virtual pager facility, preferably wherein the first and second server are remote from each other (e.g. at distinct locations and/or connected to distinct networks). For example, the first server may be connected to the public Internet, and the second server may be connected to a secured private network, preferably wherein the secured private network is associated with a location, premises and/or organisation where users use the messaging system. The first server is preferably adapted to transmit messages between users, and/or between users and the virtual pager facility, without decrypting the messages.

The virtual pager facility may comprise (or be implemented by/at) an automated message processing subsystem, preferably comprising a messaging bot.

In a further aspect of the invention (which may be combined with the above aspect), there is provided a messaging system for enabling exchange of human-readable messages between users at a location and for enabling automated message processing functions, comprising: a messaging server outside the location and connected to the public Internet, the messaging server adapted to transmit encrypted human-readable messages between user devices located at the location that are connected to the public Internet; and a message handling system at a secure network location associated with, and/or located within, the location, the message handling system configured to execute one or more messaging bots, wherein a messaging bot is arranged to receive a human-readable message, parse the message to identify one or more actions, and perform the one or more actions in response to the message; wherein the messaging server is arranged to deliver a received message addressed to a selected messaging bot to the message handling system; wherein the messaging system implements end-to-end encryption of messages, whereby the messaging server is arranged to receive a human-readable message from a user device in encrypted form and deliver the message to a specified recipient without decrypting the message; and wherein the message handling system is arranged to decrypt an encrypted message received from the messaging server prior to parsing the message; whereby the message remains encrypted whilst traversing the public Internet and is decrypted only at the secure network location associated with and/or located within the location.

The message handling system is preferably connected to a secured private network associated with the location. The location may for example comprise a building or premises of an organisation. The secure network location may comprise a secure data centre associated with (and optionally located at or within) the location. Communication between the location and the message handling system (where remote) may be via a purely private network, or may use a secured connection over a public network.

The term "human-readable message" preferably refers to a message that (in its original form at least) is formatted so as to be intelligible to a human reader/viewer. Such a message may include text and/or image and/or audio information. However, such messages may include commands (e.g. command keywords) intended for consumption by an automated process (e.g. a message bot) but that are nevertheless viewable and understandable by a human user, and indeed are typically input by a human user (e.g. by keyboard or speech input). Furthermore, a human- readable message may be in encrypted form, it being understood that, whilst not readable in that form, the underlying message content is nevertheless human- readable since it can be restored to its original form by decryption. The term "human- readable message" as used herein thus also encompasses encrypted messages and messages including commands to be carried out by an automated process. The one or more actions may comprise one or more of: sending a reply message to the sender; retrieving information from a database and optionally sending the information to the sender formatted as a human-readable reply message; storing data received in the message in a database, the data optionally comprising an image or other message attachment. A messaging bot may be arranged to engage in a message exchange comprising a plurality of messages with the sender to obtain further information from the user in addition to information contained in the initial message.

The one or more messaging bots may comprise a data access bot configured for at least one of: retrieving one or more data records from a database, the messaging handling system arranged to interface with the database, the data access bot preferably arranged to identify a requested record based on the message, retrieve the requested record and transmit a human-readable response message to the message sender comprising data from the retrieved record; and store information received in one or more messages in a database. The data access bot may be arranged to identify a record to be retrieved, updated or stored based on a record identifier included in a message and/or based on an image included in a message, the image preferably comprising a visual encoding of a record identifier, preferably a bar code (such as one- or two-dimensional bar code or QR code).

The one or more messaging bots may alternatively or additionally comprise a schedule bot adapted to determine from the message a role indication, to identify an individual allocated to the role at the time of the message or at a time specified in the message, based on a stored work schedule, and to send a reply message to the sender specifying the identified individual.

The location may comprise a hospital or medical centre, in which case the one or more bots may include a referral bot arranged to record data for a patient referral in response to one or more messages.

The one or more messaging bots may alternatively/additionally comprise a virtual pager bot, preferably adapted to implement a virtual pager facility as set out in relation to the first aspect of the invention described above and as discussed in more detail below.

In a further aspect of the invention, there is provided a method of exchanging messages in a messaging system between users using a virtual pager facility of the messaging system, whereby messages sent to a virtual pager are delivered to one or more users having subscribed to the virtual pager, and wherein the messaging system provides a group communication facility whereby a message sent to a messaging group is delivered to one or more (typically multiple) users associated with the group, the messaging group identified by a messaging group identifier; wherein the method comprises: defining a virtual pager in the messaging system as a recipient of messages and associating a virtual pager identifier with the virtual pager; associating a set of subscribed users with the virtual pager, wherein the subscribed users are subscribers to the virtual pager, and wherein the set of subscribed users may change over time; receiving a message addressed to the virtual pager, the message specifying the virtual pager identifier and including message content; in response to the message, creating a messaging group comprising a set of users, the set of users selected based on the current set of subscribed users associated with the virtual pager; assigning a group identifier to the messaging group; and sending a further message including the message content to the created messaging group identified by the assigned group identifier.

The method preferably comprises the further steps or features as performed by a messaging system according to either of the aspects defined above.

The invention further provides one or more computer-readable media comprising software code adapted to provide a messaging system as set out above or adapted, when executed by a processing device, to perform a method as set out above. More generally, the invention provides a computer readable medium or computer program product comprising software code adapted, when executed on a data processing apparatus, to perform any method as set out herein.

Any feature in one aspect of the invention may be applied to other aspects of the invention, in any appropriate combination. In particular, method aspects may be applied to apparatus and computer program aspects, and vice versa. Furthermore, features implemented in hardware may generally be implemented in software, and vice versa. Any reference to software and hardware features herein should be construed accordingly. Preferred features of the present invention will now be described, purely by way of example, with reference to the accompanying drawings, in which:-

Figure 1 illustrates an electronic messaging system in overview;

Figure 2 illustrates a process for sending a message to a virtual pager;

Figure 3 illustrates dynamic messaging groups created for a virtual pager;

Figures 4A-4D illustrate a user interface of a messaging application; and Figure 5 illustrates a hardware/software architecture of the messaging system. Overview

A messaging system 100 is illustrated in overview in Figure 1 . In this embodiment, the system is principally aimed at supporting communication between users associated with (and, as a general rule, located at) a particular location, e.g. the premises of an organisation. Thus, the system is illustratively divided into elements 100a located on the premises (at the location) and elements 100b located off premises (outside/remote from the location). In the examples used herein, the location in question is a hospital. However, other embodiments may not be associated with any particular location.

