Can we get past cyber fear?
If 2017 were a thriller, the NHS ransomware attack would be the unthinkable ending: a vivid realisation of the ever-present worry of “hackers” and “cyber”. And the target, the NHS — that vulnerable, under-funded national treasure that sets us apart — couldn’t be more symbolic.
Computer Weekly reports a major governance failure: no one was responsible for security and there were no enforceable standards. And with GP surgeries and A&E departments closed, routine surgery delayed, and vital information inaccessible, this attack hasn’t just been about data and privacy. In some cases, it’s become a matter of life and death.
While there’ll be plenty of finger pointing (Dame Fiona Caldicott’s recommendation to update outdated systems and equipment was reiterated less than a year ago), the attack also shows how central technology is to delivering health and care. Technology in the NHS is not just apps and activity tracking or Health Innovation Units. It’s telephone systems and patient records — part of business as usual in every CCG and hospital trust.
Although the ransomware attack was shocking, the way to move on from it is relatively straightforward. Or, to put it more bluntly, a kneejerk cyber crackdown isn’t going to help us safeguard a system that is as much about people and process as it is about tech.
Rather than benchmarking with commercial trends, the NHS digital strategy should flow from meaningful standards. (We suggested a starting point for these last year, when our research turned up tension in the NHS between innovation and just getting the basics right.)
And the capability of every trust and CCG should be built. Our proposal for better digital leadership, at board and executive level, in every trust and CCG, recognises the scale, complexity and fragmentation of the NHS. Integrated health and care depends on integrated, well-managed systems. It’s not just the job of the CIO — it’s a shared responsibility for every executive.
The effects of this attack aren’t confined to the NHS. It’s a political hot potato, and the specialist jargon — ransomware, bitcoin, patches — will add to the list of obscure terms we need to worry about and vague anxieties that can be exploited.
We need a deeper public understanding of technology. “Cyber security education” is good, but not enough to help us navigate a world that increasingly feels full of hackers, job automation, and weaponised drones.
At Doteveryone, we’re starting a research programme to understand more about our digital attitudes, and prototyping digital explainers alongside the BBC’s Weather Watchers programme. We’re at the start of this and certainly can’t do it alone. Building true digital understanding across Britain will require support from government, media and employers, and ensuring critical thinking about technology is as highly prized in our education system as hands-on skills.
Such simple-sounding solutions — better standards, better leadership, better understanding — don’t really scratch the itch to fight fire with fire. But as we make plans to better protect Britain against digital attack, let’s remember what’s stopped 250,000 infections of WannaCry: a 22-year-old named Brian and a £10 URL. Not everything has to be thrilling.