The ongoing procurement process for NHS England’s Outcomes and Registries Platform (ORP) continues to attract concerns over the state of the project’s data security practices, amid claims that the whole enterprise may be riding roughshod over compliance with public sector procurement laws.
The ORP project is designed to bring together numerous world-renowned medical device registries, established over many years by medical specialists and technologists, that act as a repository of data to support the NHS in the national operation and management of medical services. They enable the commissioning of services, the introduction of new treatments and better identification of effective (or ineffective) treatments, a range of quality assurance processes, research and policy development, and help to ensure patient safety.
Earlier this year, Computer Weekly reported how the project’s login page was accessible to anyone with an internet connection, rather than via the Health and Social Care Network (HSCN), and was not protected by multifactor authentication (MFA), which runs contrary to NHS England guidelines.
Responding at the time, NHS England said that it was moving to enhance security on the ORP platform, and MFA has been implemented since that article was published.
This has gone some way to assuaging some of the worries previously highlighted by the Federation of Clinical Registries (FCR), a group of registry lead healthcare professionals and technologists who are concerned at the ORP programme’s direction of travel, and say they are being repeatedly sidelined by NHS England when they try to raise their doubts.
According to the FCR, other security concerns are going unaddressed by NHS England, allegedly including far deeper data security issues that have been ignored.
“Even though they’ve introduced MFA, what have they done about the fact that virtually anyone can register for that system? Things are being sent round on spreadsheets and users are being pre-registered in bulk without even asking whether they want to be on the system,” an FCR representative said, speaking to Computer Weekly on condition of anonymity. According to responses supplied to the FCR, there are at least 6,000 registered users, and only 900 of those are classed as “active” users.
“It’s [also still] sat on the internet, which goes against the cloud security guidelines for Class Five data. The FCR has repeatedly chased the NHS England Cyber Security Department for clarification on these security issues.”
Class Five data is defined within the NHS as cloud-hosted data that carries the highest level of risk. Official guidance holds that operating services at this level requires “board-level organisational dedication, following specialist advice and guidance”.
The FCR representative said that NHS England should be aware of the risks to the various datasets because one of the existing registries, the National Major Trauma Registry (NMTR), previously known as the Trauma Audit and Research Network (TARN), was compromised by a ransomware gang in a 2023 attack on the University of Manchester. The university no longer runs the registry in question.
Responding to questions over the ongoing security concerns, NHS England told Computer Weekly that the system conformed to NHS cyber security guidance and that there was no specific requirement for it to be part of the HSCN.
Contract award
The FCR also said that it has significant concerns over the process by which the ORP contract was awarded in the first place. The genesis of the FCR was a perceived threat to established world-renowned registries following the issue of a new draft contract by NHS England, which the established registries say they saw as “essentially a notice to quit”.
In the wake of this, the FCR said it found many issues, including instances where registry contract funds were withheld, data flows to key registries stopped, registry projects stalled, and historical data left unavailable or deleted because legal contracts had been allowed to expire. Subsequently, FCR contacts within NHS England told the group that Japanese supplier NEC had been tapped to develop the wider ORP platform and the various registries in scope, in light of which the FCR set out to try to find out more about how that contract came to be awarded.
What it uncovered was a contract worth about £1m dating to March 2023, described as “considerably imprecise” in its nature, that covered the initial development of ORP including integration of two of the medical registries, vascular diseases and joint conditions, into the platform. At the time of writing, this has not yet been delivered.
However, the FCR was unable to establish any other details of the contract through the government’s Contracts Finder service, which is where they would normally be published, albeit often in redacted form.
“We then became aware that they [NEC] were working on several other registries which didn’t get any mention in what we could see about the contract. All we had was the title, so it was very difficult for us to know what it was covering and what it was not,” said the FCR representative.
“Every time we asked them, they just kept pointing back to the original contract and saying it covers all this work on cochlear, breast implants, ligaments, everything. But there was no reference to that in the title, so we thought this can’t be true.”
The FCR started to file freedom of information (FoI) requests to try to establish the costs of the development of the individual registries and their integration into ORP, but was told there were no further details to share.
Undeterred, the group continued to escalate through the Information Commissioner’s Office (ICO), which over the summer of 2024 found that NHS England had failed to comply with the group’s requests appropriately.
However, according to the FCR’s version of events, its contacts within NHS England subsequently found another ORP contract for £1.24m, awarded to NEC on 23 February 2024 but officially unpublished until 11 July 2024, nearly three months after a question had been raised about it in the House of Commons.
“They didn’t disclose it in response to the MP in Parliament, they didn’t disclose it when we were doing all the FOIs, they didn’t disclose it on the public website where all the contracts are supposed to be published. It wasn’t on there and when the FCR asked the senior responsible owner [SRO] for that programme, they didn’t disclose it either. They kept pointing back to that original contract.
“We couldn’t understand how all these other registries were being developed under that initial contract, and they kept saying, it’s covered by that. Well, actually they’re all in the second contract,” said the FCR representative.
A further claim made by the FCR is that both of the contracts were directly awarded to NEC without following proper process and with no proper market analysis. Responding to the FCR’s questions, the NHS England ORP SRO at the time said that a market analysis was carried out, but subsequently the NHS England transformation director has changed tack on this, saying it was not. This situation has led to resentment among FCR members who feel it is they – rather than NEC – who have proven expertise in the delivery of medical registries.
NHS England said that its response to the ICO related to the contracts and expenditure in place at the time of the FCR’s initial request, and that it has now provided “further details to the ICO’s satisfaction”.
Following the rules
Additionally, the FCR said the publication of the second NEC contract some months after it was awarded suggests that those in charge of the procurement are trying to retroactively wave it through and give the appearance that the rules have been followed.
The ORP contract timeline became murkier still in August and September 2024, when a new procurement process appeared to kick off, which this time took the form of a request for information (RFI), followed by a demonstration from suppliers and then the award of a contract, initially appearing to cut out the tender process entirely.
“Suppliers asked, ‘What’s the specification for the system?’, and NHS England said, ‘We’ll only disclose the specification for the system to the successful bidder’. How does that make any sense?” said the FCR representative.
Coupled with the publication of the second NEC contract some months after it was awarded, the convoluted processes involved in what should have been a straightforward procurement have lent further weight to the FCR’s belief that the ORP project is being retroactively given the green light.
“They know they haven’t followed the right processes and now it’s just a case of trying to protect themselves. All of these non-responses to FOIs, they’re trying every trick in the book to avoid landing themselves in it,” said the FCR’s whistleblower.
NHS England said that the contracts had been awarded under established framework agreements, with details of both available via Contracts Finder. However, responding to the FCR’s concerns over costs, it said these were withheld for commercial confidentiality reasons under section 43(2) of the Freedom of Information Act 2000.
The organisation confirmed that it had issued a single RFI for the new contract, which is currently live, and said all respondents were being kept informed of progress and timescales for engagement.
An NHS England spokesperson told Computer Weekly: “The tracking and monitoring of devices and implants is crucial for patient safety, and the Outcomes Registries Platform meets all appropriate standards in cyber security and data security. We are running an open and transparent procurement process for the next phase of the programme.”