27 December 2016
For years, networked IT systems in the NHS have had to deal with a range of contending technological compulsions and political pressures.
At the strategy level, there’s the obligation to engage with top-down prestige projects which can prove a source of all-round reputational damage when they go awry. These projects proceed on the centralised, directorial belief that a mega-organisation of the NHS’ size requires big (again centralised) IT. That’s despite the fact that smaller-scale initiatives founded on progressive principles of localised requirements, funding and accountability, still win through.
Meanwhile, at a grassroots tactical level, there’s the need to manage emerging technology usage trends over which frontline techies have limited command. The NHS’ ground-level resources have traditionally been geared toward operational medical applications and services, running alongside administrative and other key support applications. Some industry insiders say this model is being radically remade due to the infiltration of personalised mobile technologies.
While the NHS’ travails with big IT programmes have been much reported, those regional ICT implementations that meet a range of requirements from critical medical applications to vital administrative support functions do not otherwise get the wider recognition they deserve. And the contribution of other branches of wide-scale IT infrastructure – such as the N3 national broadband IP network that securely connects 1.3 million of the service’s employees in England – should not be overlooked.
“Network downtime for a corporation might result in lost revenue, but in hospitals it can be the difference between life and death,” says Andrew Graley, Polycom’s director of healthcare, government and education. “The urgency of communications means that network resilience needs to be better than it is in the private [business] sector.”
Extraordinary IT environment
The heightened demands placed on ICT in the NHS are bound to carry across onto the networked IT teams tasked with both maintaining business-as-usual and optimising the IT estate, while also extending its reach.
Innopsis is a not-for-profit trade association representing firms providing communication, network or application products and services to the public sector. According to its information governance director, Des Ward, the NHS’ extraordinary working environment calls for an exceptional range of technological competences and interpersonal skills.
“It is hard to think of another organisation that [is under] the obligation to work with so many other departments, and that has the same level of multi-touch that is standard within healthcare. Similarly, [it’s hard to think of] one that has to face the consequences of not getting it right – which, at worst, equates to harm to patients.”
Ward adds that the dilemma for healthcare providers is that by their very nature they have to be both risk averse and innovative in their use of new technologies to improve patient care.
Matt Lovell, CTO at Pulsant, agrees: “Just consider the huge number of integrated and disparate systems across different interfaces and regions that’s involved in delivering a consistent healthcare experience. This complexity introduces further demands that other vertical sectors don’t have to worry about. Nor do they have to negotiate through the differences in financial budgets and pressures that individual units inside the NHS have to prioritise.”
Compared to sectors like banking, manufacturing, or retail, the other main difference in the NHS is the speed of change. Healthcare is experiencing – and driving – more rapid change than ever before, notes Graley. But he points out that implementation tends to be “hindered” by the sheer scale of the organisation: “The NHS is the UK’s single biggest employer and it takes a while for a ship that large to change course.”
These constraints are key to understanding why technological redevelopment seems to play out at a different pace in the NHS. Private sector organisations can recognise a business benefit of a technology, implement it at a faster rate, then pay for it at a slower rate, according to Graley.
“Commercial verticals are willing to use different kinds of finance options than the public healthcare sector which makes it easier to get network project budgets signed-off. The private sector is more likely to opt for subscription- or leasing-based ownership models, compared with the [upfront] capital expenditure model that a lot of healthcare organisations still use.”
Even if the NHS’ ability to both buy-in and buy-into IT change might proceed at a more moderate rate compared to other verticals, at the same time, the day-to-day mission-critical issues it has to deal with are ones that most other sectors would be hard-pressed to maintain control of.
Lovell reckons there are two principal issues here. “First, healthcare workflows and priorities can change significantly and rapidly, added to which network managers in this sector may not have as much visibility or notification of these changes as [their counterparts in] other vertical sectors receive.
“The other challenge is increased use of third-party health and well-being technologies, such as wearable devices, [because unfortunately] not all of this has been done in partnership or co-operation with the healthcare sector itself.”
In other vertical sectors, application and usage tend to have more defined projects, targets and outcomes. Here, data collected is used to enhance a proposition and increase sales growth to a specific outcome. But in the UK public health sector, the challenge for IT personnel lies in what Lovell describes as the “prioritisation of the here-and-now”.
