
How...and why...to

Paul S Weston, review & accreditations director at ORCHA, the organisation for the review of care and health apps, writes about the mandatory Digital Technology Assessment Criteria which new products must pass before being commissioned by the NHS.

Introduced in early 2021, the NHS England Digital Technology Assessment Criteria for health and social care (DTAC) is a benchmark which all digital health products or health apps must reach if they are to be commissioned by NHS England.

The DTAC is a coming together of certificates and standards which the NHS have been using for several years, so adopting this at a national level and with a national mandate has been a welcome step towards best practice. However, one year on from launch the DTAC is still feeling very new to many digital health innovators and healthcare providers.

In short, the DTAC ensures a digital health product or health app is fit for purpose. Its objective is to ensure this new generation of digital tools is safe, secure, and usable. It tests products for usability and accessibility plus technical security and robustness. It also considers clinical safety and risk, medical device regulations, data protection and interoperability, amongst many other factors, depending on the nature of the product.

When developers do take their products through the DTAC process, we are finding some common pitfalls. What can be done to avoid these?

Many developers overlook mandatory Clinical Safety Officer training in clinical risk management. This training is essential to demonstrate an understanding of the principles of safety, risk management and risk mitigation. The course is just a day long and can be done online through NHS Digital as well as third party providers (Clinical Risk Management Training, NHS Digital). The developer’s clinical safety officer needs to make time to attend.

Next, we often find that penetration and security testing is out of date for a digital product or has not been carried out to the required specification. This testing is expensive, so it is often put off. It can also be challenging to find suitably qualified professionals to carry out the testing. But the summary reports are essential, and the common vulnerability scores the product is given will indicate whether it will meet key DTAC criteria. The testing explores the top things hackers will look for, scrutinising the robustness of a product and the code behind it. The test must have been carried out within the last 12 months, and the product must achieve a Common Vulnerability Scoring System (CVSS) score of 7.0 or above against the Open Web Application Security Project (OWASP) Top 10 vulnerabilities. More information and links to approved testers can be found at Penetration Testing, NCSC.GOV.UK.