Tag Archives: Cabinet Office

Is the Post Office to blame for Horizon IT dispute – or is it really ministers and civil servants?

By Tony Collins

How does a public institution behave when it has little effective oversight?

Mr Justice Peter Fraser is expected to rule shortly on a critical question that is at the heart of a long-running IT dispute between the Post Office and hundreds of former sub-postmasters.

His ruling may answer the question of whether the Post Office’s “Horizon” IT or sub-postmasters were likely to have been to blame for unexplained shortfalls of sometimes tens of thousands of pounds shown on local branch systems.

If the Post Office loses the High Court case, it could end up paying damages of hundreds of millions of pounds – which could fall to the taxpayer. The state owns 100% of the Post Office. Public funding of the Post Office amounted to £2bn between 2010 and 2017 and a further funding package of £370m is agreed until 2021. Any damages could be on top of this.

If the case ends up with the Post Office’s needing a taxpayer bail-out, this would raise some obvious questions:

  1. Who in government and the civil service provided oversight when the Post Office decided controversially to trust what was shown on a proprietary computer system rather than the word of hundreds of local branch sub-postmasters?
  2. Who in government and the civil service endorsed the Post Office’s decision to defend litigation that could end up costing taxpayers hundreds of millions of pounds?
  3. Who in government and civil service endorsed the decision to continue defending the litigation – and indeed deepening it – despite excoriating criticisms of the Post Office by two High Court judges?

It is still possible for the Post Office to win the case, in which event its actions and decisions may be vindicated. But it has lost every interim ruling so far, in a case which has lasted two years to date.

When asked about their oversight of the Post Office, ministers have distanced themselves.

In August 2019, the then Minister for Postal Services, Kelly Tolhurst, said in a letter that Post Office Limited “operates as an independent, commercial business and the matters encompassed by this litigation fall under its operational responsibility”.

But thanks to extensive research by Eleanor Shaikh, a reader of the blog of journalist Nick Wallis, who is crowd-funded to cover the High Court hearings, we know that civil servants reporting to ministers have extensive responsibilities for oversight of the Post Office.

The state categorises the Post Office as an “Arm’s Length Body”. Shaikh learned that the Department for Business, Energy and Industrial Strategy is required to “exercise meaningful and commensurate oversight of ALB [Arm’s Length Body] strategy, financial management, performance and risk management”.

A 2014 Civil Service document, Introduction to Sponsorship, adds that,

“the Secretary of State is ultimately accountable to Parliament for the overall effectiveness and efficiency of each ALB of which their department is responsible.”

It’s not only about oversight. Civil servants are,

“… expected to play an active role in the governance, financial management, risk management and performance monitoring of ALBs and are responsible for managing the relationship with an ALB on behalf of the Minister and the AO [accounting officer].”

Wallis reports in full on Shaikh’s findings.

How effective has civil service oversight been so far?

The judge’s comments in his ruling of March 2019, which the Post Office is seeking leave to appeal, suggest that there has been little effective civil service challenge to the Post Office’s decisions. Indeed, one of the judge’s findings was that,

“The Post Office appears, at least at times, to conduct itself as though it is answerable only to itself.”

The judge also criticised,

  • untrue statements by the Post Office
  • threatening and oppressive behaviour by the Post Office.
  • the Post Office’s appearing “determined to make this litigation, and therefore resolution of this intractable dispute, as difficult and expensive as it can”.
  • the Post Office house style for some senior management personnel giving evidence which was to “glide away from pertinent questions, or questions to which the witness realised a frank answer would not be helpful to the Post Office’s cause”.
  • a culture of secrecy and excessive confidentiality generally within the Post Office but particularly focused on Horizon
  • Post Office witnesses in general who have become “so entrenched over the years, that they appear absolutely convinced that there is simply nothing wrong with the Horizon system at all …”
  • attempts by the Post Office to prevent some evidence from emerging into the public domain by applying to have it struck out as irrelevant
  • attacks by the Post Office on the credibility of sub-postmasters whom the judge found credible as witnesses in the case.
  • some Post Office procedures that went from the sublime to the ridiculous
  • some Post Office submissions that were “bold, pay no attention to the actual evidence, and seem to have their origin in a parallel world”.
  • the Post Office’s asking a sub-postmistress to extend the local branch’s opening hours a day after her husband, who ran the branch, had died.

The judge described the Post Office’s most senior witness, a director, as highly intelligent. She on occasions gave clear and cogent evidence. She helped to improve the Horizon system and had provided some useful evidence.

But in describing parts of her evidence he also referred to a “degree of obstinacy”, “extraordinarily partisan”, “sought to obfuscate matters…”, “disingenuous” and a “disregard for factual accuracy”. He said at one point in his ruling, “I find that she was simply trying to mislead me.”

He concluded, “I find that it is necessary to scrutinise everything she said as a witness, both in her witness statement and in cross-examination, and treat it with the very greatest of caution in all respects.”

Comment

If the judge is right in his criticisms – and it is too early in the appeals process to say conclusively that he is right – is he simply describing the behaviour of a state institution that is, in essence, without higher control?

Civil servants from, among others, the Department for Work and Pensions, HM Revenue and Customs, the Ministry of Defence, Home Office and DEFRA appear regularly before the Public Accounts Committee and are the subject of value-for-money investigations by the National Audit Office. The Post Office has little of this scrutiny.

A large private company has many shareholders and the threat of going bust to keep it in check. But the Post Office is too big and important to the community to be allowed to fail.

When Boeing’s aircraft technology is the subject of independent, detailed and widespread criticism, its planes are grounded indefinitely while regulators investigate.

The Post Office has no fear of any regulators shutting down its Horizon system.

In an accountability vacuum, how can a state institution be expected to behave?

Individuals within a large organisation will have a sense of right and wrong. But collectively, can people within state institutions be expected to do much more than meet the requirements of the culture and law as they perceive it?

That is why effective and rigorous oversight of state institutions is critical, if only to protect the interests of taxpayers.

When the widow of a sub-postmaster who’d died the previous day took over his branch, the Post Office asked her to extend the opening hours, which seems to have surprised the judge. Wouldn’t that behaviour surprise anyone?

When shortfalls were shown on the computer system, how easy was it for the Post Office to demand that sub-postmasters made good the losses sometimes without full investigations? It was easier, perhaps, without effective oversight.

Can the Post Office be held entirely responsible for the Horizon IT debacle? It is a state institution. Responsibility for the debacle lies, therefore, with ministers and civil servants, whatever the outcome of the Horizon dispute.

Nick Wallis’ trial coverage including Eleanor Shaikh’s research on the oversight that ought to be provided by ministers and the civil service.

Computer Weekly’s useful summary of the latest position

Unpublished plan to throw another £13bn at the NHS’s IT problems?

By Tony Collins

The Health Service Journal yesterday revealed details of NHS IT investment plans that have been costed at about £12.9bn over the next five years.

The HSJ’s award-winning technology correspondent Ben Heather says the sums currently involved – which could reduce as proposals are “reined in” – are on a par with the notorious National Programme for IT in the NHS.

He says that officials working on the plan have produced an estimate of between £10.9bn and £12.9bn for the cost of supporting proposals across 15 long-term plan “workstreams” ranging from creating personalised care to improving cancer survival.

The figures form part of the work of the digital and technology workstream for the long term plan, which is being developed by NHS England and NHS Improvement.

