May 17, 2020

Technology solutions are the remedy for improving the NHS


Earlier this month the NHS reached its 70th anniversary. However, with ongoing concern and ambiguity around the organisation’s future, how can those responsible for investment in the public health service ensure it lives on beyond another 70 years?

Peter Ford, Public Sector Industry Principal at Pegasystems, argues that the NHS still needs to improve efficiency, especially in relation to customer service, and build for change even with the additional government funding that has been made available. Practitioners should have more autonomy in how the technology in our health service is developed and deployed.

History and challenges

Today’s customers expect to interact with the National Health Service just as they would with their bank or online retailer. Citizens expect on-demand, high-quality service whether they are unfortunate enough to experience an accident or require elective treatment. The NHS is expected to deliver those services while meeting the expectations of an overwhelming digital customer base.

Addressing these scenarios with the right technology, process, and organisation should be achievable. However, the organic evolution of the NHS means it is now plagued with numerous challenges:

  • Manual or only partially automated processes that lack the orchestration of end-to-end case lifecycle management
  • High cost legacy, siloed systems that are difficult to both use and change
  • A complex IT estate that has multiple, fragile, integration dependencies that only give a partial view of the constituent
  • A total reliance on scarce IT staff
  • Commercial-off-the-shelf (COTS) and bespoke solutions implemented in a waterfall fashion that do not reflect the business need and cannot easily be re-used across geographies
  • Complex policy and regulations for healthcare eligibility and delivery
  • Lack of constituent online self-service and contextual guidance
  • Organisational structures, processes and systems set up to serve limited channels that existed 20 years ago

With the expansion of digital technology, the NHS is faced with responding to a more demanding constituent. Citizens are tech-savvy and want to be able to interact with the NHS on their mobile devices, on the telephone or face-to-face, without losing context. They want self-service that guides them through the complex online advice, rules or criteria they must fulfil. The NHS has to provide those services through whatever channel a citizen prefers.

Fundamental to providing a citizen-centric service on every channel is treating the interaction in the context of the user’s history and existing information held about them. This information typically exists but is held in disparate systems and is supported by a combination of both manual and automated processes. The citizen usually has to visit different parts of the NHS to get the care they need. The ability to use “any door” (access to any NHS service routed to the appropriate set of services) and receive the end-to-end service based on one visit, simply does not exist.

The ability to provide an end-to-end service is severely inhibited by the existence, or in some cases complete absence, of rudimentary work management solutions. Without automated management of a patient or citizen “case” (in this context case means any piece of work that needs to be completed) services will remain disconnected.

The NHS is under pressure to improve the way service is delivered, albeit with an additional recently awarded £23bn funding envelope. It must still pursue better ways of working and efficiencies to provide better service to an ever extending range of treatments and patients.

The traditional options - custom code and COTS

The NHS struggles to modernise legacy systems. It is these aging mission-critical applications that make the rapid delivery of citizen-focused service so inefficient and hard to measure. They are costly and risky to update as policies change.

The NHS and systems integrators working for them typically have had two choices for modernising operations, and neither of these has worked particularly well. Custom development costs too much and is usually obsolete by the time it is delivered.

Lower-cost, commercial-off-the-shelf (COTS) applications are inflexible and inadequate, forcing the NHS to wait for vendors to deliver what they need. Additionally, these solutions cannot be easily shared to cover both common and specialised delivery across NHS participants.

The old adage, “re-use before buy before build”, still rings true but re-use is dependent on the solutions you currently have in place and the extent of the new solutions required/funding available. To change solutions wholesale is neither practical, because of the extent of risk involved with system, process, and organisational change, nor affordable. There is an alternative incremental approach that makes this possible.

The better way - Enterprise Platforms

An enterprise platform is computer software used to satisfy the needs of an organisation rather than individual users. Such platforms come in three types:

  1. Systems of record (e.g. SAP ERP)
  2. Development toolsets (e.g. Java Enterprise)
  3. Unified Enterprise Platforms (those that can spawn multiple different solutions using the same platform (re-using common software components), prebuilt applications, and underlying tools)

Systems of record have their place in command and control situations but that’s not where the NHS is. Policy and treatments are constantly changing and Systems of Record are not the best option because needs are dynamic and likely to change.

Custom solutions also have their place when the need is esoteric; however, as previously stated, these are not best placed to suit multiple changing needs in a cost effective way.

