The WannaCry attack that hit the NHS in 2017 cost at least £92 million in lost service output and post-incident remediation costs.
The figure was contained within a report published yesterday by the Department of Health and Social Care (DHSC), ‘Securing cyber-resilience in health and care’, written as an update on post-WannaCry remediation.
The report estimates that £19 million worth of patient services were lost during the WannaCry attack in May 2017.
The attack disrupted services across a third of hospital trusts and eight percent of GP practices, the report said, resulting in 19,000 appointments cancelled at an average cost of £1,000 each. This represents approximately one percent of NHS care in the affected period.
Estimated costs to IT were much higher, amounting to £500,000 during the attack and a staggering £72 million during the two months following the attack as trusts worked to secure systems and recover lost data. However, the figures came with a health warning as the department said that the figures are estimates, based on assumptions about the level of resources required at each organisation based on their size and the severity of the disruption they suffered.
A more detailed assessment of costs incurred would cause further disruption and impose a disproportionate cost on affected organisations, the DHSC said.
The department published a report in February detailing its activities since the WannaCry attack. In this report, it detailed a number of steps it has taken in the six months since then to enhance security. It said it has:
Increased investment in securing local infrastructure in 2017/18 to over £60 million
Signed a Windows 10 licensing agreement with Microsoft
Agreed £150 million of investment over the next three years
Procured a new cyber security operations centre from IBM
Launched its Data Security and Protection Toolkit
Supported 25 local NHS organisations to improve their cyber-resilience via the NHS Digital "Blue Teams" pilot
It also said that it has "agreed our plans to implement the recommendations of the Chief Information Officer for Health and Care’s review of the May 2017 WannaCry attack".
However, it recently came to light that NHS Digital is ignoring the explicit recommendation of the NHS’s chief information officer Will Smart who called for "all NHS organisations [to] develop local action plans to move to compliance with the Cyber Essentials Plus standard by June 2021". According to internal documents obtained by the Health Service Journal, it was estimated that this requirement would cost between £800 million and £1 billion.
NHS Digital reportedly opposed this, saying that Cyber Essentials Plus was a useful "benchmark" but gaining accreditation "would not be value for money".
According to yesterday’s report, all 130 NHS Trusts and Foundation Trusts which have been assessed so far have been asked to provide their plans for achieving Cyber Essentials Plus. The remaining trusts will be assessed by March 2019 and will also be asked to present their plans, but the document makes no mention of funding to support this.