Open Source and information security mailing list archives
From: Marek.Isalski at smuht.nwest.nhs.uk (Marek Isalski)
Subject: A rather newbie question

Working in a hospital in the UK National Health Service, I'll chip in slightly off-topic here, but it's all about risk assessment/management and a lot of what's said here can be applicable in IT/security risk management...

Disclaimer: I'm not involved in clinical risk management directly, but I work very closely with the clinical risk management teams here and am involved in our Trust's drive for CNST Level 2 compliance (acronym explanations follow).  Opinions and understanding are my own, not my employers', and I speak on behalf of myself rather than my employer, the NHS, Department of Health et al.

When someone sues an NHS hospital in the UK, the millions are paid out by the NHS Litigation Authority.  Hospitals in the NHS pay an annual premium to the NHS LA into a pot of money from which the LA pays the claimants.  This premium is based on the size of the hospital, the procedures it carries out (maternity, mental health and other specialties may carry "extra risk" and so LA contributions may be increased), and most importantly the level of compliance with the so-called Clinical Negligence Scheme for Trusts, or CNST.  CNST outlines various standards and requirements which, if met, should reduce the number of clinically negligent incidents and this leads to a lowered CNST contribution to the Litigation Authority.  It's a bit like fitting insurance-approved locks to your house or fitting an alarm and thus lowering your insurance premium.  But here we're dealing with mega-bucks -- a typical CNST contribution is about 1-2% of the total income for a hospital, or around a couple of million pounds in our case.

It turns out that, certainly in the UK, not all staff in the health service are trained in basic CPR.  I'm an IT manager.  I don't often come into contact with patients.  I am not "cost effective" to train in resuscitation.  Why?  Risk management.  While it may be sterile, scientific, unyielding on the affected individuals, and feel "unwholesome" to Joe Public, lines end up being drawn.  For example: the medical profession has decided on current criteria for assessment of death; these feed into an NFR Policy ("not for resuscitation" policy which is used to determine when resuscitation in, for example, a cardiac arrest can be stopped because the patient is deemed to be unviable).  The criteria used to determine NFR are reviewed all the time and change, just as anyone who is in St. John Ambulance will be taught a slightly different recovery position each year: the guidelines adapt to changes in best practice and medical knowledge.  But the lines are still drawn, and sometimes these are short of 100%.  On with the risk management!

While you might expect otherwise, the highest attainment level, CNST Level 3, only specifies:

  "CRITERION 5.3.1: 90% of eligible staff have attended basic life support training in the last 12 months."
  ""Eligible" staff are those determined in the trust's own resuscitation policy (reviewed at level 1) who should receive training."
    -- CNST General Manual June 2002

Where the line is drawn for "eligible" starts to get a bit of an ethical mess: training costs time and money, versus not training potentially costing lives.  The purists in risk management would need to get the units on both sides of the equation homogenous to strike the balance of how much to spend on training.  As a result, even if only implicit in how much ends up being spent training staff to do resuscitation, a "value" or "cost" is attached to a life ("cost" defined as how much financial impact a death due to clinical negligence might cause to a healthcare organisation, not necessarily the cost in terms of emotional trauma and hardships for those close to the victim).  [aside: for the true mathematician, one might consider severe injuries and conclude these can "cost" more than death]

Whatever the figures people might attach to "value of life", a line is drawn somewhere that might say something like: "all consultant doctors and nurses above grade F must attend mandatory annual resuscitation training".  And from that point on, CNST judges you.  A trust that fails to live up to its 90% attainment will pay more to the Litigation Authority.  The result: either cut costs somewhere (reduce staffing is a classic way of doing this -- dropping from CNST level 3 to level 2 might cost you the order of 10 nurses, though) or the bank account goes overdrawn (and being in the red further reduces your funding in the next financial year: being in the red lowers your "star rating", which directly influences how much money your Trust receives annually, to the tune of 0.5% better off for each star you have... the consequences are inevitable, aren't they? :-)  But I digress somewhat...

A balance of an achievable level of training, training costs, insurance/litigation payout and what I call the "magic seaweed factor" (the slightly unscientific way some risks are assessed) all contribute to decide the level at which we train our staff in basic resuscitation.  Beyond that, it's a case of educating the non-trained to call 2222, the standard number across the NHS (or should be thanks to another scheme's diktat) for crash teams, cardiac arrest and resuscitation.

My personal view is that I don't feel training the IT Department how to do CPR is worthwhile: I'd rather have the extra nurse looking after the intensive care unit or in the emergency department (after suicide, a road traffic accident is the most likely cause of harm to someone in my social demographic).  Just so long as my colleague sat opposite remembers to call crash when I collapse from stress-related heart failure.

Hope that this has been a useful contribution, even if slightly off-topic.

Regards,

Marek Isalski
Software Support and Data Security Manager
Software Support, IT Projects, Directorate of Health Informatics
Wythenshawe Hospital, South Manchester University Hospitals NHS Trust


>>> <Valdis.Kletnieks@...edu> 04/05/2004 00:18:29 >>>

(And I am told that in fact, hospitals *do* require all their staff to get
at least "basic CPR" training and the like...)

