Cyber Security in Healthcare – a primer for the Board.

What CEOs and boards should understand:

Protection of key information assets is critical

  • How confident is the Board that the hospital’s most important information is being properly managed and is safe from cyber threats?
  • Are you clear that the Board members are likely to be key targets?
  • Does the Board have a full and accurate picture of:
    • The impact on the Hospital’s reputation if sensitive internal or patient information held by the Hospital were to be lost or stolen?
    • The impact on operational services if our online services were disrupted for a short or sustained period?

Exploring who might compromise information and why

  • Does the Board receive regular intelligence from the Chief Information Officer/Head of Security on who may be targeting hospital information and IT, their methods and their motivations?
  • Does the Board encourage the technical staff to enter into information-sharing exchanges with other organisations in the sector and across the economy to benchmark, learn from others and help identify emerging threats?

Pro-active management of the cyber risk at Board level is critical

  • The cyber security risk impacts public confidence, reputation, culture, staff, information, process control, brand, technology, and finance. Is the Board confident that:
    • They have identified the key information assets and thoroughly assessed their vulnerability to attack?
    • Responsibility for the cyber risk has been allocated appropriately?
    • Is it on the risk register?
    • Does the Board have a written information security policy in place, which is championed by the Board and supported through regular staff training?
    • Is the Board confident the entire workforce understands and follows it?

Building the right thing

This week we will be focussing on understanding in more detail what our customers actually want. Too many startups build stuff that no one wants. It usually happens for one simple reason – they don’t get out of the office enough and speak to customers. You can help us by filling out this short questionnaire. And there is a chance of winning an Amazon voucher.

There are two important hypotheses that startups need to test:

  • Their Growth Hypothesis – how are we going to attract customers and partners?
  • Their Value Hypothesis – does what we build meet the minimum needs of our customer?

Last week we had the opportunity to talk to the CEO of AgeUK Lambeth. As an important partner of BriteLives, we felt we needed to understand their challenges. But we also wanted to discover if they can help us find local services for the BriteLives platform. In doing so we were able to capture a little more understanding of the data to support our Growth Hypothesis.

Search curation delivers better results

Everything is on the Internet, and that’s the problem. Because everything is there, it makes the one thing you’re looking for hard to find. It’s somewhat easier if you’re looking for a particular item that’s a paid-for business service. Flight and hotel bookings are pretty straightforward and we could all find a flight from London to Paris. However, despite the simplicity of this search, there are numerous aggregators of services. Some show all of the flights, others all of the hotels. Some put both together.

But the sites that attract most views are those that curate the search experience. These sites ask for or understand our requirements. They answer questions like Winter Sun or Short City Breaks.

This is not a common approach in local government; perhaps this is the next area where curation might help someone find the things they need. A citizen might need to view all the local government services for a family living in a house, or services for a single person living on their own in a flat. This curation should aim to make sure that citizens understand what is available to them.

For older people, this is even more important. Services should be simple to find and in one place, curated for need and provide access to health, social care, voluntary and commercial provision. They need to be appropriately segmented to keep things simple. There are plenty of designs for that: “people that booked A also booked B.”

Should local government only choose to provide answers to citizens’ needs from their own resources, they will fail to access the less costly and sometimes more effective voluntary and commercial services. At BriteLives that’s our mission: put all the services in one place and make them easy to find and book.

Just realised you’re a carer? Three things it’s good to know now.

Lesson 1 – Don’t be passive in any situation; I don’t care how senior they are or what specialist knowledge they have.

Right off the bat I realised I needed to be the decision maker; I felt that there were some occasions when I thought someone else was the decision maker. This was never the case: at the bedside in a hospital ward, during some social care meeting or just choosing a hairdresser to come to the house, I realised I had to make all of the decisions. That does not mean I did not include my Mother in these decisions, but it became pretty clear all decisions would have to be made by me.

