The Insource product suite now meets stringent DTAC compliance targets in all areas including Clinical Safety, Data and Technical Security, and Information Governance with the help of DTAC experts 8fold Governance.
The Problem
Over recent months, the NHS has been doubling down on digital health technology companies to ensure they meet the Digital Technology Assessment Criteria (DTAC). These are the national baseline criteria that digital technology companies must comply with to work in, or enter, the NHS and social care.
Whilst Insource was already compliant with the information security standards (ISO27001) and has also been consecutively ‘exceeding standards’ for their Data Security Protection Toolkit (DSPT) for the last few years, they needed specialist support to navigate the DTAC. This is because some of its solutions did not naturally fit into the requirements of the DTAC. These include Health Data Enterprise (HDE), a suite of data management solutions that helps solve critical data accuracy, consolidation and automation issues, and Patient Pathway Plus, a data engine which supports fast and targeted elective recovery.
The key issues related to ‘Section D: key principles for success’ under the usability and accessibility criteria, which presented a practical challenge as very little of the Insource application is exposed via a user interface. With the elements in this section determining the ‘compliance rating’ for the overall product(s), it was extremely important for Insource to get this right to avoid any impact on current and future procurements.
“8fold’s substantial experience in assessing DTAC compliance for the NHS made them the obvious choice for Insource,” said Rob Davenport, CTO. “They assessed our technology and answered the DTAC questions in a practical way, whilst also being available to represent the company when talking to our customers, including the information governance team, to ensure our position on DTAC compliance is clear and transparent.”
The Strategy
8fold’s first step was to holistically assess the applications in all aspects of the DTAC, including:
● Clinical Risk Management (DCB0129)
8fold carried out a full DCB0129 Clinical Risk Management assessment and shared reports for both Health Data Enterprise and Patient Pathway Plus. DCB0129 is the mandatory clinical risk management standard that all manufacturers of health IT systems must comply with under the Health and Social Care Act 2012. Following the assessment, clinical safety reports and hazard logs were shared with Insource, which recommended some minor remedial actions to be taken.
● Technical security
8fold conducted penetration testing on the Insource infrastructure as part of section C of the DTAC to assess the technical security criteria. This is used to help the NHS establish whether the products meet industry best practice security standards and whether the data being collected and processed in the application is secure. To do this, 8fold completed an OWASP Top 10 penetration test, which identifies potential vulnerabilities that could be exploited to attack the system, allow users to bypass controls, escalate privileges, or extract sensitive data.
● Information Governance
8fold reviewed the information governance processes to ensure they continue to uphold the highest standards expected for data protection, and we also updated the Data Protection Impact Assessments (DPIA). DPIAs enable suppliers to systematically and comprehensively analyse the processing of personal information to help identify and minimise any data protection risks. They consider compliance risks but also broader risks to the rights and freedoms of individuals.
As a registered clinician, Haniyah Khanum is the Clinical Safety Officer for Insource. She strives to improve the safety and quality of services for everyone; whether that’s for patients, staff or citizens. She is also a registered midwife who has worked in the NHS for many years and is therefore uniquely placed to assess digital technologies from different standpoints.
Haniyah said: “It’s a pleasure to support innovations like Patient Pathway Plus and Health Data Enterprise that are making a real difference to people’s everyday lives, by ensuring they are supported to uphold the highest standards in safety and security that we all expect from our health and care services. I’m pleased that 8fold has been able to play a key role in making that happen.”
The Results
The purpose of DTAC is to support the NHS to assess products quickly and consistently. DTAC is a live process incorporating many moving parts, making it challenging for digital technology companies to easily share their compliance status with NHS clients, causing delays in the implementation of new technologies. This communication is most often done through file sharing and email exchange which makes it hard to effectively manage documents, track changes and monitor compliance. However, since launching the UK’s first DTAC Portal, 8fold has revolutionised the way suppliers share their compliance status with the NHS. The DTAC Portal allows those responsible for monitoring DTAC compliance to securely access real-time information in one place.
Through 8fold, Insource has shared two live DTAC Portals: one for Health Data Enterprise and one for Patient Pathway Plus. These portals are populated with all the information that governance and procurement teams in the NHS hospitals need. Live access to the portal has allowed NHS clients to systematically assess the DTAC documentation in a quick and convenient manner, helping to streamline any procurement, implementation and renewal processes.
Since completion, 8fold have been instructed by Insource to act as their Data Protection Officer (DPO), Information Governance Officer (IGO) and Clinical Safety Officer (CSO). Transferring responsibility for these elements means that Insource benefits from specialist support which ensures that all requirements under DTAC, including clinical safety and technical security of the applications, remain up to date. This includes compliance with the DSPT, along with annual penetration testing.
Rob Davenport added: “Working with 8fold gives us enormous peace of mind that Insource is meeting the strictest of data conformance standards. Our customers can be confident that Insource is one of the first UK companies to meet this highest criteria for clinical risk, data security and information governance.”
About 8foldGovernance
8foldGovernance provides DTAC compliance services for digital health technologies. 8fold is the path to DTAC, governance, compliance, clinical safety and data protection success. Having a great product is one thing. Getting it adopted by the NHS requires the most scrupulous approach to information governance and compliance.
8fold helps global companies, start-ups, innovators and entrepreneurs to bring their innovations to market with practical, responsive and professional services in information governance, compliance, software development, security, marketing and more. With a range of support including governance, data protection, clinical safety, compliance, regulatory, cyber essentials, and software development, 8foldGovernance is the partner of choice for the UK health industry.
For more information – https://8foldgovernance.com/