Tuesday, November 29, 2011

Giving evidence to Privacy and Injunctions Committee

Yesterday I gave evidence to Parliament's Joint Committee on Privacy and Injunctions. I tried to explain the difficulties in stopping a specific piece of information appearing anywhere on the Internet, particularly in user-generated content and on social media platforms:

Saturday, November 12, 2011

Internet freedom: EU v US

A couple of weeks back, I was honoured to give the second seminar in George Washington Law School's distinguished speaker series on Internet Freedom and Human Rights. I discussed Europe's approach to this topic, on which there has been virtual silence in comparison to the debate stimulated by the US State Department.

GW has now posted a video of my talk. Thanks again to Professors Nunziato and Carillo for organising such an enjoyable visit.

Thursday, May 26, 2011

ENISA reform at the European Parliament

This afternoon I'm giving evidence to the European Parliament's industry committee at an expert hearing on the future of the European Network and Information Security Agency. Here is the text of my prepared remarks:

ENISA's role in light of current systemic cybersecurity risks

Last year, with my colleague Prof. Peter Sommer, I carried out a study for the OECD on “Reducing global systemic cybersecurity risk”. We assessed the likelihood and potential consequences of catastrophic failures of information system security, comparing them to other potential “global shocks” such as an international flu pandemic or further financial crisis. Our conclusion was that in the medium term, few single foreseeable cyber-related events have the capacity to propagate onwards and become a full-scale “global shock”.

This does not mean that individual cyber-related events could not generate a great deal of harm and financial suffering; indeed there are many examples where this has already happened. And European societies are becoming increasingly dependent on the availability of the Internet and related communications and computing infrastructures.

Bodies such as ENISA can play a key role in reducing these threats, and ensuring that in the longer term they do not develop into catastrophic global risks. Responses to such shocks limited to the level of the nation state are likely to be inadequate. Coordinated international activity is required, with all the associated problems of reaching agreement and then acting in concert. The European Union has a clear advantage in facilitating and coordinating Member State activity in this field.

The European Commission’s proposal for a regulation concerning ENISA contains a number of measures matching our own recommendations to the OECD, especially in supporting the Digital Agenda for Europe. I want to highlight three key areas: supporting the European Forum of Member States and European Public Private Partnership for Resilience; facilitating EU-wide cooperation and preparedness; and addressing market failures in security.

First: supporting the Member State forum and Public-Private Partnership.

Attacks on systems connected to the public Internet can originate from anywhere on that network. Vulnerabilities in software developed in one country and installed in a second can be exploited remotely from a third. Failures in critical information infrastructures in one nation can cascade into dependent systems elsewhere.

Member States and the private sector need to coordinate their efforts to enhance cyber security levels, develop safe and trusted methods for information sharing about vulnerabilities, block and deter attacks, and improve the resilience of critical infrastructure. Officials will need, if they are not doing so already, to plot out the dependencies of key central government and critical infrastructure systems. They will need to identify points at which computer and communications facilities may become overloaded during catastrophes and arrange for the provision of extra resource and resilience. They will also need to create contingency plans should large important systems fail. ENISA can support all of these efforts through its role in the European Public-Private Partnership for Resilience.

A further role is horizon scanning for future threats arising from changes in the broad cyber world. For example, Member States need to carefully consider the implications of outsourcing and cloud-based systems for the resilience of the services they provide, identifying any new interdependencies that result and how they would deal with catastrophic failure of third-party services. Contracts and Service Level Agreements need to include provisions on availability and liability for security breaches, as well as the geographic location of sensitive data and the level of access of third-party staff. ENISA has published a number of useful reports examining these issues in the last few years.

By procuring and operating more secure systems, governments will reduce the risk of exploitation and failure of their own critical services. They will also incentivise software companies, Internet Service Providers and other companies to create more secure products that can also be sold to the private sector.

All of these activities would benefit from cross-EU planning and support from ENISA in the European Forum of Member States.

Second: facilitating European cooperation and preparedness.

Most of the Member States now have effective government and industry Computer Emergency Response Teams. These CERTs meet and share best practice through groups such as the Forum for Internet Response and Security Teams. This also allows computer security engineers in different countries to get to meet each other and build informal relationships of trust. Such social contacts can, in an emergency, help resolve problems more quickly than via the official formal structures. ENISA could usefully support the work of such groups.

Just as has become common in the financial sector, regulators should conduct regular “stress test” exercises to measure vulnerabilities and ensure the resilience of infrastructure in the face of attack. ENISA can facilitate the European components of the international exercises that are necessary to fully test responses to global threats.

Finally: addressing market failures in information security.

Unlike much 20th-century critical national infrastructure, the Internet is almost entirely developed and managed by private companies. In the long run, the most important role of ENISA (and EU Network and Information Security policy) is to support policymakers in modulating the incentive structures that are causing market actors to under-protect systems. The technology is available to build a much more secure Internet. The key question to ask is why it is not being deployed, particularly in end-user system software.

Companies managing critical infrastructure have incentives to maintain continuity of service to their customers, but without some government intervention they may not be willing to commit resources to protecting wider interests of society. These include public confidence promoted by the general availability of shelter, electricity and gas, and telecommunications. Governments can use legislation, licensing and regulation to impose standards for security and resilience upon operators of Critical Infrastructure. This should become a core concern for regulatory agencies in the water, power, telecommunications, financial services and healthcare sectors.

ENISA can act as a centre of expertise to support the Member States and their critical infrastructure regulators, particularly in setting baseline security standards and modulating market incentives to encourage resilience. It can also usefully act as a centre of expertise supporting the Commission and groups such as the Article 29 Working Party of data protection authorities. This expertise is crucial to the success of highly technology-dependent policy goals such as the protection of Europeans’ fundamental rights to privacy and data protection.

If we are to make the Commission’s plans for “privacy by design” effective, it would be logical to task ENISA with developing urgent plans to ensure suitable standards and infrastructure are deployed, making use of the latest discoveries from EU research programmes. No other agency or regulator has a sufficiently technical EU-wide mandate to overcome the formidable structural obstacles that have so far prevented this from happening.

To conclude: ENISA clearly has a key role to play in the development of a secure and resilient European information society that protects fundamental rights. I can find much to support in the Commission’s proposal to develop its mandate.

Thank you for your attention.

Wednesday, April 06, 2011

Security and Privacy in Implantable Medical Devices

Last week I was in Lausanne to speak at a workshop on Security and Privacy in Implantable Medical Devices. It was amazing to see some of the body sensors and actuators being developed by bioengineering researchers and companies. You can see my slides on privacy by design, but I highly recommend some of the other presentations — I was particularly amazed by the Chinese researchers growing tracheas using sheep as "in vivo bioreactors"!

Monday, March 21, 2011

Privacy, trust and biometrics in Bangalore

If you're near Bangalore, you might be interested in the talk I'm giving this afternoon at the Indian Institute of Science on Privacy, Trust and Biometrics. This is a hot topic in India right now, due to the government's plans for a high-tech national identity database not so dissimilar to the one recently destroyed in the UK. Hope to see you there!

Wednesday, February 16, 2011

Hillary Clinton's Internet Freedom 2.0 speech

Hillary Clinton gave a second speech yesterday on the subject of Internet freedom. Here is my response, written for Index on Censorship:

Hillary Clinton is right to say “the choices we make today will determine what the Internet looks like in the future”. The US government can have a long-term impact by supporting the development and use of technology in tune with her vision of the “freedom to connect”.

Such technology would make it easy for individuals to debate, organise and protest online without making it trivial for government spies to monitor and suppress those activities. It would widely distribute control, rather than concentrate it in government or corporate hands that can easily choose to extinguish speech — as Amazon did in throwing WikiLeaks off their servers.

