Public Services > Healthcare

Nobody should have to die because we didn’t apply a security patch…

Published 17 May 2017

David Evans, director of policy and community for BCS, The Chartered Institute for IT, says the impact of the cyber attacks reiterates a need for the creation of a recognised cadre of accountable professionals working in NHS IT and the wider public sector


If there was no such thing as clinical professionals, and it was just a case of a bunch of people employed by managers to deliver healthcare, would you like that? A statement that the hospital’s policy was to avoid killing you, but that a number of deaths was inevitable….would that reassure you?

Of course not; we know what it means to have doctors and nurses who are themselves professionally accountable for your care. That accountability is part of a system that gives those individuals training and support beyond their day to day job roles, and where they can get together to work out how to improve what they all do – and expect to see the results universally applied.

Not so for those working in IT and information security in the NHS. They are what Professor Ross Anderson, a world-leading security expert from Cambridge University, unkindly describes as ‘well-intentioned amateurs’. Management assurances that NHS systems are secure don’t amount to much. As we’ve seen, when the IT goes wrong the NHS is plunged into chaos, and it is to the credit of those well-intentioned people working in IT that it doesn’t happen more often.

Professor Anderson’s point is not that the people in the NHS are less intelligent or incapable, but that there is no structural way of ensuring that they know how to do the right thing. Given that, they do amazing work. There are basic functions that every doctor, every nurse, every pharmacist in the NHS can perform safely every day. Ensuring a level of safety, security and integrity amongst information and systems is just the same – it’s not rocket science, it’s basic discipline. It is certainly the case that cyber security practice evolves more quickly than fitting of a cannula, but keeping your systems patched and up to date as a basic process has not changed massively in the last 10 years (other than it has become easier).

So what’s the answer? Well, we need a visible, recognised cadre of accountable professionals working in IT (or informatics as they call it) in the NHS, and we need a visible, cadre of accountable professionals working in information security across the public and private sectors. Both having a cross-over, of course. We need those professionals to be self-governing, public-focused, but accountable individually and collectively to the public they serve. That’s why we have professional bodies, and this is the function that is performed by the General Medical Council, Royal College of Physicians and so on for doctors. For IT and security we have bodies like BCS, the IET, and a number of others. We have the structures, but until now it hasn’t been clear to the public and public institutions why this is so important.

In the case of health and care IT people, we’ve had huge support for this top to bottom in the NHS, and we have established ways for people to get involved. We definitely need this to go further up the priority list in the NHS, and we need answers to the questions people will be posing, but the leaders are behind this and they want it.

More generally, this is one of those defining moments in the history of technology and society. Right now people are looking for answers, explanations and solutions. It simply isn’t good enough to have a ‘top tips’ page, we need structural solutions to keep people safe. Right across the UK and the world, sales teams from tech companies will be writing ‘opportunity’ in big letters on flip charts and working out how their gubbins can be positioned as the answer to the ‘cyber threat’. Those in the know will be chortling at politicians who stumble over phrases they do not understand.

That’s not good enough.

If we, as a professional community, take that word ‘professional’ seriously, then that means we put the needs of the public first. There are many true professionals working in the NHS, attempting to offer leadership and real solutions, but there are so many of us who let commercial and organisational pressures run roughshod over our values and our principles.

So our challenge out to the community is to step up, get involved as real professionals, and be part of a systemic solution, not merely cogs in a giant engine that cares not at all about real people. This is an opportunity to establish our worth to the public, not shore up next quarter’s results.

David Evans is director of policy and community for BCS, The Chartered Institute for IT

We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.