2020 Vision: Upgrading Key NHS IT Systems to Meet Government Guidelines - White Paper
2020 Vision White Paper, February 2016
Overview

The NHS is changing, and technology is playing a fundamental role in driving this change. An ageing population and growing health problems associated with modern sedentary lifestyles are putting tremendous strain on our health service. When combined with the austerity challenge imposed by the government, it’s clear that digital transformation is the only way to equip the NHS for the 21st Century.

The government’s Five Year Forward View promises to “exploit the information revolution” in a bid to deliver this transformation. An expanded set of accredited NHS health apps, a fully-integrated electronic patient healthcare system, and online bookings for doctors’ appointments are just some of the planned deliverables. It’s all informed by three core goals: prevention, better communication and better use of funding.

Technology alone can’t solve all of the NHS’ challenges, but it is an important part of the solution. Big data analytics using patient information can help better detect and prevent illness; cloud computing and comms tools can improve access to patient data and communication between healthcare professionals, and doctor and patient; paperless ways of working can cut costs and drive efficiencies.

This won’t be easy. The sheer volume of patient data involved and the size of the NHS – which covers 155 Trusts and 8,000 GP practices in England alone – will put tremendous pressure on IT leaders and NHS managers. Advances in technology platforms and newly mandated requirements only add to the challenge.

As a trusted IT provider to the NHS with over 27 years’ experience in the sector, Trustmarque understands these challenges. That’s why we put together this white paper. We hope it will help C-level executives in the health service make informed decisions on two key elements of the technology backbone of the NHS – email, and accessing and storing patient data.
With modern, fit-for-purpose technology in place we can begin to realise the government’s vision for 2020 and create the fighting fit, 21st Century NHS.

“CIOs and IT leaders must take a leadership role in building a more social, mobile, accessible and information-driven work environment.”
Gartner, The Top 10 Strategic Technology Trends for Government in 2015
NHSmail – What Next?

The first iteration of the health service’s email system – NHSmail – was based on Microsoft Exchange 2007. Its replacement, NHSmail 2, is based on Exchange 2013 and will provide a secure platform to communicate with organisations inside and outside the NHS. In addition to email, NHSmail 2 will also offer IMP (Instant Messaging and Presence) through Skype for Business.

The Department of Health (DoH) wants to introduce the secure email standard ISB 1596. Although the timelines for ISB 1596 remain unclear, once introduced, only accredited email systems will be allowed to connect to the rest of the NHS securely. Any email solution could potentially be accredited for ISB 1596, but both NHSmail and Office 365 are already accredited, meaning they are the obvious options. The cost of achieving ISB 1596 on other platforms (e.g. an on-premise Exchange implementation) should not be underestimated, and is an annual commitment.

Key questions NHS professionals will want answered:

Is there any clarity on costs?

It has recently been announced that the core email and IMP functionality of NHSmail 2 will be funded by the DoH through to the end of the contract in 2021. However, add-on collaboration services, such as Team Sites, ‘My Document’ storage, Office online and conferencing, are being offered at a cost per user and will need to be funded by each organisation. Based on the recent letter titled ‘NHSmail and Office 365’ by Dr Simon Eccles, dated 20 January 2016, these add-on services will be offered through special Office 365 plans without email.

At this point there is no clarity on what the cost will be for the core NHSmail 2 functionality of email and IMP after the DoH funding ends. This will leave organisations with a challenge of estimating and forecasting their future budgets. The actual cost for an organisation will depend on the combination of features to be consumed, both from the outset and over time.

Why not carry on using what I have?

If there is a compelling reason to have an on-premise solution, it will need to be ISB 1596 compliant. With the uncertainty over when ISB 1596 will be enforced and the effort required to meet the standard, it is advisable to start this as soon as possible. This accreditation would need to be done annually and it is similar to ISO 27001, so not a cheap undertaking. At this point the exact date for the mandating of ISB 1596 is not clear; for organisations running on-premise email platforms, failure to gain accreditation could leave them unable to connect to the rest of the NHS securely.
Should I switch to Office 365?

Some organisations might be reluctant to choose SaaS (Software as a Service) platforms to run their email because of fears over losing control of systems. But the reality is that SaaS – which is effectively what Office 365 provides – is the perfect choice for organisations looking to reduce operational costs.

