Category Archives: health

Aftermath of the cyber attack – will ministers learn the wrong lessons?

By Tony Collins

At least 16 NHS trusts out of 47 that were hit by the ransomware attack continue to face problems, according to BBC research.

And, as some patients continued to have their cancer treatments postponed, Tory, Labour and Lib-dem politicians told of their plans to spend more money on NHS IT.

But will any new money promised by government focus on basic weaknesses – such as the lack of interoperability and the structural complexities that made the health service vulnerable to cyber attack?

Last year when the health secretary Jeremy Hunt announced £4bn for NHS IT, his focus was on new technologies such as smartphone apps to order repeat prescriptions rather than any urgent need to upgrade MRI, CT and other medical devices that rely on Windows XP.

Similarly the government-commissioned Wachter review “Making IT Work: Harnessing the Power of HealthInformation Technology to Improve Care in England made no mention of Windows XP or any operating system – perhaps because ministers were much more likely to welcome a review of NHS IT that focused on innovation and new technologies.

Cancer treatments postponed

The Government’s position is that the NHS was not specifically targeted in the cyber attack and that the Tories are putting £2bn into cyber security over the next year.

Theresa May said yesterday,

“It was clear warnings were given to hospital trusts but this is not something that was focused on attacking the NHS. 150 countries are affected. Europol says there are 200,000 victims across the world. Cyber security is an issue we need to address.

“That’s why the government, when we came into government in 2010, put money into cyber security. It’s why we are putting £2bn into cyber security over the coming year.”

Similarly Jeremy Hunt, health secretary, told the BBC that the attack affected international sites that have “some of the most modern IT systems”.

But the BBC’s World at One gave an example of how the NHS’s IT problems were affecting the lives of patients.

It cited the case of Claire Hobday whose radiography appointment for breast cancer at Lincoln County Hospital was cancelled on Friday (12 May 2017) and she still doesn’t know when she’ll receive treatment. Hobday said,

“I turned up by hospital transport for my second radiotherapy session, and I, along with many other patients – at least 20 other people were waiting – and they said the computers weren’t working.

“I do have to say the staff were very good and very quickly let us all know that they were having trouble with the computers. They didn’t want to misinform us, so they were going to come and talk to us all individually and hoped they would be able to rectify it.

“Within half an hour or so they came out and said, ‘We’re really sorry but it’s not going to get sorted. We’ll send you all home and give you a call on Sunday’ which didn’t happen.

“But they did ring me this morning (15 May 2017) to say it’s not happening today and if transport turns up please don’t get in it, and it’s very unlikely it will happen tomorrow.

“It is just a bit upsetting that other authorities have managed to sort it but Lincolnshire don’t seem to have been able to do that.”

United Lincolnshire Hospitals Trust told World at One it will be back in touch with patients once the IT system is restored.

Roy Grimshaw was in the middle of an MRI scan – after dye was injected into his blood stream –  when the scan was stopped and he was asked to go back into the waiting room in his gown, with tubes attached to him, while staff investigated a computer problem. After half an hour he was told the NHS couldn’t continue the scan.

Budgets “not an issue”?

GP practices continue to be affected. Keiran Sharrock, GP and medical director of Lincolnshire local medical committee, said yesterday (15 Mat 2017) that systems were switched off in “many” practices.

“We still have no access to medical records of our patients. We are asking patients to only contact the surgery if they have an urgent or emergency problem that needs dealing with today. We have had to cancel routine follow-up appointments for chronic illnesses or long-term conditions.”

Martha Kearney – BBC World at One presenter –  asked Sharrock about NHS Digital’s claim that trusts were sent details of a security patch that would have protected against the latest ransomware attack.

“I don’t think in general practice we received that information or warning. It would have been useful to have had it,” replied Sharrock.

Kearney – What about claims that budget is an aspect of this?

Sharrock: “Within general practice that doesn’t seem to be the reason this happened. Most general practices have people who can work on their IT and if we’d been given the patch and told it needed to be installed, most practices would have done that straight away.”

GCHQ

World at One also spoke to Ciaran Martin, Director General for Government and Industry Cyber Security.  He is a member of the GCHQ board and its senior information risk owner.  He used to be Constitution Director at the Cabinet Office and was lead negotiator for the Prime Minister in the run-up to the Edinburgh Agreement in 2012 on a referendum on independence for Scotland.

Kearney: Did your organisation issue any warnings to the health service?

Martin: “We issue warnings and advice on how to upgrade defences constantly. It’s generally public on our website and it’s made very widely available for all organisations. We are a national organisation protecting all critical sectors and indeed individuals and smaller organisations as well.”

Huge sums spent on paying ransoms?

Kearney asked Martin, “How much money are you able to estimate is being spent on ransoms as a result of these cyber attacks?” She added,

“I did hear one astonishing claim that in the first quarter of 2016 more money was spent in the USA on responding to ransomware than [was involved] in armed robberies for the whole of that year?”

Martin: “First let me make clear that we don’t condone the payment of ransoms and we strongly advise bodies not to pay and indeed in this case the Department of Health and the NHS have been very clear that affected bodies are not to pay ransoms. Across the globe there is, sadly, a market in ransomware. It is often the private sector in shapes and sizes that is targeted.”

Martha Kearney said the UK may be a target because it has a reputation for being willing to pay ransoms.

Martin, “We are no more or less a target for ransomware than anywhere else. It’s a global business; and it is a business. It is all about return on investment for the attacker.

“What’s important about that is that it’s all about upgrading defences because you can make the return on investment lower by making it harder to get in.”

If an attacker gets in the aim must be to make it harder to get anything useful, in which case the “margin on investment goes down”. He added,

“That’s absolutely vital to addressing this problem.”

Are governments at fault?

Martin,

“Vulnerabilities will always exist in software. Regardless of who finds the underlying software defect, it’s incumbent on the entire cyber security ecosystem – individual users, enterprises, governments or whoever – to work together to mitigate the harm.”

He added that there are “all sorts of vulnerabilities out there” including with open source software.

Windows XP

Computer Weekly reports – convincingly – that the government did not cancel an IT support contract for XP.

Officials decided to end a volume pricing deal with Microsoft which left NHS organisations to continue with XP support if they chose to do so. This was clearly communicated to affected departments.

Government technology specialists, reports Computer Weekly, did not want a volume pricing deal with Microsoft to be  “comfort blanket” for organisations that – for their own local reasons – were avoiding an upgrade from XP.

Computer Weekly also reported that civil servants at the Government Digital Service expressed concerns about the lack of technical standards in the NHS to the then health minister George Freeman.

Freeman was a Department of Health minister until July 2016. In their meeting with Freeman, GDS officials  emphasised the need for a central body to set technical standards across the NHS, with the authority to ensure trusts and other organisations followed best practice, and with the transparency to highlight those who chose not to.

A source told Computer Weekly that Jeremy Hunt was also briefed on the security risks that a lack of IT standards would create in a heavily-federated NHS but it was not considered a priority at that top political level.

“Hunt never grasped the problem,” said the source.

There are doubts, though, that Hunt could have forced trusts to implement national IT security standards even if he’d wanted to. NHS trusts are largely autonomous and GDS has no authority to mandate technical standards. It can only advise.

How our trust avoided being hit

A comment by an NHS IT lead on Digital Health’s website gives an insight into how his trust avoided being hit by the latest cyber attack.  He said his trust had a “focus on perimeter security” and then worked back to the desktop.

“This is then followed up by lots of IG security pop ups and finally upgrading (painfully) windows XP to windows 7…” He added,

“NHS Digital have to take a lead on this and enforce standards for us locally to be able to use.”

He also suggests that NHS Digital sign a Microsoft Enrollment for Windows Azure [EWA] agreement as it is costly arranging such a deal locally.

 “NHS Digital must for me, step in and provide another MS EWA as I am sure the disruption and political fall-out will cost more. Introduce an NHS MS EWA, introduce standards for software suppliers to comply with latest OS and then use CQC to rate organisations that do not upgrade.”

