Leading provider of medical and surgical patient services achieves Level 2 NHS N3 compliance
This case study shows how IT Governance helped SpaMedica connect to the N3 network. Call us on +44 (0) 845 070 1750 to discuss your own NHS N3 compliance requirements.
SpaMedica Case Study
In the 21st century, quality in healthcare is essential: there is a growing demand for improved and reliable services.
Patients now expect a greater choice of hospitals, faster results from their clinical tests, and more flexibility over the date and time of their appointments. N3, the NHS national broadband network managed by NHS Connecting for Health, exists to enable the provision of these services. Achieving N3 compliance is therefore a fundamental requirement for every organisation that needs to connect to the network in order to do business with the NHS.
SpaMedica turned to IT Governance for help to achieve their goal to connect to the N3 network.
N3 is the name for the National Network, which replaced the private NHS communications network NHSnet. Implementation of N3 began in April 2004 and, at present, it is one of the largest Virtual Private Networks in Europe.
N3 is vital in providing the essential technical infrastructure through which benefits to patients, clinicians and the NHS can be realised and sustained in the future. Managed by NHS Connecting for Health, N3 enables the provision of new services needed to improve patient care, such as electronic booking services, electronic prescription services, NHS care record services, imaging services and communications systems.
Because N3 carries personal and commercially sensitive information, it is no surprise that every supplier wishing to connect to the network must meet the strict requirements set out in the NHS Information Governance (IG) Toolkit.
Level 2 is the minimum level at which an organisation can connect to N3 and must be achieved by all organisations that fall under the information assurance responsibility of the Department of Health. Depending on the services provided, these organisations are referred to in the IG Toolkit as either a Commercial Third Party or an NHS Business Partner.
Commercial Third Parties are generally organisations that provide services to the NHS, typically IT-related services that do not directly involve patients, e.g. IT support providers to the NHS or organisations that host or manage the N3 connection on behalf of another, non-NHS, organisation.
Business Partners are organisations that treat patients on behalf of the NHS and receive patients from the NHS in addition to receiving patients through other routes, e.g. independent healthcare providers.
IT Governance Ltd’s client, SpaMedica, specialises in eye treatments and, as a provider that treats NHS patients, falls into the Business Partner category.
‘In bidding for new NHS contracts’ said SpaMedica’s CEO, Anil Pitalia, ‘we are required to demonstrate we have good information governance in place. NHS Connecting for Health are requesting compliance with the IG Toolkit. Very often organisations do not know all the benefits available to them if they have an N3 connection. One obvious advantage is the ability for GPs to book patients into our hospital using the Choose & Book application.’
‘Having worked as a clinician and NHS consultant for 20 years, I am well aware of my and my hospital’s obligations in terms of information security,’ continues Anil. ‘However, translating these into a policy and documented procedures was a challenge.’
‘My employees did not have the time or experience to progress this project in a sensible timescale. Small companies like ours do not have their own information governance departments, unlike an NHS Trust,’ said Anil Pitalia. ‘Therefore, I turned to IT Governance for specialist help. IT Governance took the IG Toolkit policies and tailored them to fit SpaMedica’s business processes.’
In order for SpaMedica to become an NHS Business Partner, all the deliverables required for Level 2 compliance had to be completed. These requirements form part of the IG Toolkit, a performance tool produced by the Department of Health. Organisations carry out self-assessments of their compliance against IG requirements that are derived from the rules and central guidance set out in the Data Protection Act 1998, the Confidentiality: NHS Code of Practice, the international information security standard ISO/IEC 27002:2005, the Information Security: NHS Code of Practice, and others.
The requirements for each organisation type are available at the NHS Information Governance Toolkit website www.igt.connectingforhealth.nhs.uk. A new version of the IG Toolkit is released in June/July each year, and organisations are expected to resubmit the IG Toolkit assessment in order to stay connected.
Information governance is concerned with the way organisations ‘process’ or handle information. There are different sets of IG Toolkit requirements for different organisational types. However, all organisations have to assess themselves against requirements for:
management structures and responsibilities (e.g. assigning responsibility for carrying out the IG assessment, providing staff training, etc.);
confidentiality and data protection; and
To achieve connection to NHS N3 and to acquire the necessary knowledge to implement the resulting plan, SpaMedica turned to governance and compliance specialists IT Governance Ltd.