It would certainly not come with surveillance functionality built in – as the US, UK and many other western governments require of Internet routers and telephone exchanges and would like to extend to social media sites.

In short: Clinton needs to make sure the Internet’s future public spaces look more like Tahrir Square and less like Tiananmen Square.

Tuesday, February 15, 2011

The Information Management and Technology Strategies of the NHS Executive

This is a second document from Philip Virgo on the history of the NHS National Programme for IT.



The key high level statement in Information for Health is:
"The challenge for the NHS is to harness the information revolution to use it to benefit patients"

We have taken this as the principal benchmark against which all investments must be measured. The core purpose of the strategy is to ensure that information is used to help patients receive the best possible care. The strategy will enable NHS professionals to have the information they need both to provide that care and to play their part in improving the public's health. The strategy also aims to ensure that patients, carers and the public have the information necessary to make decisions about their own treatment and care, to access efficiently and conveniently the services they need, and to influence the shape of health services generally.

In order to achieve these benefits the strategy commits to deliver:
  • Lifelong electronic health records for every person in the country;

  • Round-the-clock on-line access to patients' records and information about best clinical practice, for all NHS clinicians;

  • Genuinely seamless care for patients through GPs, hospitals and community services sharing information across the NHS network;

  • Fast and convenient public access to information and care through on-line information services and use of telemedicine services;

  • The effective use of NHS resources by providing health planners and managers with the information they need.

These benefits when realised will improve both the quality and convenience of healthcare for the population.

The strategy breaks the work to be done in three implementation phases (1998-2000, 2000-2002 and 2002-05). Given that this seven year strategy was launched at the end of September 1998, the Committee may find it helpful to know our expectations of the key deliverables for:

December 1999
December 2000
December 2002, and
December 2005

together with a brief synopsis of the benefits to be delivered. Annex 1 sets out these expectations.

Performance Management

The NHS Executive will ensure that all Chief Executives are aware of the importance of all this as the fundamental underpinning of many of our other objectives such as achieving clinical governance. They will be performance managed against these plans. A process is being put in place which will relate local spend to local progress against the national targets. This will be closely monitored for each local community at Regional Level, with quarterly reporting nationally.

The full Local Implementation Strategies (plans) will be costed and identify how money from both the Modernisation Fund and other investment sources is being used for specific tasks.

Every effort is being made to clear away previous obstacles to progress, but we must take a long-term view and provide commitment to the NHS in terms of resources being made available in order to achieve our vision and get best value for money out of the investment.


The PAC Chairman suggested that benefits would be fairly measurable. We will be developing more specific measures of progress having assessed the full Local Implementation Strategies. Although we can easily measure results of activity such as the numbers of practices with network connections etc, the real test of all this is whether we have changed the culture and service environment so as to maximise the opportunities provided by information and communications technology to provide a modern and dependable health service.

The ultimate measures of success should be demonstrated through improved patient outcomes, and improvements in patient perceptions of the convenience and quality of care as measured through patient surveys.

Annex 1


Dec. 1999

Key deliverable: Arrangements in place to ensure the NHS copes with the millennium problem
Benefit: Continuity of service over the millennium period

Key deliverable: Health Informatics Services established
Benefit: Skilled staff able to support the development and implementation of Local Implementation Strategies for Information for Health

Key deliverable: National IM&T Education, Training and Development Strategy published
Benefit: Direction for the development of information proficiency, professional development, and information-related learning opportunities for all staff.

Dec. 2000

Key deliverable: Patients attending 10 per cent of Acute Hospitals to have integrated Electronic Patient Records that support electronic ordering of tests and results reporting, electronic prescribing and care pathways (Level 3 EPR)
Benefit: Supports the delivery of better patient services, clinical governance, closer working relationships with Primary Care and supports the flexible management of services.

Key deliverable: All Health Communities have full costed Local Implementation Strategies [1]
Benefit: By December 2000 all Health Communities should be implementing their Strategies for improving information. These will support Health Improvement Programmes, and Clinical Governance by addressing practical ways of supporting the delivery of joined up and patient-centred services across Health and Social Care organisations.

Key deliverable: Evaluation and dissemination of the work of Electronic Health Record demonstrator communities begun
Benefit: To demonstrate as early as possible to the rest of the NHS the benefits and issues associated with the introduction of modern electronic record systems.

Key deliverable: National Advisory Body on Confidentiality and Security established
Benefit: To provide advice and guidance on key issues in improving arrangements for ensuring confidentiality and security in the management of information about health and healthcare.

Dec. 2002

Key deliverable: To have enabled primary care staff to take advantage of modern and well managed information technology and information services to achieve better and more consistent patient care.
Benefit: Examples of the benefits [2] will include:
  • Access to accredited information on treatments and conditions that can be shared with patients
  • Ability to communicate more effectively with secondary care staff to support more efficient transfer of patient care and ongoing shared patient care (eg, electronic referral and discharge; on-line booking of appointments)
  • Faster and higher quality of clinical communications such as test results, second opinions etc between primary and secondary care staff
  • Better internal communications within general practices and primary care groups/trusts
  • Faster communication between the Department of Health/NHS Executive and primary care staff (eg, medical alerts)

Key deliverable: Substantial progress in implementing integrated primary care and community EPRs in 25 per cent of Health Authorities
Benefit: Either implemented, or agreed and funded plans for implementation of, systems that will deliver integrated information about patients to support better quality care. This will mean practice-based community Trust staff do not have to enter data twice.

Key deliverable: 35 per cent of all acute hospitals to have implemented a Level 3 EPR
Benefit: See above.

Key deliverable: Telemedicine and telecare options considered routinely in all Health Improvement Programmes
Benefit: Clear assessments made of the benefits to be had from using telemedicine services as part of delivering the Health Improvement Programme priorities.

Key deliverable: A National electronic Library for Health accessible through local intranets in all NHS organisations
Benefit: By enabling NHS workers within a local health community to have ready access to the National electronic Library for Health from their normal place of work high quality knowledge, eg, concerning guidelines, will be readily available.

Key deliverable: Information strategies as appropriate to underpin completed National Service Frameworks (NSF)
Benefit: Starting with local implementation of the national cancer information strategy, local information strategies will be developed that support a "whole system" approach to providing better services across local health communities to support the roll-out of specific NSFs.

Key deliverable: Demonstrator Electronic Health Record sites have an initial first generation Electronic Health Record in operation
Benefit: Community-wide Electronic Health Record demonstrators, and those sites demonstrating more focused aspects of Electronic Patient Records, to have disseminated good practice and lessons learnt.

Dec. 2005

Key deliverable: Full implementation at primary care level of first generation person-based Electronic Health Records
Benefit: Electronic Health Records (that can provide secure and confidential links to organisation-specific Electronic Patient Records) are in place and used to support the delivery of patient-focused joined-up care across local health communities.

Key deliverable: The electronic transfer of patient records between GPs
Benefit: The electronic transfer of patient records from any GP practice to any other will improve access to relevant aspects of patients' histories and provide the basis for developing improvements in Electronic Health Records.

Key deliverable: 100 per cent of acute hospitals with level 3 EPRs
Benefit: See above.

Key deliverable: 24 hour emergency care access to patient records
Benefit: The ability to access the key information from patients' records that is needed to support the provision of emergency care whenever it is required will improve the delivery of good quality care.

[1] Once these plans have been agreed between local health communities and NHS Executive regional Offices in spring 2000, we will have a precise picture of the local activity which will need to take place in each local health community. The sequence and detail of these activities will vary across the NHS as there is not a common starting point. We are clear that over the lifetime of the strategy the sum of all the activity must ensure that all the local health communities have accomplished the common nationally uniform targets.

