David Hencke reports on revelations from the National Audit Office over massive IT spending and the unaccountable role of NHSX.
Hugely expensive plans are being drawn up to put everybody’s NHS health data in a computer cloud once the current COVID-19 pandemic is over, a report by the National Audit Office (NAO) reveals today.
The uncosted new system would replace the current fragmented IT system in health trusts and GP surgeries and it is not clear yet when or how it would work with a current £8.1 billion IT modernisation programme being undertaken by health trusts and NHS Digital, the IT arm of the Department of Health and Social Care.
The NAO report — written before the COVID-19 crisis broke — is scathing about the fragmentation of IT in the NHS, which in some cases leaves it vulnerable to cyber-attacks.
In 2017, the NHS experienced widespread disruption from the WannaCry cyber-attack, including the cancellation of around 19,000 appointments at an estimated cost of £92 million. The department and its arm’s-length bodies have since taken steps to improve cyber security, including setting up a Data Security Centre to help prevent, detect and respond to cyber-attacks.
Meanwhile the NAO found that staff in 46% of health trusts cannot rely on the current digital system for information they need when they need it.
The NAO found that the modernisation programme which should be largely complete by 2024 was relying on a £3 billion contribution from cash-starved health trusts and was sceptical whether they would or could contribute.
The report reveals some new information about the role of NHSX – set up last July, a month before Boris Johnson became Prime Minister. The NAO says the department and NHS England can “change or close it as they see fit” without reference to anyone.
It says NHSX is working on creating communication protocols known as Application Programming Interfaces (APIs) which would go through different layers so they could transfer patients’ data from an individual health trust or GP surgery to a cloud. This is similar to people transferring their own personal data and files on their computer or smart phone to a Google cloud.
The difference is that this data could be shared across the whole of the NHS — and it could like the recently trialled NHSX contact app for COVID-19 — be vulnerable for security reasons after plans to extend its role to cover an individual’s health status were inadvertently made public on Google Drive.
A NAO spokesman said: “The use of APIs with a data layer, is at an early stage. It does not have a clear scope yet, so we are unable to comment on its implementation, much less how it affects the COVID-19 response. But we note that other parts of Government found similar approaches to be difficult and expensive.”
On the use of the cloud he added: “The Department’s Vision for digital, data and technology includes the principle that all healthcare services should run in the public cloud. We have not assessed progress against the ambition.”
“We have noted that organisations should not underestimate the cost and effort of moving to the cloud. And also noted that, since cloud is a service funded by revenue expenditure (whereas in the past IT projects have largely been funded through capital investment) so it will have funding implications that will need to be managed”.
The implication is that the cost of the new system will come from spending on patient services rather than being a capital project funded by the taxpayer.
Meg Hillier, chair of the Commons Public Accounts committee, said: “The Department of Health and Social Care knows what a digital revolution could mean for NHS patients. However it hasn’t drawn up the detailed plans needed to make one happen.
“NHS systems were originally supposed to be sharing data seamlessly by 2005. Fifteen years later, the NHS hasn’t even established a complete set of standards for Trusts and the IT industry to follow.
“The NAO report shows that not enough has been learnt from previous failed IT strategies. Meanwhile, continuing dependence on obsolete systems leaves the NHS open to another WannaCry style cyber-attack.”