NHS England’s Priority on Digital - What Does it Mean for Information Governance?

With the NHS aiming to “exploit the full potential of digital technologies”, what is the implication on information governance? 

The NHS has committed to put data, digital and technology at the heart of its transformation. By March 2025 it aims to have met “a core level of digitisation”.  

Among other things, this will entail: 

• Consolidating purchasing and deployment of digital capabilities, such as electronic patient records and workforce management systems 

• Suppliers being able to comply with the interoperability standards, and 

• Plans to up-skill the workforce to “maximise the opportunities of digital solutions” 

These vital - yet challenging – ambitions are reliant on well-functioning Information Governance and substantial financial investment.

So, what will the road to 2025 look like?

Increased digitisation means collecting and storing more information than ever before. As is well known, data in the digital space is both a vital asset and huge vulnerability. With the growing uptake of cloud services comes increased security risks - making it vital for cybersecurity to be built into the NHS’s organisational structure.  

 A report by Imperial College - ‘Improving Cyber Security in the NHS’ highlights that many NHS organisations are failing to meet adequate digital security standards, despite the potentially disastrous consequences. The need for action is urgent and obvious.  

Cyber security is greatly enhanced when information governance includes a clear understanding of an organisation’s data storage, data backup, and data flow. Knowing which data is most important, and where it lives, enables prioritisation. This feeds into the need for.... 

 2. A more uniform IT structure 

Consolidation of digital capabilities, and interoperability across the system will be particularly challenging. The NHS has a complex structure, and its IT landscape reflects this.   

According to Imperial College, all 80 NHS organisations that were affected by WannaCry had failed to apply the Microsoft update patch that had been recommended by NHS Digital. NHSE/I have defined Data Security and Protection Requirements (DSPR), but detailed technical specifications are lacking.  

Given the myriad of differing hardware and software deployments across the NHS, it is difficult to gauge vulnerabilities precisely, or to assess how well cyber attacks could be resisted. What is very clear is that these vulnerabilities exist and counter-measures need to be strengthened.

The NHS can’t compete with commercial salaries, and so hiring trained cyber security staff can prove difficult. Imperial’s report states that,  

 “In December 2018, about 1.5 years after WannaCry...as much as 25% of NHS trusts had no employees with cyber security qualifications. It also highlighted that among trusts with 3000 to 4000 employees annual cyber security training expenditure may be as little as £500.” 

Employee behaviour is a crucial aspect of information governance in healthcare. All NHS staff are required to undergo Information Governance training and have an understanding of cyber security. We can be certain that few organisations will be 100% compliant. Given the potential for harm in any unsafe employee behaviour, complacency should not be an option.     

None of the above can happen without significant investment. Past data shows there is chronic underinvestment in NHS IT services. According to the BMJ, “Many NHS organisations spend as little as 1-2% of their annual budget on IT, compared with 4-10% in other sectors.”

These digital ambitions will be a great step forward to achieving increased digital access for both patients and clinicians, and ultimately  more optimised and consistent quality of care.