“The sum would be on par with the National Programme for IT, the most expensive push to improve IT systems in NHS history and an infamously costly and troubled project. It is likely to reduce substantially, however, as ambitions for the plan are negotiated and reined in over coming weeks.”

The plan is due to be published in late November or early December. The health secretary is known to be a keen advocate of new IT-related investments.

It is likely that a sizeable portion of the new £20bn planned for the NHS – which will be financed partly by tax increases that are due to be announced in the budget later this month – will go on NHS technology.

But the Health Service Journal suggests the investments will be controlled centrally, which may be a bad sign given that one of the major flaws in the failed £13bn NPfIT was that money was controlled centrally rather than by local groups of doctors and nurses.

Comment

On the face of it the current investment proposals bear no resemblance to the NHS IT programme NPfIT which was “dismantled” in 2011.

The NPfIT comprised a handful of specific major projects that were to be implemented nationally under the umbrella of “ruthless standardisation”.

The current proposals look very different. The investments fall into vague categories such as digitalising secondary care, improvements to IT infrastructure, data gathering and analytics.

The proposals have all the appearance of a different way the NHS has found to waste vast sums of public money.

It has never been acknowledged by the Treasury, NHS England or the Department of Health that the NPfIT wasted billions on spending that was invisible to the public, such as numerous consultants, years of globe-trotting by officials, first-class hotels across the world, sponsored conferences and unreported funds for marketing items that included DVDs and board games designed especially to promote the IT programme.

For officials, there’s nothing more exciting than going to work on a £13bn technology programme where money flows more freely than water. It’s no wonder officialdom is lobbying for the money.

No doubt it will be easy for officials to obtain the new billions. At any time in the recent history of the NHS it would have been easy on paper to justify £13bn for new NHS technology. Much of the £13bn could be justified simply enough by submitting plans to HM Treasury to modernise what already exists.

It was easy to justify the NPfIT. Tony Blair approved it at a Downing Street meeting that lasted 40 minutes. Computer Weekly obtained minutes of the Downing Street meeting after various FOI appeals.

But the NHS needs £13bn to be spent wisely on technology. The last thing the NHS needs is for Whitehall officials to be involved. History shows that Whitehall has the reverse Midas touch when it comes to major NHS IT investments. It is local groups of doctors and nurses who know how to spend the money wisely.

If either NHS England or the Department of Health and Social Care is involved in the new proposals for NHS IT investments – and they both are – it’s almost certain the new plans will end up as costly failures.

How would the public feel if they realised that a sizeable portion of their increased taxes for the NHS is almost certainly destined for the dustbin marked “mismanaged Whitehall IT schemes”?

Revealed: Officials’ £13bn funding ask to modernise NHS IT

Another NPfIT scandal in the making?

£20bn for the NHS? – not spent like this please

Jonathan Lewis, CEO Capita (right) and Simon Stevens, Chief Executive, NHS England (left) at Monday’s Public Accounts Committee.

By Tony Collins

Capita apologises for working “blind” on NHS outsourcing contract – but no humility from NHS England

Capita’s CEO Jonathan Lewis was contrite and authoritative when he appeared before public accounts MPs in the House of Commons on Monday.

He apologised unreservedly for what the committee chairwoman Meg Hillier called “a shambles”, which was Capita’s £330 seven to ten-year contract to run a range of services for GPs, dentists and ophthalmologists, as well as handle invitations and test results for cervical screening.

Capita’s Primary Care Support Services contract began in 2015 and complaints about the service from medical practitioners began to flow months later.

Capita made mistakes, said Lewis, who was supported by his colleague Stephen Sharp, who reports directly to Lewis on public sector contracts. One mistake was that Capita tried to save money too soon by folding the work of 47 local NHS offices with 1650 staff into three offices without fully understanding that each office had a different way of working and a different way of delivering NHS services.

[A similar mistake helped to floor the £10bn National Programme for IT in the NHS (NPfIT), where suppliers and Whitehall officials tried unsuccessfully to use computers to standardise working practices and services in hundreds of hospitals before they fully understood the widely-different approaches of each hospital.]

Lewis told the Public Accounts Committee on Monday,

“This was an extremely complex outsourcing of services that I think both parties would recognise were not fully understood when the work was outsourced – the volumes, the scope, the fact that the service was being delivered in different ways across the different regions that became NHS England. At the same time I recognise the pressure NHS England were under to reduce costs and hence the pressure on them to outsource.”

His colleague Stephen Sharp added,

“I think mistakes were made. During the bid stage, NHS England did say there were some inconsistencies and differences within the various operations. But once Capita got into all the offices and looked at it, the inconsistencies and differences were not inconsequential. It was more or less 45 different services being run from 45 different offices, so the closure programme, which we adhered to and carried on with, we maybe should have stopped. We just made the problem worse as we went along.”

Why didn’t you stop the office closures, asked Conservative MP Anne Marie Morris who added that “even the NHS said, ‘We think you need to stop’.”

Sharp replied,

“We were actually working blind for a period of time. It was only once the service had been running under our control for a few months that complaints started to come in and we started to see visibility that there were bigger issues than we thought there were.”

With hindsight he said he would not have closed offices “until we had got the procedures operating on a national basis”. He conceded that if NHS England and Capita had deferred closing offices, the first two years of savings of about £60m would not have been achieved.

Capita’s losses of £140m

Lewis said that Capita had invested £125m in the contract but, given the loss of profit margin, the losses would be closer to £140m. “We will not make money over the life of this contract,” said Lewis.

An MP asked: why not walk away?

Lewis replied, “Because we made a commitment to deliver this service and reputations depend on that commitment. We see the public sector as a segment of our market that helps us achieve a diversified revenue base. It is a segment where we have services and solutions, where we can create value for the taxpayer and that is why it is an attractive segment.”

Capita is now meeting 41 of the 45 KPIs and, though the company is making good progress against the remaining four KPIs, it doesn’t change the fact that “our initial execution on this contract was not good and for that we apologise unreservedly,” said Lewis.

There were failings on the part of NHS England too. Health officials were so anxious to achieve the savings from closing offices and replacing old IT that couldn’t be relied on that they failed to test new national, standardised working practices and services before they asked a supplier to implement this strategy.

The result was that officials at NHS England had no clear idea of how much work they were outsourcing. They left due diligence to Capita; and Capita admitted at the hearing it did not do enough due diligence at the bid stage. If it had understood how much work was involved it would have bid a higher price or not bid at all.

NHS England also failed to involve most of the potential end-users – GPs, dentists and ophthalmologists – in the design and planning of new services that would directly affect them, such as pensions and payments.

Lewis said,

“There are other stakeholders that have historically not been brought into this process to the extent that they should have been, such as the BMA [British Medical Association] in how we might implement the digitisation of pension payments and the management of its pensions, or the Confederation of Dental Employers with regard to ophthalmic payments.

“We want to bring them into the process in ways that they have not been historically because we think that that will ultimately lead to a more successful roll out of the technology… They rightly have influence over the process. If we are going to roll out a process for digitising the 20,000 paper documents that cover the process by which you get refunded for an ophthalmic prescription today, surely those people need to be involved in the final roll-out and configuration of that solution.”

Absence of humility?

When MPs questioned the top official at NHS England, Simon Stevens, there was little sign of humility, contrition or regret. He left an impression that the same problems could end up being repeated by a different supplier under a different contract. One Conservative MP, Bim Afolami, found himself “sticking up for Capita”.

