IT and clinical risk in the NHS

Clinical risk can take many forms and when it comes to paper-based systems, it is often due to lost paperwork and illegible handwriting leading to, at best, delayed clinical decision making and, at worst, life-threatening decisions being taken. Reported sources of clinical risk include:

  • Password and account sharing
  • Loss of patient investigation/intervention request forms
  • Patient misidentification
  • Uncontactable staff
  • Misplacement of patient notes
  • Poor workforce planning

The impact of these types of errors is costly both for patients but also to the NHS financially. A recent summary report presented a number of interesting correlations about the consequences of adverse events for the NHS (with a particular focus on medication errors):

  • A study of 14 community pharmacists found a GP prescription error rate of 0.75 per cent with a serious potential adverse event rate of 5 to 32 per cent
  • In 2007, based on a National Patient Safety Agency (NPSA) calculator, admissions due to adverse drug events and inpatient medication adverse events cost the NHS £770m
  • The report correlated an upper limit annual cost of preventable adverse events at £2.5bn

Calculators and correlations must be considered carefully and treated as a guide to the issues at hand, as opposed to a definitive fact in every healthcare institution, but the scale of the challenge is readily apparent.

As NHS trusts become more digitally mature, they will be held to greater account when it comes to the secure management of their data. Under the directive of the Cabinet Office and the national Cybersecurity programme, NHS Digital (formerly known as the Health & Social Care Information Centre) recently launched the Care Computer Emergency Response Team (CareCERT), which will advise healthcare organisations about a range of data security threats while improving their risk mitigation strategies. Furthermore, NHS Digital has a clearly stated mandatory compliance standard (ISB0129) which vendors must adhere to demonstrate the implementation of clinical risk mitigation as a part of the deployment of IT systems. Given the NHS has topped the Information Commissioners Office (ICO) list of sources of serious data breaches this illustrates that the NHS, in the run-up to 2020, will be undergoing a period of scrutiny when it comes to clinical risk and IT.

The access challenge

One of the most intensely used resources in the NHS is the smartcard which has become a core part of trust digital strategies. Although smartcards in the primary care setting provide clinicians with access to a broad range of useful applications through the Spine, their benefits are limited to administrative purposes in the acute setting. Increasingly, the smartcard has been implemented as a ‘single point of entry’ means of authentication for clinicians to access electronic health records and associated clinical applications. This can be a powerful security strategy but only if executed in a manner that complements clinical workflow.

Our experience when auditing clinical workflows in the acute setting is that smartcards are often paired with keyboards with inbuilt smartcard slots. This is a mission critical point of failure from a governance perspective. Clinical IT systems often take some time to load which, particularly in an emergency setting, hinders clinical workflows. Clinicians will therefore ‘work around’ this process bottleneck by simply leaving their smartcards in place and so leaving an application session open. The clinical risks associated with this include:

  • Inappropriate account sharing
  • Visible, confidential patient information
  • Inappropriate clinical requests/transactions
  • The loss of an information audit trail
  • Smartcard loss

As electronic health record (EHR) systems become more widely adopted then the number of digital transactions will also increase through the implementation electronic prescribing and order communication modules. These systems often require multiple re-authentication steps in order for an end-user to complete a clinical workflow and so present a hampered user experience. These transactional workflows present further opportunities for workarounds and governance risks.

Communicating securely

The timely flow of information is often as important as access, and especially so in an increasingly mobile environment and with a generation of clinicians increasingly using smartphones and tablets in the clinical setting. Despite this, for the most part, bleeps (or pagers) continue to represent the only form of ‘official’ communication in the hospital. Underlying all of this is the increasing use of consumer applications to communicate and share patient information both between clinical staff and even patients themselves.

A recent study at Imperial College Healthcare NHS Trust of over 800 clinical staff found that 65 per cent of doctors used their smartphones to communicate patient information while 46 per cent used picture messaging. These systems and applications are not approved for clinical use and present a range of risks from a lack of appropriate security protocols, the risk of accidental sharing of data with non-clinical staff and the risk of device loss. Even consumer applications offering end to end encryption are yet to be approved for the transmission of healthcare data. With this in mind, whether it is the adoption of healthcare communication tools or creating in-house solutions, trusts and vendors need to implement clear clinical risk mitigation strategies to promote secure user behaviour without comprising clinical workflows. There are several ways this may be achieved through the adoption of NHS approved clinical communication applications or the implementation authentication systems optimised for virtualised and mobile environments.

The NHS compliance standard

The NHS has recognised for some time the importance of clinical risk as a part of its IT strategy. This is most clearly stated through its compliance standards ISB0160 and ISB0129 which are applicable to healthcare providers and vendors respectively. From a vendor perspective, there must be clearly demonstrated processes throughout the lifecycle of the deployment of an IT solution which identify, log, and mitigate against the fullest possible range of relevant clinical risks. These are resolved through the management of hazard logs, clinical risk workshops and the management of a clinical risk file which are all supervised by a nominated and certified Clinical Safety Officer (CSO) on the vendor side. This standard forms an essential part of Spine connectivity as it forms part of the requirement particularly as it pertains to receiving a Clinical Authority to Release but also as it is applicable at the local level as trusts seek to integrate clinical risk management as a part of their digital strategies.

A digital future

The NHS has an ambition to deliver interoperable, integrated, and paperless care and the adoption of clinical IT systems is an essential part of this. However, the transformation from paper to digital will disrupt clinical workflows for many as adjustments are made to new ways of working. The mitigation against clinical risk while enhancing clinical workflows will be a hallmark of successful vendors in years to come as they become trusted advisors to healthcare providers rather than just suppliers.

Dr. Saif Abed, EMEA Medical Director & Consultant at Impravata