Helping NHS Boards understand the benefits of (and the need for) ongoing investment in technology

Today’s healthcare provision is almost totally dependent on technology – that’s why NHS leaders need to continue to see the value in IT investments to keep day-to-day systems running efficiently, stay cyber secure, gain benefit from innovations, and maintain patient safety.

Today’s NHS depends on ‘healthy technology’

Though the health sector is often viewed from the outside as a digital laggard, the last 20 years have seen technology become embedded into the NHS and its processes. From electronic patient records, through vital sign measurement, connected devices, to scheduling and call centres, IT is at the heart of everything we do. If systems are not available or technology is not running as efficiently as it could, then it goes without saying that healthcare provision will be sub-optimal or even not possible to deliver at all.

Prior decades have seen major investments in technology. However, this sometimes makes boards feel that the IT box has been ticked and that further spend on digital innovations is therefore off the agenda. There’s a feeling that the investment in IT assets such as servers, workstations and laptops can be sweated until the kit reaches its predicted obsolescence date, while at the same time adding more and more applications on to this equipment, and expecting things to keep running efficiently.

IT investments must be ongoing

Investment in technology needs to be ongoing. Existing systems must be maintained and new capabilities embraced. This all costs money which should be ring-fenced in annual budgets. The recognition of this is often bound up in how the investments in IT were made in the past. Traditional on-premises software from IT vendors had a relatively large upfront cost and then regular maintenance payments built into the contracts which might be for 5+ years. So for example, there might be a purchase price of £1m and 5 annual maintenance payments of £200k, all highlighted in the original contract and thus built into upcoming annual budgets. It can then be hard to go back and ask for the next £1-2m to procure a later version or change a system. Beyond the original system function the increased benefits can be very marginal, but we need to consider the ongoing benefits that are being delivered and in effect actually look at the lost benefit if we were to switch off a system.

Ongoing maintenance payments to such vendors might cover bug fixes, security patches, software upgrades, updates to cover legal changes, and access to telephone support. However, bespoke system developments to handle specific needs for an organisation, or interfaces created to knit applications together, rarely have maintenance baked into future year budgets, yet they still need all the same capabilities to meet evolving requirements and to run efficiently. The lack of a contractual obligation for such IT also means that any funds which have been earmarked are in danger of being taken away as a ‘saving’ in a particular year and are then hard to get back into following years’ budgets.

In our personal lives we don’t expect our spend on technology to cover us for 5+ years. There’s always a shiny new phone, sexy iPad or lightning-fast laptop to tempt us. Often the latest features and apps are not even available to run on ‘outdated’ kit. To maintain cyber safety we’re expected to upgrade to the latest versions of operating systems and applications. We need to bring such considerations into the workplace and build ongoing updates, security fixes and the adoption of advances in technology into our IT planning and budgeting.

Focused investment is needed to stay cyber secure

The healthcare sector continues to be one of the most at-risk industries for attack from cyber criminals. The large number of people involved – patients, employees, agency staff, contractors – the huge volumes of sensitive data, the criticality of the service, and the number of access points, which is rapidly increasing as more and more devices get connected, make the industry highly susceptible to ransomware attacks, identity theft and phishing.

High-profile cyber-attacks are often in the news and provide salutary lessons for the NHS, but often the focus has been on cyber breaches which have resulted in lost data. Recent public sector data losses from the police force in Northern Ireland (PSNI) and the Metropolitan Police in London have hit the headlines and show the severe implications for individuals, executives, and the damage which can be done to institutional reputations. However, the PSNI example was more about procedure than technology. The Met case was a result of a potential security breach of the details of tens of thousands of officers due to “unauthorised access to the IT system of a Met supplier”.

Given GDPR regulations, a focus on protecting sensitive data is extremely important, but threats such as ransomware can stop healthcare provision in its tracks by locking people out of systems and causing major disruption that can take many months to recover from. For example, on August 4th, 2022, the NHS 111 provider suffered a major incident due to a ransomware attack which knocked the service offline. This also brought down management systems for GP surgeries, care homes and mental health services including one which supported the care of around 40 million patients.

A cyber-attack in Germany in 2020 is reputed to have caused the first death due to a ransomware attack. It halved a hospital’s capacity to handle new admissions and an ambulance was redirected to another facility, delaying patient treatment by an hour with a fatal outcome. This is a chilling example of why ongoing vigilance and investment in cyber security are needed to keep systems as secure as possible as threats change. Cyber security is definitely not a one-off exercise or spend.

Utilising capital vs. operational budgets

In the past, IT investments have often come from the capital budget. With the move to the Cloud and Software-as-a-Service (SaaS), these are often now paid on an ongoing basis from operational budgets and can be hard to capitalise. This has some advantages as organisations get used to budgeting for a regular spend on IT, but the locked-in payments in a move to SaaS can be difficult to manage where significant payments start on the contract signature date or shortly after, rather than at go-live. Overall, the model is likely to be more expensive, but with drivers to keep things up to date, including cyber, the concept of sweating IT assets is no longer viable.

Central money from the Treasury tends to be largely capital. To gain full benefit from any additional funding, NHS boards must be aware of the impact of CDEL (Capital Departmental Expenditure Limits), which ultimately govern the capital investments which can be made by each ICS/ICB. Whereas it used to be a formality to carry capital over a year end, this is now very difficult as the limit, along with any adjustment, is set within the year. This can create a use-it-or-lose-it scenario, with the risk that contracts become front-loaded with suppliers receiving more as down payment, e.g. on contract signature. Consequently, the lower amount of retained funding can mean that there are fewer levers to ensure that all elements of a contract are delivered.

The role of CIOs and CISOs

Research from 2021 found that less than a quarter of trusts had a CIO (or equivalent position) on the board. Fewer still, if any, include a CISO (Chief Information Security Officer). I’d say it’s a moot point as to whether being on the board will lead to the ongoing investments needed in technology.

However, a place at the board table for a CIO does give the message that an organisation takes technology and digital transformation seriously. If the holders of such roles also spend time looking across ICS and at a national level, best practices can be developed and shared. By building their personal profile and visibility, they can also act as role models and mentors to future digital champions. Often organisations regard external consultants and companies as being the most credible sources of information and can come to rely on such third-party commercial resources. You could take the view that the digital strategy is the strategy, and as such it is vitally important that the NHS and public sector develop people capable of assessing emerging technologies and applying them to their business, without getting distracted by hype. Those that can do this and remain agile will be the ones who are ultimately successful in the delivery of effective, efficient and affordable healthcare.