The messaging system enables communication between client devices 1 10a, 1 10b, 1 10c etc. via a messaging server 102. The messaging server implements an instant messaging (IM) type service and in this example is located off-premises, connected to the public Internet 104. Client devices (e.g. 1 10b, 1 10c) are typically located on the premises but may in some embodiments also communicate from outside the given location (e.g. device 1 10a).

The messaging system is principally designed for exchange of human-readable messages (e.g. text input via a device keyboard, images captured using a device camera and/or audio data captured via a device microphone), though messages may be in encrypted form (as discussed below) and may include commands and/or information in human-readable form intended for automatic processing by message bots (as also described further below).

Client devices are typically portable devices, in particular smartphones, but any type of client device may be used, such as a tablet or laptop computer, fixed personal computer terminal, voice-controlled computer, or the like. Client devices may connect to the Internet and thus to the messaging server 102 via mobile telephone networks (e.g. network 106), via local wired and/or wireless networks (e.g. local area network 108) or in any other way. Users of client devices 1 10a-1 10c exchange messages via messaging server 102. The client devices include a messaging application or app (which can be downloaded and installed to the client device from an app store e.g. Google Play or Apple App Store). To ensure security and avoid secure information leaking outside the messaging service, the app preferably provides limited or no social media or other cloud service integration.

A given message sent from a client device is addressed to one or more specified recipients, with the messaging server 102 transmitting the message to the specified recipient(s). Additionally, the messaging server provides a group messaging facility, whereby users may define user groups and send a message to a defined group. The messaging server then identifies the members of the group and delivers a copy of the message to each group member (except the sender). Messages exchanged between a given sender and a given receiver, or within a particular group, are displayed on the user device as a single message conversation. Thus, the user interface on the client device maintains multiple simultaneous conversations, allowing the user to select and display a particular conversation, and send a message to the participant(s) of that conversation. Messages may comprise text, images, audio data, or a combination (optionally, other types of information, e.g. files, may be sent as message attachments). The messaging system employs end-to-end encryption. Thus, a message created at a client device is encrypted at that client device prior to transmission. The messaging server routes the message to its recipient(s) without decrypting the message. The message is then decrypted at each recipient device. This ensures that the message is never in clear-text form during transmission (in particular as it traverses the public networks 104, 106). The system also provides automated message handling functions in the form of message "bots". A message bot is an automatic messaging function that receives a message (formatted in a particular way, e.g. using command words or the like) and carries out one or more automated actions in response to the message. In this embodiment, message bots are implemented in a message handling system 1 12 located on the premises.

Examples of functions implemented by bots may include retrieving or updating information in a database. By way of example, a data access bot 1 16 is shown which allows retrieval of information and/or updating of information (e.g. patient records) in a database 124. For security the database 124 may be located behind a firewall 1 18 (e.g. in a hospital data centre), which may limit access to only authorised system components and/or users. As a further example, pager bot 1 14 is shown which implements a virtual pager function, allowing secure and controlled communication between users. The pager bot function is described in more detail below.

Access to particular bot functions may require user authentication and may be restricted to particular users. In the embodiment shown, the message processing system interacts with an authentication service 120 (having access to a user database 122 including authentication credentials). The authentication service may be specific to the messaging system or alternatively may support additional systems or services. In this example, authentication service 120 is in the form of an organisation-wide authentication service such as a Microsoft (TM) Active Directory service, a RADIUS server, or the like.

While message bots might in some implementations be implemented at the messaging server 102, this could affect security, since it is generally necessary to decrypt the message to identify the action required, process information contained in the message, etc. Thus, in such an approach, a message directed to a message bot would be encrypted at the source device (e.g. client device 1 10b) and then decrypted at messaging server 102. Not only is this potentially insecure, but it may contravene organisational polices (for example, in the field of medical services strict polices apply to confidentiality of patient data). Thus, conventional messaging architectures may not be suitable for application contexts with higher security requirements.

Preferred embodiments address this by separating the message bot implementation from the messaging server, with the message bots running on the message handling system 1 12 located on the premises of the organisation in question and within the organisation's secure private network. A message addressed to a messaging bot is thus still encrypted at the source device (e.g. client device 1 10b) and traverses the public Internet 104 and messaging server 102 in encrypted form, and is only decrypted at the message handling system 1 12, on the premises. As a result, the message is never decrypted outside the premises of the organisation. Furthermore, any data retrieved and sent back by a message bot (such as sensitive patient data) in a return message is similarly encrypted at message handling system 1 12 and traverses network 104/106 and messaging server 102 in encrypted form before being decrypted at recipient device 1 10b. Thus, confidential data need only be stored on the premises (e.g. database 124 in the hospital data centre), and all access to the data occurs locally. This separation of functionality thus allows the implementation of messaging bot functionality without compromising security. Note that some or all or the on premise components could be located off the premises but preferably connected in a secure manner. For example, the message handling system 1 12, databases 122 and 123 etc. could be located in a datacentre securely connected to the premises (e.g. a hospital data centre). In this case, the advantages discussed above are still retained since message decryption only occurs within the secure data centre associated with the premises/organisation - thus, decryption only occurs in a network domain under control of the organisation, not in the public Internet.

In these message exchanges, the message handling system 1 12 (or specifically a particular messaging bot) essentially acts as a client device, with the same end-to- end encryption between source device (1 10a-1 10c) and destination (message handling system 1 12).

Thus, the messaging server (and the operator of the service) has no visibility of the message content. As an additional security measure the information is stored at the messaging server only until the message has been delivered to its recipient at which point the message is deleted.