Afolami said,

“Do you feel, Mr Stevens, that criticism of this contract is in any way unfair on Capita? The more I hear, the more I feel that Capita has taken the sharp end of this and NHS England, despite slight reputational difficulty, has saved £60 million. To what extent do you feel that you should take more of the blame here and Capita should take less of it?”

Stevens emphasised the £60m savings but made no mention of any of the contract’s specific problems such as the thousands of patient records that went missing, dozens of women left off cancer-screening lists, the qualified GPs who were unable to work for months while the system delayed verifying their entitlement to go onto a “National Performers List”, the GPs who ran short of basic supplies or the GPs and ophthalmologists who suffered financial detriment because of delayed payments.

Said Stevens,

“First, let me say that this has clearly been a rocky road, and the National Audit Office accurately described the bumps along the way, which are regrettable. That should not obscure the fact that, notwithstanding the economic pain that Capita has experienced, the contract has saved taxpayers £60 million in lower administrative costs in the National Health Service over the first two years of its life … that £60 million of savings is not to be sniffed at; it is the equivalent of 30,000 operations.”

Comment:

Campaign4Change has repeatedly criticised Capita’s performance on Barnet’s outsourcing contract, in part because Capita and the council have been markedly defensive – thin-skinned.

It was refreshing, therefore, to hear Capita’s newish CEO Jonathan Lewis being openly contrite over highly-visible failings in the NHS contract. He gave the impression to public accounts MPs of being a CEO who is determined to put right the failings for the sake of Capita’s reputation. The cost of correcting the problems seemed a secondary consideration.

With Lewis at the helm, Capita’s share price has continued to rise in recent weeks.

Less impressive at Monday’s hearing was Simon Stevens, NHS England’s chief executive, who seemed to imply that NHS England had done nothing wrong. It was a reaction we’ve come to expect from top civil servants after an IT-related programme disaster. It’s never the fault of officialdom.

The reality is that NHS England was almost as culpable as Capita. NHS England rushed the whole outsourcing exercise – which doomed it from the start. It didn’t listen to critics who warned that primary care support services were too locally diverse and inherently problematic to standardise as part of a national outsourcing deal.

Instead of first piloting and agreeing with GPs, dentists and ophthalmologists fundamental changes in working practices that would be needed across the country, NHS England went ahead with signing a so-called transformation deal with Capita.

NHS England paid only lip service to engagement with the new system’s end-users in the medical professions. By its own admission Capita, because of its own internal shortcomings, went into the contract blind.

What’s worrying is the way civil servants blithely repeat mistakes of the past and later say they did everything right.

The National Programme for IT in the NHS – NPfIT – failed in part because it was rushed, the implications of “ruthless standardisation” were not fully understood at the outset and there was a lack of proper engagement with potential end-users in hospitals and GP practices. All these same mistakes were made by Capita and NHS England on the Primary Care Support Services contract.

When ordinary human beings become senior civil servants there seems to be a requirement that they lose at a cellular level the facility to express humility and contrition. That loss is replaced by an overly prominent complacency. Whatever goes wrong is not their fault.

Stevens said in essence that NHS England did everything right. Through its unpublished project reviews, the Major Projects Authority – now the Infrastructure and Projects Authority – endorsed NHS England’s plans. All the so-called experts gave the outsourcing deal what Stevens called a “thumbs-up”.

It would have been surprising if Stevens had said the public sector was in any way to blame.

At least Capita has learned the lessons. It has a financial interest in doing so.

Ministers can learn from Capita’s candid chief executive

NHS England’s management of Primary Care Support Services contract with Capita – National Audit Office report

Monday’s televised Public Accounts Committee hearing with Capita’s Jonathan Lewis and Simon Stevens of NHS England

Government Digital Service loses “genius” and “national treasure”. Is Sir Humphrey winning campaign to dismember GDS?

By Tony Collins

The dismembering of the Government Digital Service is underway, says Andrew Greenway, a former programme manager working on digital projects for the Cabinet Office. He now works as an independent consultant.

His comments in Civil Service World came, coincidentally, as another top GDS official prepared to leave.

Paul Downey, GDS’s Technical Architect – who is described by former colleagues as a “legend” and “national treasure” – has left to join the Ministry of Housing, Communities and Local Government.

Downey is the latest in a long line of leading government technologists to leave GDS, which will confirm in the minds of many that Sir Humphrey has won the campaign to stop GDS interfering in the 100-year-old autonomy of individual government departments.

Cabinet Office minister Francis Maude and entrepreneur Martha Lane Fox set up GDS in 2011 to break down departmental silos and have a “single version of the truth” for everything that government touches.

Former prime minister David Cameron said the creation of GDS “is one of the great unsung triumphs of the last Parliament”.

Downey helped departments to create new digital services. He represented GDS on the UK government Open Standards Board. Formerly he was BT’s Chief Web Services Architect.

In reply to Downey’s tweet announcing his departure, Stephen Foreshew-Cain, former Executive Director of GDS, tweeted, “When people talked about standing on the shoulders of giants, they were talking about you.”

Mike Bracken, Foreshew-Cain’s predecessor as head of GDS, tweeted about Downey’s departure, “You’re a legend, my friend”.

Tom Loosemore, founder of GDS who, in 2012, wrote the Government Digital Strategy for GDS, also tweeted praise for Downey.

Loosemore left GDS in 2015 for the Co-op group. In an interview shortly after leaving, Loosemore said, “The shape of government needs to change … Businesses don’t run on siloed departments any more and neither should government.”

Liam Maxwell, National Technology Adviser at HM Government who used to be the government’s chief technology officer and who ran teams at GDS, tweeted, “You have been total inspiration to me and hundreds of others”.

Dismembering

Greenway said GDS retains people, prestige and power. “There is no question that the civil service is in a much stronger position on digital than it was six years ago. Some of the work going on in government, including the teams in GDS building digital platforms, remains world-leading”.

Despite bleeding skills elsewhere, GDS has not experienced a terminal brain drain, says Greenway. “Many of those who have stayed are doing a heroic job in trying circumstances.”

But he added that officials working on digital programmes in other departments describe the GDS team as well-meaning but increasingly peripheral.

It now looks as if the Department of Digital, Culture, Media and Sport will take over from GDS. But Greenway warns against replacing a weakened centre with diffuse departmental effort.

“The point of GDS was to have a single team that could act as the voice of users for government as a whole. To do that well, it needed a mandate covering data as well as design, operations and technology. It also had to have a clear mission. Increasingly, it has neither of these.

“The departmental shape of government gives no incentive for any non-central department to step in. It is a great shame that the two most well-placed advocates for an effective centre — the Treasury and Sir Jeremy Heywood — have proved unable or unwilling to stop the rot …

“The dismembering of GDS is underway.”

Comment

GDS was a great idea. But Sir Humphries tend not to like great ideas if they mean internal change. Permanent secretaries are appointed on the basis that they are a safe pair of hands. Safe in this context means three things:

  • not spilling the beans however rancid they may be
  • valuing the department’s unique heritage, administrative traditions, staff and procedures
  • talking daily of the need for large-scale “transformative” change while ensuring it doesn’t happen.

Thus, for the past few years, GDS professionals have found that top civil servants want central government departments to continue to be run as separate bureaucratic empires with their uniqueness and administrative traditions preserved.

GDS technologists, on the other hand, want to cut the costs of running Whitehall and the wider public sector while making it easier for the public to interact with government. This puts GDS at odds with Whitehall officials who believe that each departmental board knows best how to run its department.

