Let’s hope the NHS cyber attack doesn’t lead us to another National Programme for IT

SUMMARY:

The ransomware attack could have far reaching consequences for the NHS, but the wrong response would be another expensive IT upgrade.

A global cyber attack on Friday afternoon left a number of organisations without access to their systems and data, after ransomware known as Wanna Decryptor or WannaCry infected 200,000 machines in 150 countries.

However, the National Health Service (NHS) in the UK was hit the hardest, with dozens of Trusts reporting problems, resulting in hospitals having to cancel treatments and divert patient care.

There has been widespread speculation that the NHS was hit the hardest because many of its organisations are still running Windows XP and hadn’t updated their systems with a security patch that was issued in March.

The government had warned NHS Trusts in 2014 to move away from XP as rapidly as possible.

NHS England has said that most of the Trusts involved are up and running again, but seven are still requiring ongoing support. NHS Digital has issued guidance on protecting against cyber attacks and said that “it is important to note that the vast majority of NHS organisations report that they are running contemporary IT systems”.

That’s as much as I am willing to comment on the technical, security side of this story – as I’m not a security journalist and don’t understand enough about the technical implications to comment.

However, I do know a little bit about technology in the public sector and there are a number of points that I would like to make about the long-term consequences of this attack. Namely, that this should not be used by politicians as an opportunity to issue a mandate for another expensive, ill-defined technology upgrade for the NHS.

Here are the main points I’d like to highlight as this story continues to unfold:

  • The fact that the NHS has been exposed as vulnerable is unsurprising. The NHS is widely perceived in government circles as an unwieldy beast when it comes to ‘digitisation’ and it is widely believed that big problems exist with outdated tech.
  • Having said that, many NHS organisations were not impacted by the attack on Friday and we shouldn’t take a blanket approach to criticism.
  • This event has the potential to result in politicians feeling pressured to issue some sort of reactive, large-scale mandate for another NHS-wide technology upgrade, just so that the government can be seen to be doing something. That would be a mistake.
  • Yes, technology within the NHS is by and large outdated and there is plenty of room for improvement, but the problem isn’t technology itself. The problem (in my opinion) rests with culture and outdated procurement, which is a much harder challenge to take on.
  • The NHS can’t be seen as a single organisation – much like local government, it is a complex web of layers upon layers of organisations that each operate to the beat of their own drum. That makes this hard.

Let’s not repeat mistakes of the past

Many will be aware that the government has made previous attempts to modernise technology within the NHS, most notably with the failed National Programme for IT (NPfIT).

NPfIT was a disaster. It cost the taxpayer over £13 billion and there has been very little to show for it.

The programme was pitched as a blanket upgrade to the NHS’ IT systems and as a chance for all organisations in the health service to standardise on a new platform. However, as time went on, it soon became clear that local inertia meant that many organisations resisted the standardisation.

Equally, the suppliers involved were perceived to be taking the NHS and government along for a ride, whilst the government’s contract negotiations and management were so appallingly bad that when things got rough it had no leg to stand on.

It was an unequivocal disaster and very few have been willing to touch the problem of ‘NHS transformation’ since. Health Secretary Jeremy Hunt has been making ‘paperless NHS’ promises for the past few years, but with very little insight into how he’s planning to achieve this.

However, a new organisation has been set up – NHS Digital – which has been making some progress and has been making the right noises about how transformation should look.

NHS Digital’s Director of Digital Transformation, Beverly Bryant, recently said:

“We’ve been too national, too ivory tower in the past, and now our role is to step out from the centre and help the NHS, help local users, clinicians, to actually do this for themselves.”

These sentiments should not change as a result of Friday’s attack. A top-down approach within the NHS has proven not to be effective, so let’s not make the same mistake again. Yes, change needs to happen, but a new national mandate isn’t going to be the silver bullet the NHS needs.

So what’s the problem?

The problem isn’t that the technology isn’t available. We all know it is. If you look at some of the services being offered in healthcare around the world, it’s clear that the use of cloud, mobile and data have real potential to transform how the health service in the UK offers care – which would both help relieve some of the funding pressures facing the NHS and also improve outcomes for patients.

However, to take advantage of these modern technologies, the NHS needs to rethink the way that it operates. The same rules don’t apply in the digital world and the organisations need to look at innovative new ways of providing care.

An example I use a lot is the creation of some healthcare apps in the private sector. For instance, the wait time for my local GP can be anything up to two weeks. It’s very hard to get an appointment.

However, if I’m willing to pay a fee (usually around £10), I can speak to a GP via video on an app within 15 minutes and have a prescription digitally issued to my local pharmacy for collection. I’ve done this before and from booking an appointment, to speaking to a doctor, to collecting the prescription took an hour. An incredible digital service.

However, I’m a strong believer in a free healthcare service and don’t think people should feel like they need to pay for better treatment. So why isn’t the NHS doing similar things? The technology is available.

There are two main reasons: culture and procurement. Both of which are inextricably linked.

From what I understand, whilst there are pockets of innovation, the NHS is very resistant to change. There is a lack of leadership that want to do things differently, that want to work in the open, that want to collaborate and rethink how they buy and implement technology.

Couple this with the fact that the vendors supplying the NHS market, in particular GPs, are limited and for want of a better word have an ‘oligopoly’ – the end result is that NHS organisations are buying the same old outdated technology, from the same old companies, to solve the same old problems in the same old way, for an incredibly inflated price.

Combine this with the fact that the complexity of the NHS, with systems and processes forming a complex web of care delivery, means that politicians don’t know where to start or how to progress without making big, simple statements such as ‘make the NHS paperless!’.

Change and new models of digital operation aren’t impossible within the NHS, but the challenges around culture and procurement are so huge that many are unwilling to touch it.

My take

I’ll reiterate again that not all of the NHS is doing this badly. And when I interact with those providing care within the organisation, I’m consistently impressed with how hard they work to get patients what they need.

However, if we want the NHS to succeed, culture and procurement need to change. Things can be done differently, but there needs to be a huge effort made to change the way that the NHS thinks about technology – much in the same way that the Government Digital Service has done in Whitehall.

If you look at where GDS has been most successful, it hasn’t been with providing new technology to departments, it has been putting mechanisms in place to drive cultural change around technology delivery and reforming how people buy tech (via innovative platforms such as the Digital Marketplace).

Friday’s attack will likely be a bit of a wake-up call for politicians and government to do something about the NHS’ technology. But the wrong response would be to find some large vendor to provide all of the NHS with a new system upgrade for a huge sum.

If the Department of Health really wants to make a difference, it needs to think about changing the very fibre of the NHS, to rethink how care could be provided differently and to put mechanisms in place to make it okay for health organisations to buy and do things differently. Is there the political will to do that? I’m not so sure.