Since user devices are typically smartphones, user accounts for the messaging service may be tied to telephone numbers (i.e. user's telephone number may serve as a user identifier within the messaging service). In preferred embodiments, only whitelisted telephone numbers can use the service. Thus, users may be required to register their telephone numbers with a service administrator / operator, to be added to the whitelist, and can then register as service users and make use of the service after downloading and installing the messaging application on their device. Virtual pager

Preferred embodiments of the invention provide a virtual pager facility as part of the messaging system. The virtual pager facility can replace existing physical pagers as commonly used in hospital settings, and is implemented within the general-purpose messaging system. In the described embodiment, the virtual pager function is implemented as a messaging bot (see pager bot 1 14 in Figure 1 ). However, the virtual pager could instead be implemented in any other way, e.g. as a separate software module within message handling system 1 12. A virtual pager is defined in the system as a recipient of messages (thus it may be considered a form of message queue to which messages can be sent). Communication through a virtual pager is based on subscriptions. A user may subscribe to a virtual pager, after which any messages sent to the virtual pager are forwarded to the user by the messaging system. A user may also unsubscribe from a virtual pager to which they are subscribed, after which they no longer receive messages sent to the virtual pager.

However, a virtual pager differs from a simple messaging group, and subscribing/unsubscribing differs from joining or leaving a messaging group. A virtual pager is associated with a set of subscribed users (which may change over time as users subscribe/unsubscribe). However, communication using a virtual pager occurs in dynamically created messaging groups, which are created at the time a message is sent to the virtual pager. The process of sending a message to a virtual pager is summarised in Figure 2. In step 200, a message is received. The message is sent from a client device (e.g. client device 1 10c in Figure 1 ) and addressed to the pager bot 1 14. The messaging server 102 thus receives the message and routes it to the message handling system 1 12, which forwards it to the pager bot 1 14.

The message includes message content (e.g. text/image data) and identifies a virtual pager (out of a number of virtual pagers defined for the system or for the specific pager bot). The virtual pager may be identified, for example, by any suitable identifier appearing in the body of the message (e.g. as the first word/token in the message), such as a numerical pager code (e.g. "123") or a text identifier ("e.g. @doc_on_call"). For example, such a message sent to the pager bot could read "@doc_on_call you are needed on ward 7!"). Note that the message itself is addressed (in terms of the internal addressing used by the messaging system) to the pager bot (specifically a user identity used by the system to identify the pager bot), whilst the virtual pager is identified in the body of the message. In step 202, the pager bot retrieves the list of users currently subscribed to the identified virtual pager. If there are no current subscribers (204), this may represent an error condition and error handling may be performed in step 206. In one example, a warning message is sent to the message sender to indicate that there are currently no subscribers and thus the message will not be delivered. Similar error processing is performed if the identified virtual pager does not exist or is inactive (e.g. if the pager identifier is undefined).

Assuming the virtual pager exists and has at least one subscriber, the pager bot creates a dynamic messaging group in step 208 comprising a set of users associated with the virtual pager. The set of users preferably includes all the current subscribers to the virtual pager (i.e. the set of users identified in step 202). Additionally, the set of users may include the sender of the message (who may but does not have to be a subscriber to the pager - preferably any user can send a message to a virtual pager without having to be subscribed themselves). Where the sender is included in the dynamic messaging group, this is referred to as inclusive mode, or an inclusive group. Alternatively, the sender may not be included in the dynamic messaging group, which is referred to as exclusive mode, or an exclusive group.

Whether the dynamic messaging group is created in inclusive mode or exclusive mode is preferably configurable. In one example, this is configured independently for each virtual pager (e.g. by a system administrator). In another example, a default mode is used (e.g. exclusive), but a group member (i.e. a recipient of the pager message) may dynamically change the group to inclusive mode (e.g. by way of a user interface button), whereupon the sender is added to the group. Alternatively, the system may simply be configured to use either the inclusive mode or the exclusive mode for all virtual pagers. As a further variation, the pager bot may add one or more additional users even if the users are not actively subscribed (e.g. a manager/supervisor user, or a user identity used for message logging purposes).

The dynamic messaging group may be created, for example, by the pager bot signalling the messaging server with the user identifiers for the users to be added to the group. The pager bot then forwards the original message content (preferably with the pager identifier removed) to the newly defined dynamic message group. The messaging server then forwards the message to the group members using normal message distribution behaviour in step 210.

The dynamic messaging group is assigned a name or identifier allowing the group to be identified. In one example, the group identifier / name comprises the virtual pager identifier and a timestamp (e.g. specifying date and/or time) indicating the time of creation (to allow different conversations relating to the same virtual pager to be distinguished). Instead of the timestamp a sequence number or other unique element could be used. Thus, for example, for pager "@doc_on_call" a temporary group may be created as "@doc_on_call <23:55 15.Mar.2017>" (see the example dynamic messaging group 405 displayed in the Figure 4A user interface discussed below). This display name may be used as an internal group identifier by the messaging system or alternatively a separate internal identifier may be created that is associated with the display name. The messaging server maintains a group table (or other data structure) listing the messaging groups with internal identifiers and/or display names, and group members, to enable messages sent to an identified group to be routed correctly.

After the message has been sent to the dynamic messaging group, the pager bot sends a confirmation response to the sender indicating that the pager message has been sent (e.g. "Your message to @doc_on_call has been sent") and optionally indicating the number of subscribers to the virtual pager at that time.

As described previously, the system preferably employs end-to-end encryption. The pager identifier is part of the body of the message, and thus to enable processing of the message, the pager bot first decrypts the received message, before extracting the virtual pager ID. Subsequently, the new message (e.g. the original message content minus the virtual pager ID) is re-encrypted at the pager bot before sending the new message to the dynamic messaging group created in step 208. In step 212, subsequent messages sent by group members as part of the conversation (i.e. messages sent in reply to the original message or in reply to a subsequent group message) are distributed to the users within the dynamic messaging group. This messaging occurs using the standard group messaging facility of the messaging system, and is thus performed under control of the messaging server (102) without further involvement of the pager bot.

