The Health and Social Care Information Centre is correct to make the security of electronic health records one of its priorities

The Health and Social Care Information Centre’s decision to carry out a review of how well protected electronic health records are from cyber attack sparked a burst of criticism that its time would be better spent tackling the improper use of that information by staff and/or encouraging the move from paper-based systems.

Addressing these concerns should be one of the service’s priorities over the next five years, but that does not mean the centre should not take hacking seriously.

A large-scale hack of data held by the NHS is just the kind of “black swan” event described in the eponymous book by Nassim Nicholas Taleb. Mr Taleb argues that rare and improbable events, which can have an impact many times greater than more predictable problems, take place much more often than we think. He claims banks and trading firms are particularly vulnerable.

Healthcare systems have similar layers of complexity and difficulty in tracing cause and effect. They are typically designed to cope with known threats. This is especially true in the case of national institutions like the NHS, with its intense political and media scrutiny. No one wants to be accused of ignoring the lessons of history. The trouble is those lessons are often misleading.

While black swan events are by nature almost impossible to predict, it is possible to improve the ability to cope with the negative ones. Well done to the information centre for realising that.