Due to public sector resourcing models, this can detract from longer-term planning of the kind that’s standard practice for commercial enterprises.
Like other sectors both private and public, NHS ICT strategies are being steered by the ‘online access expectation syndrome’: an implacable assumption on the part of those working in the service as well as those using it that not only should their personal communications technology be fully functional within NHS premises but, increasingly, that some baseline tech support should be provided for it.
“The challenge facing network managers in public healthcare is that the demand for mobility has rocketed in hospitals,” says Rob Orford, director of healthcare at Azzurri Communications. “Hospitals now want clinical access to systems at the bedside or ‘point of care’. This means that network provisioning is having to move from fixed- to mobile access via Wi-Fi.”
One basic challenge lies in ensuring Wi-Fi signal coverage around campuses that often have many more enclosed spaces, access-controlled areas, restricted zones, lengthy corridors, and sensitive electronic apparatuses than open-plan offices, retail premises or public places.
For instance, Bedford NHS has more than 2,000 staff members, and contracted Xirrus to deploy its first enterprise Wi-Fi network to help enable a BYOD strategy throughout the 400-bed Bedford Hospital. The deployment enables clinicians and staff to use their own devices from anywhere within the hospital site.
“We realised that wireless networking would make it possible for clinicians and administrative staff to have access to the clinical data they need to be able to work more effectively,” says Mark Austin, assistant director of clinical information and business intelligence, and one of the project leads. “Doctors now access patient pathology test results, use electronic prescribing and medicines management, or check X-rays, while doing ward rounds.”
However, some of Bedford Hospital’s older wards date from the Victorian era and have listed building status, so there is little that can be done to the walls, floors, or ceilings to accommodate major IT infrastructure changes.
“The paradox of wireless is for each wireless access point, you need a wire,” says Austin. “Each time you deploy an extra one there is more disruption, more cabling, taking down ceiling tiles, cleaning-up afterwards… and in these old Victorian buildings there is even the question of planning. So the fewer wireless points are needed, the less cabling and wiring is required throughout the hospital.”
Innopsis believes that the ‘right’ assumed by staff and patients to use connected devices within a hospital is one of the thorniest dilemmas faced by NHS managers. While it’s easy to see why medical professionals are likely to want to use consumer devices to manage their workload, share data and access health applications, Ward says this introduces further friction for NHS networking specialists who may not necessarily agree that this is the best way forward: “For instance, how do they then take advantage of the specialist health sensors that are becoming available for the IoT?”
Polycom warns of further dangers: “The size of an NHS trust is probably equivalent to a small corporate enterprise,” says Graley. “One hospital can employ 12,000 people or more, with a ratio of five devices per employee. In those kinds of environments, bandwidth is often restricted. Traffic priority is also complex and critical, as patient data and urgent communications need to take precedence compared to other protocols. The urgency of communications means that network resilience needs to be even better than in the private sector.”
All change – mind the platform
According to Graley, one of the more complicating factors now facing public-sector healthcare IT managers is the diverse nature of data passing over their networks. “Healthcare runs on content. There’s a lot more collaboration happening [between healthcare practitioners], and an increasing percentage of this is video. Simultaneously, real-time content sharing is also increasing. This includes patient data or medical modalities such as CT scans or test results.”
He goes on to point out that for medical professionals to work effectively over networks, there has to be sufficient bandwidth availability so that the quality of these modalities is not compromised. “The data shouldn’t be changed in any way that impacts how they present at the remote end, so that medical errors do not occur in the interpretation between point of store and point of viewing.”
Storage of medical modalities – or methods of therapeutic diagnosis and/or treatment – is important because there is more demand for repeat access to information. In a healthcare context, information can be a recording of a team meeting, which can serve as a more accurate record than written notes, and also means communications between healthcare professionals and patients are accessible at a later date. “This will include audio and video conversations. And if patients themselves need to be able to access these recordings, then there’s a real challenge for network managers in terms of securing that data when accessed externally,” says Graley.
He adds that providing patients with healthcare information for their own personal educational needs is shifting to digital, especially for chronic disease management.