Subsequently, if the pager bot receives another message the process repeats from step 200. The subsequent message may be addressed to the same virtual pager ID or a different virtual pager ID. However, even if addressed to the same virtual pager ID, the previously created dynamic messaging group is not re-used. Instead, steps 202-212 are repeated independently. Thus, the subscribers are again identified and a new dynamic messaging group is created (step 208) with responses to the pager message and follow-up conversation occurring within the new messaging group.

If the set of subscribers has not changed since the first pager message, this means that there may now be two distinct dynamic user groups with the same group members, but each group is dedicated to the conversation responsive to the original pager message that spawned that group. This ensures that the messaging interface at the user devices maintains these message exchanges as separate conversations, which the user can view and interact with independently.

Furthermore, it is possible that the subscribers to the virtual pager have changed since the first pager message. In that case, the group membership of the new dynamic user group will differ from the group membership of the first dynamic user group. This is illustrated in Figure 3

Here, at time T1 , a message is sent to virtual pager V1. At time T1 (the time the message is received at the pager bot), the pager has three subscribers U1 , U2 and U3. Thus, a dynamic messaging group G1 is created including users U1 , U2 and U3 and messages are then exchanged in the group.

Between time T1 and time T2, users U1 and U3 unsubscribe from virtual pager V1 and user U5 subscribes to virtual pager V1 . At time T2, a second message is sent to the same virtual pager V1. At this point, the pager has two subscribers, U2 and U5. Thus, in response to the second message, a new dynamic messaging group G2 is created including users U2 and U5 and messages can then be exchanged within that group.

It should be noted that, once created, the dynamic messaging groups (e.g. G1 , G2) exist independently of the virtual pager. Thus, after time T2, both dynamic messaging groups G1 and G2 exist in the messaging system and can continue to exchange messages. Dynamic groups may persist indefinitely, though users may delete the relevant conversations from their messaging applications. Dynamic groups may also be deleted after a time (e.g. after a period of inactivity, or after all users have deleted the conversation from their device). As a further example, groups may be closed/deleted after users un-subscribe from the associated virtual pager (e.g. after all group users have unsubscribed). Messages may be deleted from the user device after a defined period (e.g. after X days) but are preferably retained at the server for audit purposes.

This approach thus allows different message conversations to proceed independently in response to different messages sent to a virtual pager at different times. In the hospital example, a doctor may subscribe to a virtual pager associated with a particular on-call duty when the doctor starts his or her shift, and may unsubscribe from the pager at the end of the shift (at which point another doctor may subscribe and thus "take over" the virtual pager). Nevertheless, the first doctor may still participate in conversations initiated in response to pager messages sent whilst subscribed after the end of their shift (e.g. in cases where follow-up is required), but does not receive new pager messages sent to the virtual pager after their shift has ended, at which point the new matter will be another doctor's responsibility.

A virtual pager may be viewed as providing a message queue. However, unlike a conventional message queue, messages sent to a pager spawn a dynamic messaging group specific to the subscribers at the time, and while the set of users subscribed to a pager may change over time, a dynamic group once created is independent of the current pager subscriptions and persists without regard to subscription changes. A virtual pager thus in effect provides a handle that represents a group of subscribed users at a particular point in time. Figures 4A-4D illustrate the user interface of the messaging application provided on user devices 1 10a-1 10c. Figure 4A shows the basic messaging interface, listing a number of existing conversations in area 404 (including conventional direct conversations, and dynamic messaging groups created by the Figure 2 process, such as group conversation 405), and providing a search button 402 for searching for users and messaging bots. In Figure 4B a user has selected the search function and typed "Pager", with the search result being displayed in the form of "Pager UHS" messaging bot 406. The system may provide multiple pager bots (e.g. each responsible for a different set of virtual pagers).

Figure 4C illustrates interaction with a virtual pager. A first message 408 is sent by the user to the pager bot for subscribing to the virtual pager. The message bot parses the message to determine the required action - here the "subscribe" command keyword indicates a subscription request, the "pager" keyword precedes the virtual pager ID "123" of the required virtual pager. The pager bot thus subscribes the user to virtual pager 123 and sends a confirmation message 410 to the user. Subsequently, a message is sent to virtual pager 123 and is delivered to the subscribed user as message 412. At a later time, the user sends an unsubscribe command 414 as a message to the pager bot. The unsubscribe command is similar to the subscribe command except for the command keyword "unsubscribe". The pager bot removes the user from the set of subscribers of virtual pager 123 and sends a confirmation message 416 to the user.

In this example, the interface shows the conversation between the pager bot and the user; any subsequent conversation in response to the pager message would appear as a separate conversation in conversation list 404 (Figure 4A), associated with the relevant group members of the dynamic messaging group created for the pager message. In this example, the original pager message is displayed in the pager bot conversation, but the pager message could additionally (or alternatively) appear in the dynamic group conversation. In another example, the pager message appears in the pager bot conversation and the dynamic group is only spawned once a user responds to the pager message.

Figure 4D illustrates the interface with the pager bot 418 displayed as a fixed entry at the top of the conversation area. The entry additionally include a status area, e.g. indicating a most recent event for the pager bot (e.g. a most recent message sent to a pager to which the user has subscribed, or in this case the unsubscribe confirmation). The interface may also allow direct messaging between users in a group or in response to a pager message. For example, the user may tap and hold message 412 to create a new temporary group with only this user and the original sender of the pager message; the user interface then takes the user to the message conversation interface for the new temporary group to enable direct communication between those users.

After unsubscribing, this user no longer receives new pager messages sent to pager 123, but may continue to participate in conversations in dynamic messaging groups spawned in response to earlier pager messages (e.g. group 405 in Figure 4A). In an alternative example, a current conversation in a dynamic group could be locked in a read-only mode when the user unsubscribes from the virtual pager that spawned the dynamic group, preventing the user from sending further messages to the group. In read-only mode the original sender of the pager message may also be prevented from contacting the user (the receiver of the pager message) directly.