In the long run GDS cannot win – because it was set up by politicians who wanted change but whose stewardship was temporary while the will to dismember GDS comes from the permanent secretariat who do not welcome change and have the power to resist it.

More’s the pity because taxpayers will continue to spend a fortune on preserving departmental silos and huge, unnecessarily-complex technology contracts.

Andrew Greenway on the dismembering of GDS – Civil Service World

GDS deserves credit for its successes – Government Computing

GDS to lose some policy control? – Computer Weekly

Government Digital Service blog

Government Digital Service being “dismembered”

Ministers told of major problem on Capita NHS contract more than a year later

By Tony Collins

Today’s Financial Times and other newspapers cover a National Audit Office report into GP clinical notes and correspondence, some of it urgent, that was not directed to the patient’s GP.

The correspondence was archived by Capita under its contract to provide GP support services. But patient notes were still “live”. They included patient invitation letters, treatment/diagnosis notes, test results and documents/referrals marked ‘urgent’.

What isn’t well reported is that ministers were left in the dark about the problems for more than a year. The National Audit Office does not blame anyone – its remit does not include questioning policy decisions – but its report is impressive in its setting out of the facts.

Before NHS England outsourced GP support services to Capita in 2015, GP practices sent correspondence for patients who were not registered at their practice to local primary care services centres, which would attempt to redirect the mail.

By the time Capita took over GP support services on 1 September 2015, GPs were supposed to “return to sender” any correspondence that was sent to them incorrectly – and not send it to primary care services centres that were now run, in part, by Capita.

But some GPs continued to send incorrectly-addressed correspondence to the primary care services centres. Capita’s contract did not require it to redirect clinical correspondence.

An unknown number of GP practices continued to send mail to the centres, expecting the centre’s staff to redirect it. A further complication was that Capita had “transformation” plans to cut costs by closing the primary care services support centres.

Capita made an inventory of all records at each site and shared this with NHS England. The inventories made reference to ‘clinical notes’ but at this point no one identified these notes as live clinical correspondence. Capita stored the correspondence in its archive.

In line with its contract, Capita did not forward the mail. It was not until May 2016 – eight months after Capita took over the primary care services centres – that Capita told a member of NHS England’s primary care support team that there was a problem with an unquantified accumulation of clinical notes.

It was a further five months before Capita formally reported the incident to NHS England. At that time Capita estimated that there was an accumulation of hundreds of thousands of clinical notes. When the National Audit Office questioned Capita on the matter, it replied that, with hindsight, it believes it could have reported the backlog sooner.

In November 2016, Capita and NHS England carried out initial checks on the reported backlog of 580,000 clinical notes. It wasn’t until December 2016 that ministers were informed of problems – more than a year after Capita took over the contract.

Even in December 2016 ministers were not fully informed. Information about a backlog of live clinical notes was within a number of items in the quarterly ministerial reports. NHS England did not report the matter to the Department of Health until April 2017 – about two years after the problems began.

Even then, officials told ministers that clinical notes had been sampled and were considered “low clinical and patient risk”. But a later study by NHS England’s National Incident Team identified a backlog of 1,811 high priority patient notes such as documents deemed to be related to screening or urgent test results.

The National Audit Office says, “NHS England expects to know by March 2018 whether there has been any harm to patients as a result of the delay in redirecting correspondence. NHS England will investigate further where GPs have identified that there could be potential harm to patients. The review will be led by NHS England’s national clinical directors, with consultant level input where required.”

Last month Richard Vautrey, chairman of the British Medical Association’s General Practitioners Committee, wrote to the NHS Chief Executive Simon Stevens criticising a lack of substantial improvement on Capita’s contract to run primary care service centres.

In December, the GP Committee surveyed practices and individual GPs on the Capita contract. The results showed a little improvement across all service lines, when compared to its previous survey in October 2016, but a “significant deterioration” in some services. Vautrey’s letter said,

“While any new organisation takes time to take over services effectively, the situation has gone from bad to worse since Capita took over the PCSE [Primary Care Support England] service almost two and a half years ago …

“This situation is completely unacceptable. As a result of the lack of improvement in the service delivery of PCSE we are now left with no option but to support practices and individual doctors in taking legal routes to seek resolution. While this is taking place, we believe it is imperative that NHS England conducts a transparent and comprehensive review of all policy, procedures and processes used by PCSE across each service line.”

Comment:

It’ll be clear to some who read the NAO report that the problems with urgent patient notes going astray or being put mistakenly into storage stem from NHS England’s decision to outsource a complex range of GP support services without fully considering – or caring about – what could go wrong.

It’s not yet known if patients have come to harm. It’s clear, though, that patients have been caught in the middle of a major administrative blunder that has complex causes and for which nobody in particular can be held responsible.

That ministers learned of a major failure on a public sector outsourcing deal over a year after live patient notes began to be archived is not surprising.

About four million civil and public servants have strict rules governing confidentiality. There are no requirements for civil and public service openness except when it comes to the Freedom of Information Act which many officials can – and do – easily circumvent.

Even today, the fourth year of Capita’s contract to run GP support services, the implications for patients of what has gone wrong are not yet fully known or understood.

It’s a familiar story: a public sector blunder for which nobody will take responsibility, about which nobody in particular seems to care, and for which the preoccupation of officialdom will be to continue playing down the implications or not say anything at all.

Why would they be open when there is no effective requirement for it? It’s a truism that serious problems cannot be fixed until they are admitted. In the public sector, serious problems on large IT-related contracts are not usually fixed until the seriousness of the problems can no longer be denied.

For hundreds of years UK governments have struggled to reconcile a theoretical desire for openness with an instinctive and institutional need to hide mistakes. Nothing is likely to change now.

National Audit Office report – Investigation into clinical correspondence handling in the NHS.

A proposed Bill and charter that could change the face of Whitehall IT and save billions

By Tony Collins

A government-commissioned review yesterday backed a Bill that could, if enacted and applied to Whitehall generally, prevent billions of pounds being lost on wasteful projects.

The Public Authority Accountability Bill – known informally as the Hillsborough Law – would establish an offence of intentionally or recklessly misleading the public, media or court proceedings.

It would also impose a legal requirement on public authorities to act with candour, transparency and frankness when things go wrong.

Although the Bill was a reaction, in part, to the cover up by public authorities of their failings in the light of Hillsborough, it could, if enacted, deter public authorities from covering up failings generally – including on major IT programmes.

For decades public authorities have had the freedom – unrestricted by any legislation – to cover up failures and issue misleading statements to the public, Parliament and the media.

In the IT sphere, early problems with the Universal Credit IT programme were kept secret and misleadingly positive statements issued. The National Audit Office later criticised a “good news” culture on the Universal Credit programme.

And still the DWP is fighting to block the disclosure of five project assessment reviews that were carried out on the Universal Credit IT programme between 2012 and 2015.

It could be argued that billions of pounds lost on the NPfIT – the National Programme for IT in the NHS – would have been avoided if the Department of Health had been open and candid at the start of the programme about the programme’s impractically ambitious aims, timescales and budgets.

The Department for Business, Energy and Industrial Strategy is currently keeping secret its progress reports on the £111bn smart meters rollout – which independent experts have said is a failing programme.  The department routinely issues positive statements to the media on the robust state of the programme.

The Public Authority Accountability Bill was drafted by lawyers who had been involved with representing bereaved Hillsborough families. It is aimed mainly at government inquiries, court proceedings and investigations into lapses of public services.