[2] While many of these benefits are partly quantifiable and measurable, the most significant impact on both patients and the services offered will come through the cultural change and education of staff that will be associated with them.

NHS Executive

17 December 1999

Public Accounts Committee hearing on the NHS Information Management Strategy

Philip Virgo has written an excellent summary of the continuing problems of the National Health Service's National Programme for IT. As useful background he has dug up the following evidence given to the House of Commons Public Accounts Committee back in 1999.


Members present:
Mr David Davis, in the Chair
Mr Alan Campbell
Mr Ian Davidson
Mr Geraint Davies
Ms Maria Eagle
Mr Barry Gardiner
Mr Alan Williams

SIR JOHN BOURN KCB, Comptroller and Auditor General, further examined.
MR JAMIE MORTIMER, Treasury Officer of Accounts, H M Treasury further examined.


Examination of Witnesses
SIR ALAN LANGLANDS, Chief Executive, NHS Executive, and MR FRANK BURNS, Chief Executive, Wirral Hospital NHS Trust, examined.


1. This afternoon the Committee will take evidence on the 1992 and 1998 Information Management and Technology Strategies of the NHS Executive, the Report done by the Comptroller and Auditor General. We have before us Sir Alan Langlands and Mr Frank Burns. Good afternoon again, Sir Alan, and welcome back. You are a regular visitor. Now, you are familiar with our methods, so I will go straight into questions to get started on this. My first question for you is this: one of the essentials of any IT strategy is that it is based on systematic and rigorous assessments of the business needs. To what extent did you undertake assessments of the needs of the NHS at each level in developing the 1992 and 1998 IT strategies?
(Sir Alan Langlands) Well, I think it is important to recognise that each of these strategies was conditioned by the government policy at the time in relation to the NHS. The 1992 Strategy was drawn, if you like, from the previous Government's White Paper Working for Patients which introduced the internal market into the NHS and the 1998 Strategy was drawn essentially from the 1997 White Paper which talked of a different NHS with the internal market abolished and a greater emphasis than ever before on quality and the integration of services. In both cases, however, there was regular dialogue with people working in the Service and indeed people beyond the Service to assess needs. As far as I can trace it back, around the late 1980s and early 1990s there was systematic consultation with the Service, there were a number of working groups, there was a series of consultation documents and papers for decision that went to the then NHS Management Executive, there was discussion with Ministers, and there were detailed papers and detailed guidance documents issued to the Health Service. In 1996/97, again in the run-in to the 1998 Strategy, there was a lot of consultation and, if anything, I think it went wider with the clinical professions, with social services, with people working in the education sector and with the industry. That whole process of assessing the position, assessing the needs at that time was undertaken by Frank Burns, who is on my right, who spent about a year doing some of the early discussion and then 15 months on secondment in the NHS Executive taking this whole thing forward. The result was the publication of the Strategy 'Information for Health' in 1998 which captures the Government's current position on these issues.

2. Now, the Government has decided to support the implementation of this Strategy with the investment of about £1 billion, and paragraph 5.19 outlines that, but the Comptroller and Auditor General's Report points out that you did not produce an overall business case, assessing the costs and benefits, nor do you have a lifetime expenditure plan, so on what basis then did you assess that the investment was justified? I am actually referring to item 10, I think it is, in the summary.
(Sir Alan Langlands) I think the investment of about £1 billion based on the lifetime of the Strategy, which takes us to 2005, is probably an underestimate given the sort of money that is likely to be spent in the NHS already on this subject. We are dealing here with a huge change, with a very ambitious Strategy. The Government are very keen to ensure that we move towards life-long health records for everyone, very keen to ensure that professional staff in the Health Service have 24-hour access to records and that they have information about good practice, and they are very keen to build on what is happening in other industries and other parts of government in relation to the use of network technology to spread information around the system quickly, so seen in the context of the sort of scale and the complexity of the Health Service, this is a massive investment. As I say, the figure is broad-brush. I think the key point here is that there is no intention of committing money or spending money until business cases are worked through for each component part of the Strategy so that the Government's line is to say, "This is the likely expenditure over that period, but each component of the Strategy will then be broken down and will go through the appraisal of the business planning process", and we are already doing that. I think there is a central point here that we see the Strategy as a sort of broad statement.
We agreed with the Treasury that it would not be subject to a formal business planning process, but it was subject to expert review and it was allowed to be published on the basis that we would follow up with a very detailed performance programme management framework, which we circulated to the NAO, and it was agreed that we would have business cases for individual projects. We are meeting all of these conditions, so my point is, I think, that no public money is expended on this until we go through the correct procedures of each point in the process.

3. Well, I am sure others will come back on that, Sir Alan. You did actually sign off this Report or the Department did and item 10 says that the 1998 IT Strategy has no full business case.
(Sir Alan Langlands) Well, indeed, and I am accepting that, Chairman.

4. Let me, if I may, just ask the Treasury about that. How can you justify expenditure in excess of 1 billion, not just 1 billion, without an overall business case?
(Mr Mortimer) Well, we are not doing that. We are insisting that all projects in excess of the Department's delegated limit need to be subject to a business case. What we have not done-

5. But a piecemeal one, by the sounds of it.
(Mr Mortimer) Well, taking one project at a time.

6. I thought that is what "piecemeal" meant.
(Mr Mortimer) We did not think it was sensible to insist on a business case for the whole of the Strategy, and we did agree the Strategy subject to the three points that Sir Alan has outlined, and one of those points, and we made it very clear indeed, was that all projects above the delegated limit required a business case and Treasury approval.

7. Again I suspect people will come back on that. Let me come back to you, Sir Alan. In the light of the delays and cost overruns on projects and programmes under the 1992 Strategy, which are noted in the Report at paragraphs 3.10 and 3.14, what confidence do you have that projects forming part of the 1998 Strategy will be delivered on time and to cost? This is a sort of fairly to-the-point current question really, I suppose.
(Sir Alan Langlands) Yes. I think the NAO Report, if you like, gives some confidence in that it is very clear that the 1998 Strategy is at this stage an improvement on the previous position. I am perfectly prepared to accept that there were some avoidable problems in relation to the 1992 Strategy, but equally I think running right through this Report is a sense of just how big and how complex these things are, how quickly technology is changing and I think it is unrealistic to think that everything in this field will go perfectly, so I do not expect the 1998 Strategy to be trouble-free. All of this is premised on huge technical change and also great behavioural change amongst staff in the NHS, but I think we have learnt a number of lessons. I think the Government is adopting a more directive approach in relation to the 1998 Strategy using earmarked money which was not the case before. I think that the performance programme framework that we sent you shows greater coherence than we had before and I think we are putting a much stronger performance management line in place and a much greater emphasis on local implementation strategies. We are trying to meet the NAO points on setting clear objectives, on mapping interdependencies, on monitoring expenditure. The criticisms that run through the Report in relation to 1992 we accept and we are putting in place as each business plan goes through the Treasury rigour on all of these points, so I think we have learnt a number of important lessons and I would like to think that we are no different in that respect from most other big, complex organisations in either the public or the private sector. 
The other thing that I think is very significant this time around is that on the publication of the 1998 Strategy by the previous Secretary of State in 1998 we had almost universal support from the professional staff at the NHS and I think there is a real feeling in the Service that this plan is there to support clinical practice and that management information and other sort of analytical information that we might need in order to plan and administer the Service is a by-product of that, so I have a strong feeling in clinical circles that we have got it the right way round this time.

