Digital transformation is a huge opportunity for trusts, but when technology goes wrong it can have a major impact on your ability to operate. Trust leaders have a duty to understand technology risks, and make sure the trust has a credible plan to address them.


Understand your risk appetite

Boards need to have explicit conversations about risk appetite. Perhaps the trust carries scars from previous technology failures that are driving you to choose the least risky option. Or perhaps there is pressure to take a risk – for example, a 'big bang' rollout of a new system – due to budget constraints. For important technology decisions, boards should have the opportunity to discuss these trade-offs.

The board needs to have explicit conversations about their level of risk appetite, and an understanding of the source of any aversion, including past scars. Proper risk analyses must be done to gain assurance in the same way you get assurance from clinical experts. A mature approach to risk will mean you don’t blame experts for not foreseeing something. Review the risk register properly as a live resource.

Paul Devlin, Chair, Nottinghamshire Healthcare NHS Foundation Trust

Make it safe to fail

When it comes to technology, it's best to plan for something going wrong. Many modern technologies are designed to be fault tolerant: the system will keep working – to some extent – even if some parts of it are repeatedly failing. The question for trusts is, how can we make our organisation fault tolerant, as well as our technology systems?

This is undoubtedly more difficult in health and care where, as the Academy of Medical Royal Colleges has pointed out, the tech mantra of "move fast and break things" does not fit well when applied to patient care. But there are ways NHS leaders can begin to address this. For example, boards can look to support the professionalisation of CIOs, which will help with safer transformation.

Promote a learning culture

Much like in patient safety, technology failures are far less likely to happen in the future if there is a just culture where people can talk openly about them without fear of blame. Many digital teams hold regular retrospectives where participants are reassured that:

"Regardless of what we discover, we understand and truly believe that everyone did the best job they could, given what they knew at the time, their skills and abilities, the resources available, and the situation at hand." Norm Kerth, Project Retrospectives: A Handbook for Team Review

Once lessons have been identified, a learning culture also means making sure teams have the time and resources to take action. For example, after a major outage boards should be asking whether the teams responsible have what they need to address the root causes and reduce the chance of it happening again.

Implement systems incrementally

Modern technology makes it cheaper and easier to try something new – in a way that wasn’t possible with the big, expensive systems of the past. Starting small, testing and then scaling up is one of the best ways to reduce the risk of a new system not working as intended, or not meeting the needs of patients and staff. The Great North Care Record programme's vision statement is clear about the expected pace: "these changes will not be achieved in a single leap. Our ambition is to build maturity over time".

Your biggest challenge as a leader is holding people’s attention for a three-year programme which doesn’t immediately deliver significant outputs. Therefore, it’s important you don’t overpromise. Instead, be honest about the limitations and explain to people that the change will take time.

Dr John Byrne, Executive Medical Director, Humber Teaching NHS Foundation Trust

Keep your options open

Sometimes large technology projects can be ‘too big to fail’. Too much actual and political capital has been spent. Contracts have been signed that are near impossible to break. However, beware the sunk cost fallacy: in these situations it can be worthwhile considering your options.

Boards – and in particular non-executives – can play a role in opening up this conversation, especially when senior leaders are closely tied to a particular project. Use these situations as a learning opportunity: delivering smaller technology projects incrementally, with more flexible commercial terms, is one of the best safeguards against this happening again.

 

Manage risks, don't just document them

Sometimes risk management can become an industry in logging theoretical risks on a spreadsheet, rather than taking action. Be clear on the difference between risks and live issues that are already in play. Boards should push to actively test risks where possible, for example through incident simulations. Leaders should look out for technology issues that arise when rehearsing major incidents. This will help you better understand what actually might happen, or how certain risks will play out differently than anticipated.

There's no shortcut to a mature risk management approach. Promoting a learning culture will help, as will establishing regular, open channels of communication between delivery teams, senior leaders and boards. As board members, you will seek assurance through what you hear, what you read and what you see (the triangulation of evidence).


The risk of doing nothing

Implementing new technology can introduce risk, but so can standing still. As technology ages, trusts can be exposed to layers of risk they’re not fully aware of. Systems can be running normally for years, but break when they’re overloaded with more data than they were ever designed to cope with. Or perhaps a system that was implemented many years ago is now so old that none of the current staff know how it works, or how to fix it if it breaks.

