The NHS's NPfIT: Is it getting better?

An anonymous reader says, with clear conviction, that some journalism on the NHS’s National Programme for IT [NPfIT] is simply unhelpful. The reader is responding to an entry on this blog over the NHS’s relationship with Microsoft.

The reader also makes the controversial point that “clinical expediency will absolutely require lapses in that security”. The comments in full are below, as is my response.

“Of course the National Programme isn’t altogether a success. Yet. When a major requirement is fast, realtime connection between a number of very different systems, from different providers, and serving an absolutely vast number of users and services, there are inevitably going to be problems.

“However… it is in absolutely everybody’s interest that it’s done right. And, depending on who you are, your opinion of just what “right” means will vary, sometimes wildly, from that of the next guy.

“We want data security. We insist on it. But there are times when clinical expediency will absolutely require lapses in that security. Making decisions about how to implement this stuff where, effectively, both “rights” are wrong, is complicated and involves heated debate. Debates which allow journalists to pick an issue, reduce it to a headline, then stir in a heady mix of “what-ifs”…

“We should not be doing this behind closed doors? Perhaps. But if the difference is more delay while the discussions get interrupted by various concerned individuals and organisations insist on adding their two penn’orth to the crapstorm that’s already circling the project, then it’s dead in the water.

“There are successes. Some PACS [picture archiving and communications systems] implementations have been excellent. Early adopters of the Care Records Service are generally places where even a flawed system is better than what they had before. The national NHS email system is starting to look like a serious contender, and is already successful in places where mail servers weren’t already bedded in.

“There are a lot of people working on making this stuff work. Some of us have been involved in NHS IT for decades. Journalism of this type is, I’m afraid, simply unhelpful. You haven’t even mentioned any of the real problems — some of which are, I agree, not trivial, but few are unfixable given clear communication, consensus, calm discussion and careful resourcing.

“It’s all getting better. In fairness, it can’t not. There are a number of scabs you can pick at, and it might be helpful for you to do so — it can help keep people focussed on the correct goals — but this sort of reporting is too wide of the mark to be either use or ornament.”

My general comment on the criticisms of the reporting of problems on the NPfIT:

For many centuries some scientific communities have come to regard casualties as the price of Progress: innovative engineering projects have claimed, and will continue to claim, a number of lives.

Reporting of adverse events is a counter-balance, another reason for designers and practitioners to avoid rushing, to get it right. The reporting of the fatal aircraft crashes has given further incentives to aircraft manufacturers and airlines to make flying safer.

In the NHS, IT-based innovations could lead to genuine progress. PACS for example already has. But innovative systems that are poorly chosen, and improperly installed without adequate transparency, accountability and external scrutiny, could, in some cases, endanger life.

An over-reliance on e-prescribing systems that, at times, fail to provide an alert of an excessive prescription of strong drugs, could result in unnecessary deaths. Patients could be endangered by an over-reliance on systems on which some urgent appointments are left off. A hospital could lose track of patients who are suspected of having MRSA.

Some have in their sights only the benefits of NPfIT; they do not want the programme’s future jeopardized by the reporting of things that go wrong. They want us to collude in a fatalistic acquiescence of all that is happening, and not happening, on the NPfIT. Happy are those who don’t know what’s going wrong.

But the reporting of adverse events is positive coverage – possibly life-saving coverage – if it leads to lessons being learned.

We’re often criticised for not reporting all of the successes. But journalists rarely feel the need to applaud when they land safely in a new type of aircraft. Machines cleared to fly are expected to be safe. We expect new systems installed in the NHS to be safe. We expect them not to cause serious disruption, endanger lives or release information on the health and history of patients beyond those who need to know.

If there are failures, therefore, we will report them in the hope of disseminating the lessons. That’s when we know about them. And when we can unearth the facts. But we’re working against an increasingly secretive Department of Health, and an increasingly secretive government, a government that doesn’t want any counter-balancing publicity.

Leonard Woolf, the husband of the writer Virginia Woolf, said: “Once one begins to try to suppress some knowledge of some opinions, one loses all sense of proportion and relevance …in the end the only safe course for the worried, nervous …. cloistered censor, sitting aloof in his office with the blue pencil in his hand, is to try to suppress all knowledge and all thought.”


Smartcard sharing by an NHS trust – a breach of IT security or a practical way around slow access to the NHS Care Records Service

Junior doctors’ details exposed online

Secrecy over Microsoft’s UK government dealings

Government asks Trust chiefs to attend private NHS IT event held by Microsoft

Confidential NHS paper on the health of the National Programme for IT

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

Very sorry, but the anonymous comments (the need for anonymity says a lot - all of it bad) are recognisable as coming from a project that needs more scrutiny not less.

The aspects of the system outlined in your first para (fast, realtime connection between a number of very different systems, from different providers, and serving an absolutely vast number of users and services,) were what set off alarm bells with so many people - and so far they have been justified. The committed costs mean they will stay that way.

"But there are times when clinical expediency will absolutely require lapses in that security. " is only true if the security does not match real operational needs. The statement is profoundly worrying, as it implies that the mismatch between real user requirements and system design may be irretrievable.