
Published: January 26, 2026 - 5 minute read

Is this product safe? The question DCB 0160 can’t answer alone.

The problem isn’t DCB0160. It’s everything around it.

In my experience working with digital health teams on compliance, getting clinical safety and hazard logs done properly has consistently been one of the most challenging aspects of achieving DTAC compliance, and rightly so.

Establishing that something involved in patient care is clinically sound should be thorough and comprehensive, and that is only achievable through rigorous testing.

When it's finally complete, there's often a sigh of relief:

"DCB 0129 is done."

The same happens on the buyer's side when DCB0160 documentation arrives and has been reviewed.

And this is rightly a huge milestone. But it's also the moment both suppliers and deploying bodies step into the riskiest phase of the lifecycle: the period after go-live, when the technology, workflows, and data flows start changing beyond the scope of the assurances already achieved.

And with more technology deployed and a huge buildup of legacy systems, that risk is compounding.

The Scale of Legacy Debt

Clinical safety leaders have long been warning about "legacy debt": systems that have been live for years without the right level of assurance work ever being completed or kept current.

Digital health is now central to service delivery—EPRs, decision support, online consultation tools, remote monitoring, AI pilots. When those systems drift out of assurance, the risk doesn't stay neatly inside "clinical safety" as a category. It spans information governance, data protection, cybersecurity, accessibility, operational resilience, and ultimately patient harm.

While we wait for the findings of the NHS’ clinical safety standards review, trusts still need to govern the portfolio they have today, and this includes systems deployed under previous expectations that continue to evolve faster than assurance processes can keep up.

But whatever emerges from the review won't retroactively fix the legacy debt already accumulated across the system.

Assurance Is Fragmented Because the System Is Fragmented

Most trusts and deploying organisations are doing what they can within the structures they have.

Clinical safety lives in one place (hazard logs, safety cases, CSO workflows). Information governance lives in another (DPIAs, RoPAs, processor agreements). Security posture lives somewhere else again (DSPT evidence, supplier assurance, incident response). Accessibility gets handled separately. Procurement sits in procurement.

None of this is irrational. It's just how organisations have evolved.

But it means risk has become disjointed.

You can have a beautifully written safety case and still be exposed because:

  • A supplier pushes an update that changes workflow risk and nobody re-tests the assumptions
  • Data flows drift from what was documented in the DPIA
  • A supplier's security posture changes after onboarding

Clinical safety teams have been calling this out for years, especially the reality that "catching up" on historic assurance is often unrealistic.

A national study on compliance with clinical safety standards reported more than 10,000 (70%) of digital health technologies in use across the NHS lacked complete documented safety assurance. The study found that for a typical NHS trust, three out of four digital tools influencing patient care do not demonstrate compliance with minimum clinical safety requirements.

If we know we can't keep up with the backlog, more legacy debt is accumulating every day, and the standards are about to change (and that's before we even factor in AI governance), how do trusts govern all of this?

What Good Looks Like: A Single View of "Is this product safe?"

DCB0160 is vital, but it can't carry the weight of modern digital risk on its own. The question trust leaders are being forced to answer isn't "did we produce a safety case?" It's:

“Are we safe today, across our entire supplier portfolio, and can we prove it?”

In practice, that means moving towards:

  • One inventory of what's deployed (not five partial lists across different teams)
  • One risk picture that links clinical safety, information governance, security, accessibility, and operational risk
  • Evidence that stays live: versioned, time-stamped, and easy to audit
  • Clear ownership for each system and each risk decision (including acceptance)
  • Lifecycle triggers so changes (updates, integrations, supplier changes, new data processing, workflow changes) automatically prompt the right reviews

Right now, a lot of cost is incurred as a result of this disconnection: extra meetings, duplicated evidence, chasing documents, recreating context, finding the "latest" version of something, and bringing new people up to speed when roles change.

Instead of adding more processes, we need to reduce the hidden admin load created by this fragmentation, giving SIROs, CIOs, CCIOs, information governance, InfoSec, and clinical safety teams a shared reality to work from.

Why this matters now

The NHS' digital risk landscape is moving into a new era: more AI, more integration, more reliance on digital pathways, and higher expectations of assurance for both suppliers and buyers.

If we keep treating clinical safety, cyber, and information governance as separate compliance exercises, the burden will keep growing while visibility stays limited.

Trusts, commissioning bodies and deploying organisations need a pragmatic, comprehensive, holistic way to look at the risk and compliance posture of their suppliers.

If you're a SIRO, CIO, CCIO or IG lead dealing with legacy assurance debt, you're not alone. We're working with a number of trusts and GP partnerships to solve this problem.

If you'd like to learn more, feel free to get in touch here.

-Michael Bell