This is particularly the case in healthcare situations. During my Mother’s last stay in Hospital, which should have been a short one, I quickly realised that the ward staff were unable to make any decisions about my Mother. She was not well enough to go home without a care package and no one could decide how big that would be or who should provide it. So we kept going round and round in circles with me asking their advice. I found I had to guard against being passive and learnt how to challenge decisions that were or were not being taken.

Lesson 2 – When someone tells you something, check that both you and they understand what they are saying.

People called me out of the blue and started chatting about my Mother and her needs. This initially seemed like good news. On at least two occasions I realised that they were not talking about my Mother, some transposition of phone numbers on a list perhaps. So when I got one of these calls I did the following:

  • Asked them to identify themselves
  • Got their contact details – I always did this first. Get their general contact details and their specific job title.
  • I recorded all of these interactions into an Evernote Notebook; you can, of course, use a paper notebook
  • I confirmed who they thought they were talking about – I did this through active questions like: “You wish to discuss Mavis Coulthard with me who’s on Ward XX at the Royal Surrey Hospital? Is that correct?”
  • I would then confirm who they thought they were talking to.
  • Then and only then would I have the conversation
  • Finally, I would confirm the agreed actions back to the caller.

Lesson 3 – Write it all down and keep your eyes and ears open

Don’t rely on your memory; write everything down, however trivial it might be. A mobile phone camera is really good at capturing complex meds and forms. I found that I was often the only person that had all of the information. The last hospital discharge letter, a list of the latest meds, the name of the intravenous antibiotic Mum was on. I found that no one seemed to have the right information at the right time. More of this in another Post.

Once my Mother was discharged from the Royal Surrey Hospital without any medication. At the time, she was on about 13 different pills. Fortunately, I had a photo of her medications and the schedule associated with them. I was able to send this to a local pharmacy and they were able to sort out the mess with some help from my Mother’s GP. Without that intervention, I guess Mum would have been back in Hospital that night. The healthcare ombudsman has recently published a report into the discharge of older people from hospital. It does not make good reading.

I found I needed to be aware of the conversations around me and my Mother. I read all of her medical notes, I asked open-ended questions and listened hard to the answers. I found it easier and easier to challenge the jargon. The NHS loves jargon, three- and four-letter acronyms abound and I just asked what they meant. Sometimes not even the user knew what they stood for.

Too many unchecked assumptions in NHS Information Technology.

How many assumptions do we make when setting out a plan to change or build something? It’s OK to make assumptions but it’s not OK if we don’t check that they’re correct. Looking back on my time in NHS England I can now see that very few of the assumptions made were ever checked. Here are some questions you might think about asking before you set out to do anything.

This set checks some assumptions we might make about people searching for services.

Do you look for local services?

  • How often do you look for local services?
  • Where do you look?
  • Why do you bother?
  • When did you last look for a service?
  • What service did you find?
  • Where did you find that service?
  • When you found a relevant service did you book or use it?
  • When did you last book a service?
  • What are the implications to you personally of not finding services?
  • When was the last time you failed or ran out of time to find a service?
  • Where or what else have you used to find services?
  • Who else shall I talk to and is there anything else I should have asked?

What to avoid

  • Talking about your idea and getting compliments about it
  • Getting caught up in their ideas for your product/service or change idea
  • Generic claims – “I always/never…”
  • Future claims – “I could/would…”
  • Hypothetical feedback – “I might/could…”

The bottom line of this one: if people aren’t looking for services, don’t build a service that provides a look-up service.

So, three things for any Senior Responsible Officer (SRO) in the NHS to do before a Project kicks off:

  1. Make sure the assumptions of the Project are identified.
  2. Test those assumptions with a number of audiences: users old and young, organisations and specialists etc.
  3. Make sure you have validated any learning from tests you make.

If you can’t do these three things, then don’t start.

Quick thought: Did anyone test the assumptions made before the Electronic Prescription Service was built?