Quite possibly.
More importantly, effective risk management seems to be missing. One doesn't simply do the risk assessment at the outset but it needs to be visited on an ongoing basis. I suspect that the real problem is lack of money though and the risk, if it was ever graded such became an issue.
I would be interested to know exactly what Jeremy Hunt knew about the risks faced by the NHS IT systems before this happened.
It's quite a few (~6) years since I left my NHS post which had Risk Management at its heart, but IT was - frankly - a mess in the Trust that I worked in.
The risk assessment processes associated with IT were crude, and at a basic level - possibly not helped by a very senior management approach to risk assessments in non-clinical (i.e. non-patient-facing) areas that 'encouraged' the assessments to be played down, possibly with an eye on the financial bottom line. Equally the IT management were somewhat insular when it came to engaging with the more holistic risk assessment systems used in the Trust - the attitude being along the lines of 'this is far too complicated for you to worry your little heads about it'.
The IT support was latterly staffed almost entirely with contract staff who always seemed to be working for our Trust 'in between jobs', leading to a lack of continuity. I got the impression that the few permanent senior staff were well-meaning, but powerless in the face of twin attacks from rapidly developing technology, and from an unsympathetic purely clinically focused board.
The staff - in this Trust, and probably most others - that managed risk, focused on learning from critical incidents, and took recommendations to the Top Table have (apparently) been cut back to almost nothing - so is it surprising that this event has had the effects it has, and that the boards of the Trusts were so taken aback?