How To: Report an NHS IT Clinical Safety or Cybersecurity Issue to NHS Digital

Having recently been trying to escalate a clinical safety issue with a clinical system to NHS Digital, I found it was somewhat difficult to find the right contact details for reporting clinical safety issues with IT systems. The details aren’t very clear and are buried in the myriad web pages of NHSD.

Any clinician with a concern is empowered to report clinical safety issues, as part of their duty of candour and an ongoing commitment to quality improvement, so I thought it would be worth doing a short HOWTO, partly as a ‘note to future self’ and as a guide for others.

Clinical Safety

The NHS Digital Service Bridge is, I’m told, the entry point for reporting clinical safety concerns: phone 0113 397 3973.

You can also report via email on clinical.safety@nhs.net or try assurance@nhs.net

Cybersecurity

The NHS Cybersecurity team can be reached on cybersecurity@nhs.net

Don’t assume your report has been received or actioned until you have a reply from a human. Keep a note of the date, the address or number you used and any reference you are given, so that you can chase it and show later that the concern was raised.

Screenshots

I highly recommend using screenshots to illustrate your point, as this will improve understanding of the problem and reduce the wordcount of the report.

Make sure you completely redact any patient identifiable details in the images: names, NHS numbers, dates of birth, addresses, and the other patients who often appear in a list or worklist behind the one you are illustrating. Blur and pixelation of text can sometimes be partly reversed, so paint a solid block over the text rather than pixelating it, make sure the block is burned into the exported image rather than left as a removable layer, and check the file you send doesn’t carry the unredacted original in its metadata or an embedded thumbnail. (I can recommend the use of PicPick Portable, which is a full-featured screenshot app for Windows, doesn’t need Admin rights for installation, and features picture editing including pixelation and redaction.)
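To make the solid-block point concrete, here is a small added example (my code, not from the original post or any tool it mentions). It works on a tiny constructed greyscale raster, a list of rows of 0..255 values, so it needs no image library; the same logic applies unchanged to a real screenshot loaded with something like Pillow. It shows that pixelating a field keeps a low-resolution copy of what was there (two screenshots that differ only in the patient name still differ after pixelation), whereas overwriting the field with a constant leaves nothing to recover, and it includes the check you would run before sending an image: every pixel inside the redaction box is the fill value.

```python
"""Redaction check for screenshots: solid fill versus pixelation.

Added example, not code from the original post. Works on a constructed
greyscale raster (list of rows, values 0..255); no image library needed.
A box is (x0, y0, x1, y1) with x1/y1 exclusive.
"""


def pixelate(img, box, block=2):
    """Replace each block x block cell inside box with the cell's mean.

    This is what 'pixelate' tools do. The output still encodes a coarse
    copy of the original content, which is why it is not safe redaction.
    """
    x0, y0, x1, y1 = box
    out = [row[:] for row in img]
    for y in range(y0, y1, block):
        for x in range(x0, x1, block):
            ys = range(y, min(y + block, y1))
            xs = range(x, min(x + block, x1))
            cells = [img[j][i] for j in ys for i in xs]
            mean = sum(cells) // len(cells)
            for j in ys:
                for i in xs:
                    out[j][i] = mean
    return out


def redact(img, box, fill=0):
    """Overwrite every pixel inside box with a constant value (solid block)."""
    x0, y0, x1, y1 = box
    out = [row[:] for row in img]
    for y in range(y0, y1):
        for x in range(x0, x1):
            out[y][x] = fill
    return out


def region(img, box):
    """Extract the pixels inside box."""
    x0, y0, x1, y1 = box
    return [row[x0:x1] for row in img[y0:y1]]


def is_fully_redacted(img, box, fill=0):
    """Pre-send check: nothing of the original survives inside box."""
    return all(v == fill for row in region(img, box) for v in row)


def distinguishable(method, img_a, img_b, box):
    """True if `method` leaves a difference between two images that differ
    only inside box, i.e. information about the box content leaks through."""
    return region(method(img_a, box), box) != region(method(img_b, box), box)


# Constructed sample: two 8x4 'screenshots', identical except for the
# 'patient name' field occupying columns 2..5, drawn with different glyphs.
def make_screenshot(name_pattern):
    img = [[255] * 8 for _ in range(4)]  # white background
    for y, row in enumerate(name_pattern):
        for x, v in enumerate(row):
            img[y][2 + x] = v
    return img


NAME_A = [[0, 255, 0, 255], [255, 0, 255, 0],
          [0, 255, 0, 255], [255, 0, 255, 0]]      # fine checkerboard
NAME_B = [[0, 0, 255, 255], [0, 0, 255, 255],
          [255, 255, 0, 0], [255, 255, 0, 0]]      # coarse blocks
NAME_BOX = (2, 0, 6, 4)
SHOT_A = make_screenshot(NAME_A)
SHOT_B = make_screenshot(NAME_B)

if __name__ == "__main__":
    print("pixelation leaks name:", distinguishable(pixelate, SHOT_A, SHOT_B, NAME_BOX))
    print("solid fill leaks name:", distinguishable(redact, SHOT_A, SHOT_B, NAME_BOX))
    print("redacted image passes check:", is_fully_redacted(redact(SHOT_A, NAME_BOX), NAME_BOX))
    print("pixelated image passes check:", is_fully_redacted(pixelate(SHOT_A, NAME_BOX), NAME_BOX))
```

The `is_fully_redacted` check is the useful part in practice: run it (or its equivalent on a real image) over every box you redacted before attaching the file, and remember it only tells you about pixels, not about metadata or thumbnails carried alongside the image.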

Notes on ‘Responsible Disclosure’

In the wider tech world there is a concept of Responsible Disclosure (also called coordinated disclosure), which encourages discreet private reporting of issues to the software company, particularly where there are serious security implications. This enables the software company to create a fix before the vulnerability is widely known, and is generally seen as a good thing in that industry. It rests on the assumption that a fix can be produced and deployed before anyone is harmed, and on that basis it should work fine for most NHS cybersecurity issues.

However, in Clinical Safety this balance is further complicated by the ongoing clinical safety risk being run and the potential implications for affected patients of continuing to use a system with safety issues. If patients are being actively harmed then it’s not the time for discreet quiet disclosure to the system supplier.

Beware though, because raising a concern publicly, or outside your own organisation, is what the NHS calls whistleblowing (a public interest disclosure), and the NHS has a long and appalling history of persecuting whistleblowers.