Even for an organisation going down the NHSmail 2 route for email, there is significant benefit to be gained by taking the add-on collaboration services being offered through Office 365. This includes Team Sites, ‘My Document’ storage, Office online and conferencing, especially at the pricing levels negotiated.

However, the situation on mailbox migration from NHSmail to any platform other than NHSmail 2 is not clear. This is not unsurmountable, but does pose a slightly more challenging migration for those organisations sitting on NHSmail and wanting to adopt Office 365.

Here are some more reasons to switch to Office 365:

• It offers features that will not be available in the current NHSmail 2 scope even with Office 365, such as eDiscovery on email, Data Loss Prevention (DLP), etc.
• If your current on-premise email platform is approaching the end of its support lifecycle (i.e. Exchange 2007 or earlier) and you are not on NHSmail then you should consider Office 365. It is ISB 1596 compliant and provides a future-proof strategy as it updates automatically as part of the subscription. It’s also unclear when NHSmail will be switched off and ISB 1596 will be enforced.
• If an organisation goes down the Office 365 route without NHSmail 2, they have greater control as it will be their own email and IMP instance, rather than a multi-tenanted solution
• Clarity on costs now and in the future.
• Microsoft has announced a UK region will be introduced in 2016 for Office 365 (Azure and CRM Online) meaning data will be stored in this country, so data sovereignty is no longer a valid excuse to rule out the platform
Should I be worried about data governance with Office 365?

As mentioned, Microsoft has achieved accreditation for the English Health and Social Care (HSIC) secure email standard ISB 1596. This means it meets a set of independently audited baseline controls that adhere to a range of information governance policies and principles [1]. Microsoft was also the first cloud provider to achieve ISO 27018, a code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors [2].

If you’re still worried about information governance, the following might help alleviate your concerns:

• The Data Protection Act (DPA) does NOT prohibit a data controller from holding any personal data outside the EEA; it prohibits holding data anywhere that does not comply with the principles. The data controller can choose to store data anywhere it wants, provided that this can be done in compliance with the eight principles of the DPA [3]
• The EU Model Clauses allow customers to comply with the EU’s Data Protection Directive relating to cross-border transfers of personal data to restrict the export of personal data from the European Economic Area [4]
• The Information Commissioner’s Office (ICO), which regulates the DPA, offers advice on holding data outside the EEA [5]
• There are 14 cloud security principles defined by CESG [6]; they provide good guidance on the things to consider and Microsoft have provided further guidance [7]
• For further information please see the Office 365 Trust Center [8]

[1] http://systems.hscic.gov.uk/nhsmail/secure/isb_1596may14.pdf
[2] http://blogs.microsoft.com/on-the-issues/2015/02/16/microsoft-adopts-first-international-cloud-privacy-standard/
[3] https://www.bls-ltd.co.uk/
[4] https://products.office.com/en-us/business/office-365-trust-center-eu-model-clauses-faq
[5] https://ico.org.uk/for-organisations/guide-to-data-protection/principle-8-international/
[6] https://www.gov.uk/government/publications/cloud-service-security-principles/cloud-service-security-principles
[7] http://enterprise.microsoft.com/en-gb/roles/it-leader/meeting-governments-14-cloud-security-principles/
[8] https://products.office.com/en-gb/business/office-365-trust-center-cloud-computing-security/
Patient Identifiable Data (PID): What Do I Do Next?

A key part of the digital transformation needed to realise the goals of the government’s Five Year Forward View involves the storage of, and access to, patient data. PID is currently stored in private data centres, either directly owned or via expensive outsourcing/colocation contracts. But while cloud technologies offer opportunities to provide more efficient healthcare services and better value for money while cutting base costs, there are concerns around using cloud to store and manage PID. In fact, a combination of fear and misunderstanding about the nature of cloud services and strict rules governing the handling, processing and storage of PID, has proved a major barrier to adoption.

Yet patients are increasingly demanding more online services to make their lives easier. Being able to access health records and test results, or book appointments and order repeat prescriptions online, is where patients want to see the NHS headed. And emerging technologies such as the Internet of Things and wearable connected devices offer new opportunities to improve healthcare, as well as generating a huge trove of sensitive data which needs to be stored.

In Trustmarque’s recent Digital NHS Healthcheck report, over 60% of UK adults said they’d prefer to communicate with healthcare professionals online or via email, outside of formal appointments; 81% said they’d like to see connected wearable devices used in healthcare. Tellingly, two-thirds (66%) said they currently don’t have access to all their health records online.

