NHS trusts warned that ‘legacy debt’ could pose patient safety risk

Clinical safety officers (CSOs) have warned that patient safety could be put at risk by healthcare organisations’ historical failure to comply with digital clinical safety standards.

The Digital Health Networks CSO Council has issued an advisory statement for NHS trusts and integrated care boards about the potential consequences of not completing tasks such as hazard logging and safety case reporting for software.

It follows a BBC investigation, published in May 2024, which found 126 instances of serious harm linked to IT issues across 31 trusts, including three patient deaths. 

“There will be a lot of trusts which have this ‘legacy debt’ of systems that they have had for many years, where they either haven’t asked the manufacturer for their side of the deal (which is required under DCB 0129) or they haven’t done their side of the deal in house (which is required under DCB 0160),” said Faye Clough, lead clinical safety engineer and CSO at Northumbria Healthcare NHS Foundation Trust.

She told Digital Health News that this could lead to “patient safety incidents, reports of IT incidents, IT errors, and the reputational damage that could come out of that for trusts”.

“A potential scenario might be that a clinical safety officer wasn’t involved in the procurement of a new software.

“If you didn’t ask the manufacturer if  they complied with DCB 0129, you’ve got no assurance that they’ve looked at all the risks of their software.

“It’s essentially like buying a house without having a house survey done. You don’t really know what you get in terms of safety for that product,” Clough said.

The issue of legacy debt is particularly relevant because NHS England launched a review of digital clinical safety standards in December 2024, with the standards likely to be strengthened in 2025.

“This is a patient safety issue because essentially there is no regulator for software in the NHS.

“Medical devices have to be regulated by the Medicines and Healthcare products Regulatory Agency, but you can get software into the NHS that has had no regulation behind it.

“Although these standards have been around since 2012, they’ve been poorly enforced because some healthcare organisations have not had CSOs in post,” Clough added.

The CSO Council recommends taking practical steps to mitigate legacy debt, such as running regular audits and putting issues onto a risk register to be reviewed by top management.

Chair of the CSO Council Ben Jeeves, outgoing associate chief clinical information officer and CSO at Midlands Partnership NHS Foundation Trust, said: “Tackling legacy debt is a significant challenge, given the often large scale of retrospective work that would be required.

“Where legacy debt exists, achieving 100% safety case compliance is unlikely to be achievable in many cases.

“Taking a higher-level approach might be beneficial for organisations, reviewing each system and applying a risk scoring, in order to map out the overall level of risk.

“Where there are stand out systems that would really benefit from a retrospective safety case being completed, these can be considered as part of existing safety case pipelines and programmes of work.”

Read the CSO Council’s advisory statement here.