HTN was joined by a panel including Ciara Moore, EPR operations director at Bath, Salisbury and Great Western Group, Stuart Cooney, CTO at Royal Berkshire NHS Foundation Trust, and Julian Wiggins, healthcare solution director at Rackspace Technology, for a discussion focusing on cloud adoption, AI maturity, and cyber resilience.
Panellists explored how healthcare organisations are tackling delivery, legacy systems, and rising digital expectations, and what this means for future strategy and plans. We also looked at the fragmented cloud landscape, integration pressures, legacy infrastructure, AI, and the growing urgency around cyber resilience, finishing by asking where NHS leaders should prioritise investment and focus in 2026.
Offering a brief introduction to her role and remit, Ciara talked about her current focus implementing a first-in-type EPR across three trusts. “My role is preparing the organisation, and you can never start that too soon!” she told us. “We don’t go live until next year, but we’re already underway to ensure we’re ready for implementation.”
“My role is to focus on building the digital, data, and technology foundations at Royal Berkshire,” Stuart shared. “We’re working hard to balance the realities of legacy systems with the opportunities that cloud and AI adoption, interoperability, and having resilient infrastructure bring.”
Julian gave us an introduction to Rackspace Technology, an AI and hybrid cloud solution provider offering end-to-end solutions in the healthcare space. “We recently conducted a survey with trusts and healthcare professionals to understand their view on a number of key themes,” he said. “I’d like to share a bit about what we found out with you, and if you’d like to learn more, please feel free to download the report.”
Headline findings from the Rackspace Technology survey
The webinar started with an overview from a recent survey from Rackspace Technology, providing data from 75 healthcare leaders on cloud adoption, AI, infrastructure and cyber resilience.
40 percent of survey respondents reported having a formal cloud strategy, with 20 percent stating that cloud and IT strategies were “well aligned”, Julian told us. Talking about the top driver of cloud adoption being “reliability and availability”, he commented: “I think as data security gets more complicated and compliance becomes more arduous, it’s important that it’s dealt with proactively to ensure it doesn’t cause issues further down the line.” When asked about cost, 45 percent of respondents said that cloud costs aligned with their expectations, whilst 35 percent said these had exceeded their expectations, he highlighted.
“Moving on to another crucial domain of cloud adoption, legacy debt, 52 percent of people said their legacy systems significantly limit modernisation, and 70 percent described their technical debt as moderate to high,” Stuart explained. “As we start to pursue more exciting systems like the one Ciara’s putting in place, having the infrastructure that is able to respond to that is critical.” 85 percent of respondents currently use EPR systems, but only 20 percent are “very confident” in interoperability across systems, he added.
Cyber security is very much at the forefront of everyone’s minds at the moment, with things like the UK Cyber Security and Resilience Bill being published recently, Julian shared. “56 percent of respondents are actively preparing for this in the UK, and 16 percent believe they are already compliant. 72 percent are expecting cybersecurity investment to increase, and 81 percent plan to increase cyber resilience investment, so it’s good to hear that people are starting to move in the right direction and being properly funded for their endeavours in this space.” While the focus is still on protecting systems from attack, there’s also been a move recently to look more closely at having plans in place for recovery should something happen, he said.
On AI readiness, Julian took us through findings that only one percent of respondents felt AI was fully embedded into business strategy, and 33 percent described AI usage as “minimal” or “ad hoc”. “We do see that as consistent, given that there are some very specific use cases around things like imaging where AI has a real benefit, but we need to be sure that as that use develops, we’re able to respond in a way that presents value but also offers the protection we are all going to need,” he said. “If we have this same call in a year’s time, I see these figures being a lot higher.”
The move to cloud
Reflecting on the cloud journey to date at Royal Berkshire, Stuart told us how the trust is currently working on migrating its systems into hybrid cloud infrastructure. “We took the decision to use a hybrid model as a bit of a stepping stone – there are challenges with technical debt and systems not being cloud ready or cloud native, and I think having a hybrid model maintaining a local presence is a way around that,” he offered. “We’re moving out into a co-location centre, but we’re also building a platform where we’re going to have workloads that perhaps are cloud-ready, or that we can move safely and without disruption into public cloud.”
In his experience, it’s far easier to worry about moving everything over first, and then thinking about the modernisation once everything is shifted over, Stuart shared, adding: “I think the key driver for us is gaining that resiliency and redundancy. We’ve come across a lot of challenges, and the biggest ones tend to be the perception of what it means to put your infrastructure into the cloud – we need to challenge perceptions that it’s cost prohibitive and not as secure – things have changed quite considerably.” When NHS organisations are looking to align with the 10-Year Plan and deliver more care outside of hospitals and out in the community, it’s necessary to have the flexible infrastructure to support that, he went on.