8. That leads me to two further questions. One of the lessons learned, not just by the NHS, but by other government IT projects, is the need for the appropriate skills to be available. What have you done to ensure that the NHS and, for that matter, GP practices have access to the appropriate skills?
(Sir Alan Langlands) Well, this, as you rightly point out, is complicated in an organisation that employs a million people where nearly half of these are clinicians, half non-clinical staff. The first thing we have done is establish, if you like, this IT theme at the heart of clinical education. I have got a publication here which, just by virtue of having the labels for each of the professional training groups on the front, shows that we are dealing with almost 30 different groups, so we have got 30 different clinical groups hooked up to the idea that there is a need to imbed learning about health information in their undergraduate and postgraduate programmes. We also in relation to non-clinical staff are having early discussions with the University for Industry and with one of the main Health Service trade unions to try and encourage the generic skills development among all grades of staff. We have a national, being looked at in the next couple of weeks, a national education and training strategy. We are very keen that at a local level there is a named person responsible for education and training and we have developed tools for assessing, if you like, information and computer literacy at a local level. On the specific point about GPs, we have got a very clear programme linked to the implementation of GPnet which is a scheme whereby we will exchange information between GP surgeries and hospitals and we have built into our accreditation mechanisms for the first time for GP systems a requirement to include information about training, so investing, if you like, in the mainstream staff of the Health Service and investing in the skills of specialist staff who have already health informatic skills is our overall approach.

9. The next question is fairly straightforward: what improvements in healthcare and service will the public get for this £1 billion investment?
(Sir Alan Langlands) I think if you think of a world where we have electronic patient records easily accessible 24 hours a day, the key point will be access to information so that if you are taken to an A&E department, it will be possible to ensure that clinicians have your full set of records available no matter where you live in the country, and I think that is a huge change. I think there will be benefits, and they are very difficult to measure, but benefits to accrue from the notion that through electronic libraries and other methods the clinical staff of the Health Service will keep their practice up to date. We have some very specific programmes of information going on in relation to the Government's main priorities of coronary heart disease, mental health and cancer services which are aimed at tracking the speed with which people go through the system, aimed at setting and monitoring performance against national standards, for example, in relation to breast cancer and colorectal cancer and other cancer sites, and we are trying to improve the cancer registration process, so there are examples that I think will quickly have a direct impact on clinical practice and, therefore, ultimately benefits to patients both in terms of convenience and the sort of care they receive.

10. This is a question to which the answer can be as long as you care to make it, but since most of the benefits would be, I would have thought, fairly measurable, fairly clear cut at least, could I ask you for a note on this particular thing, setting out what progress you expect to make in terms of benefits arising from this investment? Finally, I have to ask you this, it is almost required at this time of the year: the Committee reported in August that because of the millennium bug, 9 per cent of NHS bodies had a severe risk of material disruption, but what is the figure now?
(Sir Alan Langlands) The figure now, I think, published last week is zero. We have been given, if you like, the all-clear by the independent assessment process, Action 2000. We have one further return to come in from people in the Health Service dated the end of October and we have a final check, if you like, at the end of November, but the independent assessment and my current assessment is that there is no risk of material disruption in the NHS. We have checked more than 300,000 systems and we have spent more than £340 million in trying to tackle this problem, so at the moment we think we are very well prepared.

Mr Gardiner

11. Could I begin by asking the Treasury just so I am clear on the guidance that my understanding is that Treasury guidance sets out the importance of justifying programmes as a whole where there are a number of expenditures that are linked together. Is that actually correct?
(Mr Mortimer) No. I think that what we do is that we require business cases on projects above £1 million and to the extent that the programmes involve projects costing above that amount, then those business cases come to the Treasury and the Treasury give or deny approval.

12. That is not what it says here, but that is fine. Can I then ask, is it not the case that one of the findings of the Report on the 1992 Strategy is that one of the problems with that was that there had not been a sufficient business appraisal, a complete and overall business appraisal done across the whole project at the time?
(Mr Mortimer) I am not quite sure what point you are referring to, whether you are criticising the lack of a business case for the whole Strategy or

13. At the moment I am just seeking clarification and I do assure you that I am just seeking clarification.
(Mr Mortimer) Well, I can interpret your question in two ways. One is that you may be saying that the overall Strategy should have had a business case, and we did not think that that would be very sensible. We thought that all the important projects should be properly appraised individually and so we fell back on the arrangement of insisting on Treasury approval for individual projects above £1 million (whole life costs). There is also an issue because, of the six projects and programmes examined by the NAO, two ongoing programmes involved a large number of cases, but they all fell below the delegation limit, so the Treasury did not actually review any of the projects, so that may be your criticism. There is a case for saying there should be some form of Treasury review where there are lots of individual projects falling just below the threshold for each particular programme, but what happened was strictly in accordance with the rules operating at the time.

14. My understanding was that there was Treasury guidance that said it was important to justify programmes as a whole where there were a number of expenditures which were linked together and that that was actually done in correspondence with the NHS Executive. Sir Alan, perhaps you could come in at this point
(Mr Mortimer) Sorry, but I know what you are referring to now. It is true that the Green Book does say that, if individual projects are interrelated, then the proposals should be looked at as a whole. The view we took was that we wanted to examine the individual projects and, if there were interdependencies, these should be identified. We certainly are not saying that interdependencies should be ignored; they should be properly taken into account, but we thought that this could be done by looking at free-standing projects.

15. Sir Alan, would you care to add anything or subtract anything?
(Sir Alan Langlands) No. I think we have the same position and the important point I want to underline is that we are not jibbing at the principle of having to make a business case before committing new money. That is clear and accepted. Where we do differ in the interpretation of the guidance from the NAO Report, although if you look at paragraph 2.8 you can see the ambivalence coming through there as well, where we do differ is that we do not think it is necessary to have to go through a full-blown business case process for a strategy document which is essentially a general statement of direction covering a diverse range of issues. We prefer to get down to the detail and talk hard facts around specific projects.

16. Let me ask you this then: is it not the case that one of the possible benefits of an overall business case that demonstrates precisely the benefits of doing the project as a whole is that you can use it to persuade the NHS bodies themselves to put in the required investment?
(Sir Alan Langlands) Well, I do not think so. The business case process on that scale, if it were possible, and I honestly doubt very much if it is possible, I cannot read our existing Strategy and think through step by step how that could be converted into the option appraisal business planning process, but if it were possible, I think the end result would be a technical document, the sort of thing that the Department of Health sends to the Treasury all the time, which would have no chance of winning hearts and minds in the NHS. The key points, the sort of points I have been labouring about faster access and integration of services, the things that the Government wants to highlight at the moment would be lost in a sea of detail, so the idea to get the strategic direction out, to use that to condition behaviour, commitment and involvement of people in the NHS and then to work through each part of the Strategy in a detailed way, again I am not disputing the need for that technical work to be done, but it is the point at which it is done that is the key difference between us.

17. One of the criticisms in the Report is that links between the projects in the 1992 Strategy were not stated in the individual project business cases and as a result of that links were lost and it was difficult to demonstrate the value to the NHS bodies themselves. You would reject that as a criticism of the 1992 Strategy, would you?
(Sir Alan Langlands) No, I do not reject that because the interdependencies here are very important. In fact, there are interdependencies with other things as well, with staffing issues and the Government's strategy on trying to improve clinical quality that go beyond the strategy. These are very complicated issues. I am sure that the 1992 Strategy did have a number of interdependencies in it. I am sure that these were not always adequately drawn out in the way in which the direction was set and discussed with the Health Service and I am happy to accept that as a criticism. I do not think it will happen this time for two reasons. One is that we are putting a higher premium on very detailed local implementation plans which have to make the connections from a patient's perspective and a clinical perspective. Prefacing each of our individual business cases we are going to have a map that shows the linkages and we are over-arching that with a programme and performance management framework which did not previously exist. This is much more of an interventionist approach, a driven approach, a controlled approach than we had in 1992. So my contention is that we have learned our lessons. We are trying to incorporate them in the way we do things this time.

