By Stephen Roche (Dorset HealthCare) and Annie Ding (NHSmail COE)
Dorset HealthCare University NHS Foundation Trust started the rollout of Office 365 (O365) for adoption across the whole Trust in October 2020. A clinical safety team was established to evaluate the clinical safety and potential risks of the Microsoft Office applications.
We spoke to Stephen Roche, the Clinical Risk Process lead at Dorset HealthCare, about his experience of developing the clinical safety case for O365. Here is our conversation with Stephen:
A Clinical Safety Case is a piece of work that demonstrates compliance to the NHS Digital Clinical Safety standards. Any healthcare IT system has to be assured by the manufacturer and by the deploying organisation for clinical safety.
The way that you prove that is a Clinical Safety Case file. Within that file, you have a Hazard Log of clinical safety hazards and a Clinical Safety Case Report which summaries the work done, hazards and mitigations. At the end you make a recommendation on whether it is safe to deploy the system.
There were two of us initially. We are part of the IT Clinical Team – we are a team of clinicians who sit in the wider IT team.
We would liaise quite closely with lots of different people. The IT team helped us by demonstrating the functionality of O365, and we worked with the Information Governance manager for DPIA work as there is lots of data transfer. We also worked closely with the training team and the comms team because in order to mitigate some of the risks we identify during our work, we often have to create SOPs or training guidance.
Initially there was some debate as to whether O365 should be considered for clinical safety. However, according to the definition provided by NHS Digital, O365 is a Health IT system and therefore requires a Clinical Safety Case in line with the NHS Digital DCB0160 standard, mandated under the Health and Social Care Act (2012).
O365 adds so much more than just Word and PowerPoint. It has lots of collaboration tools, and it’s important to consider the clinical impact of these.
My role was to write the Clinical Safety Case, to carry out the investigation and produce the Hazard Log.
“My job is to think as a clinician and try and break the system.”
Normally, the first step would be to review the DCB0129 document from the supplier (Microsoft, in this case), which is the equivalent of the supplier’s version of the Clinical Safety Case. However, there wasn’t one available for O365 when we started. If you don’t have one, you have to do more background work, so that was a real challenge.
We initially developed a Clinical Safety Case Plan for the O365 rollout with what we intended to do. Once we decided on the scope of the project, we were guided by the project team, and started Discovery work.
As well as writing the plan we also started testing. We were playing a little bit of catch-up because of COVID. To test, we had to learn about the system, then try to break it, and figure out what it can and cannot do. We use a “Structured What If” model for our testing approach. We then analysed the risk and evaluated it to see what the clinical impact would be.
Everything we do is focused on clinical risk, i.e. the harm that could come to the patient. Once we analysed the risk, we then looked at what we could do to control it. What are the existing controls that are available? We then calculated a risk or hazard score from a matrix – this is determined by the likelihood and severity of the harm.
Once this was done, we identified ways of mitigating and reducing the risk, and what steps should be taken to overcome them, and what we would recommend. We made recommendations on which apps should be made available for use. Our recommendations were then presented to the board who decided which recommendations to take forward.
We evaluated almost 30 applications in the O365 environment and determined which apps it would be safe to release to the Trust.
One year is probably realistic. We had two colleagues working on it for one-two days a week over the last year. It takes considerable time because it is such a big system.
The team developed a Hazard Log to track clinical safety hazards and the accompanying Clinical Safety Case Report. The report documents ways to mitigate the hazards and a summary of the work carried out by the clinical safety lead.
As O365 was still being rolled out, the team recommended to withhold certain apps from release to the Trust. The team also developed guidance and best practices, Standard Operating Procedures and supported the development of the training team’s guides in listing out how best to use each tool.
As Microsoft continuously updates its environment, the team will update the Hazard Log and Clinical Safety Case Report along with it, to ensure that risks are identified and actions for risk mitigation are defined appropriately.
Having subject matter experts (SMEs) working closely with the clinical safety team was key. We had some really good SMEs in our IT team, who know the system well. This was extremely helpful when it came to testing the system, and we worked collaboratively with them.
“Trying to do this work on your own would be incredibly difficult. You need the support of SMEs and other colleagues, even just to test the system.”
It’s important to have links into all the different relevant areas, and that worked well for us.
The main challenge was the lack of the DCB0129 document from the supplier. There may be things that the supplier is aware of that we would not know about, and without the DCB0129 we were unable to see whether this was the case.
Another key challenge is that O365 was not originally designed to be a health IT system. O365 is all about collaboration and sharing, and health IT systems typically are not. Health IT systems are also updated in six-month or 12-month cycles, whereas O365 is updated all the time. This means any guidance and SOPs we develop need to be updated regularly. We also have to then review new functionality regularly because this could impact the clinical safety assessments.
As we were one of the first Trusts to complete the Clinical Safety Case, we couldn’t compare it to other Trusts. Normally, we would reach out to other organisations to ask them about their experience. Safety cases are individual to each Trust but there is commonality, so it is good to get help and advice from elsewhere when possible.
- Start now – it’s going to take longer than you think, because there is a lot to consider
- Don’t underestimate the depth you have to go into to really understand how the various apps work
- Be prepared to do a lot of testing
- Work closely with your training team because you will need to provide a lot of guidance andthis will need to be tailored for your organisation
- Remember that privacy and patient confidentiality are key
“It is undoubtedly a great system and it will change the way we do things, so it’s worth investing the time.”