The NHS is a highly regulated organisation that prioritises transparency and compliance in everything it does. Nowhere is this more important than in digital development, where issues of security, privacy and risk management are especially critical.
To address these issues, the NHS uses the Digital Technology Assessment Criteria for health and social care (DTAC). It is a national baseline set of criteria that brings together legislation and good practice for anyone developing digital health technologies for the NHS.
This article looks at how DTAC impacts software and app development, and how your Trust can leverage the power of no-code platforms to effectively meet its requirements.
DTAC is designed to give staff, patients and citizens confidence in using the NHS's digital health tools. It means that healthcare organisations - like NHS trusts - can easily assess the technology they develop.
Any new digital technology, including pilots and trials, is required to be assessed using DTAC. This includes apps, web-based portals, systems and patient-facing digital tech.
And, if you're developing multiple products for the NHS, each one should be assessed separately against the criteria.
To be DTAC compliant, tools must meet standards in the following areas:
The aim is to maintain a consistent approach across all digital health tools, so DTAC involves answering a set list of questions, ensuring that all the evidence being reviewed is the same.
DTAC is important for assessing external suppliers, both at the point of procurement and during the development process to ensure due diligence.
For external organisations who work on NHS projects regularly, this can be helpful. It provides a clear set of guidelines that you can get to know and understand.
However, developing one-off digital solutions in this way can be another story. While it is critical that all tools are properly regulated, the compliance rules can prove too rigid for some teams. With such a specific framework to stick to, many developers struggle to meet the standards and innovation slows down.
So, what's the answer?
We know that no-code platforms are helping to speed up innovation when building NHS apps. And, because App Rail works closely with many NHS trusts, it has also been developed to address many of DTAC's requirements as a matter of course.
The App Rail platform is accessible by design. It leverages each native platform's accessibility frameworks and good practices, allowing it to deliver exceptional experiences to a large target audience.
Take data encryption as an example. If data is stored on the device, it must be encrypted. If you build from scratch you have to verify this for every app, but with App Rail it works by default, saving a lot of time and money.
With many apps, this information also passes through intermediate servers, which creates a problem if one of those servers makes an error or the data is not encrypted for any reason.
App Rail is also designed to be privacy aware. All data is kept outside the platform, with no need for data to be permanently stored and no additional servers needing to be deployed.
Instead, data is handled by existing servers and infrastructure, which means that no new data retention compliance requirements are introduced. This also avoids adding further internet-exposed services that could become vulnerabilities.
Security tokens that must be stored to maintain a session are kept within the native platform's secure, encrypted storage.
This integrated approach empowers Trusts to design apps with a tool that aligns with their specific needs. And, when it comes to DTAC, it also helps to take care of a lot of the “red tape” that often slows down development, for example:
App Rail can automatically generate and prefill DPIA forms for review by Information Governance teams.
App Rail has been developed in alignment with the Open Web Application Security Project (OWASP) strategies for creating secure solutions and is continuously assessed in order to guarantee its security.
Apps undergo regular security testing (penetration tests) with a recognised third-party organisation.
All code is peer reviewed and technical builds are performed in a reproducible and secure environment.
All communications use industry-standard encryption over the TLS protocol.
App Rail integrates with and leverages existing authentication and authorisation infrastructure, including OAuth2 and NHS login. This ensures that existing policies such as Multi-Factor Authentication are made available in the mobile experience.
We provide plugins and sample code for FHIR integration.
Developing apps in NHS Trusts can be a complex process, and DTAC compliance adds an additional layer of project management into the mix. But it exists to ensure that standards are met and results are consistent.
The ultimate goal of any new NHS app is to improve outcomes for its users. To achieve that, teams must create innovative solutions. That's where a tool that automatically addresses many DTAC requirements comes into play.
App Rail makes it possible for Trusts to deliver apps that integrate with systems already deployed and being used, freeing up valuable time and money to drive more innovative solutions.
Building apps in NHS trusts is often hindered by a lack of capacity, and by policies and procedures that can be at odds with the agile approach required by tech projects.
Using a no-code approach takes away many layers of complexity, leaving trusts with a simple structure where they can develop their apps independently and lean on our team for support and guidance.