18. Let me try and restate that in order to see that I have understood you clearly. You agree that there were failings in the 1992 Strategy. You accept the criticism that was made in the Report which is that linkages were lost and opportunities and therefore costs were incurred as a result of that, but the specific way in which the 1992 Strategy is criticised, that is for not presenting an overall business case that could have made those links at the beginning you say will not result in the same problems this time because you are building it from the base up and you are developing those links from the base up. Is that a correct understanding of what you are telling the Committee?
(Sir Alan Langlands) I think there are two things I would disagree with. One is, I do not think we lost ground on costs or cost control as a result of perhaps missing some of the interdependencies. Two, I would not as a uniform point say that everything in 1992 was wrong because I do not think it was. Without it we would not have some of the important building blocks that we need now. My last point is not to suggest that everything is now bottom-up but to suggest that is an important part of an approach which is bottom-up in terms of local implementation plans and top-down in terms of an agreed national programme, probably with national mandating of certain parts of the strategy and national control of not all but a lot of the new expenditure in this area. So it is top-down and bottom-up which I think is probably the only way of handling it.

19. You said there that you disagree that costs were unnecessarily incurred in the 1992 Strategy. Is it correct that the NHS Executive did not monitor costs incurred by the NHS bodies in implementing the programmes of the 1992 Strategy and overall NHS expenditure on the 1992 Strategy is not known?
(Sir Alan Langlands) Some of it is known, as the Report sets out.

20. I said overall expenditure is not known.
(Sir Alan Langlands) Overall we still do not monitor the detailed expenditure of individual health bodies on IT.

21. So how can you be confident that no costs have been incurred that should not have been had the links correctly been made if you do not know what the overall costs are?
(Sir Alan Langlands) We can be confident from a national point of view. We would expect local people to be confident about their local position and to be tracking and assessing that. All of these local bodies are subject to detailed audit processes. None of them in this period had their accounts qualified as a result of any problems of that nature.

22. So what you are telling me is the information is all there but nobody has actually drawn it all together, is that right?
(Sir Alan Langlands) There is information there. It would be a huge task to draw together on behalf of the whole of the NHS and, indeed, every study that is made of this by the Audit Commission or by the NAO Report is sampled. The NAO Report is based on visits to four per cent of the total health bodies in the country, 20 organisations. The other 96 per cent will probably reflect the same patterns and the same problems, but to get into the other 96 per cent in detail would be a major task. We are doing it at the moment in relation to the absolute detail of the year 2000 and we are checking a register of 300,000 systems. It would be impossible to cover the waterfront from one national organisation. We would be paralysed by the monitoring and we would not achieve any action.

23. I think the difficulty I have with what you are saying is that you are saying that the 1992 Strategy did not actually have any overall control of the expenditure, it did not have that information. One of the nice things about the brief that was circulated to Members today was it suggested that one of the session objectives might be to help the NHS Executive to avoid similar problems with the 1998 Strategy. The way that this Committee works is critical. It seems there is a role here for drawing lessons out of 1992 and hoping that they do not recur. I think what you are telling me is that the lessons that the Report draws about this aspect of the failings of 1992 either have not been learned or not agreed with but that is not going to be different in 1998 and that concerns me. Are you going to have overall expenditure control for the 1998 Strategy?
(Sir Alan Langlands) Yes. My comments relate to 1992. What you have to remember about 1992 is that we were operating in the Health Service an internal market. There was very little direct control over the activities of trusts who are the main groups involved in this process. We were monitoring against three or four national financial parameters. This time round, as I said to you at the beginning when we were talking about bottom-up, we are going to have local implementation strategies for the national strategy drawn up by 100 health bodies around the country coordinating the activities of 400 and these are going to be costed. So for the first time we will have a handle on this at a local level and at a national level a handle on the additional resources that are likely to be allocated over the next five years.

24. Do you have any firm expenditure plans for the 1998 Strategy?
(Sir Alan Langlands) Yes, we will have.

Mr Gardiner: Thank you.

Chairman: Mr Davies?

Mr Davies

25. Before coming to Sir Alan can I just ask for a confirmation from the Treasury on a point made earlier. Was it the case that the Treasury said there would be no business plan for expenditure under £100 million?
(Mr Mortimer) No.

26. What was the threshold? I must have misheard you.
(Mr Mortimer) The threshold for the 1992 Strategy was business cases were required for projects over £1 million.

27. Thank you very much. Sir Alan, there are wide and ambitious headings for the strategy to embrace up until 2005, but it strikes me from listening to you that you have got no real idea about how much more than £1 billion we might spend on IT by 2005. Would it be reasonable to say that in your view there is some probability that we might spend £2 billion by 2005?
(Sir Alan Langlands) It is possible that we might spend more than £1 billion, but that would have to be justified at each stage by clearing business cases through the Treasury. So my first point is that the £1 billion relates to a national figure. It is being tightly controlled in the Department of Health. It is only allocated against approved business cases. In the five-year period until 2005 it could be less than £1 billion or it could be more, but any variation from that figure would be as a result of conscious decisions.

28. There is a list of infrastructure projects in terms of NHS numbers, e.g. administrative registers, NHS networking, GP health authority links. I assume you have allocated that £1 billion which has been earmarked according to those headings with some justification or is it still a bit vague?
(Sir Alan Langlands) We have allocated it this year. Ministers have yet to take decisions on next year and subsequent years.

29. Which of those headings do you think is most likely to be overspent?
(Sir Alan Langlands) I do not think they will be overspent because the emphasis will be on tight control of these funds.

30. The impression I get from listening to you is that the hearts and minds of the new Government are behind the Health Service, IT is very important, etcetera and £1 billion out of the extra £21 billion the Government has promised is relatively small. Are you operating on the basis that money is easy and if you need it you can ask for it and if you spend £1.5/2 billion that will be alright, because that is what I am hearing?
(Sir Alan Langlands) I am certainly not operating on that basis and money is not easy and the £1 billion does not relate directly to the £21 billion because they are both operating over different timescales. The timescale for the £21 billion that the Government are adding to the Health Service budget is for the three-year period of the Comprehensive Spending Review this year and the next two years. The £1 billion, which is an estimate, stretches until the year 2005 and is subject to detailed applications through business cases to draw that money down for the Health Service. I am certainly not blasé about it.

Chairman: I am afraid we cannot stretch the answer any longer. We have to go and vote now.

The Committee suspended from 5.08pm to 5.11pm for a division in the House

Chairman: We will restart. I will ask Mr Davies to carry on.

Mr Davies

31. This Committee has seen a long chequered history of IT management in terms of national insurance systems, passport systems, Ministry of Defence systems which have been very costly and chaotic, gone over budget and not been within the time constraints of those contracts. Have you learned any lessons in terms of IT management from other government departments making such a hash in this area?
(Sir Alan Langlands) I think we have learned a lot of the lessons that are rehearsed in this Report around project management. We have learned some lessons of our own over the years. Some of the issues that we have had to deal with in this Committee in relation to NHS computing have been to do with accountability and propriety, but others have had to do with the need to match hard developmental systems and infrastructure kit with softer investments in training and development. Others have been about the rigour of the business planning process and the project management process. We are learning all the time and we will look carefully at the problems that others experience not just in the public service but in the private sector where these things do not surface so clearly as they do here.