In one example, if a user unsubscribes from a pager after a conversation has been initiated in a dynamic group between the user and the pager message sender (and/or other users), the sender may no longer be able to contact the unsubscribed user. Further messages to the group may be prevented (read-only mode) or alternatively, the message could be escalated / redirected to the current pager holder automatically; alternatively, the pager bot can send a message advising the sender to contact an alternative person or current subscriber to the pager. Example message flows

The above has described basic message flows and usage scenarios. The system may be expanded to support additional/alternative message flows. Some specific examples of message exchanges that may be supported (including those described above and some alternative message flows) are set out below (these examples are in the context of a hospital setting):

• Direct Message: User "NurseA" sends message to virtual pager "@doc_on_caH". Bot sends direct message to user "Doctorl " (currently subscribed to the virtual pager).

• Direct Message Response: Same as 'Direct Message' with addition that message includes an inline key response allowing Doctorl to respond to NurseA via the bot. This allows Doctorl to communicate with NurseA but remain removed from direct communication with Nursel .

• Exclusive Group: NurseA sends message to @doc_on_call. Bot creates a new group @doc_on_call <timestamp>, adds all the subscribed doctors to the group and sends NurseAs message to the group.

• Exclusive Group Response: Same as Exclusive group with addition that message includes an inline key response allowing Doctorl to respond to NurseA via the bot. This allows Doctorl to communicate with NurseA but remain removed from direct communication with Nursel .

· Inclusive Group: NurseA sends message to @doc_on_call. Bot creates a new group @doc_on_call <timestamp>, adds all the subscribed doctors AND NurseA to the group and sends the message to the group.

User Management

In a preferred embodiment, the system restricts how users interact with the pager bot.

In one example, users may require specific authorisation before being able to subscribe to a virtual pager. The authorisation may be general for all virtual pagers but is preferably specific to individual pagers. As such, a system administrator may authorise a given user, or a given user group / role, to subscribe to a particular virtual pager. In one embodiment this is implemented via an interface to an organisation-wide authentication service such as service 120 in Figure 1 . In a preferred example this is a Microsoft Active Directory (AD) service, but alternative systems and technologies may be substituted. The message handling system 1 12 interfaces with the AD service. Pager authorisations are group based, such that only users in a predefined AD group can subscribe to a given virtual pager (with the authorisations defined separately for each virtual pager, e.g. when the administrator sets up the pager). Thus, a pager associated with a particular hospital department may only have users associated with that department (and/or users of a given seniority level) as subscribers. Message senders may similarly be restricted. In one example, a sender must belong to a specified AD group (or one of a number of specified AD groups, or alternatively to any AD group, of the hospital) to be allowed to send messages to a virtual pager. The restrictions are enforced by the message handling system 1 12 (and/or by the pager bot 1 14 itself).

Additional virtual pager functionality The virtual pager functionality described herein can act in a similar way to a traditional physical pager and allow communication with a particular holder of a role (at a given time) without needing to know who the current holder of the role is. A user can send a message to the virtual pager which is delivered to the current role holder(s), i.e. the subscriber(s) to the virtual pager. As the role holder(s) and hence the subscriber(s) change over time, new pager messages spawn distinct conversations in dedicated dynamically created messaging groups.

However, by implementing the virtual pager facility in the context of a mobile instant messaging system, various advanced functionality can be provided.

One feature of the system is that it improves privacy, since the virtual pager facility provides a level of indirection. For example, one user (e.g. a nurse in a hospital) may send a message to the virtual pager to which another user subscribes (e.g. a consultant). This spawns a dynamic messaging group enabling direct conversation between the users - but only within that group. The messaging interface preferably does not provide access to user identities (even if user names are displayed) in a way that would allow the first user to contact the second user directly (or vice versa) outside this particular conversation (e.g. there is no "add to address book" option or the like). If one user (e.g. the consultant) deletes the conversation/group, the other user will no longer be able to message that user (unless they have acquired the user identity details e.g. a user ID, separately).

The system may provide push notifications for messages on user devices. In one example, a different type of push notification may be provided for the initial message to the virtual pager. For example, the initial pager message may be visually distinguished from ordinary messages exchanged through the messaging system (and could include different inline options within the push notification; for example buttons could be provided for replying and/or for indicating whether the messaging group spawned for the conversation following the initial message should be configured as an inclusive or exclusive group). The user interface may additionally provide functionality to show that the subscriber (or a subscriber) of the virtual pager has received and/or read the initial pager message. This could be displayed within the messaging user interface, as a further push notification and/or via a sound effect or haptic feedback. An interface may additionally be provided for displaying the current subscriber(s) to a pager. This could be available within the messaging application and/or could be provided via a separate application or web service. In one example, a pager dashboard interface is provided, showing subscribers for various virtual pagers and possibly other information, such as past subscribers, subscribe/unsubscribe events, recent messaging activity etc. Only some users (e.g. administrators or senior users) may have access to the pager dashboard.

The system may store some or all messages (e.g. for auditing purposes). In one implementation, the original message to the virtual pager is stored (and may e.g. be available to view via the pager dashboard interface) but subsequent messages exchanged in the dynamic messaging group are considered private and are not stored or made available. Alternatively, all messages to a virtual pager and all group message content (messages exchanged in a message group) may be stored. In one example, system administrators may manage the virtual pager (e.g. activating/deactivating, subscribing/unsubscribing users etc.) but cannot see the content of messages sent to the pager or exchanged in the group.

