Incident: Outdated NHS Wales IT System Outages Impact Patient Care

Published Date: 2018-11-08

Postmortem Analysis
Timeline 1. The software failure incident happened in the first half of the year mentioned in the article [78033]. Estimation: Step 1: The article was published on 2018-11-08. Step 2: The article mentions that there were 21 systems outages in the first half of the year. Step 3: Considering the first half of the year would be from January to June, the software failure incident likely occurred in the first half of 2018.
System The software failure incident in the NHS Wales IT system involved the following systems: 1. NHS Wales Informatics Service (NWIS) [Article 78033] 2. Cancer IT system, CaNISC [Article 78033]
Responsible Organization 1. The NHS Wales Informatics Service (NWIS) was responsible for causing the software failure incident as highlighted in the report due to outdated systems and failures impacting patients [78033].
Impacted Organization 1. Patients in the Welsh health service [78033] 2. Staff at Cardiff's Velindre Hospital [78033] 3. Cancer patients in Wales [78033]
Software Causes 1. Outdated and dysfunctional IT systems within the NHS Wales Informatics Service (NWIS) leading to 21 systems outages in the first half of the year [78033]. 2. Lack of support from Microsoft for the cancer IT system, CaNISC, since 2014, posing a cyber security risk [78033].
Non-software Causes 1. Outdated and paper-based records leading to reliance on obsolete systems [78033] 2. Funding constraints leading to pressure on maintaining existing systems while trying to deliver new ones [78033]
Impacts 1. The software failures in the Welsh health service had a negative impact on patients, with 21 system outages in the first half of the year, affecting patient care and experience [Article 78033]. 2. Outdated, paper-based records were relied upon when electronic records could have led to better patient care, indicating a lack of efficiency and potential risks to patient safety [Article 78033]. 3. The cancer IT system, CaNISC, posed a cyber security risk as Microsoft stopped providing support for the system in 2014, potentially putting cancer patients in Wales at risk and creating unnecessary stress for those undergoing treatment [Article 78033]. 4. Data outages were becoming common, affecting appointments, prescriptions, and the overall functioning of healthcare practices, causing disruptions for both clinicians and patients [Article 78033].
Preventions 1. Regular maintenance and updates of the IT systems could have prevented the software failure incident by ensuring that the systems are up-to-date and secure [78033]. 2. Implementing a proactive approach to cybersecurity by addressing the risks associated with outdated systems, such as the cancer IT system CaNISC, could have prevented cyber security vulnerabilities [78033]. 3. Investing in modernizing the IT infrastructure and transitioning from paper-based records to electronic records could have prevented reliance on outdated systems and improved patient care [78033].
Fixes 1. Conduct a thorough review of the senior leadership capacity within both NWIS and the wider NHS digital team [78033]. 2. Implement a digital transformation in Welsh healthcare to improve the outdated IT systems [78033]. 3. Address the funding constraints to support the delivery of new digital systems while maintaining the existing ones [78033]. 4. Upgrade the cancer IT system, CaNISC, to eliminate cyber security risks and ensure patient safety [78033].
References 1. Public accounts committee chairman Nick Ramsay 2. Committee members 3. Richard Pugh, head of services at cancer charity Macmillan in Wales 4. Auditor General for Wales 5. Dr. Peter Saul, Royal College of GPs in Wales

