Paul S Weston, review & accreditations director at ORCHA, the organisation for the review of care and health apps writes about the mandatory Digital Health Assessment Criteria which new products must pass ahead of being commissioned by the NHS.
Introduced in early 2021, the NHS England Digital Technology Assessment Criteria for health and social care (DTAC) is a benchmark which all digital health products or health apps must reach if they are to be commissioned by NHS England.
The DTAC is a coming together of certificates and standards which the NHS have been using for several years, so adopting this at a national level and with a national mandate has been a welcome step towards best practice. However, one year on from launch the DTAC is still feeling very new to many digital health innovators and healthcare providers.
In short, the DTAC ensures a digital health product or health app is fit for purpose. Its objective is to ensure this new generation of digital tools is safe, secure, and usable. It tests products for usability and accessibility plus technical security and robustness. It also considers clinical safety and risk, medical device regulations, data protection and interoperability, amongst many other factors, depending on the nature of the product.
When developers do take their products through the DTAC process, we are finding some common pitfalls. What can be done to avoid these?
Many developers overlook mandatory Clinical Safety Officer training in clinical risk management. This training is essential to demonstrate an understanding of the principles of safety, risk management and risk mitigation. The course is just a day long and can be done online through NHS Digital as well as third party providers (Clinical Risk Management Training - NHS Digital). The developer’s clinical safety officer needs to make time to attend.
Next, we often find that penetration and security testing is out of date for a digital product or has not been carried out to the required specification. This testing is expensive, so it is often put off. It can also be challenging to find suitably qualified professionals to carry out the testing. But the summary reports are essential, and the common vulnerability scores the product is given will indicate whether it will meet key DTAC criteria. The testing explores the top things hackers will look for, scrutinising the robustness and the code behind a product. The test must have been carried out within the last 12 months and achieve a Common Vulnerability Scoring System (CVSS) score of 7.0 or above against the Open Web Application Security Project (OWASP) Top 10 vulnerabilities. More information and links to approved testers can be found at Penetration Testing - NCSC.GOV.UK.
Finally – a simple bit of admin, but one which often causes delays in the DTAC process. Anybody who has access to administrative features, including the software developers, must be able to demonstrate multi-factor authentication. This means two separate factors are checked at login.
The following pointers should also help to make your DTAC assessment a smooth ride:
- Adopt an exam technique to all the paperwork. It helps to organise your documentation against the specific requirements – and only include relevant information. Some sort of indexing system or evidence tracker will be immensely helpful, given all the paperwork.
- Be aware of differing lead times for any evidence which must be externally validated and ensure the evidence is indeed still valid and not outside of expiry dates.
- Expect the initial DTAC process to take two to three months. If it has taken longer than six months, that should be a warning bell that certain aspects are not in place.
- Then view the process – and the compliance it achieves – as a moving feast. Your digital product is being benchmarked against many regulations, which may change; you may update your product, or documents might expire and need to be re-submitted.
Shortly after the launch of the DTAC, ORCHA was commissioned by developer Wellmind Health to achieve certification for two of its products – Pathway Through Pain and Be Mindful.
Commercial director Sarah Germaney said: “We were looking for something that would differentiate the quality of our apps, so that we could demonstrate that they had been assessed against accessibility, usability and data security.”
The Wellmind Health team had some background in NHS requirements as their products had featured on the NHS Apps Library before the library was taken down. However, whilst they had many aspects covered, the DTAC brought in more requirements, particularly relating to privacy and quality, data sharing and cyber security. A Cyber Essentials assessment was required, as was a data protection impact assessment.
Germaney said: “This was a real partnership with ORCHA, with much back and forth over several months. There are a lot of processes you have to have in place which rely on other factors.

“Overall, I would say to developers that this process is tough – it isn’t easy – because there’s a very robust examination of all your processes. They may be proved compliant, but many details still require thorough scrutiny. Our rationale for going through this was that we wanted anyone in the NHS to be confident that our products met all their criteria.”
As the Wellmind Health team has reflected, the DTAC gives valuable third-party validation, which should give confidence when speaking with individual NHS organisations and reduce potential delays in demonstrating compliance.
Getting through the process will take staying power but there are numerous support offerings available to digital health suppliers. These range from substantial offers where third-party organisations assume responsibility for certain sections of the DTAC to external quality assurance programmes which offer unlimited re-reviews aligned to your product roadmap. In all instances, do your homework and ensure that the solution you opt for is right for your business and reflective of your skills and competences.