Government puts cost of WannaCry to NHS at £92m

12 October 2018

The Department of Health and Social Care (DHSC) has estimated that WannaCry cost the NHS £92m in direct costs and lost output.

The Department’s latest update on cyber resilience in health and care suggests last year’s cyber-attack cost the service £20m during the outbreak and an additional £72m in the aftermath.

This includes £19m worth of lost output as a result of disruption to services – such as cancelled appointments and operations – and the shutting down of computer systems to stem the spread of the malware.

It also includes £73m in direct IT costs, which incorporates expenditure on IT support needed to recover data and restore systems affected by the attack.

NHS England had made clear it would not compile a report detailing the costs of WannaCry on the health service.

But MPs put pressure on the DHSC to publish an estimate of the financial impact of the disruption, after raising concerns that recommendations for improving cyber security in the NHS were taking too long to materialise.

Ministers had asked DHSC to provide estimates for the cost of WannaCry by the end of June.

According to the latest update report: “No data was systematically collected on the costs of recovering IT systems or the extent to which patient care was disrupted. Accurately assessing the costs would require collecting data from all organisations which itself would impose a disproportionate financial burden on the system.

“At the time, the focus nationally was on responding to the incident and remediation rather than collecting data, which would make an accurate retrospective data collection challenging.”

Working on assumptions

The 2017 ransomware incident affected services at one-third of NHS trusts and approximately 8% of GP practices in England.

DHSC estimates that IT support at the time of the attack cost the NHS £500,000.

This figure is based on the assumption that each of the 80 trusts severely affected by WannaCry would have required the equivalent of five days of full-time support from an IT specialist.

The report estimates that 1% of all NHS care was disrupted by the attack over a one-week period, but adds that “demand for NHS services fluctuates, therefore this should only be considered an approximate estimate”.

In his “lessons learned” review of the attack, NHS England’s chief information officer set out a requirement for every English NHS organisation to comply with the Cyber Essentials Plus standard by June 2021.

Will Smart also said organisations would be required to adhere to 10 standards laid out in NHS Digital’s data security and protection toolkit.

NHS Digital has ramped up investment in cyber security in the 18 months following the attack, recently appointing a new security chief.

It was reported last month that one of the orchestrators of the attack had been charged by US officials.
