The weekly newsletter that unpacks system leaders’ priorities for digital technology and the impact they are having on delivering health services. This week, written by Ben Clover and Ella Devereux.

This week, HSJ reported that patients were discovering suspected cancer results in the NHS App before hearing from a clinician.

The story highlighted multiple cases where serious scan results or oncology referral letters had appeared in the app before hospitals or GPs had made contact.

NHS England said guidelines were “clear” that patients should not receive diagnoses for serious conditions through digital channels without adequate support or context.

So what is going wrong, and is the app actually to blame?

Many commenters argued this is less about the technology and more about the underlying processes and capacity. As one put it, there is a “clinical workflow lag that sits behind it”.

Most patient data is released in real time to the NHS App, while a minority of more sensitive results can be delayed. Trusts are responsible for setting the delay periods and, as such, they can be inconsistently applied.

Some told us it was due to a primary/secondary disconnect: GPs upload documents to the App, and they often have no idea whether hospital teams have been in direct contact with the patient.

Others noted that the issue long predates the NHS App. One commenter recalled patients receiving physical letters inviting them to cancer clinics before their GP had contacted them, showing that digital systems are now exposing delays that have always existed.

And not everyone thinks delaying results is in patients’ best interests. Several people said early access gave patients time to prepare emotionally and practically. In some cases, it allowed them to chase the hospital sooner, accelerating treatment planning.

So is early access to results a problem? It may ultimately come down to personal preference. But there was broad agreement that clinicians will have to be more responsive if the NHS App is to serve as the effective “digital front door” the government envisages.

Cyber secure-er?

New legislation will ban public bodies from paying ransoms after cyberattacks. Has the NHS ever done so?

Not officially, but healthcare providers overseas have, and the victim of last year’s deadly attack in South London would not confirm that it did not. Given that the NHS’s vast array of only-sometimes-secure suppliers is its major point of vulnerability, banning the payments by NHS trusts themselves might be a moot exercise.

Synnovis, whose lack of basic two-factor authentication allowed the attackers in last summer, has just confirmed, remarkably, it has finally begun alerting organisations whose data was affected.

The company, which is majority privately owned but is a partnership with Guy’s and St Thomas’ and King’s College Hospital foundation trusts, said this followed an investigation that had “taken a large team of forensic experts and data specialists more than a year” to piece together what had been stolen and put on the dark web.

The responsibility is now with the affected organisations to alert patients.

It is worth remembering at this point that major Synnovis customers are also GSTT and King’s, both of which have extensive private patient units often treating very wealthy individuals from abroad.

You would think these patients – and all the other tens of thousands of people affected – would already have been informed, but the trusts this morning said they were analysing what Synnovis had given them.

As well as two of the country’s biggest trusts and primary care covering 2 million people, Synnovis has its own private sector clients. The legal implications – will the company be sued by its NHS minority shareholders? – are not yet in the public domain but must be on leaders’ minds.

Big business

Cyber attacks are big business: earlier this year, it was confirmed the 2024 attack had cost Synnovis £33m and the South East London health system £36m.

The Download is aware of large trusts that have investigated getting insurance for cyber attacks, but in some cases, the premiums have proven so high it is better value to cross your fingers.

The issue is wide-ranging. Earlier this year HSJ revealed a cyber attack had taken down the security system at Broadmoor Hospital.

The amount of government bailout required for medical devices firm NRS Healthcare is not yet known, but one of its problems was being locked out of its systems by a cyber attack last year.

Hospital trusts in Cheshire incurred £3.7m costs as a result of their cyber attack at the end of 2024.

And mental health record supplier Advanced was fined £3m by the Information Commissioner’s Office in March, on top of £25.8m in remediation costs over two years since it was attacked in 2022.

And just five days ago the cyber-gang Clop listed the NHS as one of the organisations it had compromised through an Oracle E-Business Suite exploit.

The well-respected central NHS cyber security team are doing what they can to try to get supply chain vulnerabilities under control. But at the trust level, there often is not the resource to tighten this up.

Organisations should start thinking of a major cyber attack in the same way they would a fire, flood or other disaster, ie, something they need an emergency preparedness plan for.

And as consultant Saif Abed put it at a recent conference, if your trust’s cyber security plan was not written with the clinical leads involved, then it might not be able to keep providing safe care when (not if) an attack cripples information systems.

And of course, these are not the only things that can go wrong with large IT systems.

NHS fallout from the most recent DNS outage, this time of security firm Cloudflare, appears to be limited. However, given that it stopped ChatGPT from working for a while, it probably did disrupt the many NHS doctors who use that service. And one notable customer of Cloudflare is… The National Cyber Security Centre.