Insource brings the power of unified data to healthcare organisations to help drive better patient outcomes, streamline operational efficiency, and extract essential insight by ensuring all foundational data is accessible for informed decision making – despite the legacy infrastructure. With over 20 years’ expertise, more than 60 trusts, health boards, and ICSs currently use their services for informed trust-wide management, elective recovery, and ICS insight and control.
The Problem
Over recent months, the NHS has been doubling down on digital health technology companies to ensure they meet the Digital Technology Assessment Criteria (DTAC). These are the national baseline criteria that digital technology companies must comply with to work in, or enter, the NHS and social care.
Whilst Insource was already compliant with the information security standards (ISO27001) and has also been consecutively ‘exceeding standards’ for their Data Security Protection Toolkit (DSPT) for the last few years, Insource needed specialist support to navigate the DTAC. This is because some of its solutions, including Health Data Enterprise (HDE) – a suite of data management solutions that helps solve critical data accuracy, consolidation and automation issues, and Patient Pathway Plus, a data engine which supports fast and targeted elective recovery, did not naturally fit into the requirements of the DTAC.
The key issues related to ‘Section D: key principles for success’ under the usability and accessibility criteria which presented a practical challenge as very little of the Insource application is exposed via a user interface. With the elements in this section determining the ‘compliance rating’ for the overall product(s), it was extremely important for Insource to get this right to avoid any impact on current and future procurements.
“8fold’s substantial experience in assessing DTAC compliance for the NHS made them the obvious choice for Insource,” said Rob Davenport, Chief Technology Officer from Insource.
“They assessed our technology and answered the DTAC questions in a practical way, whilst also being available to represent the company when talking to our customers, including the information governance team, to ensure our position on DTAC compliance is clear and transparent.”
Our first step was to holistically assess the applications in all aspects of the DTAC, including:
We carried out a full DCB0129 Clinical Risk Management assessment and shared reports for both Health Data Enterprise and Patient Pathway Plus. DCB0129 is the mandatory clinical risk management standard that all manufacturers of health IT systems must comply with under the Health and Social Care Act 2012. Following the assessment, clinical safety reports and hazard logs were shared with Insource, recommending some minor remedial actions to be taken.
We conducted penetration testing on the Insource infrastructure as part of section C of the DTAC to assess the technical security criteria. This is used to help the NHS establish whether the products meet industry best practice security standards and whether the data being collected and processed in the application is secure. To do this, we completed an OWASP Top 10 penetration test, which identifies potential vulnerabilities that could be exploited to attack the system, allow users to bypass controls, escalate privileges, or extract sensitive data.
We reviewed the information governance processes to ensure they continue to uphold the highest standards expected for data protection, and we also updated the Data Protection Impact Assessments (DPIA). DPIAs enable suppliers to systematically and comprehensively analyse the processing of personal information to help identify and minimise any data protection risks. They consider compliance risks but also broader risks to the rights and freedoms of individuals.
As a registered clinician, Haniyah Khanum is the Clinical Safety Officer for Insource. Haniyah strives to improve the safety and quality of services for everyone; whether that’s for patients, staff or citizens. She is also a registered midwife who has worked in the NHS for many years and is therefore uniquely placed to assess digital technologies from different standpoints. She said: “It’s a pleasure to support innovations like Patient Pathway Plus and Health Data Enterprise that are making a real difference to people’s everyday lives, by ensuring they are supported to uphold the highest standards in safety and security that we all expect from our health and care services. I’m pleased that 8fold has been able to play a key role in making that happen.”
The purpose of DTAC is to support the NHS to assess products quickly and consistently. DTAC is a live process incorporating many moving parts, making it challenging for digital technology companies to easily share their compliance status with NHS clients, causing delays in the implementation of new technologies. This communication is most often done through file sharing and email exchange which makes it hard to effectively manage documents, track changes and monitor compliance. However, since launching the UK’s first DTAC Portal, 8fold has revolutionised the way suppliers share their compliance status with the NHS.
The DTAC Portal allows those responsible for monitoring DTAC compliance to securely access real-time information in one place. Through 8fold, Insource has shared two live DTAC Portals: one for Health Data Enterprise and one for Patient Pathway Plus. These portals are populated with all the information that governance and procurement teams in the NHS hospitals need. Live access to the portal has allowed NHS clients to systematically assess the DTAC documentation in a quick and convenient manner, helping to streamline any procurement, implementation and renewal processes.
Since completion, we have been instructed by Insource to act as their Data Protection Officer (DPO), Information Governance Officer (IGO) and Clinical Safety Officer (CSO). Transferring responsibility for these elements means that Insource benefits from specialist support which ensures that all requirements under DTAC, including clinical safety and technical security of the applications, remain up to date. This includes compliance with the DSPT, along with annual penetration testing.
Rob added: “Working with 8fold gives us enormous peace of mind that Insource is meeting the strictest of data conformance standards. Our customers can be confident that Insource is one of the first UK companies to meet this highest criteria for clinical risk, data security and information governance.”
Let’s see how we can help you navigate DTAC or any other aspect of information governance, data protection or clinical safety.