32. Is there any coherence imposed from the centre on the thousands of systems you have got in place or is it very much up to the local authority to make decisions and therefore a mixed bag?
(Sir Alan Langlands) I think until now issues of procurement have often been localised and as I said earlier, we have lived through a time when delegation was the name of the game in the Health Service, devolution of responsibilities, but we are looking at the moment at procurement in some detail on a whole NHS basis. We are having discussions with suppliers about a different form of PFI. We are having discussions with the CCTA about being able to draw on government catalogues for systems. We are thinking of piloting a collaborative procurement from an agreed short-list of suppliers so that local organisations have some discretion but limited discretion. A lot of this is happening in the NHS Executive itself. A lot of it we are getting support on from something that has been set up in the Treasury called the Public Sector Productivity Panel. So we are drawing through that group expertise from the public and the private sector to smarten up our act.

33. That is good to know. Do you think there is a danger in terms of the in-built obsolescence of the PFI/IT contracts insofar as you commit the public sector to ten or 20 years of payments for a service and then because of other shifts such as the behavioural changes in the community you end up with an obsolete service that could be provided at a quarter of the cost and bad value for an inappropriate service?
(Sir Alan Langlands) There may be if they are badly handled, but we have no evidence of that. I used the term PFI in the broadest sense. What we are really looking at here are different forms of public-private partnership.

34. Fine, PPP. What I am getting at is that there is in-built modernization into your contract specification for service delivery so these services will not become out-of-date.
(Sir Alan Langlands) The broad point I am trying to make is that we are operating on a different basis. I think we are discussing PFI here soon. We are operating on much shorter timescales to accommodate advancing technology.

35. I have two points to make. One is that IT is moving so fast that something you buy now will be out of date in ten years' time. The other is the nature of services to the customer. Because he/she may have different needs the demographic profile will be different. Have you put things in place so those adjustments can be made?
(Sir Alan Langlands) These are precisely the points that are being studied by our own group and by the productivity panel. The short-term issue is important both from a technological point of view and also in terms of keeping our own clinicians on board, the leading edge of whom are very up to speed on the technology. As the generations change the constant demand from GPs and the others working in the Health Service is to have the most up-to-date systems we can offer. So that point is a good one and is being taken on board.

Mr Davies: Thank you. I will leave it there.

Maria Eagle

36. Was the 1992 Strategy a success?
(Sir Alan Langlands) I think it was a success to the extent that it established some very important bits of infrastructure that have allowed us to build and move forward. I think there are, as I acknowledged right at the beginning, some shortcomings and some problems which are highlighted in the Report and which I acknowledge.

37. How do you know all that if you have not evaluated the outcome of the various projects? Is it just a general impression you get?
(Sir Alan Langlands) Because we know what works in practice. The point of evaluation is raised in the Report. I do not want to duck it. It is our intention to evaluate, but we can only evaluate at the point at which a system is working. The NHS Number, for example, in its early stages could not be evaluated.

38. Are you saying that you cannot evaluate the Number or are you saying that you cannot evaluate the project? There is a difference.
(Sir Alan Langlands) I am saying that we cannot evaluate the effect of the project in day to day use until we have-

39. That is because it is not in day to day use.
(Sir Alan Langlands) Well, it is in day to day use to the extent that 74 per cent of the activity now in the hospital sector is based on the latest figures of people using the NHS Number.

40. Is that administratively or clinically?
(Sir Alan Langlands) Both.

41. Both?
(Sir Alan Langlands) Yes.

42. So 74 per cent of all activity in the NHS relating to correspondence about individual patients is based on the NHS Number as a sole identifier of the patient?
(Sir Alan Langlands) In the hospital service.

43. In the hospital service?
(Sir Alan Langlands) In the hospital service, not in the NHS as a whole, not in general practice.

44. Certainly not in general practice because it is them that are not using it, is it not?
(Sir Alan Langlands) Some are using it. Those that are, if you like, the leaders in relation to the development of NHSnet are using it but they are not all using it yet. This is an ambitious project.

45. You have not evaluated the success or otherwise of NHS Number. That is accurate, is it not?
(Sir Alan Langlands) It is accurate but it is our intention to do so.

46. When?
(Sir Alan Langlands) At the point at which we think that we can evaluate it in use.

47. This seems to be circular. You will not evaluate it until it is being used and it is not being used so you will not evaluate it.
(Sir Alan Langlands) But it will be used.

48. How can we tell whether the project is a success or not?
(Sir Alan Langlands) If the traffic that I am talking about, and I am putting a figure of 74 per cent on it at today, started as traffic in April 1996 with a figure of 16 per cent, that seems to represent progress to me, that we are embedding this system and this way of doing things in the NHS over time and discarding the previous systems.

49. It sounds as if you are only going to be willing to evaluate it when you can come up with a positive evaluation. That is what it sounds like.
(Sir Alan Langlands) I think that the use of the Number, which has absolute support in the clinical community as a key to not only ensuring the transfer of information but the safe transfer of information in terms of protecting patient confidentiality, replacing 23 previous systems or previous formats, is something which will be successful and that will be successful in order to move this on. I have no doubt there will be points where we could learn about the implementation of that change, and I have no doubt we will be able to identify some faults that led to delay or some faults in communications or in the way we handled the training and development of staff that contributed to this taking longer than expected.

50. Sir Alan, you accept that you have not evaluated the success or otherwise of NHS Number, for example, that element of the 1992 Strategy?
(Sir Alan Langlands) That is what it says in the report and I accept that point.

51. You accept that. I am glad you accept that because that is what it says in the report. In Appendix D there are some examples of impacting problems that reduce the impact of the projects and the programmes examined. If you turn to page 65 this relates to NHSnet which is another project that you have not evaluated yet. Yes?
(Sir Alan Langlands) Yes.

52. If we look at paragraph 11 it says that there are 361 organisations connected to the Net but nearly all of them are health authorities and acute trusts. Less than ten per cent of GP practices are fully linked although there are some GPs who are. How can something like NHSnet possibly deliver what is expected of it in the 1998 Strategy if primary care and GPs are not linked to it?
(Sir Alan Langlands) It will not.

53. It will not?
(Sir Alan Langlands) It will not but GPs will be linked. One of the early commitments of the Government post-publication of the Strategy is to achieve GP linkage using NHSnet which will be a secure internal system that will allow information to be passed through different parts of the system. We are working on a very detailed project at the moment to draw GPs into that system.

54. You appear in giving some of the answers that you have given to me this afternoon to be in part evaluating the success or otherwise of these individual projects. If you can sit here and tell me that 74 per cent of transactions, as it were, in acute hospitals at the moment use NHS Number and the report can tell me how many organisations are connected to NHSnet, why are you not in a position to evaluate the overall impact of the project? It seems that some of the information you are giving and some of the information in here is doing just that.
(Sir Alan Langlands) I think we can to the extent that we know how much we have spent on it nationally. We can to the extent that we know how many people are hooked up. These are basic bits of information but for me that does not represent a proper evaluation of the project, of what went wrong, what went badly and what some of the costs and benefits might be, for example, in terms of doctors or nurses having to process fewer bits of information. The trouble is you cannot have just one of these things, you have to have NHSnet, you have to have messaging systems in order to use the Number to exchange information in a meaningful way between different parts of the system.

55. Of course, that is absolutely true. When one looks at the 1998 Strategy, I am not sure to what extent it is virtual reality, it represents a fantastic vision if it can be achieved.
(Sir Alan Langlands) Yes.

56. The point is that if one element of it falls down it will not be achieved. How are you to learn from the 1992 Strategy if you are not evaluating what has gone right and what has gone wrong? It rather gives the impression that you are feeling around in the dark and hoping that it will all be already by 2005.
(Sir Alan Langlands) We are absolutely committed to a process of evaluation. I think there are some imperatives, if you like, to making this whole system work. There are imperatives around language and the use of clinical terms, a discussion we have had here before.