Fortunately, there is a clear “best option” to build and manage healthcare applications: a Unified Enterprise Platform. Not all application platforms are built the same and one must consider the time to value and the ability to change as policy evolves.

There are key considerations when choosing a unified enterprise platform as defined above. The platform will need to meet the needs that exist today but also have an underlying architecture that is able to flex and meet those that emerge in government and societal environments that are ever changing. The platform needs to be ‘built for change’.

By implementing a unified platform based on the same core engine, not a collection of stitched together applications that will increase total cost of ownership, the NHS can scale to meet the needs of hundreds of thousands of customers at the same time.

Furthermore, it allows healthcare practitioners to turn information into insight by using inherent artificial intelligence to convert information held in multiple silos as well as within the enterprise platform to deliver a predictive service to citizens. Without a unified platform, decisions will require multiple manual interventions to obtain a complete picture of the case and deliver the next best action.

Another benefit is that a unified platform can be easily localised, meeting the needs of multiple business units, channels, products, geographies, and customer segments. This reduces cost of implementation, ongoing change and support. Deprived of a unified platform, agencies will not be able to use their single application to seamlessly serve the full range of their citizens.

Engaging more citizens through more channels while ensuring a consistent user experience across all channels, whether desktop, mobile, interactive voice response (IVR) or social, means applications can be designed once and used anywhere with zero additional work required.

It might seem obvious, but it is also important that the user experience on any platform is easy to use. A user interface that presents easy-to-understand, intuitive screens designed to suit the purpose they are being used for means NHS staff and citizens will be more likely to use the system and will be more efficient when they do.

A unified platform should have pre-built integration capabilities to allow for it to be used across multiple systems that may hold existing information. In this way it should provide a 360-degree view of the citizen, their family, and their treatment history. It should connect citizen-facing solutions, such as customer relationship management (CRM), to those in the back office that support processes such as treatments and lifestyle advice for health promotion. This will help prevent having “swivel chair” workers inefficiently pivoting from one system to the other as they serve the customer.

Case Management is another aspect which will see improvement. Being able to simplify and automate work through digital process automation and case management can help quickly build business applications that deliver the outcomes and experiences that citizens demand.


The NHS faces some real challenges to serve the public as they expect and deserve. The key is to implement change incrementally using unified enterprise platforms that can provide single solutions to meet multiple similar, but not identical, needs.

These platforms exist, but care must be taken to select one that is built using the latest IT capabilities available and that can easily adjust to future change. These capabilities will deliver efficiencies through self-service and case management and an application that can keep pace with policy changes. By doing this the NHS can become proactive to citizen needs, offering “any door” to the services that they are entitled to and making suggestions on preventative health care rather than just delivering treatments.

Ultimately, it will improve the efficiency of the service to provide a higher quality of service to a wider population and customer base and make best use of the additional £23bn it has been awarded.

Jun 13, 2021

How healthcare can safeguard itself against cyberthreats

Jonathan Miles
Jonathan Miles, Head of Strategic Intelligence and Security Research at Mimecast, tells us how the healthcare sector can protect itself from attacks

One of the most fundamental lessons from the COVID crisis is that health should always be a priority.  In a similar fashion to the human body that frequently fights off viruses and foreign invaders that intend to cause it harm, the sector itself is now a prime target for another type of external threat: cyberattacks.

The figures speak for themselves: between December and January this year, hospitals in the UK were at 89% capacity, with 7,000 fewer available beds than there usually are. As the pandemic increased pressure on hospitals, clinics, and research facilities to create a treatment for patients globally, it has left the sector exposed to hackers who, like a virus, have been targeting it relentlessly and evolving their tactics. 

From patient records being held ransom, to fake emails claiming to originate from the UN WHO, the NHS, or vaccine centres, through to attacks on the cold supply chain to find out the secret formula of the COVID vaccine, the healthcare industry is facing constant cyberattacks and struggling to cope. This threat is unlikely to go away anytime soon – and as such, the industry needs to take a proactive, preventative stance to stay safe in a dynamic digital world. 

Going digital 

The responsive nature of healthcare – particularly of hospitals – means that efficiency is crucial to the industry’s standard operations. To support this, the sector has been embracing technological advancements that can improve the quality of work, enabling staff to meet pressing deadlines, and enhancing patient care. For example, the industry has been digitising records and improving its ways of working through digital means over the past few years. 

