Comment by ck425
9 days ago
As someone who does software for NHS Scotland, I can easily believe the tale of multiple different directorates/orgs believing it was someone else's remit, as the NHS is a super complex organization of organizations. But in your case specifically data protection laws probably made it far worse, and that's true of pretty much any tech you build/deploy in the NHS. There are strict information governance rules that have to be followed for any personal information, even just emails, which exist for very good reasons and aren't particularly onerous, but they are strict, so in a situation like yours where it's not clear who would own/be responsible for what you were offering I could see them getting in the way.
There are some rules that exist for very good reasons - and which have been widely undermined by front-line healthcare services though this does at least seem to be improving a bit over time.
There are also plenty of rules that exist for dogmatic reasons and impose absolute requirements that don't always make much sense in context instead of stating principles that should be appropriately applied.
I understand that those administering these rules don't want to leave loopholes where people or cost-conscious suppliers will cut corners for convenience and/or to save money. There is obviously a danger of that happening if you don't write everything down in black and white.
But you have to remember that the starting point here is receptionists at medical facilities asking people to email over sensitive health information or casually discuss it on the phone when they don't even know who they're talking to and what information is appropriate to share with them. Doctors are trying to read vital patient information from scrawled handwriting on actual paper in potentially time-sensitive life-and-death situations. Expensive scanning equipment in hospitals relies on software that runs on 20-year-old versions of Windows from a supplier that shut down long ago.
In this context you probably win a lot just by having clear policies and guidelines that really are short and simple enough for rank and file staff working in a wide variety of different jobs to understand. A reasonable set of basic technical measures would be far better than much of what is in widespread use today. Trying to make everything perfect so we have fully computerised health records and integrated diagnostic and treatment systems and everything is 100% secure and privacy-protected and supported is a laudable goal that would obviously be much better for patient outcomes and also for the daily lives of everyone working in healthcare. And in 50 or 100 years maybe we'll be able to do it. But not today and not tomorrow.
I've written software used across the NHS previously, and a lot for national security purposes since. It wasn't the only option on the table, just one that I was mainly using to ensure cost of development couldn't be used as a reason to reject and so that there was a strawman architecture on the table to help generate discussion.
It certainly wasn't even my preferred option, I'd have been much happier if they said they had a team that could run with it.