But it would also enshrine into law a duty on public authorities, public servants, officials and others to act within their powers with “transparency, candour and frankness”.

Lawyers who drafted the Bill refer on their website to “institutional defensiveness and a culture of denial” when things go wrong. They say,

“In 2017 we expect public authorities and individuals acting as public servants to be truthful and act with candour. Unfortunately, repeated examples have shown us that this is not generally the case.

“Instead of acting in the public interest by telling the truth, public authorities have tended to act according to narrow organisational and individual motives by trying to cover up faults and deny responsibility …”

Backing for the Bill came yesterday from a 117-page report on the Hillsborough disaster by Bishop James Jones. The government commissioned him to produce a report on the experiences of the Hillsborough families so that their “perspective is not lost”.

Jones’ impressive report refers to institutions that “closed ranks, refused to disclose information, used public money to defend its interests and acted in a way that was both intimidating and oppressive”.

His report refers to public bodies in general when it points to a “cultural condition” and “mindset” that features an “instinctive prioritisation of the reputation of an organisation over the citizen’s right to expect people to be held to account for their actions”. This, says the report, “represents a barrier to real accountability”.

It adds,

“As a cultural condition, this mindset is not automatically changed, still less dislodged, by changes in policies or processes. What is needed is a change in attitude, culture, heart and mind.”

The report urges leaders of “all public bodies” to make a commitment to cultural change by publicly signing a new charter.

The charter commits public bodies to:

  • Place the public interest above its own reputation.
  • Approach forms of scrutiny with candour, in an open, honest and transparent way, making full disclosure of relevant documents, material and facts.
  • Learn from the findings of external scrutiny and from past mistakes.
  • Avoid seeking to defend the indefensible or to dismiss or disparage those who may have suffered where the organisation has fallen short.
  • When falling short, apologise straightforwardly and genuinely.
  • Not knowingly mislead the public or the media.

The report says that institutional defensiveness and a culture of denial are “endemic amongst public institutions as has been demonstrated not only by the Hillsborough cover up but countless other examples.”

Stuart Hamilton, son of Roy Hamilton who died at Hillsborough, is quoted in the report as saying,

“Police, officials and civil servants should have a duty of revealing the full facts and not merely selecting some truths to reveal but not others. Not lying or not misleading is simply not good enough. Without this, future disasters cannot be averted and appropriate policies and procedures cannot be developed to protect society.

“Such selective revealing of information also results in the delay of justice to the point where it cannot be served”.

He added,

“I believe that without a change not only in the law but also in the mindset of the public authorities (which a law can encourage) then very little exists to stop the post-event actions happening again.”

IT-enabled projects

Whitehall departments and the Infrastructure and Projects Authority publish their own narratives on the progress on major IT-enabled projects and programmes such as Universal Credit and smart meters.

But their source reports aren’t published.

Early disclosure of failings could have prevented hundreds of millions of pounds being lost on the FireControl project, the BBC’s Digital Media Initiative, the Home Office Raytheon e-borders and C-Nomis national offender management information projects and the Rural Payments Agency’s CAP delivery programme (which, alone, contributed to EU penalties of about £600m).

Comment:

Yesterday’s beautifully-crafted report into the Hillsborough disaster – entitled “The patronising disposition of unaccountable power” – is published on the Gov.uk website.

It has nothing to do with IT-enabled projects and programmes. But, in an unintentional way, it sums up a public sector culture that has afflicted nearly every Whitehall IT-based project failure in the last 25 years.

A culture of denial is not merely prevalent today; it is pervasive. All Whitehall departments keep quiet about reports on their failings. It is “normal” for departments to issue misleadingly positive statements to the media about progress on their programmes.

The statements are not lies. They deploy facts selectively, in a way that covers up failings. That’s the Whitehall culture. That’s what departments are expected to do.

According to Bishop Jones’ Hillsborough report, one senior policeman told bereaved families that he was not obliged to reveal the contents of his reports. He could bury them in his garden if he wished.

It’s the same with government departments. There is no legal duty to keep programme reports, still less any requirement to publish them.

If Bishop Jones’ charter is signed by leaders of public authorities including government departments, and Andy Burnham’s Bill becomes law,  the requirement for candour and transparency could mean that IT programme progress reports are made available routinely.

If this happened – a big if – senior public officials would have to think twice before risking billions of pounds on a scheme that held out the prospect of being fun to work on but which they knew had little chance of success within the proposed timescales, scope and budget.

It’s largely because of in-built secrecy that the impossibly impractical NPfIT was allowed to get underway. Billions of pounds was wasted.

Some may say that the last thing ministers and their permanent secretaries will want is the public, media and MPs being able to scrutinise what is really happening on, say, a new customs IT project to handle imports and exports after Brexit.

But the anger over the poor behaviour of public authorities after Hillsborough means that the Bill has an outside chance of eventually becoming law. Meanwhile public sector leaders could seriously consider signing Jones’ charter.

John Stuart Mill wrote in 1859 (On Liberty and The Subjection of Women) that the “only stimulus which can keep the ability of the [public] body itself up to a high standard is liability to the watchful criticism of equal ability outside the body”.

 

Is Gauke being told the whole truth on Universal Credit’s rollout problems?

By Tony Collins

“It is working,” said Work and Pensions secretary David Gauke in Manchester yesterday. He was referring to a plan to accelerate the rollout of Universal Credit from this month.

“I can confirm that the rollout will continue, and to the planned timetable,” he added.

But are civil servants giving Gauke – and each other – full and unexpurgated briefings on the state of the Universal Credit programme?

Last year, in a high-level DWP document that government lawyers asked a judge not to release for publication, a DWP director referred to

“a lack of candour and honesty throughout the [Universal Credit] programme.”

Senior civil servants were not passing bad news on the state of the Universal Credit IT programme even to each other.

The DWP document was dated several years after Iain Duncan Smith, the original force behind the introduction of Universal Credit, found his internal DWP briefings on the state of the UC programme so inadequate – a “good news” culture prevailed – that he brought in his own external advisers – what he called his “red team”.

In 2013 the National Audit Office, in a report on Universal Credit, said a “good news” mentality within the DWP prevented problems being discussed.

If problems could not be discussed they could not be addressed.

Last year the Institute for Government, in a report on Universal Credit, said IT employees at the DWP’s Warrington offices burst into tears with relief when at last permitted – by external advisers –  to talk openly about problems on the programme.

The Work and Pensions Committee has questioned why DWP ministers told MPs all was going well with the programme when it was well behind schedule and beset with problems.

The Public Accounts Committee called the DWP “evasive and selective” when it came to passing on information about the state of the Universal Credit programme.

Is there any reason to believe that the “fortress mentality” that the NAO referred to in its report on Universal Credit in 2013 is no longer present?

When David Gauke announced yesterday that he is continuing the rollout of Universal Credit, was he basing his decision on the full facts – or a “good news” version of it as told to him by the DWP?

Comment

David Gauke will have been given the “new minister” treatment when he joined the DWP on 11 June 2017.

“The first thing you’ve got to overcome when you walk through the door is that everybody is being almost far too nice to you,” said one of Gauke’s predecessors, Iain Duncan Smith. He was speaking in 2016 after leaving the DWP.

IDS was much criticised for assuring Parliament all was well with the Universal Credit IT programme when it wasn’t. But maybe he was right to point out that, when he joined the DWP, he found that the “biggest cultural barrier” was getting civil servants to be honest about difficulties.