This shift is critical to offering high-quality patient care; yet it also means the sector has become more dependent on IT, which can come with a risk if the cybersecurity processes employed are deemed inadequate.

Without the correct security measures in place, the desired efficiency gains can easily be lost in a heartbeat. Simply put, an elementary glitch in the system can have a tremendous ripple effect on many areas, from accessing patient records and conducting scans, to maintaining physical security and protecting the intellectual property of experimental treatment development.

To prevent this, healthcare organisations need to ensure they’re considering cybersecurity as part of their overall digital transformation strategy – and setting the right foundations to create a culture where safety goes hand in hand with patient care. 

Strengthening defences

Before implementing cybersecurity processes, healthcare organisations need to assess the potential risks they face. Depending on how much confidential data the trust has, where it is stored, who has access to it and via which means, the cybersecurity strategy and associated solutions will change.

It’s fair to say that a medical device start-up where all employees have a corporate-sanctioned laptop and access data via a VPN will have radically different needs to a large hospital with hundreds of frontline workers connecting to the hospital’s Wi-Fi using their personal device. 

These requirements will pale by comparison to a global pharmaceutical giant with offices in multiple locations, a large R&D department researching new treatments for complex diseases and a fully integrated supply chain. Considering the existing setup and what the organisation is looking to achieve with its digital transformation strategy will therefore have an immediate impact on the cybersecurity strategy.

Despite this, there are fundamentals that any organisation should implement:

Review and test your back-up policy to ensure it is thorough and sufficient – By checking that the organisation’s back-up is running smoothly, IT teams can limit any risks of disruption in the midst of an incident and of losing data permanently.

In our recent State of Email Security report, we found that six out of ten organisations have been victims of ransomware in 2020. As a result, afflicted organisations have lost an average of six days to downtime. One third of organisations even admitted that they failed to get their data back, despite paying the ransom. In the healthcare industry, this could mean losing valuable patient records or data related to new treatments – two areas the sector cannot afford to be cavalier about.

Conduct due diligence across the organisation’s supply chain – Healthcare organisations should review their ways of working with partners, providers and regulatory institutions they work with in order to prevent any weak link in their cybersecurity chain. Without this due diligence, organisations leave themselves exposed to the risks of third party-led incidents. 

Roll out mandatory cybersecurity awareness training – Healthcare organisations shouldn’t neglect the training and awareness of their entire staff – including frontline workers who may not access the corporate network on a regular basis. According to our State of Email Security report, only one fifth of organisations carry out ongoing cyber awareness training.

This suggests it is not widely considered a fundamental part of most organisations’ cyber-resilience strategy, despite the fact many employees rely on their organisation’s corporate network to work. By providing systematic training, healthcare organisations can help workers at all levels better understand the current cyberthreats they face, how they could impact their organisation, and the role they play in defending the networks, and help them develop consistent, good cybersecurity hygiene habits to limit the risks of incidents.

Consider a degree of separation – Information and Operational Technology (IT and OT) networks should be separated.

Although the two networks support and rely on each other, employees shouldn’t be accessing one via the other. This should be complemented by a considered, tried and tested contingency and resiliency plan that allows crucial services to function unabated should there be a compromise. Similarly, admin terminals should not have internet access, to afford a degree of hardening and protection for these critical accounts.

As the sector becomes a common target for fraudulent and malicious activity, putting cybersecurity at the core of the organisation’s operations is critical. It will help limit the risks of disruption due to cyberattacks, reduce time spent by the cybersecurity team to resolve easily avoidable errors, and ensure that institutions can deliver patient care, safe in the knowledge that their networks are safe.  

Fighting future threats

With technology continuing to change the face of healthcare, the surface area and vectors available for attacks by malicious actors are constantly increasing. With the introduction of apps, networked monitoring devices, and a need for communication, the attack surface is ever expanding, a trend that needs to be monitored and secured against.

To prevent any damage to patients, staff, or the organisation they are responsible for, healthcare leaders must put security front and centre of their digital transformation strategy. Only then can the sector harness the full benefits of technology. Doing this should include implementing cybersecurity awareness training to challenge misconceptions around security, encourage conversation, and to ensure employee knowledge of the security basics and threats faced. 

This ultimately allows healthcare organisations to do what they do best: provide the highest standard of patient care, safe in the knowledge that their operations, patients, and data are safe.