Another comment on the Digital Health website says that even those organisations that could afford the deployment costs of moving from XP to Windows 7 were left with the “professional” version, which “Microsoft has mercilessly withdrawn core management features from (e.g. group policy features)”.

The comment said,

“There are a lot of mercenary enterprises taking advantage of the NHS’s inability to mandate and coordinate the required policies on suppliers which would at least give the under-funded and under-appreciated IT functions the ability to provide the service they so desperately want to.”

A third comment said that security and configuration management in the NHS is “pretty poor”. He added, “I don’t know why some hospitals continue to invest in home-brew email systems when there is a national solution ready and paid for.

“In this recent attack most the organisations hit seem to use local email systems.”

He also criticised NHS organisations that:

  • Do not properly segment their networks
  • Allow workstations to openly and freely connect to each other in a trusted zone.
  • Do not have a proper patch / update management regime
  • Do not firewall legacy systems
  • Don’t have basic ACLs [access control lists)

Three lessons?

  • Give GDS the ability to mandate no matter how many Sir Humphreys would be upset at every challenge to their authority. Government would work better if consensus and complacency at the top of the civil service were regarded as vices, while constructive, effective and forceful criticism was regarded as a virtue.
  • Give the NHS money to spend on the basic essentials rather than nice-to-haves such as a paperless NHS, trust-wide wi-fi, smartphone apps, telehealth and new websites. The essentials include interoperability – so that, at the least, all trusts can send test results and other medical information electronically to GPs –  and the upgrading of medical devices that rely on old operating systems.
  •  Plan for making the NHS less dependent on monolithic Microsoft support charges.

On the first day of the attacks, Microsoft released an updated patch for older Windows systems “given the potential impact to customers and their businesses”.

Patches are available for: Windows Server 2003 SP2 x64Windows Server 2003 SP2 x86, Windows XP SP2 x64Windows XP SP3 x86Windows XP Embedded SP3 x86Windows 8 x86, and Windows 8 x64.

Reuters reported last night that the share prices of cyber security companies “surged as investors bet on governments and corporations spending to upgrade their defences”.

Network company Cisco Systems also closed up (2.3%), perhaps because of a belief that it would benefit from more network spending driven by security needs.

Security company Avast said the countries worst affected by WannaCry – also known as Wannacypt – were Russia, Taiwan, Ukraine and India.

Comment

In a small room on the periphery of an IT conference on board a cruise ship , nearly all of the senior security people talked openly about how their board directors had paid ransoms to release their systems after denial of service attacks.

Some of the companies – most of them household names – had paid ransoms more than once.

Until then, I’d thought that some software suppliers tended to exaggerate IT security threats to help market their solutions and services.

But I was surprised at the high percentage of large companies in that small room that had paid ransoms. I no longer doubted that the threats – and the damage – were real and pervasive.

The discussions were not “off-the-record” but I didn’t report their comments at the time because that would doubtless have had job, and possibly even career ramifications, if I had quoted the security specialists by name.

Clearly ransomware is, as the GCHQ expert Kieran Martin put it, a global business but, as ransoms are paid secretly – there’s not a whisper in corporate annual accounts – the threat has not been taken seriously enough in some parts of the NHS.

The government’s main defence is that the NHS was not targeted specifically and that many private organisations were also affected.

But the NHS has responsibility for lives.

There may be a silver lining if a new government focuses NHS IT priorities on the basics – particularly the structural defects that make the health service an easy target for attackers.

What the NHS doesn’t need is a new set of politicians and senior civil servants who can’t help massaging their egos and trying to immortalise their legacy by announcing a patchwork of technological marvels that are fun to work on, and spend money on, but which gloss over the fact that much of the NHS is, with some notable exceptions, technologically backward.

Microsoft stockpiled patches – The Register

UK government, NHS and Windows XP support – what really happened – Computer Weekly

NHS letter on patches to counter cyber attack

Multiple sites hit by ransomware attack – Digital Health (31 comments)

Lessons from the WannaCrypt – Wannacry – cyber attack according to Microsoft

 

Advertisements

NHS “Wachter” digital review is delayed – but does it matter?

By Tony Collins

The Wachter review of NHS technology was due to be published in June but has been delayed. Would it matter if it were delayed indefinitely?

A “Yes Minister” programme about a new hospital in North London said it all, perhaps. An enthusiastic NHS official shows the minister round a hospital staffed with 500 administrators. It has the latest technology on the wards.

“It’s one of the best run hospitals in the country,” the NHS official tells the minister, adding that it’s up for the Florence Nightingale award for the standards of hygiene.

“But it has no patients,” says the minister.

Another health official tells the minister,

“First of all, you have to sort out the smooth running of the hospital. Having patients around would be no help at all.” They would just be in the way, adds Sir Humphrey.

In the Wachter’s review’s terms of reference (“Making IT work: harnessing the power of health IT to improve care in England“)  there is a final bullet point that refers, obliquely, to a need to consider patients. Could the Wachter terms of reference have been written by a satirist who wanted to show how it was possible to have a review of NHS IT for the benefit of suppliers, clinical administrators and officialdom but not patients?

The Wachter team will, according to the government,

• Review and articulate the factors impacting the successful adoption of health information systems in secondary and tertiary care in England, drawing relevant comparisons with the US experience;

• Provide a set of recommendations drawing on the key challenges, priorities and opportunities for the health and social care system in England. These recommendations will cover both the high levels features of implementations and the best ways in which to engage clinicians in the adoption and use of such systems.

In making recommendations, the board will consider the following points:

• The experiences of clinicians and Trust leadership teams in the planning, implementation and adoption of digital systems and standards;

• The current capacity and capability of Trusts in understanding and commissioning of health IT systems and workflow/process changes.

• The current experiences of a number of Trusts using different systems and at different points in the adoption lifecycle;

• The impact and potential of digital systems on clinical workflows and on the relationship between patients and their clinicians and carers.

Yes, there’s the mention of “patients” in the final bullet point.

Existing systems?

nhsSome major IT companies have, for decades, lobbied – often successfully – for much more public investment in NHS technology. Arguably that is not the priority, which is to get existing systems to talk to each other – which would be for the direct benefit of patients whose records do not follow them wherever they are looked at or treated within the NHS.

Unless care and treatment is at a single hospital, the chances of medical records following a patient around different sites, even within the same locality, are slim.

Should a joining up of existing systems be the main single objective for NHS IT? One hospital consultant told me several years ago – and his comment is as relevant today –

“My daughter was under treatment from several consultants and I could never get a joined-up picture. I had to maintain a paper record myself just to get a joined-up picture of what was going on with her treatment.”

Typically one patient will have multiple sets of paper records. Within one hospital, different specialities will keep their own notes. Fall over and break your leg and you have a set of orthopaedic notes; have a baby and you will have a totally different set of notes. Those two sets are rarely joined up.

One clinician told me, “I have never heard a coroner say that a patient died because too much information was shared.”

And a technology specialist who has multiple health problems told me,

“I have different doctors in different places not knowing what each other is doing to me.”

As part of wider research into medical records, I asked a hospital consultant in a large city with three major hospitals whether records were shared at least locally.

“You must be joking. We have three acute hospitals. Three community intermediate teams are in the community. Their records are not joined. There is one private hospital provider. If you get admitted to [one] hospital and then get admitted to [another] the next week your electronic records cannot be seen by the first hospital.  Then if you get admitted to the third hospital the week after, again not under any circumstances will your record be able to be viewed.”

Blood tests have to be repeated, as are x-rays; but despite these sorts of stories of a disjointed NHS, senior health officials, in the countless NHS IT reviews there have been over 30 years, will, it seems, still put the simplest ideas last.

It would not cost much – some estimate less than £100m – to provide secure access to existing medical records from wherever they need to be accessed.

No need for a massive investment in new technology. No need for a central patient database, or a central health record. Information can stay at its present location.  Just bring local information together on local servers and provide secure access.

A locum GP said on the Pulse website recently,

“If you are a member of the Armed Forces, your MO can get access to your (EMIS-based) medical record from anywhere in the world. There is no technical reason why the NHS cannot do this. If need be, the patient could be given a password to permit a GP to see another Surgery’s record.”