57. We have.
(Sir Alan Langlands) Which is subject to a very detailed three stage evaluation process. The NHS Number is an essential building block. The network and the ability of people to use the network is an essential building block. All of these things have to be put in place.

58. It is quite clear from previous experience, and I think that the NHS Executive has had a lot of experience in attempting to implement IT changes and systems, not all of it happy.
(Sir Alan Langlands) Some of it more than ten years ago.

59. Yes.
(Sir Alan Langlands) The notion that that is allowed to drag into 1999 is just ludicrous.

60. Not all of it happy. I am suggesting that one can learn from mistakes. I was not having a go at some of the previous reports that you have been in front of us about. You now have had a long experience in the NHS Executive of implementing IT schemes, systems, strategies, whatever.
(Sir Alan Langlands) Yes.

61. And actually trying to do it. You have had successes and you have failures and of course you end up here when you have failures. You know as well as anybody that one of the big problems with implementing IT is slippage, missed milestones. If you look at page 33, figure 6, relating to the 1992 Strategy you can see there a diagram which indicates some of the slippage that there has been against original milestones of the projects in 1992, some of it significant. If we then look at the back page of the Executive Summary of Information for Health, which is the vision thing that has been sent out to clinicians, etc., there are some pretty ambitious targets there I would say for implementing to a significant degree high levels of the 1998 Strategy. For example, in the medium term, by March 2002, everybody should be using NHSnet for appointment bookings, referrals, radiography, laboratory request results in all parts of the country. That requires all GPs to be signed up for a start off.
(Sir Alan Langlands) It certainly does.

62. Do you think that this implementation programme and the timetable set out there is ambitious or do you think that it is achievable?
(Sir Alan Langlands) I think that it is ambitious. I think it is achievable if it is funded and if there is focused and systematic management of these changes at both a national and local level. The point I think I would want to make in relation to figure 6 and the table of objectives you are looking at is that experience in the past suggests that some of these things may slip because of some sort of management failure or some misreading about how a new system or new approach would be handled in the Health Service but some of it "slips" for very good reasons.

63. Like the Read Codes not working, for example, that would cause some significant slippage, would it not?
(Sir Alan Langlands) I think that they are working. My confident prediction is that the Read Codes linked to the new arrangement with SNOMED, the new partnership, which is an equal 50-50 partnership, will result in a universal language for health care and health care information around the world. People all over the world are looking at the SNOMED Read work.

64. When is the SNOMED Read work to be completed?
(Sir Alan Langlands) And are envious of it.

65. When is it to be completed?
(Sir Alan Langlands) The new work will be completed by the end of 2001.

66. So it will be Read SNOMED, the new whatever it ends up being called, I hesitate to think of an acronym.
(Sir Alan Langlands) It will be called SNOMED Clinical Terms.

67. SNOMED, the "Read" is being quietly dropped?
(Sir Alan Langlands) Not being quietly dropped, being deliberately dropped. Clinical Terms is the UK standard that we are using.

68. To what extent do you expect there to be slippage in this ambitious implementation programme which I have got in the Executive Summary but it will be in the full document?
(Sir Alan Langlands) I cannot predict to what extent there can be slippage. What I can do is ensure that there are effective programme management and project management systems in place. I cannot predict because I really cannot predict the extent to which funds will flow into these projects. I cannot necessarily predict complications down the track in terms of problems with suppliers, in terms of winning the commitment of health professionals to the changed process. That is not an excuse for not trying and not pursuing these things as vigorously and as systematically as we can.

69. Do you believe as a result of your experience on the 1992 Strategy that the correct lessons have been learned for the 1998 Strategy?
(Sir Alan Langlands) I think important lessons have been learned. I think the report we have before us acknowledges that.

70. Do you think that despite the fact that there are now some good trends in the sense that you now do not have the internal market and competition which means that everybody is keeping themselves to themselves and not necessarily wanting to co-operate, that there are some long-term trends that mean that this kind of thing may be operating in a more friendly environment? Do you believe that even with that friendlier environment and the promised funding of a billion pounds, although I noticed you said that it was probably an under-estimate and you appeared to say to the Chairman right at the beginning that it was basically a figure that was plucked out of the air, or that was how your comment came across to me,--
(Sir Alan Langlands) I can tell you the exact basis of the figure if that helps.

71. Yes.
(Sir Alan Langlands) The working assumption of Government at the moment is that there is an allocation of 70 million this year, an allocation of 175 million next year but that is yet to be confirmed with ministers who are taking a look at the overall Health Service budget and do not make allocations until probably later this month, and then in the following three years, which takes us up to 2005, the figure goes up to 275 million. So the end result, if you like, is an injection of 275 million per year made up of these three components.

Maria Eagle: Unfortunately I have run out of time so I cannot take you up on that.

Mr Williams

72. How will you achieve the long-term objectives in the context of the three year spending review?
(Sir Alan Langlands) The theory of the three year spending review is that that gives you greater certainty. We have found in developing this strategy that without working on a period of five to seven years we were in difficulties so we have had to make broad estimates. As I have said before, each of these components will be agreed and approved by the Treasury on a regular basis. There is a general point about the NHS and the comprehensive spending review and that is simply that whilst money is allocated on a three year cycle the biggest variable, given that we spend 80 per cent of our money on staffing, the biggest variable, which is pay, is still negotiated on an annual cycle. So when I say that ministers have yet to take a decision in relation to next year's expenditure on IT that is partly because they do not know what the pressures on the NHS might be next year in relation to pay and in relation to other things that are new. For example, we have just spent 153 million on a new meningitis vaccine which we could not have predicted would be available and ready for use this year. We are having to look at these things stage by stage in the real world.

73. As Geraint Davies said, quite rightly, and we understand the predicament, when you are dealing with rapidly changing technology you cannot envisage what is going to become available in a relatively short time in the future and this seems to make it very difficult for you to plan any more effectively in the next period than you did in the last.
(Sir Alan Langlands) I think certain things are happening that are important. Firstly, the people working in the Health Service as the generations change more and more come through a school and university system where the use of information technology is the norm. So, if you like, having had a problem in 1992 that said one of our difficulties was training people to use these systems effectively, we now can find ourselves in a position where staff arriving straight out of medical school or nursing school or university are saying "we want the most up to date system as quickly as possible, please" or "we worked in X hospital which seems to have very good systems and we are now in Y hospital and we have been driven back to paper based systems". There is a huge pressure to change from the NHS staff and I think a realisation that the use of this technology helps people. It saves on doctors' time, it saves on nurses' time. There is a motivation there that was not always there. Equally, I think it is ludicrous to suggest that the NHS can remain the only organisation where you have to tell the organisation every time you have contact with it what your name, address, postcode and everything else is. This should be once in a lifetime information. The system needs to be made simpler from the public's point of view. The other point that I think is really crucial at the moment is the speed with which other forms of science and technology are developing means that we have to have very good systems for keeping our staff up to date so that the latest advances in medicine, drugs, guidelines and standards are available to them in a digestible form. It is a huge sea change that we are dealing with here.

74. That I well understand. I am not saying this critically but that makes me increasingly dubious as to the idea that there can be any sort of long-term certainties, objectives, that themselves do not need to be varied in the light of technological change, not just IT change.
(Sir Alan Langlands) I think there can be a direction of travel for the long-term and the relatively short-term, five or six years, which is what the Strategy is, but I think we have got to be shrewd enough to adjust that and improve it and develop it in the light of changing circumstances. This process of strategy development in business planning and investment decisions requires a constant iteration to make sure that we are always making, if you like, up to date decisions and that does add to the difficulty and some of the uncertainties.