Ciara noted how her organisation is in talks about moving to cloud at go-live or shortly thereafter. From an EPR perspective, it’s important to understand what will be decommissioned, to avoid taking things over that aren’t needed, she explained, “so having operational and clinical leads really work on their digital touchpoints and make sure that is all process mapped is integral”. Cloud makes sense when working across sites which are geographically separate, or with community partners, she went on. “It’s not just about thinking about what we do today – it’s about what it looks like for the future, which makes it quite exciting!”
“The stats are interesting, but hearing from Ciara and Stuart brings everything to life for me in terms of the complexity of this domain,” Julian stated. Planning out a safe and secure route to migration, in a way that meets the needs of business users and clinicians is essential, he went on, “and from our perspective, we’ve identified that the sovereignty of these systems and this data is absolutely crucial”. Rackspace Technology has been working to make sure it is not simply providing cloud services, but that it is offering vertically-aligned solutions that take into account the needs of users and organisations, he added.
“The challenging part isn’t the technology, it’s the processes,” Stuart summarised,” because if you’re going to take the same processes that you have in legacy architecture and put them into a new system that wasn’t designed to accommodate them, you’re trying to heavily customise these solutions to meet those old processes.” He recommended starting by taking a step back and looking at processes end-to-end, seeing whether they can be redesigned to align with the functionality from the platforms they are being moved to. “I understand there might not always be time to do that, but in the long term, that will be more beneficial as you make the move,” he noted.
“Patient safety must always be the priority,” Ciara considered, “and as Stuart said, you have got to look at your process, how you work now, and the way it will change in the future. Making sure data can flow across the organisations you are working with is key, but this is also all about people – how is a clinician managing a patient, what information are they capturing, and how can that be seen elsewhere?”
Technical debt can be “very tricky” to manage, according to Julian, and understanding your business processes, where the risk lies, and where systems are is critical to both their availability and stability. “Understanding that, and being able to progressively move from systems that have historically been quite under-invested in, to private cloud or hybrid cloud, is the way through that. The key thing is making sure you have access to the kind of tools you’re going to need on your journey, and we’ve been working to ensure we’ve got flexible modular solutions that we can play in when our customers need them most.”
Cybersecurity
Moving on to tackle the survey’s findings around cyber security, Ciara highlighted that from an operational point of view, it’s whether the organisation is prepared for an event which means key systems go offline. “We know our smart digital teams and CIOs will make sure they’ve got the right technical checks in place, but have we got all our processes ready, and do our staff understand what to do when something like that happens?” she asked. Getting operational and digital leaders to work collaboratively, ensuring information is correct and that there’s awareness about who uses systems if there’s a threat, is important, she continued. Cyber security events should also be included in emergency preparedness, and they are a great place to start to understand what’s missing, and who key points of contact are, she suggested.
Taking the more technical perspective, Stuart talked about aligning current work in cyber with the requirements of the new Bill, moving forward with the core principles of resiliency, transparency, and accountability. The trust is looking to strengthen its position through the onboarding of a new Security Operations Centre (SOC), strengthened partnerships with the NHS’s central SOC, hardening of infrastructure, systems migration, and promoting security by design. “A big piece of work we’re doing at the moment is strengthening our network segmentation, trying to prevent that lateral movement if we were compromised, and improving our identity and access management,” he said. “There’s a lot of work to do with external suppliers, as well, to make sure they’re meeting our cybersecurity baselines.”
Calling staff training around cyber “absolutely pivotal”, Stuart highlighted how cyber risk and patient safety risk are linked, and plans to ensure that understanding of the impact on safety is there. “I think we’ll be doing a lot more role-play across the trust, and we’re also working on setting out what is the minimum viable hospital, looking at what we need to bring back up quickly if we are hit, so we’re making progress there.”
“When we’re looking at staff training, it’s funny, because I know of trusts many years into their EPR journeys who are now looking to train staff on how to write on paper in case things go down,” Ciara observed. “People have been so used to doing things digitally, it’s whether they now understand how to fill out the piece of paper they may need to use to maintain patient safety or record information. We all need to be aware of what to do if anything happens.”
The importance of planning and running things through shouldn’t be underestimated, so people across the organisation are prepared and know what to do in case of a cyber event, Julian agreed. “You need to dig in to your supply chain as well, because that’s where the complexity can lie, and you can find yourselves heavily reliant on organisations who may for periods of days or weeks simply not be there. We also do a lot of work on the minimum viable hospital, helping customers understand how their organisation functions and how to keep things going while systems are restored.” Keeping up-to-date with prevention is a challenge, he went on, “but having a fortress somewhere that protects your data, and having an immutable backup to get back up and running, is key”.
