Hospital Healthcare Europe

IT and clinical risk in the NHS

Dr Saif Abed
31 May, 2016  

The problem
Clinical risk can take many forms and, when it comes to paper-based systems, it is often due to lost paperwork and illegible handwriting, leading at best to delayed clinical decision making and, at worst, to life-threatening decisions being taken.

Reported sources of clinical risk include:

  • Password and account sharing
  • Loss of patient investigation/intervention request forms
  • Patient misidentification
  • Uncontactable staff
  • Misplacement of patient notes
  • Poor workforce planning

The impact of these types of errors is costly both for patients and, financially, for the NHS. A recent summary report presented a number of interesting correlations about the consequences of adverse events for the NHS (with a particular focus on medication errors):

  • A study of 14 community pharmacists found a GP prescription error rate of 0.75% with a serious potential adverse event rate of 5–32%
  • In 2007, based on a National Patient Safety Agency (NPSA) calculator, admissions due to adverse drug events and inpatient medication adverse events cost the NHS £770m
  • The report correlated an upper limit annual cost of preventable adverse events at £2.5bn

Calculators and correlations must be considered carefully and treated as a guide to the issues at hand, as opposed to a definitive fact in every healthcare institution, but the scale of the challenge is readily apparent.
As NHS trusts become more digitally mature they will be held to greater account when it comes to the secure management of their data. Under the directive of the Cabinet Office and the national Cybersecurity programme, NHS Digital (formerly known as the Health & Social Care Information Centre) recently launched the Care Computer Emergency Response Team (CareCERT), which will advise healthcare organisations about a range of data security threats while improving their risk mitigation strategies. Furthermore, NHS Digital has a clearly stated mandatory compliance standard (ISB0129) which vendors must adhere to in order to demonstrate the implementation of clinical risk mitigation as a part of the deployment of IT systems. Given the NHS has topped the Information Commissioner's Office (ICO) list of sources of serious data breaches, this illustrates that the NHS, in the run-up to 2020, will be undergoing a period of scrutiny when it comes to clinical risk and IT.

The access challenge
One of the most intensely used resources in the NHS is the smartcard, which has become a core part of trust digital strategies. Although smartcards in the primary care setting provide clinicians with access to a broad range of useful applications through the Spine, their benefits are limited to administrative purposes in the acute setting. Increasingly, the smartcard has been implemented as a ‘single point of entry’ means of authentication for clinicians to access electronic health records and associated clinical applications. This can be a powerful security strategy but only if executed in a manner that complements clinical workflow. Our experience when auditing clinical workflows in the acute setting is that smartcards are often paired with keyboards with inbuilt smartcard slots. This is a mission critical point of failure from a governance perspective. Clinical IT systems often take some time to load, which, particularly in an emergency setting, hinders clinical workflows. Clinicians will therefore ‘work around’ this process bottleneck by simply leaving their smartcards in place and so leaving an application session open. The clinical risks associated with this include:

  • Inappropriate account sharing
  • Visible, confidential patient information
  • Inappropriate clinical requests/transactions
  • The loss of an information audit trail
  • Smartcard loss

As electronic health record (EHR) systems become more widely adopted, the number of digital transactions will also increase through the implementation of electronic prescribing and order communication modules. These systems often require multiple re-authentication steps in order for an end-user to complete a clinical workflow and so present a hampered user experience. These transactional workflows present further opportunities for work-arounds and governance risks.

Communicating securely
The timely flow of information is often as important as access, especially so in an increasingly mobile environment and with a generation of clinicians increasingly using smartphones and tablets in the clinical setting. Despite this, for the most part, bleeps (or pagers) continue to represent the only form of ‘official’ communication in the hospital. Underlying all of this is the increasing use of consumer applications to communicate and share patient information both between clinical staff and even patients themselves. A recent study at Imperial College Healthcare NHS Trust of over 800 clinical staff found that 65% of doctors used their smartphones to communicate patient information while 46% used picture messaging. These systems and applications are not approved for clinical use and present a range of risks: a lack of appropriate security protocols, the accidental sharing of data with non-clinical staff and device loss. Even consumer applications offering end-to-end encryption are yet to be approved for the transmission of healthcare data. With this in mind, whether it is the adoption of healthcare communication tools or creating in-house solutions, trusts and vendors need to implement clear clinical risk mitigation strategies to promote secure user behaviour without compromising clinical workflows. This may be achieved in several ways, through the adoption of NHS approved clinical communication applications or the implementation of authentication systems optimised for virtualised and mobile environments.

The NHS compliance standard
The NHS has recognised for some time the importance of clinical risk as a part of its IT strategy. This is most clearly stated through its compliance standards ISB0160 and ISB0129, which are applicable to healthcare providers and vendors respectively. From a vendor perspective, there must be clearly demonstrated processes throughout the lifecycle of the deployment of an IT solution which identify, log and mitigate against the fullest possible range of relevant clinical risks. These are resolved through the management of hazard logs, clinical risk workshops and the management of a clinical risk file, all of which are supervised by a nominated and certified Clinical Safety Officer (CSO) on the vendor side. This standard forms an essential part of Spine connectivity, as it forms part of the requirement, particularly as it pertains to receiving a Clinical Authority to Release, but it is also applicable at the local level as trusts seek to integrate clinical risk management as a part of their digital strategies.

A digital future
The NHS has an ambition to deliver interoperable, integrated and paperless care and the adoption of clinical IT systems is an essential part of this. However, the transformation from paper to digital will disrupt clinical workflows for many as adjustments are made to new ways of working. The mitigation against clinical risk while enhancing clinical workflows will be a hallmark of successful vendors in years to come as they become trusted advisors to healthcare providers rather than just suppliers.

Case Study – Southend University Hospital NHS Foundation Trust (SUHFT)
SUHFT is a healthcare system serving a population of over 300,000 people in Southern Essex. Like many acute trusts in England, a broad range of clinical applications and slow login times incentivised clinical end-user behaviour, which was suboptimal from governance and risk perspectives. These are areas which are subject to increasing scrutiny when it comes to regulation of the health service, and specific examples included patient information being left unattended on computer screens, generically logged in terminals and account sharing. By implementing an authentication workflow solution, many of these challenges were eliminated through features which automated the authentication process for accessing applications, introduced customised time-out periods to protect patient information, and provided an audit trail of end-users accessing clinical systems, all within a streamlined environment which reduced the need for multiple workflow steps. Subsequently the overall efficiency was improved as access to relevant clinical workflows was accelerated significantly.