“The Civil Service, legitimately, see it as their role to deliver on politicians’ policy demands and this can sometimes make them resistant to the idea that they should inform you early of problems,” said IDS.

It was IDS who told BBC’s Radio 4 Today programme in December 2013, that Universal Credit was on track.

“It’s on budget. It’s on budget. Some 6.5million people will be on the system by the end of 2017.”

In fact, fewer than 700,000 people are claiming Universal Credit,  according to the latest DWP statistics.

DWP’s 30 years of a “good news” culture

In the past 30 years, it has been almost unknown for the DWP’s mandarins to concede that they have had serious problems with any of their major IT-based projects and programmes.

Perhaps it’s understandable, then, that Gauke apparently refuses to listen to critics and continues with the accelerated rollout of Universal Credit.

Would he have any idea that the Citizens Advice Bureau, in a carefully-researched report this year, said that some claimants are on the DWP’s “live service” (managed by large IT suppliers) which is “rarely updated” while other claimants are on a separate “full service” – what the CAB calls a “test and learn” system – which is still being designed?

Would Gauke know of the specific concerns of the all-party Work and Pensions Committee which wrote to the DWP earlier this year about Universal Credit decision makers being “overly reliant on information from [HMRC’s] Real-time information” even when there is “compelling evidence” that this data is  incorrect?

Would Gauke have any reason to believe those who refer to regular computer breakdowns and inaccurate and inconsistent data?

In the DWP’s own document that it did not want published, the DWP director said that, internally, “people stopped sharing comments which could be interpreted as criticism of the Programme, even when those comments would be useful as part of something like an MPA [Major Projects Authority] review.”

Many staff believed the official line was ‘everything is fine’. Nobody wanted to be seen to contradict it.

All this suggests that the DWP will carry on much as before, regardless of external criticism.  Individual ministers are accountable but they move on. Their jobs are temporary. It’s the permanent civil service that really matters when it comes to the implementation of Universal Credit.

But mandarins are neither elected nor effectively accountable.

NHS IT programme?

There may be some comparisons between Universal Credit and the NHS IT programme, the £10bn NPfIT.

A plethora of independent organisations and individuals expressed concerns about the NPfIT but minister after minister dismissed criticisms and continued the rollout. The NPfIT was dismantled many years later, in 2011. Billions was wasted.

Based on their civil service briefings, NPfIT ministers had no reason to believe the programme’s critics.

Universal Credit has more support than the NPfIT and the IT is generally welcomed, not shunned. But the Universal Credit rollout is clearly not in a position yet to be speeded up.

Whether Gauke will recognise this before his time is up at the DWP is another matter.

Like IDS, Stephen Crabb and Damian Green – all secretaries of state during the rollout of Universal Credit – Gauke will move on and his successor will get the “new minister” treatment.

And the cycle of ministerial “good news” briefings will continue.

Perhaps the DWP’s senior civil servants believe they’re protecting their secretaries of state.

As the civil servant Bernard Woolley said in “Yes Minister”,

“If people don’t know what you’re doing, they don’t know what you’re doing wrong.”

Thank you to David Orr, an ardent campaigner for open government, who alerted me to Universal Credit developments that form part of this article.

HMRC appoints Microsoft executive as head of IT

By Tony Collins

Government Computing reports that HMRC has appointed a new chief digital and information officer, Jacky Wright, who is currently Microsoft’s corporate vice-president, Core Platform Engineering.

Theresa May ratified Wright’s appointment. Candidates were considered from across the civil service and the public and private sectors, and internationally.

The chief executive of HMRC Jon Thompson said,

“Jacky is a seasoned commercial leader with ‘best in class’ credentials, globally. Balancing strong operating experience with a record of driving innovation… Her influence as a technology leader and as a champion for the role of women and BAME [black, Asian, minority ethnic] in industry, is a major win for this organisation.”

Wright will take up her appointment from 16 October. She said,

“I am passionate about the impact innovation can have in truly transforming services for people and businesses in a positive way and want to continue the great work being done within HMRC and across the Civil Service at this time. I am proud to represent women and BAME in technology and will continue to promote the vital role of diversity within our industry and more broadly.”

One of HMRC’s biggest IT challenges in the coming months and years will be to detach itself from the £10bn “Aspire” outsourcing deal in which Capgemini and Fujitsu are the main suppliers.

Aspire is being broken up. HMRC says the contract is already “dead” but the department will rely on Capgemini as a strategic supplier until June 2020 and most probably beyond. HMRC has spent at least £720m a year on Aspire since 2008, including 2015/16.

Comment:

After spending years trying to distance itself from major IT suppliers, HMRC has appointed a top Microsoft executive as its new head of IT.

That said, Wright is an excellent appointment. She’s widely recognized for her contributions to the technology industry and for championing diversity. She has been in Britain’s Powerlist 100 of Most Influential People, the Top 100 BAME Leaders in Business, and Savoy Magazine’s Top Women list.

The challenge for Wright will be to use her influence and skills in a civil service that, at the top level, may not fully appreciate her. Will she feel sufficiently valued and stay?

Francis Maude – the former IT reformer and Cabinet Office minister – said in a Speaker’s Lecture this week that the civil service values policy experts more than operational and technical leaders.

“Policy nearly always trumps operational and technical skills for the leadership roles,” said Lord Maude.

“It feels like a class divide: there are the white-collar policy mandarins, and the blue-collar technicians who do operations, finance, procurement, IT and digital, project management, HR, and so on.

“All the attempts to create genuine parity of esteem have failed. This has to change in the future. Many government failures could have been prevented if operational and technical teams had the same access to Ministers as do policy officials.”

In working for HMRC,  Wright may need to acclimatise to a civil service culture that could, at times, strike her as frustrating, closed and irrational.  HMRC’s former IT chiefs include Steve Lamey, Phil Pavitt and Mark Dearnley.

Will an innovations specialist of Wright’s calibre last at HMRC? If she does, it could imply that HMRC is defying the civil service culture and is valuing a top international IT professional.

If she doesn’t last, it could imply that she has been hired as a Formula One driver and then given a Prius to race.

The Prius is an impressive piece of machinery. But it’ll never go particularly fast, however expertly it’s driven.

Microsoft’s Jacky Wright named as HMRC’s new CDIO

 

Whitehall renews facade of openness on major IT projects

By Tony Collins

Headlines yesterday on the state of major government IT projects were mixed.

Government Computing said,

“IPA: Whitehall major projects show ‘slow and steady’ delivery improvement”

Computer Weekly said,

“Government IT projects improving – but several still in doubt”

The Register said,

“One-quarter of UK.gov IT projects at high risk of failure – Digital borders, digital tax and raft of MoJ projects singled out”

The headlines were prompted by the Infrastructure and Projects Authority’s annual report which was published yesterday.

The report listed the RAG – red/amber/green – status of each of 143 major projects in the government’s  £455bn major projects portfolio. Thirty-nine of these are ICT projects, worth a total of £18.6bn.

Publication of the projects’ red/amber/green status – called the “Delivery Confidence Assessment” – seemed a sign that the government was being open over the state of its major IT and other projects.

A reversal of decades of secrecy over the progress or otherwise of major IT projects and programmes?

In a foreword to the Infrastructure and Projects Authority’s report, two ministers referred twice to the government’s commitment to openness and accountability.

MP Caroline Nokes, Cabinet Office minister, and MP Andrew Jones, a Treasury minister, said in their joint foreword,

“The government is also committed to transparency, and to being responsive and accountable to the public we serve.

