On 12 May one in five NHS trusts were impacted by a ransomware cyber-attack. Lucy Campbell argues that government needs to think about accountabilities and capabilities, not just technology, to reduce future risks.
Forty-seven NHS trusts are among the global victims of the ransomware Wanna Decryptor. Microsoft has called on governments to see the attack as a “wake-up call” to improve their security and ensure systems are updated. But only last summer the Care Quality Commission and Dame Fiona Caldicott, National Data Guardian, warned Health Minister Jeremy Hunt of a "lack of understanding of security issues". Questions remain: why is the NHS still vulnerable and what can be learnt for the future?
Managing legacy
One of the problems with digital government is reforming the technology infrastructure which underpins its services (‘legacy’). There has been much speculation about how the continued use of Windows XP operating systems within the NHS contributed to the cyber-attack. Although only 4.7% of NHS devices use Windows XP, these are spread across 90% of trusts. Computers that have not been updated with Microsoft’s latest software were susceptible to the ransomware. Meanwhile, NHS legacies are further complicated by the patchwork of contracts across trusts. This digital fragmentation is in keeping with the scale of fragmentation within the NHS itself.
Accountabilities and standards
The NHS is in a “legacy nightmare”, but these technology problems have been exacerbated as no central organisation is responsible for digital in NHS trusts. Following the end of the 2015 contract with Microsoft, individual trusts have been responsible for their own upgrades. Since the attack both the Prime Minister and the Security Minister, Ben Wallace, have re-affirmed these responsibilities, saying central government provided £50 million to support NHS IT networks. Although the Government Digital Service (GDS) digital service standard states organisations must “address the security level, legal responsibilities, privacy issues and risks associated with the service”, this has been applied inconsistently across the NHS. The contrast with central government departments – which have not been affected by the ransomware – shows how much more needs to be done to spread digital standards across the public sector.
Capability and capacity
The existence of a new technology is not enough for take-up: change needs to be adaptive, requiring long-lasting engagement and individuals championing new technology. Moving away from legacy platforms requires time and skills which individual NHS trusts may lack or be unable to resource given current pressures. Furthermore, the financing of the NHS creates short time horizons and complicates the iterative processes and spending required for most IT upgrades.
What next?
In our report, Making a success of digital government, we identify a number of challenges facing digital government. The failure to coherently approach several of these challenges (moving to full-scale transformation, tackling IT legacies and building a digitally capable workforce) in the wider public sector has left the NHS vulnerable. The next government on 8 June will need to:
- affirm and focus its commitment to digital technology
- clarify who will take responsibility for supporting and enforcing standards, including security
- continue to develop the digital professions and build expertise across the public sector.
We'll be publishing our second report on digital government later this year.
- Supporting document
- IFGJ4942_Digital_Government_Report_10_16 WEB (a).pdf (PDF, 409.95 KB)
- Topic
- Brexit