Before merging with the NHS South East Commissioning Support Unit (CSU), Sussex Health Informatics Service was the UK’s largest CSU in terms of its user base, supporting 40,000 staff across 11 NHS member organisations. Working with its partner organisations, it provides a suite of IT offerings as well as governance, project management, training, change management and strategy for NHS trusts in Sussex and the surrounding area.
Peter Ward, the unit’s senior security engineer, says a much larger number of mobile devices are now being used to deliver services. “Five years ago, users maybe brought in one mobile phone and therefore used two IP addresses – desktop and mobile device. That has certainly increased. In fact, people now will have a laptop or tablet, then a work mobile plus a personal one, and sometimes a desktop in addition. Combining all of that with the increase of tablet devices and community laptops being used to deliver clinical services, has created a challenge when costing and planning future capacity for the system.”
The proliferation of connecting mobile devices was one reason why the CSU replaced a legacy intrusion prevention system with the CounterACT NAC platform from security management tools provider ForeScout.
“We wanted real-time visibility of all IP devices on our Sussex Community of Interest Network, and the ability for deeper inspection into suspect users and potentially unwanted applications on connected devices,” Ward explains. “The platform is centrally managed across its distributed sites, and has adapted to a mixed operating environment. Any device on the network is identified and assessed against policy, providing the IT services team with instant intelligence and an automated means to address, mediate, or block any insecure IP device or person highlighted as a risk.”
Is it safe?
Some experts say personal medical information is worth ten times more than a person’s credit card details on the data black market. Criminal hackers will follow the money, and medical data captured and collated by end-users on ‘leaky apps’ and trafficked over unsecured networks presents an opportunity for the Black Hatters. Raj Samani, CTO EMEA at Intel Security, reckons they’re probably already onto it.
The ‘rush’ for personal health monitoring apps has resulted in concerns over information security. Last September, a study from Imperial College London claimed that nearly 90 per cent of the apps that had been checked and approved by the NHS Health Apps Library were not adhering to privacy guidelines, not properly secured, and liable to leak users’ personal data. Although NHS England quickly took steps to address the problems, the report raised the question of whether the health body’s ongoing vetting and accreditation of such software constitutes an added resource drain likely to result in further oversight lapses.
“As the value and volume of stolen healthcare data on the black market increases, hackers [are increasingly] turning their attention to the healthcare sector,” warns Samani. “The industry is crying out for a comprehensive set of security standards or best practices for healthcare apps to address underlying risks and ensure patients’ personal and sensitive data is not exposed to cyber criminals.”
NuData Security says beyond the apps arena, the industry simply isn’t doing enough to protect patient, client, agent, and other user data from known, much less emerging, security threats. NuData director Ryan Wilk says: “Healthcare is becoming a riper target because of the ability to buy and sell large batches of personal data for profit. Medical facilities often do not have systems in place to predict and prevent unusual activity.”
Innopsis’ Des Ward says most hospital campus environments have the public walking through them which breaks traditional security models. “From a physical aspect, the healthcare sector has to deal with almost complete access to the general public at a level that’s not tolerated in any other public sector organisation. In addition, they are obliged to share so much of their data that it is impossible to lock it down. Those are challenges that other organisations, whether corporate or public, don’t face.”
Ward argues that we have to stop worrying about the technology itself and start concerning ourselves with the governance behaviours surrounding information. “These behaviours rarely change despite increased regulation and technical requirements. The reality is that the broad spectrum of devices used within the hospital estate is only going to expand with the rise in applications – and you cannot expect patients to leave all of their devices at the door.”
Azzurri agrees and says that mobile device management in public healthcare can throw up “unique” challenges, particularly when it comes to security. “Network managers must ensure that mobile devices are secure, and that if a device is lost, data on the device is encrypted and can be removed remotely,” says Orford. “NHS security standards [must be] adhered to. What’s more, network managers must ensure an effective infection control regimen and that devices can be hygienically wiped so that they do not pass on infections.”
Orford’s prescription is for remedial reinforcement of the existing rules: “Most trusts have the policies in place for what they can and can’t do, covering everything from phone cameras to patient confidentiality and privacy. Are these policies operationally feasible? They have to be. A public healthcare system has to be able to enforce these policies because the challenges around these technological cost-efficiencies demand it.”