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization (a) The software failure incident having happened again at one_organization: The article reports on the ongoing software failures within the NHS Wales Informatics Service (NWIS) in the Welsh health service. The report highlighted that there were 21 systems outages in the first half of the year, indicating a recurring issue within the organization [78033]. (b) The software failure incident having happened again at multiple_organization: There is no specific mention in the article about the software failure incident happening at multiple organizations.
Phase (Design/Operation) design, operation (a) The software failure incident related to the design phase is evident in the article. The outdated and dysfunctional computer systems in the Welsh health service, managed by the NHS Wales Informatics Service (NWIS), were highlighted as causing failures with a negative impact on patients [78033]. The report by the public accounts committee raised concerns about the competence, capability, and capacity of NWIS in delivering technology and digital services for patient care in Wales. Issues such as reliance on outdated, paper-based records instead of electronic records for better patient care, the cyber security risk posed by an obsolete cancer IT system, and delays in digitizing patients' NHS records all point to failures introduced during the design and development phases of these systems. (b) The software failure incident related to the operation phase is also evident in the article. The report mentioned 21 systems outages in the first half of the year, impacting patient experience and staff morale at Cardiff's Velindre Hospital [78033]. The cancer IT system, CaNISC, was highlighted as a particular problem, with evidence that Microsoft stopped providing support for the system in 2014, posing a cyber security risk. Data outages were becoming common, affecting appointments, prescriptions, and the functioning of practices, leading to disruptions that took hours to recover from. These operational failures indicate issues introduced during the operation and maintenance of the systems.
Boundary (Internal/External) within_system, outside_system (a) The software failure incident reported in the article is primarily within the system. The failures in the Welsh health service's computer systems were attributed to outdated systems, lack of digital records, and reliance on paper-based records [78033]. The issues were related to the competence, capability, and capacity of the NHS Wales Informatics Service (NWIS) in delivering technology and digital services for patient care in Wales. The report highlighted problems within the dysfunctional system, including concerns about the impact of outages on patient experience and staff morale at Cardiff's Velindre Hospital [78033]. Additionally, the cancer IT system, CaNISC, was flagged as a particular problem due to the lack of support from Microsoft and the cyber security risk it posed [78033]. (b) The software failure incident also had elements originating from outside the system. The report mentioned that funding constraints were a challenge for NWIS, which was trying to maintain existing systems while under pressure to deliver new ones [78033]. This external factor of limited funding contributed to the difficulties faced by the organization in addressing the outdated systems and digital record challenges within the Welsh health service.
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident in the NHS Wales IT system was primarily attributed to non-human actions, such as outdated computer systems and the lack of support from Microsoft for the cancer IT system CaNISC [78033]. These non-human factors contributed to system outages and posed cyber security risks. Additionally, the reliance on outdated, paper-based records instead of electronic records was highlighted as a factor impacting patient care [78033]. (b) Human actions also played a role in the software failure incident. The report raised concerns about the competence, capability, and capacity of the NHS Wales Informatics Service (NWIS) in managing IT systems effectively [78033]. The committee's inquiry pointed out issues with the current 'patch-and-mend' approach on obsolete IT systems, indicating a need for better decision-making and strategic planning by human actors within the organization [78033].
Dimension (Hardware/Software) hardware, software (a) The software failure incident related to hardware can be seen in the article where the cancer IT system, CaNISC, was highlighted as a particular problem. The report stated that committee members were "alarmed" by evidence that Microsoft stopped providing support for the system in 2014, indicating a hardware-related issue as Microsoft's support for the system ceased [78033]. (b) The software failure incident related to software can be inferred from the overall context of the article, where the outdated computer systems in the Welsh health service were mentioned to be causing failures with a negative impact on patients. The report questioned the "competence, capability, and capacity" of the NHS Wales Informatics Service (NWIS), suggesting software-related issues within the IT systems [78033].
Objective (Malicious/Non-malicious) non-malicious (a) The software failure incident mentioned in the articles does not indicate any malicious intent by humans to harm the system. Instead, the failures are attributed to outdated systems, lack of support from vendors like Microsoft, funding constraints, and challenges in digital transformation within the Welsh health service [78033]. The issues highlighted in the report point towards non-malicious factors contributing to the software failures.
Intent (Poor/Accidental Decisions) poor_decisions (a) The software failure incident in the NHS Wales IT system seems to be related to poor decisions. The article mentions that the system is "outdated" and failures are negatively impacting patients, with the public accounts committee questioning the "competence, capability, and capacity" of the NHS Wales Informatics Service (NWIS) [78033]. Additionally, the report highlighted issues with the cancer IT system, CaNISC, where Microsoft stopped providing support in 2014, posing a cyber security risk. The report also criticized the reliance on outdated, paper-based records instead of electronic records for better patient care [78033]. These factors suggest that poor decisions and inadequate planning may have contributed to the software failure incident.
Capability (Incompetence/Accidental) development_incompetence (a) The article reports on a software failure incident related to development incompetence within the NHS Wales Informatics Service (NWIS). The public accounts committee chairman highlighted concerns about the "competence, capability, and capacity" of NWIS in managing the IT systems, indicating that the outdated computer systems and failures were negatively impacting patients [78033]. (b) Additionally, the article mentions accidental software failures, such as data outages, becoming common and disruptive for practices and patients in Wales. Dr. Peter Saul from the Royal College of GPs in Wales emphasized the critical nature of IT systems for clinicians and how data outages can significantly disrupt appointments, prescriptions, and the functioning of practices [78033].
Duration temporary The software failure incident reported in Article 78033 was temporary. The article mentions that there were 21 systems outages in the first half of the year, indicating that the failures were intermittent or temporary in nature rather than permanent [78033]. Additionally, the report highlighted issues with the cancer IT system, CaNISC, which posed a cyber security risk after Microsoft stopped providing support in 2014. This suggests that the failure was due to specific circumstances rather than being a permanent issue [78033].
Behaviour crash, omission, value (a) crash: The article mentions that there were 21 systems outages in the first half of the year within the Welsh health service, indicating instances where the systems failed to perform their intended functions, which aligns with the concept of a crash [78033]. (b) omission: The report highlighted concerns about the impact of outages on patient experience and staff morale at Cardiff's Velindre Hospital. It was mentioned that the cancer IT system, CaNISC, posed a cyber security risk after Microsoft stopped providing support for it in 2014, indicating instances where the system omitted to perform its intended functions [78033]. (c) timing: The articles do not provide specific information indicating failures related to timing. (d) value: The report mentioned that continuing with the current 'patch-and-mend' approach on an obsolete IT system could put cancer patients in Wales at risk, indicating instances where the system performed its intended functions incorrectly, leading to potential harm [78033]. (e) byzantine: The articles do not provide specific information indicating failures related to a byzantine behavior. (f) other: The articles do not provide specific information indicating other types of software failure behaviors.

