Rob Shaw: Working with staff to harness the power of digital technology


Article information

  • Posted: Tuesday 11 July 2017

Rob Shaw, Interim Chief Executive at NHS Digital, discusses NHS Digital's work to improve health care through harnessing the power of digital technology.

This presentation was recorded at our Digital Health and Care Congress 2017 on 11 July 2017.


What we’re here to do is provide better care and that’s better care for patients and for the citizen because part of what we need to do is try and take some of the people out of the system in order for us to be able to alleviate some of the pressures that are on the system.  We’ve got to deliver services that not only that the care providers want to use but also that the citizen wants to engage with.  

Patient engagement, self-care and prevention: this is all about giving access to the patients their care and to their records.  So we’ve talked about this for years but now we’re starting to make it a reality.  This is all about how can we give them trusted information and trusted apps so that they can then provide care for themselves?

Urgent emergency care: we’ve got to be able to take some of the pressure and some of the increasing numbers out of the system and what we’ve found is that people that ring up onto our pathway system if you put an automated recording on that says, “Actually you can log on and you can do this yourself now,” we’ve got over a 10% channel shift in people moving on towards technology.

Then we start talking about integrated care and social care.  We’ve got to stop seeing this as two separate issues.  We’ve got to start making it so that standards get adopted and that suppliers work to standards that will enable interoperability between different systems because unless these systems are actually built secure by design, they’re resilient and they’re scalable then we won’t be able to keep the public trust.  

If a clinician can save 29 minutes by just looking at a patient summary care record rather than having to go through a load of notes that’s got to be meaningful.

It took us roundabout eight to ten years to get a really meaningful number of people that are on a summary care record so now we should be moving to the next stage.  We shouldn’t wait another ten years to get to enhanced summary care records, let’s make a system where people can get an enhanced record but we do it through consent.  So we do it where the patient and the clinician have agreed that that’s what they want to be stored about that.

11% of 999 calls don’t end up with an ambulance being sent.  Now if you think about adding that 11% back in what would that do in terms of the time it will take to actually get the ambulances to where they need to be?  That 11% to me needs to be better but we need to work out where’s the risk appetite?  In referrals we’ve halved the number of missed appointments.  

Now that’s a really good thing because if you’ve got a load of people that don’t turn up and you get the fail to attends then you end up with a 50% reduction in that then all of a sudden you’ve got 50% more appointments that you can then give out because you’re not having to do the re-appointments.

We’ve also … if secondary care start to take up fully e-referrals we’ll end up where we’ll save over £50 million a year and then electronic prescriptions we’ve got a number of providers that provide both in a prescribe and dispensing manner for electronic prescriptions that when you speak to some of the pharmacists that are out there and some of the GPs they cannot believe just how much time and effort that they save when they look back to what they used to be doing when they had the FP10s.  

So all of these things are real but none of them are cutting edge.  These are all things that we’ve had for a while and we’re now starting to get the full adoption and take up and what I want to drive is we need to get that adoption and take up far faster.  

So we do all of this and why wouldn’t you do technology?  When I was younger in the days of The Sweeney what you used to be able to do is you’d see the guy with the mask on and you knew who the criminals were.  These days it’s a little bit harder because we’ve now got the idea of cybercrime.  We can’t expect we’re going to have a security expert in all organisations.  We’ve got so many different providers of care some of them that are so small it’s the receptionist that’s responsible for IT in their organisation.  They’re not cyber experts.  

If you had to write down now the ten things that you’ve got to do what would you do in terms of the priority?  And none of these are rocket science.  So when did you rehearse your incident plan?  Are people doing what they should be doing?  Are they patching?  Have you got a paper copy of your incident plan?  I got a phone call from somebody and I felt so sorry for them, they’d put everything  ... they were trying to go paperless so they put their incident plan on the system that had got the ransomware attack.  Does everyone know what your roles and responsibilities are because when you get into a crisis people just tend to either act like headless chickens or go missing?  What are your escalation points?  So have you got a gold, silver and bronze command if you need that sort of thing and you’re an organisation that’s big enough to do it?  Do you know what the contact details are of your partners?  So if you’ve got suppliers and a lot of suppliers are in the room, do you have their named contact so you can pick the phone up and ring them if you get something like this to make sure you understand what the impact is on your services?  How often are you going to meet face to face?  You need to understand things like that so is it three hours?  Is it every hour or do you just not need to come back together again for a twelve hour period because you need to allow the people that are doing the work to go and do the work?  You don’t want to keep bringing them back in again to actually come in and just have a face to face meeting to say they’re doing the work.  

How do you communicate with staff and the media and other agencies?  Do you know National Cyber Security Centre?  Do you know what our details are if you’re a care provider?  

Patching and cyber hygiene, you make sure that your firewalls … you get future state firewalls you make sure they’re protected, you make sure you’ve got resilience built in, but you’ve also got to make sure your AV is up to date, you’ve got to make sure your operating system is patched.  If you get one of those wrong the others might save you on certain attacks but they won’t save you on all of them.  So you’ve got to make sure that you’ve got layered protection in place. 

So National Data Guardian, don’t say this is the guy sat in the corner on technology and if you do think it’s about them who’s watching the guy in the corner that does technology?  Who’s watching the watchers?  Staff are responsible for data security.

We’ve got to give them the training.  If we don’t train staff on what they should be doing with information assurance you can’t blame the staff if they don’t do it.  

The processes.  Don’t give people elevated rights forever.  If they move job they probably don’t need it.  Don’t get them access to everything.  Just give them access to what they need access to and then technology.  I want to get to a position where actually we treat security in the same way we treat safety, so if there’s a near miss we report it, we encourage people to report it.  So if I can leave you with one thing I would say don’t blame the IG guys and don’t blame the IT guys because everything that I’ve talked about so far needs leaders in the organisations and it needs suppliers to be able to help support the organisation be able to do more but do it safely.

Thank you.