75. If I ask you just straightforwardly, did you get a billion pounds worth of value out of the expenditure since 1992, could you tell me?
(Sir Alan Langlands) The figure of a billion pounds does not relate to 1992. The figure I think quoted in the NAO report is something like £152 million. I could tell you in terms of some of the points that Ms Eagle was raising with me. I could tell you in terms of some crude numbers but I do not think I could tell you in terms of how it has changed the life of the average nurse. I can think of practical examples where nurses say to me that they are spending a lot less of their time transcribing information from one document to another. Just in Warrington Hospital last week I saw a nurse in the orthopaedic ward taking down detailed patient notes on her little lap top as she went round the ward, feeding that information into her nurse record system, communicating with the social care department on discharge, communicating with the orthopaedic consultants about the timing of surgery. She can say it has transformed her life. At one level I can give you anecdotal examples, at another level I can give you broad national figures, but getting to the heart of the real value of these things can only be done on a whole Health Service basis at a local level. That is one of the reasons why we are putting such a premium on these local implementation plans which have to link to education, evaluation, proper project management.

76. We looked previously at HISS and RISP and in the case of HISS you were saying it was successful but what emerged was that after an expenditure of 106 million, if I remember correctly, we were getting a three per cent rate of return on it which was very low at that time. How can you tell this Committee with any certainty that we have had value for money out of what has been spent since 1992?
(Sir Alan Langlands) I do not think I can tell you with any certainty but I think I can tell you that the infrastructure projects that we have pursued have real value in relation to allowing us to build for the future. I think I can tell you that national expenditure on these things was pretty tightly controlled and they were subject to some rigour. In figures 5 or 6 of the paper we score something like 80 per cent against the Treasury's criteria. I think I can tell you with some confidence, supported by the NAO, that the 1998 Strategy has learned some lessons from the past and that in itself has a value.

77. But, as Maria Eagle pointed out, we are told by the NAO that the NHS Executive did not monitor the costs incurred by NHS bodies in implementing the projects and overall NHS expenditure on it is not known. That does not seem consistent with any sense of control and certainly with any meaningful pretence at value for money.
(Sir Alan Langlands) I can tell you about the national projects, the 152 million mentioned in the NAO report, but it was not the way from 1992-97 -- we have had this discussion many times here -- of the then Government to want to monitor the detailed actions of every health trust in the country. In fact, monitoring was confined to very few financial parameters which did not include capital expenditure on IT and did not include a set of accounts that broke down the expenditure on information and IT services. What we are left with are the broad sample NAO and Audit Commission estimates of the percentage figures that appear at the front end of this report.

78. Is there any logic in the fact that if you are not having monitoring there is a greater justification for going to earmarking so that at least you have some control over where the money goes?
(Sir Alan Langlands) That is the logic that has been taken up in the post internal market world. The logic since May 1997 has been to earmark monies, labelled generally in the Health Service "The Modernisation Fund", but in particular to earmark a slice of money to allow this new 1998 Strategy to be pursued. Alongside that, we have in place a mechanism asking people in local health economies, if you like groupings of the health authority, the relevant trusts, the primary care people and a working relationship with social services people, to produce their costing plan for how they will implement the 1998 Strategy. So top down Modernisation Fund earmarked funding to hit precise objectives; bottom up a disciplined process of planning locally that shows how these things can be moved forward. That is the approach that is now being adopted but that approach was not involved between 1992 and 1997.

79. Why was it not a natural corollary? As I say, if you are not monitoring there is a greater temptation to impose a discipline through the earmarking process.
(Sir Alan Langlands) These were not the decisions that were made. The emphasis was on limited monitoring of NHS trusts and the vast majority of the money that was allocated to the Health Service being allocated to health authorities in the headline growth figures. So, if you like, it was not siphoned off or set aside at the centre as a central budget apart from the 152 million that was mentioned in this report. There was a little bit of that sort of earmarking going on to support these points of national infrastructure but it was not a wide scale approach.

80. With the absence really of the two, and the NHS Executive allocated additional funds but the funds were not earmarked we are told by the NAO and you have agreed that it was not the policy to monitor, I still do not quite see how these two situations are in any way compatible with you being able to sit there as the Accounting Officer and give us assurances about value for money when you do not even know what the money was spent on.
(Sir Alan Langlands) I can give you assurances about value for money in relation to the 152 million that was the central budget. Assurances about value for money at a local level would have to come, and did come, in the form of audited accounts and annual reports from the chief executives of boards and trusts. That was the way the Health Service was run. I was behaving perfectly reasonably within the policy set by the Government of the day.

81. A final question, and my apologies if the Chairman asked this earlier on while I was outside. The NHS bodies criticised the lack of practical support given by the Information Management Group, why did that happen?
(Sir Alan Langlands) I certainly do not think it happened deliberately. I think the Information Management Group did produce a whole number of very useful publications that if every single one of them had been read and acted upon by people working in the Health Service, this could have moved things on. Bluntly I think people do not learn that way any more. People who are learning about the use of these systems like to learn on line, they like to work together, they like to learn from places where good practice is in place. Again, I think that is something that through evolution has developed in the way that we are now thinking about education and training. It was not the case in 1992 that we had agreed with all the bodies concerned with clinical education that we should have a managed approach to learning about information technology but it is now the case, so things have moved on as indeed I think things have moved on in this world generally.

Mr Williams: My time is up, thank you.


82. Thank you, Sir Alan. I think you have got one note to do for us from my request earlier. Can you include in that note the progress expected to be made in the implementation milestones of the IT system and, as I said before, delivering benefits of those two systems.
(Sir Alan Langlands) Sorry, Chairman?

83. I asked you before if you could let me have a note on the assessment of benefits, the measuring of benefits and so on, to be achieved with this one billion pound plus programme. Can you incorporate in that note some timetable with respect to the implementation of the IT systems listed within the billion, as much as you know.
(Sir Alan Langlands) Something about the way in which we are taking the 1998 Strategy forward?

Chairman: Milestones of the IT systems and what you expect the benefits to be. Something that we can measure against later on. That is helpful, thank you. Thank you very much. Mr Burns, you have had a very enjoyable cheap spectator role today. Cheap for you, not for everybody else. Thank you both for coming.

Monday, January 17, 2011

Reducing systemic cybersecurity risk

The OECD has today published a study by myself and Prof. Peter Sommer on Reducing Systemic Cybersecurity Risk:
The authors have concluded that very few single cyber-related events have the capacity to cause a global shock. Governments nevertheless need to make detailed preparations to withstand and recover from a wide range of unwanted cyber events, both accidental and deliberate. There are significant and growing risks of localised misery and loss as a result of compromise of computer and telecommunications services. In addition, reliable Internet and other computer facilities are essential in recovering from most other large-scale disasters.

Coverage in the Guardian, Metro, World Service, BBC News, Daily Telegraph, Computer Weekly, FT, Register, New Scientist, Wall Street Journal, Radio 4 Today and (my favourite so far), the New York Times:

Prophets of Internet-borne Götterdämmerung have gotten even more breathless since the publication of “Cyber War” last year. They describe China’s alleged hacking campaign against Google and the campaign by “hacktivists” against foes of the anti-secrecy Web site WikiLeaks, as the opening acts…

Nonsense, say two academics in a study commissioned by the Organization for Economic Cooperation and Development. The report, to be released Monday, argues that doomsayers have greatly exaggerated the power of belligerents to wreak havoc in cyberspace. It is extremely unlikely that their attacks could create problems like those caused by a global pandemic or the recent financial crisis, let alone an actual shooting war, the study concludes.