WannaCry cost the NHS £92 million, report estimates

An update to an earlier DHSC report estimates that £19 million was lost in patient care alone

The NHS fell victim to the WannaCry ransomware in 2017

The Department of Health and Social Care has estimated that the WannaCry ransomware attack cost the NHS a total of 92 million, as part of an update into its ongoing investigation of the incident.

Until now the NHS has failed to provide an exact figure on the damage sustained during the ransomware attack in May 2017, and the DHSC admits that the figures presented on Thursday are a "broad estimate" covering the time during and immediately after the attack.

During the attack, in the period of 12 May to 18 May, it's estimated that around 19 million was lost in terms of patient care output, based on the findings that 1% of NHS services were disrupted over a one-week period. In addition to the lost services, it's believed a further 500,000 was spent on dealing with the immediate effects of the IT failure, including the hiring of additional consultants.

The biggest costs came in the June-July period immediately following WannaCry, which is estimated to have cost a further 72 million as the NHS worked to restore its services to full operation and to recover its data.

The WannaCry ransomware attack, which is thought to have affected over 200,000 computer systems across the world, disrupted the services of one-third of the UK's hospital trusts, and approximately 8% of GP clinics. It's believed that around 19,000 hospital appointments were cancelled as a result.

Advertisement
Advertisement - Article continues below

Afflicted systems locked out their users and held hospital data to ransom, demanding a payment in the form of the Bitcoin cryptocurrency. The ransomware also had self-propagating characteristics and was able to spread through a system automatically. The ease at which the ransomware spread has been blamed on an overreliance on outdated operating systems, including Microsoft's Windows XP.

The DHSC says this is the best estimate it can provide at this time, as there has yet to be a systematic collection of data on the costs of recovering IT systems. "At the time, the focus nationally was on responding to the incident and remediation rather than collecting data, which would make an accurate retrospective data collection challenging," the report states.

Unfortunately, this is unlikely to happen any time soon, as attempts to gather such data would place a "disproportionate financial burden on the system".

The estimated losses come as part of an update to an earlier report released in February. Since that time, the DHSC has signed a deal with Microsoft to ease its migration from legacy operating systems to the Windows 10 platform.

It's also pledged to invest an additional 150 million into the system over the next three years, which will be used to protect key services from the effects of cyber attacks. This also includes further investment into the NHS Digital's Cyber Security Operations Centre, founded in November last year, which works to monitor the security of health services at a national level and provide advice to individual NHS organisations.

This means that over 250 million will have been invested to improve the security of the NHS by 2021.

"When ransomware hits an organization, much is discussed about the cost in terms of rebuilding infrastructure, restoring digital records and getting systems back online," said Matt Lock, director of sales engineers at Varonis.

"In the case of the NHS, we may never truly know or be able to quantify the ultimate cost of the WannaCry attack because human lives may have been affected by a delayed ambulance or incorrect treatment."

As part of the report, the CIO for NHS health and care has put forward 22 recommendations, which have now been agreed upon and will be rolled out over the coming years. These include a provision that forces all NHS organisations to adhere to the Cyber Essentials Plus Standard, a framework established by the UK's National Cyber Security Centre (NCSC).

Advertisement
Advertisement - Article continues below

All NHS organisations have also been given until 31 March 2019 to submit a record of compliance to NHS Digital under the Data Security and Protection Toolkit, which acts as a national framework for the data security and protection in healthcare in the UK and incorporates the key legal requirements set out by the General Data Protection Regulations (GDPR).

Advertisement
Related Resources

Application security fallacies and realities

Web application attacks are the most common vulnerability, so what is the truth about application security?

Download now

Your first step researching Managed File Transfer

Advice and expertise on researching the right MFT solution for your business

Download now

The KPIs you should be measuring

How MSPs can measure performance and evaluate their relationships with clients

Download now

Life in the digital workspace

A guide to technology and the changing concept of workspace

Download now

Recommended

Visit/technology/33077/health-secretary-bans-pagers-from-nhs-hospitals
Technology

Health Secretary bans pagers from NHS hospitals

25 Feb 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

4 Nov 2019
Visit/domain-name-system-dns/34842/microsoft-embraces-dns-over-https-to-secure-the-web
Domain Name System (DNS)

Microsoft embraces DNS over HTTPS to secure the web

19 Nov 2019
Visit/strategy/28115/the-pros-and-cons-of-net-neutrality
Business strategy

The pros and cons of net neutrality

4 Nov 2019
Visit/social-media/34844/can-wikipedia-founders-social-network-really-challenge-facebook
social media

Can Wikipedia founder's social network really challenge Facebook?

19 Nov 2019