New appointments

To avoid having patients clog up super-efficient hospitals, Sir Humphrey would have the Wachter review respond to concerns about a lack of joined up care in the NHS by announcing a set of committees and suggesting the Department of Health and NHS England appoint a new set of senior technologists.

Which is just what has happened.

Last week NHS England announced  “key appointments to help transform how the NHS uses technology and information”. [One of the NHS appointments is that of a Director of Digital Experience, which is not a fictional title, incidentally. Ironically it seems to be the most patient-facing of the new jobs.]

Said the announcement,

“The creation of these roles reflects recommendations in the forthcoming review on the future of NHS information systems by Dr Bob Wachter.

“Rather than appoint a single chief information and technology officer, consistent with the Wachter review the NHS is appointing a senior medical leader as NHS Chief Clinical Information Officer supported by an experienced health IT professional as NHS Chief Information Officer.

“The first NHS Chief Clinical Information Officer will be Professor Keith McNeil, a former transplant specialist who has also held many senior roles in healthcare management around the world, including Chief Executive Officer at Addenbrooke’s Hospital, Cambridge University Hospitals NHS Foundation Trust and Chief Executive Officer at the Royal Brisbane and Women’s Hospital in Australia.

“The new NHS Chief Information Officer will be Will Smart, currently Chief Information Officer at the Royal Free London NHS Foundation Trust. Mr Smart has had an extensive career in IT across the NHS and in the private sector.

“The NHS CCIO and NHS CIO post-holders will act on behalf of the whole NHS to provide strategic leadership, also chairing the National Information Board, and acting as commissioning ‘client’ for the relevant programmes being delivered by NHS Digital (previously known as the Health and Social Care Information Centre).

“The roles will be based at NHS England and will report to Matthew Swindells, National Director: Operations and Information, but the post-holders will also be accountable to NHS Improvement, with responsibility for its technology work with NHS providers.

“In addition, Juliet Bauer has been appointed as Director of Digital Experience at NHS England. She will oversee the transformation of the NHS Choices website and the development and adoption of digital technology for patient ‘supported self-management’, including for people living with long term conditions such as diabetes or asthma. Ms Bauer has led delivery of similar technology programmes in many sectors, including leading the move to take Times Newspapers online…”

Surely a first step, instead of arranging new appointments and committees, and finding ways of spending money on new technology, would be to put in place data sharing agreements between hospitals?

A former trust chief executive told me,

“In primary care, GPs will say the record is theirs. Hospital teams will say it is our information and patient representative groups will say it is about patients and it is their nformation. In maternity services there are patient-held records because it is deemed good practice that mums-to-be should be fully knowledgeable and fully participating in what is happening to them.

“Then you get into complications of Data Protection Act. Some people get very sensitive about sharing information across boundaries: social workers and local authority workers. If you are into long-term continuous care you need primary care, hospital care and social care. Without those being connected you may do half a job or even less than that potentially. There are risks you run if you don’t know the full information.”

He added that the Summary Care Record – a central database of every patient’s allergies, medication and any adverse reactions to drugs, was a “waste of time”.

“You need someone selecting information to go into it [the Summary Care Record]so it is liable to omissions and errors. You need an electronic patient record that has everything available but is searchable. You get quickly to what you want to know. That is important for that particular clinical decision.”

Is it the job of civil servants to make the simple sound complicated?

Years ago, a health minister invited me for an informal meeting at the House of Commons to show me, in confidence, a one-page civil service briefing paper on why it was not possible to use the internet for making patient information accessible anywhere.

The minister was incredulous and wanted my view. The civil service paper said that nobody owned the internet so it couldn’t be used for the transfer of patient records.  If something went wrong, nobody could be blamed.

That banks around the world use the internet to provide secure access to individual bank accounts was not mentioned in the paper, nor the existence of the CHAPS network which, by July 2011, had processed one quadrillion (£1,000,000,000,000,000) pounds.

Did the briefing paper show that the civil service was frightened by the apparent simplicity of sharing patient information on a secure internet connection? If nothing else, the paper showed how health service officials will tend, instinctively, to shun the cheapest solutions. Which may help to explain how the (failed) £10n National Programe for IT came into being in 2002.

Jargon

Radiation_warning_symbolNobody will be surprised if the Wachter review team’s report is laden with  jargon about “delays between technology being introduced and a corresponding rise in output”. It may talk of how new technology could reduce the length of stay by 0.1528 of a bed day per patient, saving a typical hospital £1.8m annually or 7,648 bed days.

It may refer to visions, envisioning fundamental change, establishing best practice as the norm, and a need for adaptive change.

Would it not be better if the review team spoke plainly of the need for a patient with a fractured leg not having to carry a CD of his x-ray images to different NHS sites in a carrier bag?

Some may await the Wachter report with a weary apprehension that its delay – even indefinitely – will make not a jot of difference. Perhaps Professor Wachter will surprise them. We live in hope.

Wachter review terms of reference.

Review of IT in the NHS

https://ukcampaign4change.com/2016/02/09/another-npfit-it-scandal-in-the-making/

Hunt announces Wachter review

What can we learn from the US “hospitalist” model?

Another NPfIT IT scandal in the making?

By Tony Collins

Jeremy Hunt may have forgotten what he told the FT 2013, as reported in the paper on 2 June 2o13.

Referring to the failed National Programme for IT [NPfIT] in the NHS he said at that time,

“It was a huge disaster . . . It was a project that was so huge in its conception but it got more and more specified and over-specified and in the end became impossible to deliver, but we musn’t let that blind us to the opportunities of technology and I think one of my jobs as health secretary is to say, look, we must learn from that and move on but we must not be scared of technology as a result.”

He added, “I’m not signing any big contracts from behind [my] desk; I am encouraging hospitals and clinical commissioning groups and GP practices to make their own investments in technology at the grassroots level.”

Now the Department of Health (and perhaps some large IT suppliers) have encouraged Hunt to find £4bn for spending on technology that is (again) of questionable immediate need.

Says Computing, “A significant part of the paperless NHS plans will involve enabling patients to book services and order prescriptions online, as well as giving them the choice of speaking to their doctor online or via a video link.”

The £4bn, if that’s what it will cost, is much less than the cost of the NPfIT. But are millions to be wasted again?

[NPfIT was originally due to cost £2.3bn over three years from 2003 but is expected to cost £9.8bn over 21 years, to 2024.]

Yesterday (8 February 2016) the Department of Health announced a “review of information technology in the NHS”. Announcing it Hunt said.

“Improving the standard of care patients receive even further means embracing technology and moving towards a fully digital and paperless NHS.

NHS staff do incredible work every day and we must give them and patients the most up-to-date technology – this review will tell us where we need to go further.”

The NPfIT was supposed to give the NHS up-to-date technology – but is that what’s needed?

A more immediate need is for any new millions of central funding (for the cost would be in the tens of millions, not billions) to be spent on the seemingly mundane objective of getting existing systems to talk to each other, so that patients can be treated in different parts of the NHS and have their electronic records go with them.

This doesn’t need a new national programme for IT. Some technologists working in the NHS say it would cost no more than £150m, a small sum by NHS IT standards, to allow patient data to reside where it is but be accessed by secure links anywhere, much as secure links work on the web.

But the review’s terms of reference make only a passing reference to the need for interoperability.

Instead the review will have terms of reference that are arguably vague – just as the objectives for the NPfIT were.

The Department of Health has asked the review board, when making recommendations, to consider the following points:

  • The experiences of clinicians and Trust leadership teams in the planning, implementation and adoption of digital systems and standards;
  • The current capacity and capability of Trusts in understanding and commissioning of health IT systems and workflow/process changes.
  • The current experiences of a number of Trusts using different systems and at different points in the adoption lifecycle;
  • The impact and potential of digital systems on clinical workflows and on the relationship between patients and their clinicians and carers.

The head of the review board Professor Wachter will report his recommendations to the secretary of state for health and the National Information Board in June 2016.

