NHS Trusts have spent a combined additional £151,940,223 on IT since being hit by the WannaCry attack in May 2017, according to official figures obtained via Freedom of Information (FOI) request by the Parliament Street think tank.
The global WannaCry ransomware attack particularly hit unpatched Windows XP machines, infecting and encrypting computers of around 200,000 known victims, including NHS trusts across England who faced a £73 million IT bill, and some £19 million of lost patient services.
65 NHS Trusts have spent £612,128,793 on IT in the 2018/19 financial year compared to £494,607,408 in the 2017/18 financial year, and £460,188,570 in the 2016/17 financial year directly preceding the WannaCry attack.
While some would criticise the NHS spending priorities prior to the attack, it can be argued that the NHS simply did not have the money to upgrade its systems and ensure they were patched with all the latest security updates, and instead chose to spend it on frontline staff and healthcare, particularly given that it was reported that in the year prior to the attack a billion pounds of infrastructure spend - part of which is spent on the NHS' IT infrastructure - had been removed from its budget to plug wider funding gaps in the NHS. Figures reported by HSJ in May 2017 also found that at that time a further £3 billion was set to be moved to help fill funding gaps elsewhere in the NHS.
Others blamed the vendor industry, with one LinkedIn comment quoted by HSJ saying: "Had the software vendors not charged over the odds for their software, had the IT consultants not tried to rip them off. Would the NHS have been able to move off their legacy IT solutions and therefore into a patchable environment and kept themselves in a safer IT environment? I think some blame has to lie with the IT vendors who see government services such as education and healthcare as a cash cow and charge over-the-odds for services."
In the wake of the attack, the October 2018 Department of Health and Social Care (DHSC) report on post-WannaCry remediation, ‘Securing cyber-resilience in health and care’, detailed steps taken in the subsequent six months to enhance security. At that time it said it had:
- Increased investment in securing local infrastructure in 2017/18 to over £60 million
- Signed a Windows 10 licensing agreement with Microsoft
- Agreed £150 million of investment over the next three years
- Procured a new cybersecurity operations center from IBM
- Launched its Data Security and Protection Toolkit
- Supported 25 local NHS organizations to improve their cyber-resilience via the NHS Digital "Blue Teams" pilot
However, NHS Digital was also criticised for ignoring the explicit recommendation of the NHS’s chief information officer, Will Smart, who called for "all NHS organizations [to] develop local action plans to move to compliance with the Cyber Essentials Plus standard by June 2021". According to internal documents obtained by the Health Service Journal, it was estimated that this requirement would cost between £800 million and £1 billion.
The scale of this requirement puts into context the recent announcement by Prime Minister Boris Johnson of a one-off £1.8 billion cash boost for NHS hospitals, which Sheila Flavell, COO of FDM Group, suggests can be expected to be partly used to further bolster IT security, training and equipment.
Flavell adds: "Building an NHS fit for the future means training and equipping doctors, nurses and medical professionals with the very latest digital skills. Key to this effort is ensuring existing staff have the opportunity to reskill in critical areas like big data and cyber security, as well as recruiting staff from more diverse backgrounds. This approach will simultaneously drive efficiencies in the health service, whilst having real impact on patient experiences."
The highest reported spending increase came from Leeds Teaching Hospitals NHS Trust, up £11 million (£10,873,132) from £7,723,868 in FY 16/17 to £18,597,000 in FY 18/19. The Royal Marsden reported an IT spending increase of more than £10 million (£10,795,589), rising from £5,476,357 in FY 16/17 to £16,271,946 in FY 18/19.
University Hospitals of Leicester NHS Trust boosted IT spending by £7,934,000, rising from £11,577,000 in FY 16/17 to £19,511,000 in FY 18/19. The Royal Free London NHS Foundation Trust saw an increase of £7.5 million, up from £16,729,000 in FY 16/17 to £24,249,691 in FY 18/19.
Of course, cyber-security is not the only area of IT spend in the NHS, even within its digitisation programme. Earlier this month the Health Secretary Matt Hancock announced £250 million of investment in an artificial intelligence lab within NHSX, the new organisation that will oversee the digitisation of the health and care system, in partnership with the Accelerated Access Collaborative.