The government recently answered these concerns by pledging a massive £4.2 billion investment into the NHS’ IT infrastructure; it is hoped the move towards a paperless, hi-tech health service will help to make £22bn in savings and improve the quality of healthcare all round.
[Infographic: 60% of UK adults said they’d prefer to communicate with healthcare professionals online or via email; 2/3 don’t have access to all their health records online. Facts are taken from Trustmarque’s Digital NHS Healthcheck Report.]
Cloud is the answer

Cloud computing infrastructure is at the heart of these plans. But NHS Local Health Authorities must be able to use it in a safe and secure manner which protects critical patient data. There is actually no direct prohibition on individual health authorities using cloud services to store or process data. But there is an expectation that they understand, document and quantify the risk before accepting any service change under the NHS Information Governance policies. Ultimately the decision rests with the health authority board and the Caldicott Guardian*.

So what happens next? There are multiple ways to move to the cloud in a safe manner – while at the same time boosting innovation and reducing costs.

Public clouds such as Microsoft Azure have already been approved to handle data marked OFFICIAL, and the government has made it clear it is behind the move towards

However, public cloud is not the only answer. Private clouds or a hybrid of the two are permissible and have already been used, although they don’t offer the same flexibility or economies of scale as the public cloud.

The drive for the digitisation of the NHS and for mobile, on-demand access to services from the public cloud, is forcing a technological quantum shift in how digital services should be provided across government.

*(Senior person responsible for protecting the confidentiality of patient information. Each NHS organisation is required to have a Caldicott Guardian)
How to Choose a Cloud Provider

According to Gartner, “CIOs and IT leaders must take a leadership role in building a more social, mobile, accessible and information-driven work environment.” When it comes to the NHS, this means the cloud. But once you’ve decided that this is the way forward, next comes the challenge of how to choose between the myriad providers on offer.

With cost savings high on the agenda, CIOs and IT leaders need to remain objective. The government’s G-Cloud offers only part of the answer. There are currently over 2,300 suppliers offering over 22,000 services on G-Cloud 7 alone, so preparation and planning are key. Here are a few pointers:

1) Understand your roadmap
Planning up front and approaching business IT leaders for buy-in are key to ensuring the eventual solution meets a clearly defined requirement. There are many formal change management methodologies that can be applied here, but perhaps most important of all is to ensure a cross-section of the organisation is represented – including functions such as information security and finance. Make sure all are in support of what the perceived benefits are and understand the risks that must be addressed during the procurement stages.

2) Consider a hybrid cloud option
Cloud computing can easily be segregated into IaaS (Infrastructure-as-a-Service), PaaS (Platform-as-a-Service) and SaaS (Software-as-a-Service), but delivering a cloud-enabled workforce in a complex IT environment, with multiple vendors and contracts at play, will likely require a hybrid cloud solution. Your chosen provider should work with you to establish your exact requirements, taking into consideration application usage and licensing through to server infrastructure, before making any recommendations.
3) Due diligence is vital
Finally, there are a number of supplier checks to be carried out to ensure your prospective provider is able to deliver an end-to-end offering, is with you for all of the journey to the cloud, and can support you when you are in ‘business as usual’. Perhaps most important of all is to choose a supplier that has delivered cloud computing offerings to its existing customers. A reference from your chosen suppliers will confirm this.

The government’s vision for how it wants the NHS to look by 2020 will certainly put senior IT managers under pressure to deliver. But these changes are essential to support the £4.2 billion digital drive announced in February 2016 and to help deliver value, and improve patient care and operational efficiency. Although historically, the health service has been reluctant to embrace the cloud, these next-generation services and platforms offer a fantastic opportunity to deliver in line with government expectations.
About Trustmarque

Trustmarque is a leading provider of end-to-end IT services to the UK public and private sectors, including cloud, professional and managed services, and software solutions. At Trustmarque we give honest, simple and independent advice that helps customers navigate an increasingly complex world of IT. We simplify business, through a flexible and cost-effective approach that empowers organisations and their people. With over 25 years’ experience at the heart of the rapidly evolving IT market, Trustmarque has established a position as a leading technology provider to private sector, UK government and healthcare organisations.

www.trustmarque.com
info@trustmarque.com
0845 2101 500