Considering what might be considered the greatest need in terms of managing ongoing threats, Stuart mentioned telemetry and observability. “I don’t want to be kept awake at night because I don’t know what is hitting our firewalls or what’s coming into my network,” he said. “So for me, the key priority is gaining that telemetry and visibility on what is happening, then being able to deal with it proactively and effectively.”
“Visibility is absolutely crucial,” Julian nodded, “as we see a lot of cat-and-mouse type approaches to cyber security whereby people gain limited access to an enterprise, and then start seeing where they can go. We’re seeing now more of an understanding of how detection systems work, and ways to stay under those, so moving forward, being able to share information on what the signatures are and what those activities look like, will mean we initiate threat hunting in a more intelligent way.”
AI readiness
Stuart spoke about receiving AI workload requests almost daily, some of which have very strong value propositions. He shared four pillars of a safe and effective AI system: data, governance, infrastructure, and culture. “If you get those four foundational things right, you are on a very good footing,” he considered, “but we have a long way to go to get those things in place, and we have things like legacy systems to contend with, or systems that don’t talk to each other – the challenge right now is doing these things in parallel.”
Picking up on the culture part of that, Julian noted the need for people to understand AI’s capabilities and limitations, and the importance of finding people with the knowledge and ability to harness the technology within the context of an organisation. “A lot of times when you’re building AI solutions, you get to a situation where you’ve been able to achieve exactly what you wanted to achieve, but the people, the software, and the infrastructure you’ve consumed to deliver that make it prohibitive, so you’ve got a successful pilot that can’t go beyond being a pilot. Recognising the constraints you face early on will help you shape your solution in way that will avoid that.”
Ciara talked about her current role and having to work from a “very low baseline” in digital maturity. As well as the EPR, the organisation is building a digital academy, with one of the first modules focusing on teaching people about change. “We have to make sure our clinicians are working very closely with the digital team, so we’re building that digital academy and a clinical informatics faculty, bringing clinicians in,” she explained. “By doing that, we hope to keep pace with the EPR deployment.” Challenges also arise when trying to match up AI solutions that may have already been developed, but which do not fit with the new system, she noted.
At Royal Berkshire, work is being done on digital literacy and trying to make sure that staff are involved from day one when looking to deploy new systems or technologies, Stuart shared. “As technologists, I think we sometimes have a tendency to ram technology down people’s throats because we think it’s the best thing technically; but that might not be the best thing culturally or organisation-wide,” he highlighted. “We’re definitely trying to bring people on the journey, bringing in clinical leads and checking everything we’re doing is clinically aligned – ultimately, that then has better outcomes for our staff and our patients.”
“It may be that organisations with an appetite for AI do not have the infrastructure in place to realise the benefits they’re hoping for,” Julian told us, “so having access to cloud services that are able to deploy either AI pilots or live AI models is critical.” While there are some fantastic use cases out there, the data being used in them is extremely sensitive, he continued, “so finding a way for your data to stay secure, private, and sovereign, is essential”. Rackspace offers entirely sovereign private cloud services, as well as the ability to consume costly resources such as GPUs, to help customers take advantage of these in a way that doesn’t require the purchase of hardware. “You can slice it by capacity, which gives you a lot of flexibility with testing and scaling,” he pointed out.
Future outlook
Each of our panellists offered an overview of their thoughts on where NHS leaders should prioritise investment and focus moving forward, with Ciara sharing that she still doesn’t feel there is enough investment in digital. “If we really want to be the best health service in the world, we need to keep pace with the rest of the world, keep investing in digital, and bring our people along with us,” she summarised. “In practice, that comes down to understanding people, how they work, the processes they work with, and making sure digital becomes that enabler – alongside that has to be the education, the training, and the understanding of our staff so they make the best use of the tools.”
“The three areas for me would be data foundations and interoperability, because they unlock everything else; modern and resilient infrastructure to unlock power for some of these fantastic AI systems; and investment in people, skills, and digital literacy for the success of all of these things,” Stuart stated. “You’ve got to have a team that can meet these challenges and adopt your digital investments easily, as a place to start.”
“I’m very keen to make sure that a holistic approach is taken to understanding the enterprise architecture, the business logic, and then using that to shape the infrastructure,” Julian said. “On a more technical level, I think cyber resilience and recovery is a crucial area of focus, as the impact of loss of our systems is crushing, and we must make sure we take time to plan how we recover from that and minimise the impact.”
“What I’m getting from everybody is that we’re quite aligned in our thinking, and if that is spread across the whole of the NHS, I think we’re on really good footing – if we’re all singing from the same hymn sheet then hopefully we’ll get delivery right and make the right investments,” Stuart considered.
“We’re in the foothills of a very exciting time in digital,” said Ciara, “and I hope I get invited back in five years’ time to review where we are against this webinar!”
We’d like to thank our panellists for taking the time to share these insights with us.
