In a new series of columns for Highland Marketing, former clinician, general manager and IT director Jeremy Nettle wants to explore why some trusts are better at innovation than others. As a starting point, he asks why some have such old and insecure IT.
During my tenure as an IT director within the NHS, I soon realised that if we wanted to move to innovative clinical and business processes there was going to be a cost.
Also, that the cost wasn’t just going to be the procurement, software, implementation and support, but the whole infrastructure.
The trust I was working for at the time needed to attract more patients from GP fund-holders, so we decided to offer them a same-day bloods service. We sent couriers out to collect the samples, and installed PCs in practices so we could send the results electronically.
The idea was very popular; but then we had to stop and think ‘what would happen if the system went down?’ Our whole business case was built on getting patients to come to us, so it was essential to keep it running.
Fortunately, we had a new hospital with a computer room, and we could fill it with computers. But it brought home to me that the cost of IT is like an iceberg; what you see and use is just the top third of the total costs.
What you don’t see, but must be built into the total cost of ownership (TCO) is the infrastructure, back-ups and fail safe devices to enable services to continue 24/7/365 (as the modern jargon puts it). This is the real cost that too many organisations fail to build into the TCO.
IT that is cheap and convenient, but flawed
Edward Lucas, a security expert who writes for the Daily Mail, says the result is that we have built a lot of IT systems that are cheap and convenient, but fatally flawed.
Recently, we have seen two examples from two very different industries of this. British Airways is facing a £150 million bill for letting down tens of thousands of passengers over the bank holiday weekend, after its systems failed following a power surge.
And some parts of the NHS are still recovering from the WannaCry ransomware attack. BA’s problems resulted in lost time and money. The #NHScyberattack shows that when healthcare computers crash, A&Es can be closed and operations postponed.
Incidentally, 99 countries were hit by 75,000 attacks using a virus that had been built by the NSA as a superweapon, and which was dubbed the ‘atom bomb of malware’ after it was stolen by a mysterious hacking collective called The Shadow Brokers.
That, I believe, truly demonstrates the world we are in. We want the benefits; but it is far too easy when budgets are tight to reduce the major infrastructure support functions that look after the systems that deliver those benefits.
Tech that doesn’t build in security
To take another example, after I left the NHS, I ran a project for a well-known bank that wanted to reduce its transaction costs by shifting data entry and checking onto the account holder. It did this by adding a new front-end, without changing its back-end systems.
Believe it or not some software used by the financial system in this country is so old that it still does its sums in pre-decimal currency. Gone are the days when we carefully check cheque-book stubs against paper bank statements. Today, we believe what we see on the screen.
But this is a paradise for criminals, pranksters and other enemies, who use the anonymity intrinsic to our computer systems to wreak havoc. Why has this been allowed to happen?
It’s simple. Since the invention of the internet, security has never been a priority. And our dependence on computers is increasing far faster than our ability to secure them.
Time to learn from XPerience
Or think of the ongoing reliance of many industries on the operating system Windows XP. One report that I read last December suggested that 90% of NHS trusts were still running XP, two and a half years after Microsoft stopped supporting the system.
Citrix, an American software company, had sent a Freedom of Information request to 63 trusts, 42 of which responded; and 24 of them weren’t even sure when they would upgrade.
Now, only a small percentage of that 90% of trusts will be running fleets of PCs on XP (comments made by ministers during the WannaCry attack suggest that figure is around 5%). Most will have just a few computers running software that was built for the OS, or they’ll be operating a range of machines and devices that have software that relies on it.
Even so, it shows the challenge that many NHS organisations have in running their strategic applications. So back to my original point: are they ‘firefighting’ or do they have a strategy for identifying and dealing with every instance of XP that has been discussed at board level? With the cost of doing factored into financial discussions about IT and procurement?
Add up all the costs at the start
Issues like this are one reason that we have seen organisations moving systems to ‘the cloud.’ They’re not just looking for a cost reduction; they also want flexibility so they can adapt to changing requirements.
If they come up with an innovative idea, like my trust did all those years ago, they don’t want to procure a system and then put a new rack in the computer room to run it. They need to respond faster.
Just this week, my old trust sent me a letter. It would have been much better if it had sent me an email or an SMS, with the option to put the appointment straight into my Outlook calendar. Systems of that kind can be easily run in the cloud.
However, cloud won’t be the answer for everything. When it isn’t, trusts need to make sure that they have a solid business case for a development, and that the true TCO is captured. Also, to make sure that they are clear about the expected return on investment (ROI) and that they go back and measure that, to build confidence in future projects.
Otherwise, the risk is we’ll see more and more examples of under-invested, under-supported, increasingly old and potentially insecure systems failing to do what we need them to do. Or just failing altogether.
Next month, Jeremy will be writing about why some organisations struggle with transformation while others succeed, and outlining some of the ingredients to enable successful change.
Jeremy Nettle
Avocat in Digital Disruption
Twitter: @jeremynettle