The head of IT systems for the UK’s NHS has said the country’s health service is more fragmented than it has ever been, with the unwieldy framework contributing to the healthcare system’s WannaCry disruption.
Speaking at the HIMSS eHealth Summit in Sydney today, NHS CIO Will Smart said a complex structure of autonomous, competing local interests – including 250 hospitals and 8000 GP practices – led to around 20 per cent of the NHS being knocked offline on 12 May.
“You might have heard there was a small cyber attack in the NHS a couple of weeks ago,” Smart said, with a wry nod to a crisis that generated global media coverage and considerable industry self-analysis.
“Our challenge is that most of the IT staff work locally; they don’t work for me directly, so there’s a challenge around standards and what our role is in defining what those standards should be and our role around assurance and accountability, around adoption and implementation,” he said.
Following the NHS’s radical restructuring in 2012, responsibility for the security of systems, including legacy medical devices vulnerable to cyber attack, was handed to healthcare providers.
“The challenge of legacy is absolutely a local challenge and what I don’t want to do as the national CIO is to say, ‘Well, of course, what you need to do is switch all of this stuff off and do a big bang and replace everything’. But we are very much saying to local providers that running your IT is your local accountability. That sits very firmly with your board, with your CIO, and you need to manage it effectively.”
Managing IT effectively is a tough job for each of the local providers within a healthcare network that handles about one million patients every 36 hours and 21 million diagnostic tests a year.
It’s a problem compounded by poor expert staffing levels.
“We don’t really have a strong complement or large group of CIOs in healthcare because you can make more money in banking or somewhere else,” Smart said.
For Smart, one initiative designed to help solve the problem is the upcoming creation of a NHS Digital Academy to provide training for clinicians and IT staff.
Otherwise, the WannaCry attack may lead to a far greater expectation by the NHS that local providers heed security warnings and take the necessary steps to protect IT systems and patient data.
“We’re moving to a world that will be much more prescriptive and we’ll be expecting much stronger assurances that measures have been taken.”