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence no_consequence (a) death: People lost their lives due to the software failure (b) harm: People were physically harmed due to the software failure (c) basic: People's access to food or shelter was impacted because of the software failure (d) property: People's material goods, money, or data was impacted due to the software failure (e) delay: People had to postpone an activity due to the software failure (f) non-human: Non-human entities were impacted due to the software failure (g) no_consequence: There were no real observed consequences of the software failure (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? The articles do not mention any direct consequences such as death, physical harm, impact on basic needs, property loss, or non-human entities due to the software failure incident at NHS Wales. The focus is more on the negative impact on patient care, staff morale, and the need for digital transformation in healthcare. Therefore, the consequence of the software failure incident falls under the category of 'no_consequence' as there were no real observed consequences mentioned in the articles [78033].
Domain health, unknown (a) The failed system was intended to support the health industry, specifically the Welsh health service. The NHS Wales Informatics Service (NWIS) was established in 2010 to deliver technology and digital services for patient care in Wales, including establishing electronic patient records [Article 78033]. The system failures in the Welsh health service were having a negative impact on patients and staff morale at hospitals like Cardiff's Velindre Hospital [Article 78033]. (b) No information available. (c) No information available. (d) No information available. (e) No information available. (f) No information available. (g) No information available. (h) No information available. (i) No information available. (j) The failed system was directly related to the health industry, focusing on healthcare services in Wales [Article 78033]. (k) No information available. (l) No information available. (m) No information available.

Sources

Back to List