“Accordingly, we have collected and published this data consistently over the past five years, enabling us to track the progress of projects on the GMPP [Government Major Projects Portfolio] over time.

“We will continue to be responsive and accountable to the public.”

But the report says nothing about the current state of major IT projects. The delivery confidence assessments are dated September 2016. They are 10 months out of date.

This is because senior civil servants – some of whom may be the “dinosaurs” that former minister Francis Maude referred to last month – have refused to allow politicians to publish the red/amber/green status of major projects (including the Universal Credit programme and the smart meters rollout) unless the information, when published, is at least six months old.

[Perhaps one reason is to give departmental and agency press officers an opportunity to respond to journalists’ questions by saying that the red, red/amber or amber status of a particular major project is out of date.]

Amber – but why?

An amber rating means that “successful delivery appears feasible but significant issues already exist” though any problems “appear resolvable”.

In September 2016 the Universal Credit programme was at amber but we don’t know why. Neither the IPA nor the Department for Work and Pensions mention any of the “issues”.

The £11bn smart meters rollout is also at amber and again we don’t know why. Neither the IPA nor the Department for Business, Energy and Industrial Strategy mention any of the “issues”. Permanent secretaries are allowed to keep under wraps the IPA’s reasons for the red/amber/green assessments.

Even FOI requests for basic project information have been refused.  Computer Weekly said,

“Costs for the Verify programme were also withheld from the IPA report, again citing exemptions under FOI.”

Comment

The senior civil servants who, in practice, set the rules for what the Infrastructure and Projects Authority can and cannot publish on major government projects and programmes are likely to be the “dinosaurs” that former Cabinet Office minister Francis Maude referred to last month.

Maude said that Whitehall reforms require that new ministers “face down the obstruction and prevarication from the self-interested dinosaur tendency in the mandarinate.”

Clearly that hasn’t happened yet.

The real information about Universal Credit’s progress and problems will come not from the Infrastructure and Projects Authority – or the Department for Work and Pensions – but from local authorities, housing associations, landlord organisations, charities and consumer groups such as the Citizens Advice Bureau (which has called for Universal Credit to be halted), the local press, the National Audit Office and Parliamentary committees such as the Public Accounts Committee and Work and Pensions Committee.

On the smart meter rollout, the real information will come not from the Infrastructure and Projects Authority – or the Department for Business, Energy and Industrial Strategy – but from business journalist Paul Lewis, consumer advocate Martin Lewis, business organisations such as the Institute of Directors, experts such as Nick Hunn, the Energy and Climate Change Committee and even energy companies such as EDF.

Much of this “real” information will almost certainly be denied by Whitehall press officers. They’ll be briefed by senior officials to give business journalists only selected “good news” facts on a project’s progress and costs.

All of this means that the Infrastructure and Projects Authority may have good advice for departments and agencies on how to avoid project failures – and its tact and deference will be welcomed by permanent secretaries – but it’s likely the IPA will be all but useless in providing early warnings to Parliament and the public of incipient project disasters.

Ministers and some senior civil servants talk regularly about the government’s commitment to openness and accountability. When will it start applying to major government IT projects?

 

UK.gov watchdog didn’t red flag any IT projects. And that alone should be a red flag to everyone

Aftermath of the cyber attack – will ministers learn the wrong lessons?

By Tony Collins

At least 16 NHS trusts out of 47 that were hit by the ransomware attack continue to face problems, according to BBC research.

And, as some patients continued to have their cancer treatments postponed, Tory, Labour and Lib Dem politicians told of their plans to spend more money on NHS IT.

But will any new money promised by government focus on basic weaknesses – such as the lack of interoperability and the structural complexities that made the health service vulnerable to cyber attack?

Last year when the health secretary Jeremy Hunt announced £4bn for NHS IT, his focus was on new technologies such as smartphone apps to order repeat prescriptions rather than any urgent need to upgrade MRI, CT and other medical devices that rely on Windows XP.

Similarly the government-commissioned Wachter review “Making IT Work: Harnessing the Power of Health Information Technology to Improve Care in England” made no mention of Windows XP or any operating system – perhaps because ministers were much more likely to welcome a review of NHS IT that focused on innovation and new technologies.

Cancer treatments postponed

The Government’s position is that the NHS was not specifically targeted in the cyber attack and that the Tories are putting £2bn into cyber security over the next year.

Theresa May said yesterday,

“It was clear warnings were given to hospital trusts but this is not something that was focused on attacking the NHS. 150 countries are affected. Europol says there are 200,000 victims across the world. Cyber security is an issue we need to address.

“That’s why the government, when we came into government in 2010, put money into cyber security. It’s why we are putting £2bn into cyber security over the coming year.”

Similarly Jeremy Hunt, health secretary, told the BBC that the attack affected international sites that have “some of the most modern IT systems”.

But the BBC’s World at One gave an example of how the NHS’s IT problems were affecting the lives of patients.

It cited the case of Claire Hobday whose radiography appointment for breast cancer at Lincoln County Hospital was cancelled on Friday (12 May 2017) and she still doesn’t know when she’ll receive treatment. Hobday said,

“I turned up by hospital transport for my second radiotherapy session, and I, along with many other patients – at least 20 other people were waiting – and they said the computers weren’t working.

“I do have to say the staff were very good and very quickly let us all know that they were having trouble with the computers. They didn’t want to misinform us, so they were going to come and talk to us all individually and hoped they would be able to rectify it.

“Within half an hour or so they came out and said, ‘We’re really sorry but it’s not going to get sorted. We’ll send you all home and give you a call on Sunday’ which didn’t happen.

“But they did ring me this morning (15 May 2017) to say it’s not happening today and if transport turns up please don’t get in it, and it’s very unlikely it will happen tomorrow.

“It is just a bit upsetting that other authorities have managed to sort it but Lincolnshire don’t seem to have been able to do that.”

United Lincolnshire Hospitals Trust told World at One it will be back in touch with patients once the IT system is restored.

Roy Grimshaw was in the middle of an MRI scan – after dye was injected into his bloodstream – when the scan was stopped and he was asked to go back into the waiting room in his gown, with tubes attached to him, while staff investigated a computer problem. After half an hour he was told the NHS couldn’t continue the scan.

Budgets “not an issue”?

GP practices continue to be affected. Keiran Sharrock, GP and medical director of Lincolnshire local medical committee, said yesterday (15 May 2017) that systems were switched off in “many” practices.

“We still have no access to medical records of our patients. We are asking patients to only contact the surgery if they have an urgent or emergency problem that needs dealing with today. We have had to cancel routine follow-up appointments for chronic illnesses or long-term conditions.”

Martha Kearney – BBC World at One presenter – asked Sharrock about NHS Digital’s claim that trusts were sent details of a security patch that would have protected against the latest ransomware attack.

“I don’t think in general practice we received that information or warning. It would have been useful to have had it,” replied Sharrock.

Kearney – What about claims that budget is an aspect of this?

Sharrock: “Within general practice that doesn’t seem to be the reason this happened. Most general practices have people who can work on their IT and if we’d been given the patch and told it needed to be installed, most practices would have done that straight away.”

GCHQ

World at One also spoke to Ciaran Martin, Director General for Government and Industry Cyber Security. He is a member of the GCHQ board and its senior information risk owner. He used to be Constitution Director at the Cabinet Office and was lead negotiator for the Prime Minister in the run-up to the Edinburgh Agreement in 2012 on a referendum on independence for Scotland.

Kearney: Did your organisation issue any warnings to the health service?

