If you want a snapshot of the state of the management of our health system, look no further than the recent cyber-attack on the Waikato DHB. The attack, first reported on May 18, shut down all clinical services across all Waikato public hospitals, with all phones and computers down.
And it was entirely predictable.
Yes, hindsight is a wonderful thing, but let me take you back four years to May 2017 when Britain’s National Health Service was shut down for days by a WannaCry ransomware attack. That should have been a wake-up call to health management around the globe. It’s often claimed we need to pay big bucks in order to attract top management talent; the old “pay peanuts and you get monkeys” argument. In this case, it seems the people of Waikato have the worst of both worlds.
Harsh? Yep, but look at this Waikato DHB Resource Review from July 2019 and you’ll get a snapshot of the chaotic nature of its IT systems:
Waikato DHB currently has over 700 ICT applications that is managed on the network with over 50 of these applications being Access databases that perform critical process flow functions for various departments. These databases are unsupported by the ICT Department and are dependent on the users to maintain and back up (if not placed on the network).
Over 700 applications? 50 Access databases performing critical functions for various departments that are dependent on users to maintain and backup. Seriously? WTF?
This is a classic picture of staff under stress making do with whatever is to hand. “We need some way of recording patient details.” “Yeah, we asked for that five years ago. In the meantime, Bob’s built a database …”
The result? Multiple systems are used to do different bits of the one job:
…for example, theatre has over five IT systems independent of each other to perform various operational and HR functions, they are not integrated and so a significant amount of human intervention is required to link the outputs of each system together to drive an effective business/production solution.
I must stress, this is a management failure. Front-line staff just want to keep things going — attending to patients, getting surgeries done — and, in a management vacuum, they’ll cobble together whatever they need to do just that.
Here’s what I reckon will happen in the coming days / weeks. The attack will be blamed on Russian / Chinese / North Korean / East European hackers. The attack will be found to have occurred when some poor staff member failed to maintain one of those unsupported systems that are “dependent on the users to maintain”. Or they clicked a dodgy email attachment on an unprotected system. Or moved an infected USB stick from one machine to another because there’s no other way of transferring data between disparate systems. And that will be it. Management will blame underfunding then pat themselves on the backs and tell each other “Well done.” Possibly with bonuses.
Underfunding. It’s a great catch-all, isn’t it? “We’d do better if we have more dosh, honest.” Yet the July 2019 Waikato DHB Resource Review noted:
… the investigations conducted for the current review … do not support the health board’s perception of severe underfunding.