Governance and hackers: the evils of Aria. Uncertain priorities, little strength, so much to do: “And planning goes to hell”

Milan – “We are an instrumental body that must do what the Lombardy Region asks. And we are in this game. But this game requires stability. It’s a bit like the markets with Trump: if there is no stability, planning goes to hell”. Clear words, words of a general manager who does not speak in public often or willingly: Lorenzo Gubian . To be precise, the general manager of Aria Spa. Yes, the Lombardy purchasing center, the same Aria that in recent weeks has been at the center of a bitter confrontation between Guido Bertolaso, Welfare Councilor, the great accuser who signed a decidedly critical dossier on the performance of the subsidiary, in particular with regard to the management of tenders for the health system, and Fratelli d’Italia, who instead defended its actions. Gubian spoke yesterday at the conference on cybersecurity organized by the Lombardy Democratic Party at the Pirellone. And even on the cybersecurity front, the picture given by the general manager is reassuring only up to a certain point. Indeed, cybersecurity, in Aria, faces a few more difficulties than other activities because it is a more “recent” priority than others.

As for the problems of Aria governance, Gubian dwelt on them for 4 minutes, dense. “We need more timely planning, especially for annual activities, between the regional offices and the Aria offices, because very often the planning we do at the beginning of the year is changed and this does not make things very simple to manage – he explained –. Changing the planning on the fly, especially with this volume of activity and limited human resources, is not easy”. “In the area of ​​purchasing – one of the areas highlighted by Bertolaso ​​– we need more coordination. If there is no strong coordination, there is a risk that the work of a part of the system will be nullified by the lack of coherent action by some actor who does not do what was agreed”. Example: “If I, with a competition, give you the opportunity to buy 100 prostheses and you buy 3, I have wasted my time. Strong coordination and clarity of roles are needed. The back and forth, saying “you do and don’t do this type of activity” is harmful. Today you do it, tomorrow you don’t, then you do it again. But if an activity is no longer needed, I put people to do something else, with the shortage I have”. A not secondary step, the one on trust: “It is essential to be able to re-establish a climate of trust with the regional offices, which exists in most of the General Directorates”. In “most”, not all. Gubian does not name names but the references seem evident.

How much to cybersecurity , in the first months of 2025 there have already been 595 cyber attacks on public hospitals in Lombardy, blocked by Aria's protection systems. Last year, there were 2,214 attacks on the Region and on entities and companies in the regional system, intercepted and repelled. In Aria, however, the employees assigned to cybersecurity are 3 out of 400. The use of external experts (about 50) hired as consultants is inevitable. But hiring them is not easy: the competition is fierce, whoever pays best wins. Then there is a generational issue: less than 5% of Aria's employees are under 35, less than 5% belong to generations particularly predisposed to working in the sector. “Cybersecurity is central today,” says Pietro Bussolati, regional councilor of the Democratic Party . “The fact that in Aria only three people out of over 400 employees deal with cybersecurity shows that there is a difficulty in making a structure adequate for the purpose stable.” Lastly, during the morning, the Single Booking Center (CUP) was discussed. “The general director of Aria explained the technical complexity for the creation of the single CUP even in public hospitals alone,” underlines Pierfrancesco Majorino, group leader of the Democratic Party. “Now we are even more worried, because we do not see the end of the issue of the single CUP, which is an essential element of governance of the healthcare offer. And the responsibility lies with politics, with Fontana and the various Welfare councilors, who in the name of laissez-faire to private healthcare have never insisted.” “It is clear that Aria is seen as a center of power by FdI and Lega,” concludes Bussolati. “This is a big problem, the interest of Lombardy must come first.”