WannaCry cost the NHS £92 million, report estimates

An update to an earlier DHSC report estimates that £19 million was lost in patient care alone

The NHS fell victim to the WannaCry ransomware in 2017

The Department of Health and Social Care has estimated that the WannaCry ransomware attack cost the NHS a total of 92 million, as part of an update into its ongoing investigation of the incident.

Until now the NHS has failed to provide an exact figure on the damage sustained during the ransomware attack in May 2017, and the DHSC admits that the figures presented on Thursday are a "broad estimate" covering the time during and immediately after the attack.

During the attack, in the period of 12 May to 18 May, it's estimated that around 19 million was lost in terms of patient care output, based on the findings that 1% of NHS services were disrupted over a one-week period. In addition to the lost services, it's believed a further 500,000 was spent on dealing with the immediate effects of the IT failure, including the hiring of additional consultants.

The biggest costs came in the June-July period immediately following WannaCry, which is estimated to have cost a further 72 million as the NHS worked to restore its services to full operation and to recover its data.

The WannaCry ransomware attack, which is thought to have affected over 200,000 computer systems across the world, disrupted the services of one-third of the UK's hospital trusts, and approximately 8% of GP clinics. It's believed that around 19,000 hospital appointments were cancelled as a result.

Afflicted systems locked out their users and held hospital data to ransom, demanding a payment in the form of the Bitcoin cryptocurrency. The ransomware also had self-propagating characteristics and was able to spread through a system automatically. The ease at which the ransomware spread has been blamed on an overreliance on outdated operating systems, including Microsoft's Windows XP.

The DHSC says this is the best estimate it can provide at this time, as there has yet to be a systematic collection of data on the costs of recovering IT systems. "At the time, the focus nationally was on responding to the incident and remediation rather than collecting data, which would make an accurate retrospective data collection challenging," the report states.

Unfortunately, this is unlikely to happen any time soon, as attempts to gather such data would place a "disproportionate financial burden on the system".

The estimated losses come as part of an update to an earlier report released in February. Since that time, the DHSC has signed a deal with Microsoft to ease its migration from legacy operating systems to the Windows 10 platform.

It's also pledged to invest an additional 150 million into the system over the next three years, which will be used to protect key services from the effects of cyber attacks. This also includes further investment into the NHS Digital's Cyber Security Operations Centre, founded in November last year, which works to monitor the security of health services at a national level and provide advice to individual NHS organisations.

This means that over 250 million will have been invested to improve the security of the NHS by 2021.

"When ransomware hits an organization, much is discussed about the cost in terms of rebuilding infrastructure, restoring digital records and getting systems back online," said Matt Lock, director of sales engineers at Varonis.

"In the case of the NHS, we may never truly know or be able to quantify the ultimate cost of the WannaCry attack because human lives may have been affected by a delayed ambulance or incorrect treatment."

As part of the report, the CIO for NHS health and care has put forward 22 recommendations, which have now been agreed upon and will be rolled out over the coming years. These include a provision that forces all NHS organisations to adhere to the Cyber Essentials Plus Standard, a framework established by the UK's National Cyber Security Centre (NCSC).

All NHS organisations have also been given until 31 March 2019 to submit a record of compliance to NHS Digital under the Data Security and Protection Toolkit, which acts as a national framework for the data security and protection in healthcare in the UK and incorporates the key legal requirements set out by the General Data Protection Regulations (GDPR).

Featured Resources

Shining light on new 'cool' cloud technologies and their drawbacks

IONOS Cloud Up! Summit, Cloud Technology Session with Russell Barley

Watch now

Build mobile and web apps faster

Three proven tips to accelerate modern app development

Free download

Reduce the carbon footprint of IT operations up to 88%

A carbon reduction opportunity

Free Download

Comparing serverless and server-based technologies

Determining the total cost of ownership

Free download

Recommended

Sabbath hackers are targeting US schools and hospitals
ransomware

Sabbath hackers are targeting US schools and hospitals

29 Nov 2021
Secretary of State retires NHS Digital and NHSX
public sector

Secretary of State retires NHS Digital and NHSX

23 Nov 2021
Out-of-hours ransomware attacks have a greater impact on revenue
ransomware

Out-of-hours ransomware attacks have a greater impact on revenue

18 Nov 2021
US and Israel join forces to fight ransomware
ransomware

US and Israel join forces to fight ransomware

15 Nov 2021

Most Popular

What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

24 Nov 2021
Sabbath hackers are targeting US schools and hospitals
ransomware

Sabbath hackers are targeting US schools and hospitals

29 Nov 2021