Journal article
Misunderstanding IT: Hospital cybersecurity and software problems reach the courts
Digital Evidence and Electronic Signature Law Review, Volume: 15, Pages: 11 - 32
Swansea University Author: Harold Thimbleby
Version of Record
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 4.0 International License (CC-BY-NC-ND).
Published in: Digital Evidence and Electronic Signature Law Review
Institute of Advanced Legal Studies (IALS)
The corruption of patient data in a hospital prompted a criminal investigation, resulting in approximately 70 nurses being disciplined, with some charged with wilful neglect contrary to the Mental Capacity Act 2005. Some nurses received custodial sentences. This paper explains the background. The paper demonstrates the inability of hospital IT systems and management to provide reliable evidence, and highlights broad problems with poor IT culture affecting manufacturers, hospitals, police, lawyers, and advisors — all the way through to regulators and legislators. Widespread misunderstandings of IT and data compromise the provision of effective care as well as legal processes. This paper includes recommendations, the most urgent being that hospitals (the NHS and other national healthcare systems more generally) should acknowledge that IT is unreliable, and that they should procure and actively manage IT equipment with this in mind. Effective and up-to-date monitoring of the legal issues relating to IT generally and cybersecurity should be routine. The NHS needs to improve its IT maturity, management and policies. The police, the legal system and regulators also need a more mature approach to IT. Manufacturers are not currently providing dependable systems that are fit for purpose to operate safely and reliably in normal, complex hospital environments. All parties should engage qualified external oversight.
Originality: following an early invited conference keynote paper, this is the first archival full analysis of a major cybersecurity problem in a hospital, based on substantial original data and legal evidence. The paper was invited for the journal, the leading legal evidence journal.
Significance: five nurses were tried in the Crown Court for alleged falsification of data; this paper explains how the author proved the IT evidence to have no probative value, so the case collapsed. The paper has been used in Electronic Evidence (4th ed, eds: S Mason & D Seng, 2017, a standard legal reference) which has 3 pages (section 9.90) called "Analysis of failure." The Judge's Ruling (also published in the same journal) makes clear the contribution of Thimbleby to the case. The paper is also cited in the Hopkins Report, a major NHS review.
Rigour: the paper is based on deep analysis of evidence provided to the author as an expert witness acting for the court. The paper was written using automatic merging of data to ensure diagrams and figures etc. were accurate and anonymised.
cybersecurity; healthcare IT; electronic evidence