‘The benefit to us in having a specialist consultant on board is that it allowed me and my team to get on with our day job, which is that of treating patients, while IT Governance (ITG) took care of all the N3 connectivity related issues.’
During the consultation process with SpaMedica, IT Governance Ltd split the N3 Connecting for Health challenge into two areas:
The first area focuses on delivering a complete NHS IG Toolkit submission set, with all relevant information gathered according to an agreed project plan. The bulk of this activity consists of developing information security and governance policies. For SpaMedica, IT Governance Ltd prepared an information asset list and conducted a basic risk assessment, including identifying information flows and ‘safe havens’ (the secure locations and procedures used for receiving and handling confidential information). IT Governance’s consultant reviewed the eye clinic’s existing third-party contracts, advised on the changes that would be required and prepared sample contracts. Furthermore, since at Level 2 an organisation has to provide documented evidence of the processes, controls, audits and training it has in place, IT Governance Ltd developed job descriptions, training records, meeting minutes and an audit schedule for the clinic, together with change control procedures, a staff handbook, a user agreement and system monitoring reports.
IT Governance managed the entire N3 submission process for SpaMedica: uploading the evidence, recording actions to produce any items still missing, and developing the resulting ‘improvement plan’. Once the self-assessment scoring was complete, SpaMedica’s CEO, Anil Pitalia, approved and submitted the application.
‘The ITG consultant knew what had to be done and simply asked me to review the documentation and ensure it was appropriately tailored and fit for our hospital’s purpose.’
Mentor and Coach
The second area of support, which IT Governance offers when advising organisations on compliance issues, can be described as mentoring. IT Governance guided SpaMedica through the process so that the company was confident enough to take ownership of all the outputs of the N3 application. Understanding the requirements was essential, particularly because N3-connected organisations need to reconfirm their status through the annual resubmission of the IG Toolkit assessment.
The challenge for SpaMedica was to adopt all the resulting policies, form an internal information governance team, assign the required job roles and, most importantly, own the resulting ‘improvement plan’, which the IG Toolkit generates automatically from the self-assessment. Where a particular requirement was not yet fully met, the company could define an action to complete it. One such action was to train staff on all modules of the NHS e-learning website. SpaMedica appointed named individuals to complete specific tasks, and these were recorded on the improvement plan.
It took the NHS authority approximately two weeks to confirm to SpaMedica that their self-assessment had been accepted. Feedback from the NHS included the comment that it was “one of the best [they] have seen”.
‘We are pleased to have worked with IT Governance. The IG website can be quite daunting. We did not want to be held back in business – completing the IG Toolkit was a mandatory requirement for our hospital to be CfH compliant,’ comments Anil.
‘We turned to IT Governance as they had the expertise and experience of helping organisations comply before and so took the stress away, allowing us to concentrate on other things. IT Governance helped us achieve a suitable balance and priority for information governance, providing advice and assurance on the implications of the process; it was reassuring to have a partner that has the relevant experience.’
Although organisations approved for N3 connection at Level 2 are not required to achieve Level 3, they should be working towards Level 3 compliance in the long run.
Level 3 goes a step further and is broadly equivalent to having an ISO27001 information security management system in place. An organisation has to demonstrate, with evidence, that all its processes and records are documented and that it reviews what it has in place through regular audits, risk assessments and review meetings.
Regarding SpaMedica’s future plans, Anil says, ‘I hope that the IG Toolkit requirements will become more transparent and that, with N3 compliance already achieved, our hospital is well placed for whatever changes there might be. Indeed, we intend for SpaMedica to move toward ISO27001 in due course, if not this year then maybe next, once the organisation is bedded in.’
‘I am reassured that IT Governance are available to continue to support us.’
IT Governance are able to offer ongoing support in the form of a managed service: either conducting audits for clients at the level required, or training staff members to conduct the audits themselves, so as to minimise the cash cost of maintaining connectivity. A higher level of information security can be achieved and maintained through training, an area in which IT Governance are well versed.
Finally, when talking to one of IT Governance’s Directors following achievement of N3 connection, Anil said,
‘Organisations like yours deserve to do well.’
Just as we have helped SpaMedica achieve N3 Connecting for Health IG Toolkit compliance on time and within budget, so we can help you. Call us now on 0845 070 1750.