The above examples generally describe use of the virtual pager functionality in a 'Human to Human' communication scenario. However, preferred embodiments additionally implement a messaging API (application programming interface) for use with the system permitting 'Machine to Human' communication scenarios, allowing a computer system to initiate transmission of messages to virtual pagers (or other messaging bots as described below) using the API. In the case of the virtual pager facility, this enables a computer system to initiate a message to a given virtual pager, for example in response to some predetermined event or condition detected by the computer system. Such computer systems could e.g. include application or database servers, medical or other monitoring or alarm systems, etc. The following provides a concrete example in a hospital setting:

1 . A doctor subscribes to a virtual pager '@diabetic_admissions'

2. An existing hospital interface engine is configured to search for diabetic patients on admission and send a message to the messaging API

3. The pager bot receives the message and sends it to current subscribers of the '@diabetic_admissions' virtual pager - for example "You have a new diabetic patient Jack Ryan 12345 in ED"

4. The user can also tap accept or add text and this is then sent via the interface back to the hospital system.

Thus the relevant individuals (current subscribers to the virtual pager) can be automatically informed of conditions or events identified by some other computer system, without that other system having to be aware of the identities of the virtual pager subscribers at any given time.

Virtual pager subscribers - i.e. message recipients - may similarly include computer systems that process the messages automatically, without user interaction (i.e. computers that are not smartphones or similar running the messaging app).

Additional message processing functions

In addition to the pager bot, other message processing functions may be implemented in the form of further messaging bots at the message handling system 1 12.

Administrators may control what commands the bot accepts and from whom. Commands submitted to messaging bots (e.g. as natural language or formatted command statements, using command keywords) are translated into calls on internal or external systems (e.g. in the example hospital setting, commands are translated into calls on the internal hospital systems).

Examples of use cases in the hospital setting may include:

• Retrieving patient data from an EMR (electronic medical record)

· Updating data in an EMR or inserting images into an EMR

• Interacting with a media manager (storing / retrieving media) • Querying roster data

• Business Intelligence

• Remote access The following lists some specific examples of other bots that may be implemented in a hospital setting:

• A Schedule bot, able to interface with a scheduling system to identify staff members that are on duty as specified by a staff schedule. For example, the schedule bot may be able to respond to queries such as "whois cardiology SHO on call?" with name and/or contact details of the relevant on-duty individual.

• Tissue bot, for recording images (taking using the user's smartphone) of patient conditions (e.g. wounds). For example, the user may send a command such as "/addphoto 107195" to the bot. The bot retrieves patient data (e.g. name, data of birth etc.) for the patient with identifier "107195" and sends it in a message to the sender. Upon confirming the record is correct, the doctor takes a picture of the patient's wound and sends it to the bot. The bot stores in in the patient database and returns a confirmation message (e.g. "Ok it's saved.")

· A pharma bot, used for capturing prescription errors, e.g. by submitting and saving an image as described above.

• A statistics bot, for delivering business information statistics in a message to the end user - for example, Emergency Department stats such as "There are 3 ambulances in the ED, 22 patients in the waiting room and 4 admissions in the last hour"

• A Referral Bot, for recording data for a patient referral.

• IT Helpdesk Bot - for use when a user has an issue with a computer (e.g. blue screen). The user opens the messaging app and finds the IT bot, takes a picture of the blue screen error message using the smartphone, adds a note and sends it to the bot. The bot stores image and text to an onsite server (e.g. an incident ticketing system) and notifies IT staff of the incident.

• Hospital Cleaning Bot - for example, a user discovers an area requiring cleaning, takes a picture and sends it to the cleaning bot. The bot may ask the user to scan a location code or enter location details. For example, location codes may be displayed as bar codes / QR codes on the wall around the hospital. The user scans the location code near the location, and the image and location are added to the onsite cleaning database, and cleaning staff is notified of the cleaning task.

A bot may implement necessary data gathering as a conversation with the user. For example, a bot such as the referral bot may take the place of a conventional paper or web form, with the bot sending questions to the user and receiving messages with answers from the user. Where form entries are multiple- choice the message interface may present the alternative options in the form of an inline keyboard. For example, a query "Please select how urgent the referral is" is displayed with an inline keyboard (in place of the usual QWERTY input keyboard) having only the input options "Routine", "Within 24 hours" and "Between 24-48 hrs". The selected option is then sent as the response message from the user device to the message bot. The message bot gathers the responses and stores these as a data record.

Where an identifier such as a patient identifier is required for accessing patient records (e.g. retrieving data from or updating data in a patient database or electronic medical record) the identifier may be included in a message in text form or may be in the form of a bar code, QR code or the like. For example, the user may acquire an image of such a one- or two-dimensional bar code encoding a patient identifier with a camera of the user device and send the image as a message (or message attachment) to the relevant bot. The bot / bot framework then decodes the bar code to extract the patient identifier (alternatively decoding could occur at the user device). This approach may be extended to any entity that needs to be identified, e.g. location identifiers, equipment identifiers, supply storage identifiers etc.

To enable interaction with hospital systems (e.g. capture and store date in the electronic medical record), the bots and message processing system 1 12 provide database integration (e.g. SQL integration to retrieve data from relational databases or update data, store images and the like). HL7 FHIR integration is provided to support interfacing with hospital systems.

Note that the various features relating to user access control described above in relation to the pager bot may be also be applied to the various other bots, e.g. to prevent unauthorised users from viewing / updating a patient's electronic medical record. Thus, the bots a user can utilise and/or the actions a user can perform via any of the bots are preferably determined by user authorisations, for example by a user's Active Directory group membership(s). System architecture

Figure 5 illustrates the hardware and software architecture of certain components of the messaging system in an example implementation, focussing on the end user device 1 10, and message handling system 1 12.

In this example, the end user device 1 10 is a smartphone or similar portable device and includes one or more processors 506 together with volatile / random access memory 502 and persistent storage 504.

Persistent storage 504 (e.g. in the form of FLASH memory or the like) persistently stores user data and software run on the user device, including a smartphone operating system 509 and messaging application 510 (the latter including local message encryption/decryption functionality). The persistent storage also includes other device software and data (not shown), such as additional applications, device drivers etc. Volatile / random access memory 502 stores temporary data and software code being executed on processor 506, including the aforementioned smartphone OS 509 and messaging application 510. A network interface 508 is provided for communication with other system components (including messaging server 102, message handling system 1 12 and other user devices). Communication occurs over one or more networks (e.g. Local or Wide Area Networks, including the Internet). In the present case, connection is via the public Internet 104 but the connection may include access networks such as mobile telephony networks, Wi-Fi networks and the like. For example, the network interface 508 may include a GSM or other mobile telephony interface and/or a Wi-Fi interface.

