Cost of WannaCry attack to NHS set at £92m

Department for Health and Social Care estimates the immediate cost of the May 2017 WannaCry attack on the NHS was £92m, and says it will have spent about £275m on improvements to its cyber security infrastructure by the end of 2021

The cost of the May 2017 WannaCry attack, which disrupted services at one-third of NHS trusts and resulted in more than 19,000 GP appointments being cancelled, is estimated at £92m – £19m in lost output and £73m to restore affected data and systems.

The Department for Health and Social Care (DHSC) will also spend about £275m on additional security measures by the end of 2021, according to a new report.

In the latest update to its report Securing cyber resilience in health and care, the DHSC disclosed a rough estimate of the total cost of the attack – something the Public Accounts Committee (PAC) had asked to be done by June 2018 – and said that to assess the true cost accurately and fully, it would have to collect data from all organisations, which would be a “disproportionate financial burden” on the system.

The estimate breaks down the cost across the period of the attack, from 12-17 May 2017, and the recovery period over the following two months.

The £19m figure was arrived at by anticipating that 1% of care was disrupted over one week, based on an estimate of the average level of care provided across the entire NHS during a one-week period.

Assuming that all the trusts that were severely affected would have needed the equivalent of five days’ full-time equivalent (FTE) resource of a single IT consultant, the cost of IT support during the attack hit £500,000.

For the following two months, the DHSC estimated that the average level of resource required by affected trusts, based on size and severity of disruption, added a further £72m to the total.

In its previous update in February 2018, the department said it had agreed £150m of investment in security over the next three years, and £44m in 2017/18. It has now spent £61m in 2017/18 – £15m more than planned in February – after it was able to utilise underspends from elsewhere.

Adding similar levels of spending in 2019/20 and 2020/21, it has now estimated that it will spend £275m on security – a figure that excludes investment by local organisations and wider national IT funding in support of better security, such as the move to migrate all its computer systems to Microsoft Windows 10.

Initial phases of investment were targeted at major trauma centres and ambulance trusts. The report detailed two relevant case studies. One was an unnamed ambulance trust that was awarded £260,000 to replace legacy firewalls and servers on a mobile data system, and that invested in more disk space to create detailed data logs to assist in service recovery should it be attacked again. The other was an undisclosed university hospital trust that received £1.5m to spend on enhanced antivirus and patching services, a security information and event management (SIEM) system to give it better control over its network, and a new generation of smart firewalls to handle external data flows as it migrates more services into the cloud.

The report said that overall, the NHS was making good progress in implementing improved cyber security programmes, with all trusts and foundation trusts now having recruited a board-level member with responsibility for cyber security (with one undisclosed exception).

Elsewhere, NHS Digital and NHS England continue to trial a number of intervention programmes and are currently piloting the delivery of GCHQ-accredited board-level training; facilitating system-hardening capabilities; triaging risks and vulnerabilities to prioritise investment; and reviewing and remediating identity and access management issues.

The report also noted progress on implementing a three-year deal with IBM, signed in June 2018, to deliver a new cyber security operations centre for NHS Digital.
