Clinicians and technologists behind a number of medical devices registries being brought together by NHS England on a new common platform have accused the health service of flouting public sector procurement regulations.
The ongoing procurement process for NHS England’s Outcomes and Registries Platform (ORP) continues to draw concerns over the state of the project’s data security practices, amid claims that the whole enterprise may be riding roughshod over compliance with public sector procurement regulations.
The ORP project is designed to bring together various, world-renowned clinical devices registries, established over many years by medical specialists and technologists, that act as a repository of data to support the NHS in the nationwide operation and management of clinical services. They enable the commissioning of services, the introduction of new treatments and better identification of effective (or ineffective) treatments, a large range of quality assurance processes, research and policy development, and help to ensure patient safety.
Earlier this year, Computer Weekly reported how the project’s login page was accessible to anybody with an internet connection, rather than via the Health and Social Care Network (HSCN), and was not protected by multifactor authentication (MFA), which runs contrary to NHS England rules.
Responding at the time, NHS England said that it was moving to enhance security on the ORP platform and MFA has been implemented since that article was published.
This has gone a little way to alleviating some of the worries previously highlighted by the Federation of Clinical Registries (FCR), a group of registry-lead healthcare professionals and technologists who are concerned about the ORP programme’s direction of travel, and say they are being repeatedly sidelined by NHS England when they try to raise their doubts.
According to the FCR, other security concerns are going unaddressed by NHS England, allegedly including far deeper data protection issues that have been ignored.
“Even though they’ve introduced MFA, what have they done about the fact that practically anybody can register for that system? Things are being sent around on spreadsheets and users are being pre-registered in bulk without even asking whether they want to be on the system,” an FCR representative said, speaking to Computer Weekly on condition of anonymity. According to responses supplied to the FCR, there are at least 6,000 registered users, and only 900 of those are classed as “active” users.
“It’s [also still] sat on the internet, which goes against the cloud security guidelines for Class Five data. The FCR has repeatedly chased the NHS England Cyber Security Department for clarification on these security issues.”
Class Five data is defined within the NHS as cloud-hosted data that carries the highest level of risk. Official guidance holds that operating services at this level requires “board-level organisational commitment, following specialist advice and guidance”.
The FCR representative said that NHS England should be aware of the risks to the various datasets because one of the existing registries, the National Major Trauma Registry (NMTR), previously known as the Trauma Audit and Research Network (TARN), was compromised by a ransomware gang in a 2023 attack on the University of Manchester. The university no longer runs the registry in question.
Responding to questions over the ongoing security concerns, NHS England told Computer Weekly that the system conformed to NHS cyber security guidance and that there was no specific requirement for it to be part of the HSCN.
Contract award
The FCR also said that it has significant concerns over the process of how the ORP contract was awarded in the first place. The genesis of the FCR was a perceived threat to established world-renowned registries following the issue of a new draft contract by NHS England, which the established registries say they saw as “essentially a notice to quit”.
In the wake of this, the FCR said it found many issues, including instances where registry contract payments were withheld, data flows to key registries stopped, registry projects stalled, and historical data left unavailable or deleted because legal contracts had been allowed to expire. Subsequently, FCR contacts within NHS England told the group that Japanese supplier NEC had been tapped to develop the wider ORP platform and the various registries in scope, in light of which the FCR set out to try to find out more about how that contract came to be awarded.
What it uncovered was a contract worth about £1m dating to March 2023, described as “somewhat vague” in its nature, that covered the initial development of ORP including integration of two of the clinical registries, vascular diseases and joint conditions, into the platform. At the time of writing, this has not yet been delivered.
However, the FCR was unable to establish any other details of the contract via the government contract finder service – which is where they would normally be published, albeit often in redacted form.
“We then became aware that they [NEC] were working on multiple other registries which didn’t get any mention in what we could see about the contract. All we had was the title, so it was very difficult for us to know what it was covering and what it was not,” said the FCR representative.
“Every time we asked them, they just kept pointing back to the original contract and saying it covers all this work on cochlear, breast implants, ligaments, everything. But there was no reference to that in the title, so we thought this can’t be true.”
The FCR started to file freedom of information (FoI) requests to try to establish the costs of the development of the individual registries and their integration into ORP, but was told there were no further details to share.
Undeterred, the group continued to escalate through the Information Commissioner’s Office (ICO), which over the summer of 2024 found that NHS England had failed to comply with the group’s requests appropriately.
However, according to the FCR’s version of events, its contacts within NHS England subsequently found another ORP contract for £1.24m, awarded to NEC on 23 February 2024 but officially unpublished until 11 July 2024, almost three months after a question had been raised about it in the House of Commons.
“They didn’t disclose it in response to the MP in Parliament, they didn’t disclose it when we were doing all the FoIs, they didn’t disclose it on the public website where all the contracts are meant to be published. It wasn’t on there and when the FCR asked the senior responsible owner [SRO] for that programme, they didn’t disclose it either. They kept pointing back to that original contract.
“We couldn’t understand how all these other registries were being developed under that initial contract, and they kept saying, it’s covered by that. Well, actually they’re all in the second contract,” said the FCR representative.
A further claim made by the FCR is that both of the contracts were directly awarded to NEC without following proper process and without a proper market evaluation. Responding to the FCR’s questions, the NHS England ORP SRO at the time said that a market evaluation was conducted, but the NHS England transformation director has since changed tack on this, saying it was not. This situation has led to resentment among FCR members, who feel it is they – rather than NEC – who have proven expertise in the delivery of medical registries.
NHS England said that its response to the ICO related to the contracts and expenditure in place at the time of the FCR’s initial request, and that it has now provided “further details to the ICO’s satisfaction”.
Following the rules
Additionally, the FCR said the publication of the second NEC contract some months after it was awarded suggests that those in charge of the procurement are trying to retroactively wave it through and give the appearance that the rules have been followed.
The ORP contract timeline became murkier still in August and September 2024, when a new procurement process appeared to kick off, which this time took the form of a request for information (RFI), followed by a demonstration from suppliers and then the award of a contract, initially appearing to cut out the tender process entirely.
“Suppliers asked, ‘What’s the specification for the system?’, and NHS England said, ‘We’ll only disclose the specification for the system to the winning bidder’. How does that make any sense?” said the FCR representative.
Coupled with the publication of the second NEC contract some months after it was awarded, the convoluted processes involved in what should have been a straightforward procurement have lent additional weight to the FCR’s belief that the ORP project is being retroactively given the green light.
“They know they haven’t followed the right processes and now it’s just a case of trying to protect themselves. All of these non-responses to FoIs, they’re trying every trick in the book to avoid landing themselves in it,” said the FCR’s whistleblower.
NHS England said that the contracts had been awarded under established framework agreements, with details of both available via Contracts Finder. However, responding to the FCR’s concerns over costs, it said these were withheld for commercial confidentiality reasons under section 43(2) of the Freedom of Information Act 2000.
The organisation confirmed that it had issued a single RFI for the new contract, which is currently live, and said all respondents were being kept informed of progress and timescales for engagement.
An NHS England spokesperson told Computer Weekly: “The tracking and monitoring of devices and implants is crucial for patient safety, and the Outcomes Registries Platform meets all appropriate standards in cyber security and data protection. We are running an open and transparent procurement process for the next phase of the programme.”