The user device will also include other conventional hardware and software components as known to those skilled in the art.

Message handling system 1 12 is preferably in the form of a computer server and similarly includes one or more processors 514, persistent storage 518 (e.g. including hard disk, optical, FLASH memory or any other storage technology) and volatile / random access memory 516. Software run at the message handling system includes a server operating system 519 and a bot framework 520. The bot framework supports encryption/decryption of messages and execution of messaging bots, including the pager bot 1 14 implementing the virtual pager facility and any other messaging bots 522. The server includes a network interface 512 for communication with other system components (including messaging server 102, and user device 1 10) over the network (here including the Internet 104). In this implementation, the pager bot 1 14 communicates with the messaging application 510 at the user device via the messaging server as intermediary, in the manner previously described.

The message handling system 1 12 will include other conventional hardware and software components as known to those skilled in the art. The messaging server 102 similarly includes conventional server hardware/software, including processors, storage, etc. and runs a messaging module for receiving and forwarding messages (not shown).

The message handling system 1 12 may additionally interface with other local and remote systems. For example, the system may support Microsoft Active Directory integration for authentication and authorisation, and may support database integration for data access (e.g. Microsoft SQL, PostgreSQL, MySQL and Oracle database integration may be provided). The system may further support FHIR (Fast Healthcare Interoperability Resources), Webhooks and Python for interfacing with other external components.

While a specific architecture is shown by way of example, any appropriate hardware/software architecture may be employed for the various components. Furthermore, functional components indicated as separate may be combined and vice versa. For example, in some embodiments, functions of the messaging server 102 and message handling system 1 12 could be combined in a single system/server. In practice, the messaging server 102 may comprise a single server or multiple separate server nodes. The functions of message handling system 1 12 may similarly be implemented in a single server or distributed over multiple devices. Individual functions may be distributed over any number of separate devices in any appropriate manner.

It will be understood that the present invention has been described above purely by way of example, and modification of detail can be made within the scope of the invention.

Claims

1 . A messaging system enabling exchange of messages between users and arranged to provide a virtual pager facility whereby messages sent to a virtual pager are delivered to one or more users having subscribed to the virtual pager, the system comprising:

a group communication facility whereby a message sent to a messaging group is delivered to one or more users associated with the group, the messaging group identified by a messaging group identifier;

means for defining a virtual pager in the messaging system as a recipient of messages and associating a virtual pager identifier with the virtual pager;

means for associating a set of subscribed users with the virtual pager, wherein the subscribed users are subscribers to the virtual pager, and wherein the set of subscribed users may change over time;

means for receiving a message addressed to the virtual pager, the message specifying the virtual pager identifier and including message content;

means for, in response to the message, creating a messaging group comprising a set of users, the set of users selected based on the current set of subscribed users associated with the virtual pager, and assigning a group identifier to the messaging group; and

means for sending a further message including the message content to the created messaging group identified by the assigned group identifier.

2. A messaging system according to claim 1 , wherein the current set of subscribed users is the set of subscribers to the virtual pager at the time of receipt of the message and/or at the time of creating the messaging group.

3. A messaging system according to claim 1 or 2, wherein the group identifier is distinct and preferably different from the virtual pager identifier.

4. A messaging system according to claim 3, comprising means for generating the group identifier based on the virtual pager identifier and a distinguishing identifier, the distinguishing identifier preferably comprising a date and/or time value

corresponding to creation of the messaging group.

5. A messaging system according to any of the preceding claims, further comprising: means for receiving a subscription request message for subscribing a user to a virtual pager; and

means for adding the user to the set of subscribed users associated with the virtual pager.

6. A messaging system according to claim 5, comprising means for determining whether a user having sent the subscription request message is authorised to subscribe to the virtual pager, and adding the user to the set of subscribed users only if the user is authorised.

7. A messaging system according to claim 6, wherein the determining means is configured to compare a user identifier of the user to a list of authorised users for the virtual pager or to determine whether the user is a member of a user group authorised for the virtual pager.

8. A messaging system according to any of the preceding claims, further comprising:

means for receiving an unsubscribe request message for unsubscribing a user from a virtual pager; and

means for removing the user from a set of subscribed users of the virtual pager.

9. A messaging system according to any of the preceding claims, the system comprising means for facilitating message exchange within the messaging group, preferably whereby messages sent to the messaging group are delivered to one or more users of the messaging group.

10. A messaging system according to any of the preceding claims, wherein the set of users in the messaging group is unaffected by users subsequently subscribing to and/or unsubscribing from the virtual pager.

1 1 . A messaging system according to any of the preceding claims, whereby messages sent to the messaging group are not delivered to one or more users that subscribe to the virtual pager after receipt of the first message and/or after creation of the messaging group.

12. A messaging system according to any of the preceding claims, whereby messages sent to the messaging group continue to be delivered to a given user after the given user unsubscribes from the virtual pager.

13. A messaging system according to any of the preceding claims, configured, after a user unsubscribes from the virtual pager, to prevent the user from sending a message to the messaging group.

14. A messaging system according to any of the preceding claims, wherein the means for creating a messaging group is arranged to include in the messaging group all of the currently subscribed users of the virtual pager.

15. A messaging system according to claim 14, wherein the means for creating a messaging group is arranged to include only the currently subscribed users in the messaging group.

16. A messaging system according to any of claims 1 to 14, comprising means for adding one or more further users to the group that are not subscribers of the virtual pager, the one or more further users preferably comprising the user having sent the message to the virtual pager.

17. A messaging system according to any of the preceding claims, configured to create the messaging group as one of: an inclusive group type, including the virtual pager subscribers and the message sender, and an exclusive group type, including the virtual pager subscribers but not the message sender, preferably wherein the group type is independently configurable for the virtual pager and/or wherein the group type is dynamically selectable.