Boards should be aware of the biggest incumbent technology risks faced by the trust, and understand the plan to address them. It is also worth reflecting on the need to balance short-term and long-term risk: failing to innovate now can leave organisations behind as technology moves forward.

 

Case Study

Introducing new systems incrementally at North West Ambulance Service NHS Foundation Trust

The success of the SafeCheck work was driven by a clear sense of purpose, the leadership of an authentic clinician, the incubation of ideas, rigorous testing, rapid modification and a clear understanding of ‘why?’.

Maxine Power, Director of Quality, Innovation and Improvement, North West Ambulance NHS Foundation Trust

Context

Vehicle, equipment and medicine checks are required before an ambulance can be taken on the road. These checks were previously recorded on paper which meant records were difficult to update, monitor, track and effectively respond to. It made it almost impossible for the trust’s leadership to identify trends, and the board struggled to gain assurance on non-compliance.

 

Approach

A small team, led by senior paramedics, was empowered to design and develop a new digital quality assurance platform for recording these checks. The trust’s leaders permitted the team to run a six-week testing cycle, using a Plan Do Study Act (PDSA) approach to test and iterate a prototype system. A set of design principles was also developed to ensure the new system would meet both user and organisational needs. This included making the new system accessible on all vehicle types, ensuring real-time audit and reporting functionality, and ensuring it could be accessed on all mobile phones and devices. A notice board was placed inside the ambulance station where the new system was tested, so all staff on different shifts could see the changes being implemented. Detailed user feedback was captured throughout the testing as the SafeCheck system was developed and then scaled across the trust.

 

 

Cyber security risks

Given how much we now rely on technology, cyber security is critical to the resilience of NHS trusts. Responsibility for making sure trusts have good cyber security sits firmly with boards. The impact that the WannaCry ransomware attack had on the NHS underlined both the importance of this, and the weaknesses in some parts of NHS cyber security.

The threat of cyber attacks is real for all trusts; most attacks are opportunistic, using known techniques. The sensitive nature of patient data increases the stakes considerably. However, boards should beware of security 'myths' that could prevent them from adopting modern technologies or using data to improve care. It’s commonplace for people less familiar with modern technologies (i.e. Internet, web, open source, cloud, mobile) to worry that these are somehow less 'secure' than the technologies they are used to.

The truth is that no technology has a monopoly on security: it's down to how it is set up, the controls around it and – ultimately – how it is used by staff and patients. Cyber security shouldn't be a blocker to technology progress – in fact, good cyber security is critical to robust systems trusted by all. Ongoing investment is also key: sweating technology assets and just “keeping the lights on” can leave organisations exposed.

There is plenty of support available to help trusts improve their cyber security. NHS Digital has invested heavily in this area in recent years, and the UK's National Cyber Security Centre (NCSC) has published a Board Toolkit for organisations to encourage discussions between boards and technical experts. In 2018, the NCSC posed these five questions on cyber security for board agendas:

 

  1. How do we defend our organisation against phishing attacks?
  2. How does our organisation control the use of privileged IT accounts?
  3. How do we ensure that our software and devices are up to date?
  4. How do we make sure our partners and suppliers protect the information we share with them?
  5. What authentication methods are used to control access to systems and data?

Given the recent attacks on NHS organisations, we would also add:

  6. What are we doing to reduce the potential impact of a successful attack (e.g. ransomware)?

There’s a tendency within the NHS to document risk and not actually do anything to manage and mitigate those identified. Instead, you need to have active engagement and a really clear plan which includes the costs of managing and mitigating.

Barry Thurston, Chief Information Officer, London Ambulance Service NHS Trust

Key considerations for boards

  • Don't be scared: Technology can be an intimidating topic for some board leaders, and many carry the scars of technology failures. But standing still isn’t a viable option – boards need to balance risks with the opportunities technology can provide.
  • Things will go wrong: Trusts should create a fault-tolerant environment where risks are acted on, changes can be safely tested and failures can be talked about openly without fear of blame.
  • Cyber threats are real: There are tried-and-tested ways to protect against cyber attacks, and boards should make sure this work is prioritised given how serious the consequences of a successful attack on the NHS can be.