Martin: “We issue warnings and advice on how to upgrade defences constantly. It’s generally public on our website and it’s made very widely available for all organisations. We are a national organisation protecting all critical sectors and indeed individuals and smaller organisations as well.”

Huge sums spent on paying ransoms?

Kearney asked Martin, “How much money are you able to estimate is being spent on ransoms as a result of these cyber attacks?” She added,

“I did hear one astonishing claim that in the first quarter of 2016 more money was spent in the USA on responding to ransomware than [was involved] in armed robberies for the whole of that year?”

Martin: “First let me make clear that we don’t condone the payment of ransoms and we strongly advise bodies not to pay and indeed in this case the Department of Health and the NHS have been very clear that affected bodies are not to pay ransoms. Across the globe there is, sadly, a market in ransomware. It is often the private sector in shapes and sizes that is targeted.”

Martha Kearney said the UK may be a target because it has a reputation for being willing to pay ransoms.

Martin, “We are no more or less a target for ransomware than anywhere else. It’s a global business; and it is a business. It is all about return on investment for the attacker.

“What’s important about that is that it’s all about upgrading defences because you can make the return on investment lower by making it harder to get in.”

If an attacker gets in, the aim must be to make it harder to get anything useful, in which case the “margin on investment goes down”. He added,

“That’s absolutely vital to addressing this problem.”

Are governments at fault?

Martin,

“Vulnerabilities will always exist in software. Regardless of who finds the underlying software defect, it’s incumbent on the entire cyber security ecosystem – individual users, enterprises, governments or whoever – to work together to mitigate the harm.”

He added that there are “all sorts of vulnerabilities out there” including with open source software.

Windows XP

Computer Weekly reports – convincingly – that the government did not cancel an IT support contract for XP.

Officials decided to end a volume pricing deal with Microsoft which left NHS organisations to continue with XP support if they chose to do so. This was clearly communicated to affected departments.

Government technology specialists, reports Computer Weekly, did not want a volume pricing deal with Microsoft to be a “comfort blanket” for organisations that – for their own local reasons – were avoiding an upgrade from XP.

Computer Weekly also reported that civil servants at the Government Digital Service expressed concerns about the lack of technical standards in the NHS to the then health minister George Freeman.

Freeman was a Department of Health minister until July 2016. In their meeting with Freeman, GDS officials emphasised the need for a central body to set technical standards across the NHS, with the authority to ensure trusts and other organisations followed best practice, and with the transparency to highlight those who chose not to.

A source told Computer Weekly that Jeremy Hunt was also briefed on the security risks that a lack of IT standards would create in a heavily-federated NHS but it was not considered a priority at that top political level.

“Hunt never grasped the problem,” said the source.

There are doubts, though, that Hunt could have forced trusts to implement national IT security standards even if he’d wanted to. NHS trusts are largely autonomous and GDS has no authority to mandate technical standards. It can only advise.

How our trust avoided being hit

A comment by an NHS IT lead on Digital Health’s website gives an insight into how his trust avoided being hit by the latest cyber attack. He said his trust had a “focus on perimeter security” and then worked back to the desktop.

“This is then followed up by lots of IG security pop ups and finally upgrading (painfully) windows XP to windows 7…” He added,

“NHS Digital have to take a lead on this and enforce standards for us locally to be able to use.”

He also suggests that NHS Digital sign a Microsoft Enrollment for Windows Azure [EWA] agreement as it is costly arranging such a deal locally.

“NHS Digital must for me, step in and provide another MS EWA as I am sure the disruption and political fall-out will cost more. Introduce an NHS MS EWA, introduce standards for software suppliers to comply with latest OS and then use CQC to rate organisations that do not upgrade.”

Another comment on the Digital Health website says that even those organisations that could afford the deployment costs of moving from XP to Windows 7 were left with the “professional” version, which “Microsoft has mercilessly withdrawn core management features from (e.g. group policy features)”.

The comment said,

“There are a lot of mercenary enterprises taking advantage of the NHS’s inability to mandate and coordinate the required policies on suppliers which would at least give the under-funded and under-appreciated IT functions the ability to provide the service they so desperately want to.”

A third comment said that security and configuration management in the NHS is “pretty poor”. He added, “I don’t know why some hospitals continue to invest in home-brew email systems when there is a national solution ready and paid for.

“In this recent attack most of the organisations hit seem to use local email systems.”

He also criticised NHS organisations that:

  • Do not properly segment their networks
  • Allow workstations to openly and freely connect to each other in a trusted zone
  • Do not have a proper patch / update management regime
  • Do not firewall legacy systems
  • Don’t have basic ACLs [access control lists]

Three lessons?

  • Give GDS the ability to mandate no matter how many Sir Humphreys would be upset at every challenge to their authority. Government would work better if consensus and complacency at the top of the civil service were regarded as vices, while constructive, effective and forceful criticism was regarded as a virtue.
  • Give the NHS money to spend on the basic essentials rather than nice-to-haves such as a paperless NHS, trust-wide wi-fi, smartphone apps, telehealth and new websites. The essentials include interoperability – so that, at the least, all trusts can send test results and other medical information electronically to GPs – and the upgrading of medical devices that rely on old operating systems.
  • Plan for making the NHS less dependent on monolithic Microsoft support charges.

On the first day of the attacks, Microsoft released an updated patch for older Windows systems “given the potential impact to customers and their businesses”.

Patches are available for: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, and Windows 8 x64.

Reuters reported last night that the share prices of cyber security companies “surged as investors bet on governments and corporations spending to upgrade their defences”.

Network company Cisco Systems also closed up (2.3%), perhaps because of a belief that it would benefit from more network spending driven by security needs.

Security company Avast said the countries worst affected by WannaCry – also known as WannaCrypt – were Russia, Taiwan, Ukraine and India.

Comment

In a small room on the periphery of an IT conference on board a cruise ship, nearly all of the senior security people talked openly about how their board directors had paid ransoms to release their systems after denial of service attacks.

Some of the companies – most of them household names – had paid ransoms more than once.

Until then, I’d thought that some software suppliers tended to exaggerate IT security threats to help market their solutions and services.

But I was surprised at the high percentage of large companies in that small room that had paid ransoms. I no longer doubted that the threats – and the damage – were real and pervasive.

The discussions were not “off-the-record” but I didn’t report their comments at the time because that would doubtless have had job, and possibly even career, ramifications if I had quoted the security specialists by name.

Clearly ransomware is, as the GCHQ expert Ciaran Martin put it, a global business but, as ransoms are paid secretly – there’s not a whisper in corporate annual accounts – the threat has not been taken seriously enough in some parts of the NHS.

The government’s main defence is that the NHS was not targeted specifically and that many private organisations were also affected.

But the NHS has responsibility for lives.

There may be a silver lining if a new government focuses NHS IT priorities on the basics – particularly the structural defects that make the health service an easy target for attackers.

What the NHS doesn’t need is a new set of politicians and senior civil servants who can’t help massaging their egos and trying to immortalise their legacy by announcing a patchwork of technological marvels that are fun to work on, and spend money on, but which gloss over the fact that much of the NHS is, with some notable exceptions, technologically backward.

Microsoft stockpiled patches – The Register

UK government, NHS and Windows XP support – what really happened – Computer Weekly

NHS letter on patches to counter cyber attack

Multiple sites hit by ransomware attack – Digital Health (31 comments)

Lessons from the WannaCrypt – Wannacry – cyber attack according to Microsoft