Members of the National Advisory Group on health IT in England (the review board) are:

  • Robert Wachter, MD, (Chair) Professor and Interim Chairman, Department of Medicine,University of California, San Francisco
  • Julia Adler-Milstein, PhD, Associate Professor, Schools of Information and of Public Health, University of Michigan
  • David Brailer, MD, PhD, CEO, Health Evolution Partners (current); First U.S. National Coordinator for Health IT (2004-6)
  • Sir David Dalton, CEO, Salford Royal NHS Foundation Trust, UK
  • Dave deBronkart, Patient Advocate, known as “e-Patient Dave”
  • Mary Dixon-Woods, MSc, DPhil, Professor of Medical Sociology, University of Leicester, UK
  • Rollin (Terry) Fairbanks, MD, MS, Director, National Center for Human Factors in Healthcare; Emergency Physician, MedStar Health (U.S.)
  • John Halamka, MD, MS, Chief Information Officer, Beth Israel Deaconess Medical Center; Professor, Harvard Medical School
  • Crispin Hebron, Learning Disability Consultant Nurse, NHS Gloucestershire
  • Tim Kelsey, Advisor to UK Government on Health IT
  • Richard Lilford, PhD, MB, Director, Centre for Applied Health Research and Delivery, University of Warwick, UK
  • Christian Nohr, MSc, PhD, Professor, Aalborg University (Denmark)
  • Aziz Sheikh, MD, MSc, Professor of Primary Care Research and Development, University of Edinburgh
  • Christine Sinsky, MD, Vice-President of Professional Satisfaction, AMA; Primary care internist, Dubuque, Iowa
  • Ann Slee, MSc, MRPharmS, ePrescribing Lead for Integrated Digital Care Record and Digital Medicines Strategy, NHS England
  • Lynda Thomas, CEO, MacMillan Cancer Support, UK
  • Wai Keong Wong, MD, PhD, Consultant Haematologist, University College London Hospitals; Inaugural chair, CCIO Leaders Network Advisory Panel
  • Harpreet Sood, MBBS, MPH, Senior Fellow to the Chair and CEO, NHS England and GP Trainee

Comment

Perhaps egged on by one or two major suppliers in behind-the-scenes lobbying, Hunt has apparently found billions to spend on improving NHS IT.

Nobody doubts that NHS IT needs improving.  But nearly all GPs have impressive systems, as do many hospitals.  But the systems don’t talk to each other.

The missing word  from the review board’s terms of reference is interoperability. True, it’s difficult to achieve. And it’s not politically aggrandizing to find money for making existing systems interoperable.

But at present you can have a blood test at the GP, then a separate blood test at the local hospital and the full results won’t go on your electronic record because the GP and hospital are on different systems with no interoperability between them.

If you’re treated at a specialist hospital for one ailment, and at a different hospital 10 to 20 (or say 100) miles away for something else, it may take weeks for your electronic record to reflect your latest treatment.

Separate NHS sites don’t always know what each other is doing to a patient, unless information is faxed or posted between them.

The fax is still one of the NHS’s main modes of cross-county communication. The DoH wants to be rid of the fax machine but it’s indispensable to the smooth running of the NHS, largely because new and existing systems don’t talk to each other.

The trouble with interoperability – apart from the ugliness of the word – is that it is an unattractive concept to some of the major suppliers, and to DoH executives, because it’s cheap, not leading edge and may involve agreements on data sharing.

Getting agreements on anything is not the DoH’s forte. [Unless it’s an agreement to spend more money on new technology, for the sake of having up-to-date technology.]

Last year I broke my ankle in Sussex and went to stay in the West Midlands at a house with a large ground floor and no need to use stairs. There was no communication between my local GP and the NHS in the West Midlands other than  by phone, post or fax, and even then only a summary of healthcare information went on my electronic record.

I had to carry my x-rays on a CD. Then doctors at my local orthopaedic department in Sussex found it difficult to see the PACS images because the hospital’s PCs didn’t have CD players.

A government employee told me this week of a hospital that gave medication to a patient in the hope she would not have an adverse reaction. The hospital did not have access to the patient’s GP records, and the patient was unsure of the name of the medication she’d previously had an allergic reaction to.

Much of the feedback I have had from those who have enjoyed NHS services is that their care and treatment has been impeded by their electronic records not moving with them across different NHS sites.

Mark Leaning, visiting professor, at University College, London, in a paper for health software supplier EMIS, says the NHS is “not doing very well when it comes to delivering a truly connected health system in 2016. That’s bad for patient outcomes.”

That GPs and their local hospital often cannot communicate electronically  is a disgrace given the billions various governments have spent on NHS IT.  It is on interoperability that any new DoH IT money needs to be spent.

Instead,  it seems huge sums will be wasted on the pie-in-the-sky objective of a paperless NHS by 2020. The review board document released today refers to the “ambition of a paper- free health and care system by 2020”.

What’s the point of a paperless NHS if a kaleidoscope of new or existing systems don’t properly communicate?

Congratulations, incidentally, to GP software suppliers TPP and EMIS. They last year announced direct interoperability between their core clinical systems.

Their SystmOne and EMIS Web systems hold the primary care medical records for most of the UK population.

And this month EMIS announced that it has become the first UK clinical systems provider to implement new open standards for interoperability in the NHS.

It says this will enable clinicians using its systems to securely share data with any third party supplier whose systems comply with a published set of open application programme interfaces.

The Department of Health and ministers need to stop announcing things that will never happen such as a paperless NHS and instead focus their attention – and any new IT money – on initiatives that are not subconsciously aimed at either political or commercial gain.

It would be ideal if they, before announcing any new IT initiative, weighed up diligently whether it is any more important, and any more of a priority, than getting existing systems to talk to each other.

Review of information technology in the NHS

EMIS implements open standards

 

What do Ben Bradshaw, Caroline Flint and Andy Burnham have in common?

By Tony Collins

Ben Bradshaw, Caroline Flint and Andy Burnham have in common in their political past something they probably wouldn’t care to draw attention to as they battle for roles in the Labour leadership.

Few people will remember that Bradshaw, Flint and Burnham were advocates – indeed staunch defenders – of what’s arguably the biggest IT-related failure of all time – the £10bn National Programme for IT [NPfIT.

Perhaps it’s unfair to mention their support for such a massive failure at the time of the leadership election.

A counter argument is that politicians should be held to account at some point for public statements they have made in Parliament in defence of a major project – in this case the largest non-military IT-related programme in the world – that many inside and outside the NHS recognised was fundamentally flawed from its outset in 2003.

Bradshaw, Flint and Burnham did concede in their NPfIT-related statements to the House of Commons that the national programme for IT had its flaws, but still they gave it their strong support and continued to attack the programme’s critics.

The following are examples of statements made by Bradshaw, Flint and Burnham in the House of Commons in support of the NPfIT, which was later abandoned.

Bradshaw, then health minister in charge of the NPfIT,  told the House of Commons in February 2008:

“We accept that there have been delays, not only in the roll-out of summary care records, but in the whole NHS IT programme.

“It is important to put on record that those delays were not because of problems with supply, delivery or systems, but pretty much entirely because we took extra time to consult on and try to address record safety and patient confidentiality, and we were absolutely right to do so…

“The health service is moving from being an organisation with fragmented or incomplete information systems to a position where national systems are integrated, record keeping is digital, patients have unprecedented access to their personal health records and health professionals will have the right information at the right time about the right patient.

“As the Health Committee has recognised in its report, the roll-out of new IT systems will save time and money for the NHS and staff, save lives and improve patient care.”

[Even today, 12 years after the launch of the National Programme for IT, the NHS does not have integrated digital records.]

Caroline Flint, then health minister in charge of the NPfIT,  told the House of Commons on 6 June 2007:

“… it is lamentable that a programme that is focused on the delivery of safer and more efficient health care in the NHS in England has been politicised and attacked for short-term partisan gain when, in fact, it is to the benefit of everyone using the NHS in England that the programme is provided with the necessary resources and support to achieve the aims that Conservative Members have acknowledged that they agree with…

“Owing to delays in some areas of the programme, far from it being overspent, there is an underspend, which is perhaps unique for a large IT programme.

