Key Takeaways

• Clinical safety officers warn that non-compliance with digital safety standards can jeopardize patient safety in healthcare organizations.
• A BBC investigation revealed 126 serious IT-related incidents, including three deaths, across NHS trusts.
• The CSO Council advises regular audits and risk management strategies to address “legacy debt” in digital systems.

Concerns Over Historical Non-Compliance

Clinical safety officers (CSOs) have raised alarms about the potential risks to patient safety caused by healthcare organizations’ longstanding failure to adhere to digital clinical safety standards. The Digital Health Networks CSO Council has issued a warning for NHS trusts and integrated care boards regarding the serious repercussions of neglecting vital tasks such as hazard logging and safety case reporting related to software systems.

This advisory comes on the heels of a BBC investigation conducted in May 2024, which uncovered 126 cases of significant harm linked to IT failures across 31 NHS trusts, culminating in three tragic patient deaths. Faye Clough, the lead clinical safety engineer and CSO at Northumbria Healthcare NHS Foundation Trust, emphasized the prevalent issue of “legacy debt” associated with outdated systems. Many trusts have not engaged manufacturers regarding essential compliance obligations outlined in the DCB 0129 and DCB 0160 regulations, nor have they completed necessary assessments internally.

Clough illustrated the dangers of insufficient oversight: “If a clinical safety officer is excluded from the procurement process for new software, and the manufacturer’s compliance with DCB 0129 is not verified, there is no assurance that all software risks have been adequately considered. It’s akin to purchasing a house without conducting a proper survey—you remain unaware of any underlying safety concerns.”

The problem of legacy debt is exacerbated by the NHS England’s ongoing review of digital clinical safety standards, initiated in December 2024 and expected to be reinforced in 2025. The absence of regulatory oversight for software used in the NHS is particularly alarming, as medical devices must go through stringent reviews by the Medicines and Healthcare products Regulatory Agency. Despite the existence of digital safety standards since 2012, their enforcement has been inconsistent, largely due to many healthcare organizations operating without appointed CSOs.

The CSO Council stresses the importance of taking proactive measures to alleviate legacy debt, which can include performing routine audits and placing issues onto risk registers for high-level management review. Ben Jeeves, outgoing associate chief clinical information officer and CSO at Midlands Partnership NHS Foundation Trust, acknowledged that addressing legacy debt presents a formidable challenge, often necessitating extensive retrospective work. He noted that achieving full compliance with safety cases is unlikely in many scenarios where such debt exists.

Jeeves recommended a higher-level strategy to mitigate risks, which involves conducting a comprehensive review of each system and applying a risk scoring model to assess the overall threat level. Particularly concerning systems that would benefit from a retrospective safety case could then be integrated into existing pipelines and safety case programs.

For further insights, the CSO Council’s advisory statement is available for review.

The content above is a summary. For more details, see the source article.