Ransomware Crisis Highlights Why Procurement Value, Not Cost, Is Key

It seems clear that some of the hospitals and other health organisations affected by the terrible computer ransomware attacks last week have not invested in IT and IT security in the way that they arguably should. That is not a great surprise – it has been obvious for the past couple of years at least that the NHS is under severe cost pressure, faced with growing demand from a growing, ageing and increasingly obese population. At the same time, many key cost drivers have gone in the wrong direction; more diseases can be treated but often with more and more expensive drugs for instance.

When organisations are under pressure, third-party spend is often looked at in terms of what is “discretionary”. The problem is, what is discretionary to you might not be to me. So the CFO might see much IT expenditure as falling into that category – surely we don’t need to spend that much on security software or on upgrades from Microsoft XP? But the CIO might point out that very bad things might happen if we don’t spend it. As The Times said in relation to last week’s problem:

“Security experts have warned repeatedly that the NHS is particularly badly defended because hospitals tend to have many devices running on obsolete systems. The Times recently reported concerns that patients were being put at risk by the nine out of ten NHS trusts that continue to use Windows XP, which no longer receives security updates. Experts said yesterday that, despite repeated warnings, security remained a low priority for management”.

There are also suggestions that the Cabinet Office and Government Digital Services stopped paying centrally for Microsoft support, perhaps in part to push health trusts into upgrading. (Did the Cabinet Office claim stopping of that support contract as a “saving”, we wonder?) But the clear message in any case is that the consequences of avoiding or cutting costs must always be examined as part of the value discussion.

We also heard last week that the new MasterChef winner, Saliha Mahmood-Ahmed, a doctor in Watford, brings her own food into work for herself and her doctor husband because hospital food is so lousy. And yet, nutrition must play a significant role in patient health and recovery, so cutting the cost of hospital catering runs the risk of driving poorer health outcomes. She wants to campaign to improve matters – good luck to her. As the Times said:

She described a regime in which meals are microwaved from frozen, where the only concern is that they be served at the correct temperature to meet health and safety directives. “If you are unwell and you don’t have a freshly cooked nutritious meal, how are you ever going to feel better? Not just physically, but in yourself? It shocks and astounds me.”

This is why we don’t like the measure (cost per weighted activity unit) that Lord Carter seems to want to use as a basis to assess hospital efficiency – including procurement performance. As we said here, it is fairly easy to get a “better” number on this measure; at the extreme you could just stop feeding patients altogether. Or stop all spending on IT. Or don’t clean the wards. That cost measure would look “better” after those actions, but of course health outcomes would decline and patients would die.

We’re all for NHS Trusts learning from each other, even cost benchmarking when it is done properly (not simply by comparing prices paid from NHS Supply Chain). But surely we must link spend to outcomes if it is to have any meaning? If a hospital could increase catering costs by 10%, but reduce average length of patient stay by a day because of that, it would be hugely positive economically as well as for the health of patients.

It’s not easy, but just like in every other organisation, we need procurement, finance and indeed the whole organisation to be making careful assessments of the value obtained from third-party spend – not just looking at simplistic price and cost measures.

Voices (2)

  1. Secret Squirrel:

    It’s not exactly like that, Peter.

    Whilst I may occasionally have been a critic of CCS and GDS….(OK, a massive sceptic), the story isn’t support wasn’t available. It was but you had to pay for it yourself. That’s not unreasonable given that the NHS Enterprise Agreement gave rights to Windows 7 at least (I can’t remember details, been out of it too long now) so there was no great reason for the vast majority of machines (desktops, laptops etc) to be running something in support

    And it was pretty clear also that support wasn’t sufficient to be secure either.

    The decision was therefore to devolve the decision making and spend to departments and public bodies. That they then chose not to was solely their own decision.

    Full explanation is here http://www.computerweekly.com/blog/Computer-Weekly-Editors-Blog/UK-government-NHS-and-Windows-XP-support-what-really-happened

  2. Sigi Osagie:

    Brilliant piece, Peter. The NHS / public sector sorely needs people like you who can see the wood for the trees.