“The contracts that were ably put in place in 2003 mean that committed payments are not made to suppliers until delivery has been accepted 45 days after “go live” by end-users.

“We have made advance payments to a number of suppliers to provide efficient financing mechanisms for their work in progress. However, it should be noted that the financing risk has remained with the suppliers and that guarantees for any advance payments have been made by the suppliers to the Government…

“The national programme for IT in the NHS has successfully transferred the financing and completion risk to its suppliers…”

Andy Burnham, then Health Secretary, told the House of Commons on 7 December 2009:

“He [Andrew Lansley] seems to reject the benefits of a national system across the NHS, but we do not. We believe that there are significant benefits from a national health service having a programme of IT that can link up clinicians across the system. We further believe that it is safer for patients if their records can be accessed across the system…” [which hasn’t happened].

Abandoned NHS IT plan has cost £10bn so far

Why was NHS e-Referral service launched with 9 pages of known problems?

By Tony Collins

Were GPs guinea pigs for live testing of the new national NHS e-Referral Service?

Between 2004 and 2010 the Department of Health marked as confidential its lists of problems with national NPfIT systems, in particular Choose and Book.

So the Health and Social Care Information Centre deserves praise for publishing a list of problems when it launched the national “e-Referrals” system on Monday. But that list was 9 pages long.

The launch brought unsurprised groans from GPs who are used to new national systems going live with dozens of known problems.

The e-Referral Service, built on agile “techniques” and based on open source technology, went live early on Monday to replace “Choose and Book” for referring GP patients to hospitals and to other parts of the NHS.

Some GPs found they could not log on.

“As expected – cannot refer anything electronically this morning. Surprise surprise,” said one GP in a comment to “Pulse” on its article headlined “Patient referrals being delayed as GPs unable to access e-Referrals system on launch day.”

A GP practice manager said: “Cannot access in south London. HSCIC debacle…GPs pick up the pieces. Changing something that wasn’t broken.”

Another GP said: “I was proud never to have used Choose and Book once. Looks like this is even better!”

Other GPs said they avoided using technology to refer patients.

“Why delay referral? Just send a letter. (Some of us never stopped).”

Another commented: “I still send paper referrals – no messing, you know it has gone, no time wasted.”

Dr Faisal Bhutta, a GP partner in Manchester, said his practice regularly used Choose and Book but on Monday morning he couldn’t log in. “You can’t make a referral,” he said.

The Health and Social Care Information Centre has apologised for the disruption. A statement on its website says:

“There are a number of known issues, which are currently being resolved. It is not anticipated that any of these issues will pose a clinical safety risk, cause any detriment to patient care or prevent users from carrying out essential tasks. We have published the list of known issues on our website along with details of how to provide feedback .”

But why did the Centre launch the e-Referral Service with 9 pages of known problems? Was it using GPs as guinea pigs to test the new system?

Comment

The Health and Social Care Information Centre is far more open, less defensive and a better communicator than the Department of Health ever was when its officials were implementing the NPfIT.

But is the HSCIC’s openness a good thing if it’s accompanied by a brazen and arrogant acceptance that IT can be introduced into the NHS without a care whether it works properly or not?

In parts of the NHS, IT works extraordinarily well. Those who design, test, implement and support such systems care deeply about patients. In many hospitals the IT reduces risks and helps to improve the chances of successful outcomes.

But in other parts of the NHS are some technology enthusiasts – at the most senior board level – who seem to believe that all major IT implementations will be flawed and will be improved by user feedback.

The result is that IT that’s inadequately designed, tested and implemented is foisted on doctors and nurses who are expected to get used to “teething” troubles.

This is dangerous thinking and it’s becoming more and more prevalent.

Many poorly-considered implementations of the Cerner Millennium electronic patient record system have gone live in hospitals across England with known problems.

In some cases, poor implementations – rather than any faults with the system itself – have affected the care of patients and might have contributed to unnecessary deaths when records needed urgently were not available, or hospitals lost track of urgent appointments.

A CQC report in March 2015 said IT was a possible factor in the death of a patient because NHS staff were unable to access electronically-held information.

In another incident a coroner criticised a patient administration system for being a factor in the death of three year-old Samuel Starr whose appointment for a vital scan got lost in the system.

Within NHS officialdom is a growing cultural acceptance that somehow a poor IT implementation is different to a faulty x-ray machine that delivers too high a dose of radiation.

NHS officials will always brush off IT problems as teething and irrelevant to the care and safety of patients. Just apologise and say no patient has come to any harm.

So little do IT-related problems matter in the NHS that unaccountable officials at the HSCIC have this week felt sufficiently detached from personal accountability to launch a national system knowing there are dozens of problems with the use of it.

Their attitude seems to be: “We can’t know everything wrong with the system until it’s live. So let’s launch the system and fix the problems as GPs give us their feedback.”

This is a little like the NHS having a template letter of regret to send to relatives and families of patients who die unexpectedly in the care of the NHS. Officials simply fill in the appropriate name and address. The NHS can then fix the problems as and when patients die.

It’s surely time that bad practice in NHS IT was eradicated.  Board members need to question more. When necessary directors must challenge the blind positivism of the chief executive.

Some managers can learn much about the culture of care at the hospitals that implement IT successfully.

Patients, nurses and doctors do not exist to tell hospital managers and IT suppliers when electronic records are wrong, incomplete, not available or are somebody else’s record with a similar name.

And GPs do not exist to be guinea pigs for testing and providing feedback on new national systems such as the e-Referral Service.

e-Referral Service “unavailable until further notice”

Hundreds of patients lost in NPfIT systems

Hospital has long-term NPfIT problems

An NPfIT success at Croydon? – Really?

Physicians’ views on electronic patient records

Patient record systems raise some concerns, says report

Electronic health records and safety concerns

Secrecy is one reason gov’t IT-based projects fail says MP

By Tony Collins

The BBC, in an article on its website about Fujitsu’s legal dispute with the Department of Health, quotes Richard Bacon MP who, as a member of the Public Accounts Committee, has asked countless civil servants about why their department’s IT-based change projects have not met expectations.

Bacon is co-author of a book on government failures, Conundrum, which has a chapter on the National Programme for IT [NPfIT] in the NHS.

In the BBC article Bacon is quoted as saying that the culture of secrecy surrounding IT-based projects is one of the main reasons they keep going so badly – and expensively – wrong.

He says it has been obvious to experts from an early stage that the NPfIT, which was launched by Tony Blair’s government, would be a “train wreck” because the contracts were signed “in an enormous hurry” and contained confidentiality clauses preventing contractors from speaking to the press.

He says the urge to cover things up means that “we never learn from our mistakes because there is learning curve, but when things go wrong with IT the response is to keep it quiet”.

Citing the example of air accident investigations, which are normally conducted in a spirit of openness so lessons can be learned, he says “It is the complete opposite in IT projects, where everyone keeps their heads down and goes hugger-mugger.”

Fujitsu versus Department of Health

Fujitsu sued the Department of Health for £700m after the company was ejected six years early [2008] from a 10-year £896m NPfIT contract signed in January 2004.  The case went to arbitration – and is still in arbitration, largely over the amount the government may be ordered to pay Fujitsu.  Bacon says the amount of the settlement will have to be disclosed.

“I don’t know how the government can honestly keep this number quiet. It simply cannot do it. It is not possible or sensible to keep it quiet when you are spending this much money,” says Bacon.

The BBC article quotes excerpts from a Campaign4Change blog

Government ‘loses £700m NHS IT dispute with Fujitsu’ – BBC News

 

Medication errors 6 months after “admin” system goes live

By Tony Collins

When Croydon Health Services NHS Trust went live with Cerner Millennium in October 2013 a spokesman told eHealth Insider:

“The new system will give everyone working at the trust better access to information and an accurate picture of what all of our services are doing. This will allow staff to make quicker, more informed decisions about the care patients need. It will improve the quality, safety and efficiency of care.”

