It is only when something goes wrong that it becomes easy to see what a false economy it was to fail to prevent it. Upgrading computer systems is a complicated and expensive business, and it was understandable that NHS managers put off doing it. It is, therefore, rather unfair to suggest that they – or Jeremy Hunt, the Secretary of State for Health – had ignored warnings that Windows XP was insecure.
It was not as if simply spending more money to patch or upgrade the operating system would have been straightforward. As anyone who has ever upgraded a home computer knows, the attempt to keep up to date can mean that things that used to work cease to do so. In hospitals, with all manner of devices connected to computers, this is more difficult and more likely to be a matter of life or death. The cost and risk of things going wrong has to be set against the risk of attacks.
The temptation can be to assume that warnings of cyber attacks are marketing ploys by IT companies or wolf-crying by ill-informed lay people. Anyone who remembers the millennium bug is entitled to be a little sceptical.
Now the NHS, the highest profile victim of Friday’s ransomware attack, knows better. The security of operating systems is important and it is worth spending more to defend against such attacks.
Instead of rushing to allocate blame, however, this crisis could be turned to the NHS’s advantage in being used as a prompt to rethink its assessment of costs and risks. This is a task that goes far beyond computer systems. One of the deep problems of the NHS is that it is such a large disorganisation that it fails to ask itself fundamental questions about its priorities.
The biggest example is not Windows XP but social care. Because care of elderly people is the responsibility of local councils rather than the NHS, the system as a whole operates inefficiently. The NHS is unable to discharge people because care is not available for them, and the conveyor belt of patients, in a system running at capacity, backs up. Much of this is a matter of resources, and it is certainly not possible to fix it without more resources, but a lot of it is the result of disorganised priority-setting and perverse incentives.
The paradox of resources is that, while funding is squeezed, it tends to be the soft targets that bear the brunt. These can be false economies, as with sticking with old computer systems or cutting local council provision for the elderly. But that does not mean that, if additional funds are made available, they will be spent in the most effective way. The horror stories of big new computer systems for the NHS during the New Labour years of relative plenty should make that clear.
Rigorous analysis of priorities, including assessing the risks of unpredictable events such as cyber attacks, is something that the NHS should be doing anyway. One example of where this has been successful is Nice, the National Institute for Health and Care Excellence. This brought together the entire NHS to make judgements about what treatments are value for money. It has made explicit some of the hard choices at the margins about expensive cancer treatments, for example, and it has forced the NHS to take a more robust line on unproven therapies such as homeopathy.
The middle of an election campaign may not be the best moment for this kind of calm reflection, but after this week’s crisis with NHS computer systems, it is time for the NHS and associated services to apply this kind of thinking to other parts of their work. If he can step back from firefighting the daily crises of an underfunded service, Mr Hunt should convene some deep thinking about assessing the unexpected challenges that might break the NHS in future. It would be a false economy not to.