18. A messaging system according to any of the preceding claims, further comprising:

means for receiving a second message addressed to the virtual pager, the second message specifying the virtual pager identifier and including second message content;

means for, in response to the second message:

creating a second messaging group comprising a second set of users, the second set of users selected based on the current subscribers to the virtual pager (preferably at the time of receipt of the second message and/or the time of creating the second messaging group), and

assigning a second group identifier to the second messaging group, the second group identifier different from the group identifier; and

means for sending a message including the second message content to the second messaging group identified by the second group identifier.

19. A messaging system according to claim 18, comprising means for facilitating message exchange within the second messaging group, whereby messages sent to the second messaging group are delivered to one or more of the second set of users of the second messaging group.

20. A messaging system according to claim 18 or 19 wherein the set of users differs from the second set of users.

21 . A messaging system according to any of the preceding claims, comprising means, in response to a user input from a given user receiving the further message, for creating a further messaging group comprising only the sender of the message and the given receiving user.

22. A messaging system according to any of the preceding claims, wherein messages are received from and/or sent to one or more user devices associated with users, the user devices preferably comprising a messaging application for interacting with the messaging system.

23. A messaging system according to any of the preceding claims, wherein the message is received from a user device in encrypted form and is decrypted by the virtual pager facility, preferably wherein the virtual pager facility encrypts the further message (e.g. by re-encrypting at least the message content) before sending the further message to the messaging group.

24. A messaging system according to any of the preceding claims, comprising at least one first server implementing the group communication facility, and at least one second server implementing the virtual pager facility, preferably wherein the first and second server are remote from each other.

25. A messaging system according to claim 24, wherein the first server is connected to the public Internet, and wherein the second server is connected to a secured private network, preferably wherein the secured private network is associated with a location, premises and/or organisation where users use the messaging system.

26. A messaging system according to claim 24 or 25, wherein the first server is adapted to transmit messages between users, and/or between users and the virtual pager facility, without decrypting the messages.

27. A messaging system according to any of the preceding claims, wherein the virtual pager facility comprises an automated message processing subsystem, preferably comprising a messaging bot.

28. A messaging system for enabling exchange of human-readable messages between users at a location and for enabling automated message processing functions, comprising:

a messaging server outside the location and connected to the public Internet, the messaging server adapted to transmit encrypted human-readable messages between user devices located at the location that are connected to the public Internet; and

a message handling system at a secure network location associated with, and/or located within, the location, the message handling system configured to execute one or more messaging bots, wherein a messaging bot is arranged to receive a human-readable message, parse the message to identify one or more actions, and perform the one or more actions in response to the message;

wherein the messaging server is arranged to deliver a received message addressed to a selected messaging bot to the message handling system;

wherein the messaging system implements end-to-end encryption of messages, whereby the messaging server is arranged to receive a human-readable message from a user device in encrypted form and deliver the message to a specified recipient without decrypting the message;

and wherein the message handling system is arranged to decrypt an encrypted message received from the messaging server prior to parsing the message; whereby the message remains encrypted whilst traversing the public Internet and is decrypted only at the secure network location associated with and/or located within the location.

29. A system according to claim 28, wherein the one or more actions comprise one or more of:

sending a reply message to the sender;

retrieving information from a database and optionally sending the information to the sender formatted as a human-readable reply message;

storing data received in the message in a database, the data optionally comprising an image or other message attachment.

30. A system according to claim 28 or 29, wherein a messaging bot is arranged to engage in a message exchange comprising a plurality of messages with the sender to obtain further information from the user in addition to information contained in the initial message.

31 . A system according to any of claims 28 to 30, wherein the one or more messaging bots comprise a data access bot configured for at least one of:

retrieving one or more data records from a database, the messaging handling system arranged to interface with the database, the data access bot preferably arranged to identify a requested record based on the message, retrieve the requested record and transmit a human-readable response message to the message sender comprising data from the retrieved record; and

store information received in one or more messages in a database.

32. A system according to claim 31 , wherein the data access bot is arranged to identify a record to be retrieved, updated or stored based on a record identifier included in a message and/or based on an image included in a message, the image preferably comprising a visual encoding of a record identifier, preferably a bar code (such as one- or two-dimensional bar code or QR code).

33. A system according to any of claims 28 to 32, wherein the one or more messaging bots comprise a schedule bot adapted to determine from the message a role indication, to identify an individual allocated to the role at the time of the message or at a time specified in the message, based on a stored work schedule, and to send a reply message to the sender specifying the identified individual.

34. A system according to any of claims 28 to 32, wherein the location comprises a hospital or medical centre.

35. A system according to claim 34, wherein the one or more bots comprise a referral bot arranged to record data for a patient referral in response to one or more messages.

36. A system according to any of claims 28 to 35, wherein the one or more messaging bots comprise a virtual pager bot, preferably adapted to implement a virtual pager facility as set out in any of claims 1 to 27.

37. A method of exchanging messages in a messaging system between users using a virtual pager facility of the messaging system, whereby messages sent to a virtual pager are delivered to one or more users having subscribed to the virtual pager, and wherein the messaging system provides a group communication facility whereby a message sent to a messaging group is delivered to one or more users associated with the group, the messaging group identified by a messaging group identifier; wherein the method comprises:

defining a virtual pager in the messaging system as a recipient of messages and associating a virtual pager identifier with the virtual pager;

associating a set of subscribed users with the virtual pager, wherein the subscribed users are subscribers to the virtual pager, and wherein the set of subscribed users may change over time;

receiving a message addressed to the virtual pager, the message specifying the virtual pager identifier and including message content;

in response to the message, creating a messaging group comprising a set of users, the set of users selected based on the current set of subscribed users associated with the virtual pager;

assigning a group identifier to the messaging group; and

sending a further message including the message content to the created messaging group identified by the assigned group identifier.

38. A method according to claim 37, further comprising the further steps or features as performed by a messaging system as claimed in any of claims 1 to 36.

39. A computer-readable medium comprising software code adapted to provide a system as set out in any of claims 1 to 36 or adapted, when executed by a processing device, to perform a method as set out in claim 37 or 38.