The go-live has indeed brought some benefits. The trust says these include more efficient management of medicines, more detailed patient information being conveyed between shifts and departments, and better management of beds.

But earlier this week Campaign4Change reported on some of the problems associated with the go-live including 50,000 patients on the trust’s waiting list and a “serious incident” declared over diagnostic waits including extended waits for patients with suspected cancer.

Said the trust’s Audit Committee in March 2014 – 6 months after the go-live of the Cerner Millennium Care Records Service [CRS] :

“CRS Millennium Lessons Learned

“KB [COO and Deputy Chief Executive] outlined the context in which the implementation of CRS had taken place from the time the Business case had been approved in 2010 to the commencement of deployment in January 2011 and its subsequent implementation to date.

“She noted the 7 official “go live” dates which were reflected in the lessons learned report many of which fell during a period of organisational change.

“She noted that the deployment in CHS [Croydon Health Services NHS Trust] had been the most comprehensive deployment to take place nationally.

“It was noted that Programme Team had considered the lessons learned from other [NPfIT] Care Records Service deployments as part of the implementation programme at CHS and that there was no evidence of harm to patients despite the challenges around delivery of service.

” However significant operational challenges were experienced and a deep dive into the implementation of CRS was carried out and the findings submitted to the Finance & Performance Committee and the Trust Development Authority.

“In relation to ‘no harm to patients’ SC [Chairman] asked what empirical evidence there was to support the findings of the Deep Dive.

“KB explained from October 2013 to date there were 50,000 patients on the waiting list, but a patient validation exercise had taken place which had confirmed that no patients had come to any harm.

“The potential backlog would be cleared by the end of March but in the meantime those patients on waiting lists would be subject to a further clinical review to ensure that there was no harm.”

In fact the trust is still working through the backlogs; and long waiting times are not the only matters arising from the Cerner Millennium implementation. A medication safety report for the month of March 2004 highlights these lessons:

“The patient was prescribed Furosemide for acute pulmonary oedema on 12/03/2014. The drug was not administered and the reason not documented. On review of the incident, it was identified that there was a mis-communication between both nurses and the fact that they have started using a new computer system had caused confusion which led to the error. Once error identified the dose was given and ward sister has ensured that staff will go for further training if unsure on how to use the CRS Millennium system…

“Third incident was a failure to administer fluids (Normal Saline) in an acute kidney injury patient with an admission creatinine of greater than 700. Again there was confusion with the electronic prescribing system and the nurse thought that patient did not have a drug chart as the electronic prescribing system had gone live whereas in fact there was a paper drug chart for the fluid. The position of the venflon on the patient arm also contributed to the delay. Once error identified the fluids were given but were not running to time and patient improved. Ward sister has ensured that staff will go for further training if unsure on how to use the CRS Millennium system and staff were also briefed about poor documentation of the incident…

“Fourth incident occurred involved a patient prescribed ACS protocol for NSTEMI, Positive trop T. The aspirin 300mg, clopidogrel 300mg and fondaparinux 2.5mg were not administered and not signed for. Omission of medicines was discussed with doctor looking after the patient and the patient did not come to any harm. Omission occurred as agency staff did not know how to use CRS Millennium. On review of incident all staff were briefed on importance of patients being administered medicines on time and in particular a discussion took place between agency staff and for agency staff to have adequate CRS Millennium training. There are champion users nurses on wards who are able to train Agency staff.

NPfIT

Cerner Millennium is provided to the trust under a national contract hosted by the Department of Health and managed via a Local Service Provider (LSP) contract with BT. The contract covers trusts in London and the south of England.

The DH contract expires on 31st October 2015 after which point the DH will no longer fund any of the services currently hosted by them. This includes both the software and licencing costs for Cerner Millennium as well as the BT data storage facilities and other costs.

The DH requires all trusts with Cerner under the NPfIT to commit to an exit strategy before 31st October 2015.

Comment

Is Cerner Millennium merely an administrative system as officials at Croydon Health Services NHS Trust claim it is?  The implication is, with an administrative system, that it cannot be involved in any harm to patients. Officials at Connecting for Health when they ran the NPfIT used to describe Cerner Millennium as an administrative system.

It is the deployment of this “admin” system at Croydon that is implicated in medication errors, a waiting list of 50,000 people, and long waits for diagnostic tests for people with suspected cancer.

If Whitehall and NHS officials cannot see the system as other than administrative, this is a mistake that may help to explain why a poor service for patients, which sometimes has serious potential clinical implications,  is so commonplace, even months after go-live.

50,000 on waiting list and cancer test delays after NPfIT go-live

50,000 on waiting list and cancer test delays after NPfIT go-live

By Tony Collins

Croydon hospitals have built up a waiting list of 50,000 patients since a Cerner electronic patient record system go-live last October, according the trust’s latest board papers.

And, since the go-live, more than 2,200 patients have waited at least 6 weeks for diagnostic tests, of which 160 have been identified as “urgent suspected cancer and urgent patients”.  This backlog may take until the end of August to clear, say the board papers of the Croydon Health Services NHS Trust which includes Croydon’s Mayday Hospital, now the University Hospital.

The trust has declared a “serious incident” as a result of the diagnostics backlog. An SI can be reported when there is possibility of unexpected or avoidable death or severe harm to one or more patients.

“No harm”

The trust concedes that its waiting times pose a “potential clinical risk” but the board papers say several times that there is no evidence any patient has come to harm.  This assurance has been questioned by some trust board members. The trust continues to investigate.

Croydon is the latest in a long line of trusts to have had serious disruption after a Cerner go-live under the NPfIT, with BT as the installation partner.

The trust has kept the implications for patients confidential. This may contravene the NHS’s “duty of candour” – to report publicly on things that go wrong. The duty has come about in the wake of the suffering of hundreds of people in the care of Mid Staffordshire NHS Trust.

Croydon Health Services NHS Trust has decided not to publish its “Cerner Deep Dive” or Cerner “Lessons Learnt” reports, and discussions on the reports have been in Part 2 confidential sections of board meetings.

The trust defended its “Part 2” approach in its statement (below).

Meanwhile the Health and Social Care Information Centre, which runs the NPfIT local service provider contracts, including BT’s agreement to supply Cerner to hospitals in London,  has commissioned Cerner to capture the benefits nationally of Cerner installations.

Q&A

My questions and points to the trust, and its responses are below.

From me to the trust:

Croydon had good reasons to go live with Cerner, and DH funding was a further incentive but the trust does not appear to have been in a position to go live – at any stage – with a Big Bang Cerner implementation. The 7 aborted official go-live dates might have been a sign of why.  It would have been a brave decision to cancel the implementation, especially as:

–  the trust had spent 2 years preparing for it

– DH, BT and Cerner had put a lot of work into it

– there was DH pressure to go live especially after all the missed go-live dates.

The latest board papers say 6 or more times in different places that there has been no harm to patients as a result of the delays and waits.  Some members have raised questions on this and there is the matter of whether the trust is commissioning its own assessments (marking its own work).

On this:

– 50,000 on waiting list

– Cerner deep dive not published

– Lessons Learnt not published (concealment of failures, against the spirit of duty of candour called for by Robert Francis QC and Jeremy Hunt?)

– Diagnostics – an SI reported. The trust has considered the contributing issues which related to Cerner implementation but has not published details of the discussion. Again a concealment of failures?

– An accumulation of over 2,200 patients that were waiting over 6 weeks for diagnostics. Out of that number 160 patients were identified as urgent suspected cancer (USC) and urgent patients.  Can the trust – and patients – be sure there has been no harm?

– “… external assurance through an external clinician will provide the assurance that no patients have suffered harm as a result of the length of the waiting times”. Bringing in an external clinician to provide an assurance no patients have been harmed seems to pre-judge the outcome.  The trust appears to be marking its own work, especially as the backlog of patients awaiting diagnostics may not be cleared until the end of August.

– Managing public and GP perceptions? “Members agreed that GP interactions should be held off until the investigations had produced definite findings. However the Communications Department are on standby to publish information to GPs if required, and the Trust is ready to react to other enquiries. The Trust will in any event publish the incident report after the investigation has been completed.”

