Site navigation

What has the ransomware attack shown us…? That we need more investment in electronic health services in the NHS

Prof. Bill Buchanan OBE


Electronic healthcare technology

Quick question… which organisation spent over £15 billion on a single project and ended-up with nothing?


So computer security is front page news, but the media attention will recede, and there will be another focus for media. At present, I see many large security companies rubbing their hands around the investments that are likely to come their way. So, if you are into SIEM, IDS, database protection, end-host scanning, and so on, you can expect to see more work coming your way from the public sector, as the UK government reacts to the latest threat, and finds a short-term fix.

But I think the main lesson we have learnt is that there is a complete under investment in the delivery of an IT infrastructure in the NHS. I cannot publish many of the things that people have told me about the systems that are running, but I can say that it has been an up-hill task in trying to push forward new architectures and support the delivery of new health and social care services.

Personally I am really shocked that the NHS has even one Windows XP computer that is allowed anywhere near the network, and I can’t believe some of the figures, as this would be negligence on an epic scale!

Surely they are not running XP?

I refuse to quote some of the figures I hear about the number of XP machines in the NHS, as it would just seem so unbelievable!

The days of technicians plodding along with an updating your desktop computer have gone, and centralised security policies and updates are a core part of most modern infrastructures. The concept of segmentation and defence-in-depth of part of the networks, too, are all a core part of a modern architecture, especially in making sure that key services keep running. But all along we need to remember that we want to make the patient journey as safe as possible, and to make the best use of the precious resources.

Private clouds… and centralised security policies

In most industries we deal with, we see large-scale cloud-based infrastructures being created, where the computer on the desk is just a connection to a private cloud, and everything is virtualised, and control is centralised. Unfortunately, I’ve been contacted by so many people who have worked in IT in the NHS, and they have told me that things are not done in the best way, and there’s a general lack of investment, along with a lack of leadership from the highest level in the NHS and Government.

We have rights to know about the security of critical infrastructure

With GDPR coming up, organisations such as the NHS will have to be more transparent about their infrastructure and the practices they use, as a large-scale breach could result in significant fines. Only in the NHS could we see over £15 billion spend on an IT infrastructure, and for nothing to result.

As a research group who gained a few hundred thousand, and who were competing against this investment, we have ended up with a successful spin-out company – Symphonic – and who are making massive in-roads in creating large-scale information sharing infrastructures.

Within the grant – which myself and Prof Christoph Thuemmler undertook – we were continually challenged with the investment that was underway, and there were questions about how we could compete against that. But we innovated, and focused on citizens and their care, rather than technology. It is much less about IT spend, and much more about understanding patient pathways and understanding the risks around their health.

What can we do about health care investment in improving services?

I think the XP problem identified within the ransomware attack shows a core under investment in health care IT in the UK, and which will not be fixed by purchasing lots of new computers and upgrading their operating systems. The infrastructure needs a radical redesign of health and social care services, with a long-term commitment from Government to use the best practice from industry and apply into health and social care.

The lack of integration across the different stakeholders involved with health and social care is one thing that needs to be addressed in any new plan, and how we can still respect the rights of privacy of individuals, but understand how we can best use data for their care and support. With GDPR coming along, the NHS needs to catch-up with the rest of the industry, otherwise it will face major problems.

As it’s our family’s health that is at risk, the NHS in the UK needs to modernise and catch-up with the rest of the world, and provide modern health care services which are fit-for-purpose. We have, over the past decade, proposed some fairly simple questions, and we are still at the point that they are unanswered …

  • Why can’t I Skype a GP for a 5 minute chat, rather than waiting for three weeks for an appointment and then having to travel across town?
  • Why can’t I email a clinician?
  • Why can’t I request an appointment on-line?
  • Why can’t I be prompted by email on immunisations and checks that a child should be having?
  • Why can’t parents view the progress of their child’s health with a secure on-line platform?
  • Why does a baby leave hospital with a bunch of written notes, and no electronic footprint?
  • Why did we spend £15 billion on Connecting for Health, and end up with nothing?
  • Why does a first responder have no history of my recent conditions?
  • Who is responsible for the overall care of a citizen and where do different parts of the health and social care system join and share their viewpoints?

In health care, especially, we have to be more open about future plans, and have a continual modernisation plan which more tightly integrates disparate systems, and brings them together in a secure infrastructure, while looking towards the future of on-line provisions. The citizen should be at the centre for this design! At present the NHS struggles to cope with creating a fit-for-purpose range of services for its own staff, and the concept of the citizen being part of this is still something which it is struggling with. Resilience, too, will be a core element, as a loss of service could lead to a loss of life.

On a personal note

My Grandson left one of the most advanced hospitals in the world with a bunch of hand-written notes, and now has a paper-based health record (the Red Book). Babies born in London, though, now get an electronic record – e-Red Book (created by Sitekit, a Skye-based company) – and which tracks the health of the child, and where the family has full ownership of the record, and where they are prompted for key appointments and where they can track the progress of their child’s health. How can there be so much difference between health provision for babies in Edinburgh and London?

The record uses the best of practice in cloud-based systems, and is infinitely more secure than a bunch of hand-written notes. The foresight of London shines a guiding light for others to follow, especially in promoting innovation and new ways of doing things.


I’d like to say that we all must be part of this investment, and citizens must be included in this drive. Any future large-scale investment must involve identifying good practice and scaling it out. Giving large contracts to large and often faceless companies (or quangos) often does nothing for innovation and the delivery of something that might transform our future health and social care provision.

And… are we forgetting… the NHS will one of the best places in the world to try-out innovative approaches to health and social care, and which could help grow companies which have a different viewpoint on the world, and look to export their innovations, rather than aiming to import ideas from others.

Last question… and I am still scratching my head…

Who is responsible for still allowing so many XP machines to exist in the NHS? Government or NHS Leads?

This is equivalent to knowing that a car will fail in the future, but just let the drivers continue, until they crash, and then do something about it!

Overall… to transform our world into a Cyber Age… we need more architects in IT than technicians! So let’s forget about XP and concentrate more on people, and put them at the centre.

Professor Bill Buchanan OBE

Prof. Bill Buchanan OBE

Professor - Edinburgh Napier University

Latest News

%d bloggers like this: