Evolving technology risks within the NHS

10 April 2025

At our second NHS audit chairs forum, we welcomed guests from a range of NHS Integrated Care Boards (ICBs) and Trusts. The session covered how organisations should seek to understand and manage evolving technology risks, under the themes of digital transformation, AI, patient care and people. 

What is the potential impact of digital transformation for healthcare organisations?

Digital transformation in healthcare offers an opportunity to reimagine how healthcare can be delivered, using tools, technology and data to put patient experience at the heart of a transformed healthcare system. It involves implementing new processes and tools to increase efficiency and productivity, improve clinical decision-making and patient care, and reduce manual tasks.

There are several main areas where digital transformation can enhance healthcare operations, such as supporting patients with preventative healthcare and self-care, detection and diagnosis, care service delivery (including pre- and post-care, virtual wards or remote healthcare), and internal functions like administration, record-keeping, reporting and compliance.

What questions should audit committees ask their management teams about digital transformation?

As healthcare organisations embark on their digital transformation journeys, it's crucial for audit committees to stay proactive and inquisitive. By asking the right questions, they can ensure that the transformation aligns with strategic goals, engages stakeholders effectively, and mitigates potential risks. Here are some key questions audit chairs can consider:

1. What are the objectives and outcomes for each use case and how does that link with our overall strategy? Explore what your prioritisation is for these use cases. If there are too many, discuss how they should be prioritised—or perhaps question whether the organisation is being ambitious enough.

2. Is engagement with stakeholders, including frontline staff and patients, sufficient to understand their experience and touch points during the transformation? Are they engaged in the design of the process?

3. Is the organisation investing in and deploying the right resources? Does it have the competences and capabilities needed to deliver the project and its ongoing management? For example, AI involves handling huge volumes of data, necessitating new skills, data governance and robust oversight.

4. What risks will this transformation introduce? All new technologies introduce potential risk points, because each new system, connection or user expands the cyber-attack surface.

What are the best practices for digital transformation?

Effective digital transformation begins with strong leadership. Leaders must ensure their vision and purpose support the engagement, and that the transformation process is given sufficient time.

Collaboration and culture are crucial. New initiatives may not always work as planned, so it’s important to foster a culture that moves away from blame and towards continual learning and improvement.

Stakeholder engagement is another key aspect. Understanding the requirements of all stakeholders, including patients, healthcare professionals and external partners, at both trust and system levels, is essential.

Addressing risks, governance and security is vital during and after the transformation. Organisations must develop robust strategies to manage these aspects, ensuring that new technologies are implemented securely and that governance frameworks are in place to monitor and control associated risks.

Establishing clear metrics to measure the benefits against the objectives allows organisations to assess the impact of their digital transformation efforts. Regular evaluation helps identify areas for improvement and ensures that the transformation continues to align with strategic goals.

Key considerations for audit chairs to mitigate risks during digital transformation

Digital transformation extends an organisation’s digital footprint, increasing the number of endpoints to safeguard, secure and control. Controls can take time to be embedded into newly implemented software technology. Fragmented and legacy systems also pose a risk and require robust security patching processes.

To address these concerns, audit chairs should assess the risks associated with implementing new digital tools or systems and ensure there is a clear assurance process in place to verify that any new platform is secure. Additionally, they must evaluate whether third parties are demonstrating the same strength of cybersecurity controls to protect data. 

With human error responsible for 92% of cyber-attacks, audit chairs should focus on training staff to be vigilant users when implementing new technologies. It is essential to strike a balance between empowering staff with the tools they need and maintaining appropriate controls to minimise potential risks. 

How can organisations manage the risks posed by AI?

While AI offers many potential positives, it may also negatively impact areas such as privacy, security and ethics. Organisations need a clear digital/AI strategy that feeds into their overall strategy and goals.

Appropriate governance and guardrails must be established to explore AI use cases in a secure and controlled environment. 

The AI strategy should outline the problem and how the use case will solve it, the people impact, and potential risks for all stakeholders. It should also define the levels of assurance and governance needed, how outcomes/benefits will be measured and evaluated, and establish guardrails to ensure clinical safety, cyber security and data protection. Additionally, incident response testing and business continuity plans are essential components of managing AI risks effectively.

The people impact of AI - patients and workforce

When adopting AI, it's vital to consider its impact on both patients and the workforce in terms of adoption, engagement, and involvement. Key considerations include:

  • Skills and capabilities: identifying the skills required and how the nature of work will evolve.
  • Digital upskilling: developing an approach to train staff in digital skills and effectively communicate the benefits of AI.
  • Ethical considerations: AI presents a huge challenge for regulators, given the rapidly evolving nature of technology. Staying informed about regulatory implications is critical for organisations.
  • Equality considerations: ensuring fair and equal access to AI technologies for all groups.
  • Evaluating impact: assessing the positive outcomes AI brings to both staff and patients.
  • Managing patient expectations: building trust around AI is essential. Public perception of AI can vary, and some patients may view its integration negatively. Managing these expectations is key to fostering trust.

Business continuity if a digital system fails

If a digital system, tool or underlying infrastructure fails, healthcare organisations must have business continuity processes in place to ensure that patient care can continue while systems are restored.

Assessing the impact on patient services will help management develop contingency plans that ensure service resilience.

What should audit committees ask to be included on IT risk registers for their organisation?

As the risk landscape continually evolves, organisations must ensure their risk registers, oversight and governance are aligned with emerging threats. Audit chairs need central visibility into ongoing activities to ensure management is implementing appropriate processes and controls to address new risks.

Questions audit chairs can ask include:

  • From a risk and transformation perspective, are we capturing all the initiatives and projects within the organisation? Risk registers can often be incomplete, leading to a false sense of assurance in terms of the identification and mitigation of risks.
  • Have we identified the right risks and are the appropriate follow-on actions in place? Are they sensible, reasonable, and practical?
  • Are actions linked to clear timescales, and do the timescales correspond to the severity of the risks involved?
  • Are key risk areas captured, including safeguarding patient data, third-party cyber security and controls, and cyber workforce training?

How we can help your NHS organisation

Our specialist NHS team works with over 80 NHS ICB and Provider Trust clients. Our experts are here to support you with developing your system assurance maps, internal audit and controls, fraud risk management, tax services and tax risk governance, technology and cyber risk, and transformation projects.

To discuss how we can strengthen your organisation’s risk management framework, please contact Clive Makombera, Mohi Khan or Richard Curtis.

Mohi Khan, Business Transformation Partner and Head of Healthcare and Life Sciences

Richard Curtis, Technology Assurance Director