– “… the implementation of Cerner in October 2013 had an impact on activity levels and the delivery of RTT standards”. Again no report on this published.

– “An independent assessor would re-check all patients to assure that no harm has resulted. The Committee noted the progress report and requested that this is referred to a Part 2 meeting of the Trust Board …” Concealment of failures again?

– In the past the DH has been prepared to treat patients as guinea pigs in Cerner Big Bang implementations. The philosophy appears to be that the implementations will inevitably be disruptive but it’s for the good of patients in the longer term. That this approach may be unfair on patients in the short term, however, seems not to trouble the NHS hierarchy.

It’s clear clinicians and IT staff are doing their best and working hard for the benefit of patients but the implementation was beyond their control. Meanwhile complaints are increasing, Croydon Health Services was one of the lowest rated trusts for overall patient experience and a sizeable minority of local residents don’t choose the local hospitals for care or treatment. That said some patients rate their care very highly on NHS Choices (although some don’t). The University hospital is rated 2.5 stars out of 5.

One of the most surprising statements in the board papers is this: “… despite the weaknesses in the programme, the overall success of the deployment had been recognised at a national level”. A success? Can the trust in essence say what it likes? Nobody knows for sure what the facts are, given that the trust decides on what to publish and not to publish.

The trust’s response to the above points and questions:

“Due to a temporary failure of our administrative systems, the Trust found in February 2014 that a number of patients who needed to be seen by the imaging service were in breach of the six week waiting standard.

“We have taken immediate action to correct this and are undertaking a thorough review to confirm that no patients were harmed as a result.  The Trust is now working hard to treat patients currently on our waiting lists.  This is referenced in our publicly available Board papers.

“CRS Millennium has delivered a number of improvements that support improving patient experience at the Trust, including more efficient management of medicines, more detailed patient information being conveyed between shifts and departments and better management of beds within the organisation.”

Lessons?

Below are some of the lessons from Croydon’s Cerner go-live. Although the trust hasn’t published its “Lessons Learnt” report, some of lessons are mentioned in its latest board papers:

  • Insufficient engagement from operational and clinical colleagues
  • Time pressures were felt when a full dress rehearsal stretched the capabilities of the information team.
  • Insufficient time and resources were allocated to completion of the outline business and full business cases, as well as to due diligence on the options and costs.  [Business cases for Cerner are still unpublished.]
  • Trust directors agreed that a business case for a project of the size and complexity of the CRS Millennium should have taken longer than 6 weeks to prepare.
  • A failure of senior managers to take stock of the project at its key stages.
  • Too strong a focus on technical aspects
  • Clinicians not always fully appreciating the impact of the changes the system would deliver
  • The hiring of an external change manager to lead the deployment who proved to be “less than wholly successful because of the resulting deficiency in previous experience or knowledge of the culture of the organisation”.
  • The individual left the organisation part way through deployment which led to further challenges.
  • The right people with the right skills mix were not in place at the outset to achieve the transformational change necessary to successfully deploy a new system such as CRS

Comment 

NHS trusts have good reason to modernise their IT using the widely-installed  Cerner electronic patient record system, especially  if it’s a go-live under the remnants of the NPfIT, in which case hospitals receive DH funding and gain from having BT as their installation partner.

But why does a disruption that borders on chaos so often follow NPfIT Cerner implementations? Perhaps it’s partly because the benefits of Cerner, and the extra work required by nurses and doctors and clerical staff to harvest the benefits, is underestimated.

It is in any case difficult to convey to busy NHS staff that the new technology will, in the short-term, require an increase in their workload. Staff and clinicians will need to capture more data than they did on the old system, and with precision. The new technology will change how they work, so doctors may resent it initially, especially as there may be shortcomings in the way it has been implemented which will take time to identify and solve.

The problem with NPfIT go-lives is that they take place in an accountability void. Nobody is held responsible when things go badly wrong, and it’s easy for trusts to play down what has gone wrong. They have no fear of authoritative contradiction because they keep their implementation assessments confidential.

What a difference it would make if trusts had an unequivocal duty of candour over electronic health record – EHR – deployments. They would not be able to go live until they were ready.

The disruption that has followed NPfIT Cerner go-lives has been serious. Appointments and tests for suspected cancer have been lost in the administrative confusion that follows go-live. There have been backlogs of appointments for tens of thousands of patients. Operating theatres have gone under-used because of mis-scheduled appointments.

Now and again a patient may die unnecessarily but the problems have been regarded by the NHS centrally as collateral damage, the price society pays for the technological modernisation of the NHS.

Richard Granger, when head of the NPfIT, said he was ashamed of some Cerner installations. He described some of them as “appalling” but since he made his comments in 2007, some of the Cerner installations have been more disruptive than those he was referring to.

Provided each time there is no incontrovertible evidence of harm to patients as a result of a go-live, officials give the go ahead for more NPfIT Cerner installations.

Guinea pigs?

Disruption after go-live is too often treated as an administrative problem. Croydon’s statement refers to a “temporary problem with our administrative systems”. But new patient record systems can harm patients, as the inquest on 3-year-old Samuel Starr heard.

It’s time officials stopped regarding patients as guinea pigs in IT go-lives. It compounds the lack of accountability when trusts such as Croydon keep the reports from the go-live secret.

Trusts need better technological support but not at the cost of treating any harm to patients as collateral damage.

A tragic outcome for Cerner implementation at Bath?

Openness and honesty is a rarity after health IT problems

Mishandled electronic health record transition

A botched Cerner EHR implementation?

Trinity Medical Center reaches Cerner settlement

If an insurer wants your medical records should your GP say no?

By Tony Collins

Pulse reports that the Information Commissioner’s Office is to put questions to Aviva after learning that it has been requesting patients’ full GP records to underwrite some insurance policies.

An ICO spokesperson told Pulse it would be contacting insurer Aviva to ‘understand more’ about their use ‘subject access requests’ for collecting medical information on patients and ‘how these accord with the [Data Protection] Act’.

Aviva confirmed to Pulse that it has been using the method – with customer consent – for almost 12 months.

In a response to the article, an anonymous GP publishes his practice’s standard reply to such questions from insurers:

“Thank you for your medical records subject access request.  We formally decline to undertake this.

“We draw your attention to paragraph “2.12 Access to patient records from insurers and mortgage providers” on page 112 of the ‘Information Governance Review: To Share or Not to Share’ published in March 2013.

“The Panel also heard concerns that insurers and mortgage lenders may seek to use their influence to request whole records from GPs, as a condition of supplying insurance or a mortgage.

“The General Medical Council has issued specific guidance for GPs112 and the British Medical Association and the Association of British Insurers (ABI) have produced joint guidelines 113 to allow relevant data about patients to be shared appropriately with insurers on a basis of explicit, written consent.

“In addition, principle 3 of the Data Protection Act 114 offers further safeguards as it allows organisations to hold only ‘adequate, relevant and not excessive’ personal data about an individual.

“This means insurers and mortgage lenders cannot hold more information about an individual than they need. The act also requires organisations to identify in advance and then request only the minimum amount of data needed for a particular purpose.

“The Review Panel concluded that these guidelines, combined with the safeguards offered by the Data Protection Act offer sufficient to prevent inappropriate sharing of whole records with insurers and mortgage lenders.

“We suggest that you apply for a PMA report in the normal way.  Alternatively the patient may apply for a copy of their records having made a pre payment of £50 to the practice and is at liberty to send you any or all of their medical records.

“We cannot guarantee that the patient may withhold part of their medical record. You have a duty not to hold any more information than you require.

“I would like to advise that I believe you to be in breach of the DPA, in particular paras 112, 113 and 114 of the Information Governance Review. If we receive another similar request from your company we will be compelled to report the matter to the Information Commissioner.”

 

A tragic outcome for Cerner Millennium implementation at Bath?

By Tony Collins

Three year-old Samuel Starr died in the arms of his parents as his they read him his favourite stories at the local hospital. 

