Ransoming NHS IT is not new
Friday’s attack was just more efficient
The NHS malware attack has already led to calls from the Home Secretary for lessons to be learned and IT upgrades made. So here’s a promise: if the political solution to this attack begins and ends with an expensive IT upgrade, this will happen again.
When I worked in government, NHS IT was a byword for horror. Not cynicism or rueful sighs, but proper, wide-eyed, ‘oh-my-Christ-is-that-really-happening’ horror. It still is.
The horror does not stem from a lack of investment or political enthusiasm. Ministers have promised us a paperless NHS for 25 years. The failed NHS programme for IT cost more than £10 billion. In 2012, Jeremy Hunt committed a further £1 billion towards going digital. Not all that money has been squandered. But the main result has been false dawns.
Part of the horror stems from the technology itself. Many people have noted that Windows XP, the operating system exploited by the attack, is 16 years old. It is older than Twitter and Facebook. You wouldn’t dream of using technology that old at home.
But it would be a mistake to focus on the crumbling technology without looking at why we’ve ended up here. The NHS being held to ransom by its IT is nothing new. This attack is just more efficient than the traditional route. If every hacked NHS account paid the ransomware demand of about 200 quid each, it would be substantially less than the annual spending on most of the NHS’ technology suppliers. We’ve reached this point because NHS IT lives in an ecosystem dominated by a small number of huge vendors. Over the last two decades, they have taken hundreds of millions of pounds from the state. They have hard-wired reliance on old operating platforms like XP into the system.
On top of these cosy relationships is a rotten culture inside many of the organisations charged with running the health system. It’s nasty, brutish and short-tempered. It’s often unhappy. It’s managers bawling people out in meetings; dodgy decisions made by personal phone call to keep the email trail clean. It’s an overlapping, impenetrable web of organisations where nobody is quite sure who is doing what or who is answerable to whom. The buck doesn’t stop anywhere, it falls between the cracks. Policy is impossible because the means of delivery don’t work.
This deadly combination is then brought to the boil by politicians who don’t understand the necessary hashtags. After years of ministerial techno-wheezes, NHS IT has steadily accreted layer upon layer of processes and systems. Senior civil servants haven’t advised their political masters of the perils, all too often because they don’t understand them and aren’t embarrassed enough by this fact.
And yet despite all that, we should remember that the NHS is not universally bad at IT. Some trusts are still standing in the wake of Friday’s attack. Some teams are trying to do their best by the patients, nurses and doctors they are there to support. There are a few people who are improving patient care because of technology. And then there are thousands of front-line staff who are improving patient care despite the technology.
This attack will pass and the recriminations will echo for a few days. But without sustained political will, NHS IT will remain a postcode lottery just as much as treatment. It is unfair, unjust and unsustainable. In short, it’s what politicians get into politics to fix. But the answer to this is not to reform the IT. It is to reform the NHS; the style of leadership, the behaviour of managers, the way it buys and builds technology, a preference for simplicity, openness and honesty. There’s no patch for that.