Digital health technology companies that want to become NHS suppliers need to complete the NHS Digital Technology Assessment Criteria (DTAC) for health & social care and self-certify that their product(s) meet these criteria.
The DTAC assessment can be challenging for businesses to navigate alone. There’s no formal certification process, and no external, accredited body to assess the product(s) and offer any stamp of approval. This can make it difficult for digital health tech companies to navigate the DTAC and feel 100% confident about their compliance status.
With NHS England placing increasing emphasis on the need for digital health companies to be DTAC compliant, KiActiv® approached 8foldGovernance for support in demonstrating their compliance, namely with regard to penetration testing and DCB0129 (clinical risk management).
KiActiv® is a digital behaviour change service that remotely supports patients to build physical activity into their everyday routines in a sustainable way, helping to manage and reduce the risk of long-term health conditions.
Operational in the NHS since 2017, KiActiv® collaborated on a research programme with the University of Bath in 2013, which demonstrated that the KiActiv® approach was effective in changing and optimising behaviour to sustainably improve health outcomes over a period of time.
The digital service has since been used across primary, secondary and community care settings to support older patients with multimorbidities, including diabetes, COPD, hypertension, rehabilitation, and more recently, long COVID.
The digital service integrates minute-by-minute physical activity data from a validated wearable device. The online dashboard provides a personalised picture of this information, using proven visualisations that enable people to consider other ways they can optimise their everyday physical activity, e.g. through a planned commute, housework, or even having a meal delivered vs cooking at home. This is supplemented by twelve weeks of motivational mentoring to support people to get the best out of the technology, while also teaching vital self-management skills that prove to be effective for their health in the long term.
The digital service is currently active across 10 Integrated Care Boards (ICBs) and systems (ICS) and is free for patients at the point of use.
The Problem
As a digital health company that values patient safety and compliance, it was important for KiActiv® to find the right advice and guidance from trusted experts in the field of NHS compliance. Tommy Parker, CEO of KiActiv®, approached 8foldGovernance to ensure the highest standards of clinical safety and become DTAC compliant.
“Up until that point it had been a very murky picture in terms of what we needed to do”, said CEO, Tommy Parker. “Whilst there are nice spreadsheets that you can download from NHS England and other companies saying, ‘for X amount of money we’ll tell you whether you’re compliant or not’, it simply wasn’t clear.
“We knew it was going to come so we wanted to get ahead of it – and that’s exactly what 8fold and the DTAC portal has allowed us to do”.
To assess the ‘technical security criteria’ of the KiActiv® product, an OWASP Top 10 penetration test was carried out to ensure compliance with section C of the Digital Technology Assessment Criteria. This helps the NHS to establish whether the product meets industry best-practice security standards and whether the data being collected and processed in the application is secure. The OWASP test seeks to identify any vulnerabilities that could be exploited to attack the system or its users, bypass controls, escalate privileges, or extract sensitive data.
To ensure that clinical safety and clinical risk management were considered and integrated into every part of the business, from product development and operations to user experience, Karen Whitton, Director of Clinical Risk at 8foldGovernance, supported the team to demonstrate their compliance with DTAC and DCB0129.
“Karen was able to get her head into the detail of what we do – focussing on clinical risks and pulling together all the required documentation. It was pretty seamless,” said Tommy.
He adds: “It’s valuable to have that external look at what we do, both from a clinical risk point of view, but also from a process perspective because she pushed us to do more internally, sharing ideas on how we could implement that thinking into our architecture. That’s been extremely valuable.”
As risks and processes vary from business to business, it’s important to ensure that a clinical risk management system is tailored and appropriate to the individual organisation and its products. To provide the greatest value to KiActiv® for the long term, we established a usable clinical risk management system rather than creating a generic and unworkable ‘tick box exercise’ for compliance. Doing so involved getting under the bonnet of KiActiv® as an organisation and product by following the user journeys for both service users and mentors. This process helped to uncover any potential pitfalls which may result in clinical harm.
In close collaboration with the KiActiv® team, we worked through all potentially hazardous scenarios to ensure risks were identified and mitigations introduced. Furthermore, we identified any gaps in the internal documentation and the supporting procedures and assisted the team to implement these new recommendations. The KiActiv® team have been extremely positive throughout the process and Karen continues to be regularly involved in the risk management of their product as the designated Clinical Safety Officer.
Karen said: “Ensuring that patients and users receive the highest quality of care is the driving factor behind creating a functional clinical risk management system. This ensures a systematic approach is taken to identify risk in advance of an update or the release of new functionality. It also avoids any potential clinical incidents and the need to roll back features or updates which can be very costly.”
Since working with 8fold, KiActiv® has been able to demonstrate compliance in all areas of DTAC, including clinical safety, data protection, technical security, interoperability, usability and accessibility.
As well as being assured by a team of registered clinical risk and compliance specialists, the 8fold DTAC Portal allowed KiActiv® to easily share their full DTAC documentation and supporting evidence with their NHS clients, including the information governance team responsible for monitoring compliance. This has made the process of signing up new customers even more seamless. “The Information Governance team typically turns around and says, ‘yes that looks good’ and they sign it off”, says Tommy.
He adds: “Once we ticked everything off, it also enabled us to have more structured conversations with the 8fold team about how to operationalise changes in future and demonstrate our compliance more widely. That was useful to help tie everything up in a neat package, to share and sit behind as something we knew we could rely on.
“Getting that initial sense-check of where we were was really good, and with Karen focussed on how we can mature some of our processes, that builds even better foundations as we scale.”
Let’s see how we can help you navigate DTAC or any other aspect of information governance, data protection or clinical safety.