At an inquest this week his parents, and specialists, raised questions about whether long delays in arranging appointments on a new Cerner Millennium system at Bath’s Royal United Hospital, which replaced an old “TDS” patient administration system, was a factor in his death.

Ben Peregrine, the speciality manager for paediatrics at the RUH in Bath,  told the inquest:

“Samuel’s appointment request must have fallen through the cracks between the old and new system.”

After successful heart surgery at 9 months, Samuel should have had regular scans to see if his condition had worsened. But he didn’t have any scans for 20 months, in part because of difficulties in organising the appropriate appointments on Bath’s new Millennium systems.

Though there is no certainty, Samuel may be alive today if he’d had the scans.

In a review of Samuel’s death, which took place in November 2012, the details of which have only just been made public, Bristol Children’s Hospital concluded that appointment delays might have played a part.

It said: “Death was felt to be possibly modifiable if [there had been] earlier surgery before cardiac function deteriorated.”

Samuel had his first surgical procedure, open heart surgery at Bristol Royal Hospital for Children, on 3 March 2010. He was discharged six days later, and referred to the Paediatric Cardiac Clinic at the Royal United Hospital in Bath for check-ups.

This week’s inquest heard that the first check-up took place in Bristol in October 2010, when an echocardiogram, also known as an ‘echo’, was carried out. Samuel’s parents, Paul Starr and Catherine Holley, expected a follow-up appointment in January 2012 but by March they’d not received one.

Their community nurse rang the hospital five times in as many months for a follow-up appointment but could not arrange one. When another echo was eventually taken in June 2012 – 20 months after the first – it was found that Samuel needed urgent surgery which proved more complicated than expected. He died on 6 September 2012.

Paul Starr told the BBC that during the long delays in obtaining an appointment for a further scan Samuel’s heart function went from good to bad. He said: “It is not like he had bad care in that time. He had no care at all.”

Ben Peregrine, the speciality manager for paediatrics at the hospital, told the inquest:

“The new system is now up and running as best as it can be, but as long as there is still humans entering the information there will always be room for error.”

The BBC reported that the delay in Samuel’s treatment “came after a new computerised appointment booking system was introduced at the RUH in 2011. It was only after an appointment had been set that doctors discovered the three-year-old, from Frome in Somerset, needed open heart surgery.”

BBC West’s Inside Out obtained a hospital document “Issues for discussion including any action or learning to be taken as a result of the child’s death. Issues that require broader multi-agency discussion” that has as its first bullet point:

“Failure of the RUH Millennium computer software to organise appointments at the designated time leading to a delay of three months before Samuel was seen by (redacted) in Bath.

“Parents have since told me that Samuel had not had an ECHO for 20 months prior to June 2012. At his previous cardiac appointment (April 2011) [redacted] failed to carry out an ECHO because he was not expecting to see Samuel despite Samuel’s parents being sent an appointment for this day.”

It appears that events at Bath after the Cerner go-live have, in the main, followed a pattern at a dozen or so other trusts that have installed the Millennium system.

The pattern was outlined in a Campaign4change post in December 2012:

– go-live

– chaos

– a trust admission that potential problems, costs and risks were underestimated

– a public apology to patients

– a trust promise that the problems have been fixed

– trust board papers that show the problems haven’t been fixed or new ones have arisen

– ongoing difficulties producing statutory and regulatory reports

– provision in trust accounts for unforeseen costs

– continuing questions about the impact of the new system on patients

– a drying-up of information from the trust on the full consequences of the EPR implementation, other than public announcements on its successful aspects.

Catherine Holley, Samuel’s mother, believes the Millennium implementation at the Royal United Hospital at Bath might have followed the above cycle.

Bath went live with Cerner Millennium at the end of July 2011. An upbeat trust statement at the time to E-Health Insider said:

“We can confirm that the new Cerner Millennium IT system successfully went live on Friday 29 July – as planned – at Royal United Hospital Bath NHS Trust.

“BT and Cerner worked closely with the trust and the Southern Programme for IT on the implementation over the past year – a complex and major change management programme.”

As part of its investigation into Samuel’s death, the BBC asked the RUH how many appointments were overdue to delayed because of the new computer system. Said the BBC’s Inside Out West programme:

“They told us there were 63 overdue appointments some with delays of up to 2 years before they were discovered.”

Separately an FOI request to the trust on the Millennium installation brought the response that there have been 65 cardiac outpatients’ appointments “that have been identified as being were missed due to problems with the delayed and that occurred around implementation of Cerner Millennium… All of these appointments have been followed up and actioned as required.”

The RUH is not discussing Samuel Starr’s death. A spokesperson said the inquest is expected to give Samuel’s family and everyone involved in his care a clearer indication of the circumstances surrounding his death. “We have offered our sincere condolences to the family of Samuel Starr following his sad death.”

Contradictory

RUH Board reports on Millennium’s deployment have had a general “good news” tone. But some of the reports have mentioned potentially serious problems. This was in an RUH board report in 2011 on Millennium:

“… there were significant issues with clinic templates and data that had not been migrated. This affected encounters with long term follow up appointments. As a result this meant that there was unplanned downtime across Outpatients and backlogs developed in addition to those produced as a result of planned downtime”.

Comment:

What’s striking about the reports to the Bath board of directors on the Cerner Millennium implementation is their similarity, in tone and substance, to the “good news” reports of deployments of Millennium at other trusts.

The go lives are nearly always depicted as successes for clinicians that have had minor irritations for administrators.

Now we know from the RUH Bath’s implementation of Millennium that when appointments are delayed as a result of inadequate preparations for, and structural settlement of, a new patient administration system, it can be a matter of life and death.

Indeed the BBC, in its investigation into Samuel Starr’s short life, raises the question of whether delayed appointments have been a factor in other deaths.

But do trusts genuinely care about the bigger picture, or do they regard each case of harm or death as an individual, unique event, to be reviewed after the problems come to light?

At the RUH Bath, IT appears to be treated as a separate department, too little interweaved with care and treatment. Managers talked enthusiastically of smartcard use, the work of the service desk, the need for more printers, resolving BT outages, the benefits of the service security model, champion users and floorwalkers, completing the Readiness Workbook, and keeping the Deployment Hazard Document up to date – while the parents of Samuel Starr could not get an appointment on the new system for their son to have a vital heart scan.

In 2011 a senior executive at Bath told his trust staff: “Our partners BT and Cerner are describing it [the go-live of Cerner Millennium] as the smoothest deployment yet” and “we now have the foundation in place to meet the future needs of the Trust and the NHS”.

Will things improve?

The comment in my post of December 2012, which was about Royal Berkshire’s implementation of Cerner Millennium, seems apt so some it may be worth repeating (below).

“Some Cerner implementations go well and bring important benefits to hospitals and their patients. Some implementations go badly. One question the NHS doesn’t ask, but perhaps should, is: what level of problems is acceptable with a new electronic patient record system?

“It appears from some EPR implementations in the NHS that there is no such thing as a low point. No level of disruption or damage to healthcare is deemed unacceptable.

“Berkshire’s chief executive Edward Donald speaks the truth when he says that the trust’s implementation of Cerner was more successful than at other NHS sites. This is despite patients at his trust attending for clinics that did not exist, receiving multiple requests to attend clinics and not receiving follow-up appointments…

“The worrying thing for those who use the NHS is that, as far as new IT is concerned, it is like flying in a plane that has not been certified as safe – indeed a plane for which there has been no statutory requirement for safety tests. And if the plane crashes it’ll be easy for its operators and supplier to deny any responsibility. They can argue that their safety and risk ratings were at “green” or “amber-green”.

“The lack of interest in the NHS over the adverse effect on patients of patient record implementations means that trusts can continue to go ahead with high-risk electronic patient record system go-lives without independent challenge.”

This very thing seems to have happened at the RUH Bath – with possibly tragic consequences.

Thank you to openness campaigner Dave Orr for drawing my attention to the BBC’s investigation into Samuel Starr’s death.

RUH booking system might have contributed to boy’s death – BBC

Boy died after scan delay – BBC

Best Cerner Millennium implementation yet?