The procurement of NHS England’s Outcomes and Registries Platform (ORP) has raised alarms about data security and compliance with public sector procurement rules.
The ORP aims to consolidate renowned clinical device registries that medical experts and technologists have developed over many years. These registries are crucial for managing clinical services, commissioning new treatments, identifying effective therapies, and ensuring patient safety.
Earlier this year, it came to light that the ORP’s login page was accessible to anyone online and lacked multifactor authentication (MFA), conflicting with NHS England’s own regulations. Although NHS England claimed to enhance security and implement MFA, concerns lingered. The Federation of Clinical Registries (FCR), which includes healthcare professionals and technologists, expressed frustration at being sidelined as they raised their concerns. They highlighted that deeper data protection issues remain unaddressed, asserting that the ORP allows nearly anyone to register without proper vetting. They noted the bizarre situation of the platform having over 6,000 registered users, of whom only about 900 were active.
Also troubling is that the ORP resides on the internet, which goes against the guidelines for storing sensitive Class Five data. The FCR has repeatedly sought clarity from NHS England’s Cyber Security Department regarding these issues. Class Five data is highly sensitive information that requires strong organizational commitments and specialized guidance for its management.
The FCR reminded NHS England of the risks, citing that the National Major Trauma Registry, formerly the Trauma Audit and Research Network, was compromised in a ransomware attack last year.
As for the ORP contract itself, the FCR raised concerns about how it was awarded. Initially, they felt a new draft contract from NHS England threatened established registries and assumed it meant an end for them. This led the FCR to uncover various troubling occurrences: payments were halted, data streams to key registries were blocked, and historical data was lost or deleted as legal contracts expired. They then learned that NEC, a Japanese supplier, was tasked with developing the ORP platform.
The FCR discovered a £1 million contract from March 2023 meant for the initial development of the ORP. Yet, the lack of transparency surrounding the contract’s details raised further suspicions. They filed Freedom of Information requests to get a clearer picture of the registry development costs but received no information.
Later, the FCR found out about another contract worth £1.24 million awarded to NEC early in 2024, but this was not made public until July. They were baffled by the repeated insistence from NHS England that all registry development fell under the initial contract, even as they discovered another one existed.
They also claimed that both contracts were awarded without proper processes or market evaluations. The NHS England ORP senior responsible owner initially said a market evaluation took place, but later, the NHS transformation director contradicted that statement, generating frustration among FCR members who believed they had more expertise in delivering medical registries than NEC.
The FCR raised concerns that the late publication of the second contract indicated an attempt to retroactively validate the award process. Matters were further complicated when a new procurement process began in late 2024 that resembled a request for information rather than a traditional tender process. Suppliers questioned the murky specification process, as NHS England only planned to disclose that information to the winning bidder.
This entire situation reinforces the FCR’s belief that the procurement lacks proper procedures. They think NHS England is scrambling for cover, trying to avoid consequences by dodging Freedom of Information requests. NHS England counters that the awards followed established framework agreements and insists on the importance of the ORP for patient safety. They assert that their cybersecurity and data protection measures are appropriate while vowing to maintain transparency as they move forward with the procurement process.