The Department of Health and Social Care (DHSC) has estimated that the WannaCry ransomware attack, which took place between 12th and 18th May last year, cost the NHS a total of £92 million in lost output as well as IT costs.
According to a report released by the National Audit Office last year, the WannaCry ransomware attack impacted 81 out of 236 trusts across England as well as 603 primary care and other NHS organisations, including 595 GP practices. As many as 19,000 appointments were also cancelled as a result of the attack.
The report added that between 15 May and mid-September last year, NHS England identified a further 92 organisations, including 21 trusts, that were hit by the ransomware attack. 32 of the 37 NHS trusts that were effectively infected and locked out of devices were located in the North NHS Region and the Midlands & East NHS region.
The National Audit Office stated that NHS England had no way of knowing the true impact of the WannaCry ransomware attack, as it did not know how many GP appointments were cancelled or how many ambulances and patients were diverted from the five accident and emergency departments that were unable to treat some patients. The Department of Health and Social Care (DHSC) has nonetheless now come up with an estimated cost of the ransomware attack, with a disclaimer that the estimate only includes direct costs and costs incurred in providing additional IT support in the aftermath of the attack.
NHS lost £19m to WannaCry attack in one week
According to DHSC's estimate, the NHS lost approximately £19 million worth of output between 12th and 18th May last year, and had to spend £72 million in the aftermath of the WannaCry attack to restore data and systems.
"It is anticipated that 1% of care was disrupted over a one week period, based upon an estimate of the average level of care provided by the NHS in a one week period. It is estimated that there was approximately £19m of lost output. However demand for NHS services fluctuates, therefore this should only be considered an approximate estimate.
"Assuming each of the 80 severely affected Trusts would have required the equivalent of 5 days FTE additional resource of an IT specialist, the cost of IT support at the time of the attack would have been £0.5m. After the attack we have estimated an average level of resource required by organisations based upon their size and the severity of disruption," the department said.
"When ransomware hits an organization, much is discussed about the cost in terms of rebuilding infrastructure, restoring digital records and getting systems back online. In the case of the NHS, we may never truly know or be able to quantify the ultimate cost of the WannaCry attack because human lives may have been affected by a delayed ambulance or incorrect treatment," said Matt Lock, Director of Sales Engineers at Varonis.
"Ransomware, or any cyberattack that has the potential to bring down critical infrastructure, then transitions from being a business issue to a public safety issue. Attackers will strike again, whether for profit or to sow mistrust and confusion, and the organisations the public relies on must be prepared," he added.
Additional spending to enhance the NHS' cyber security
Aside from the cost incurred in the aftermath of the WannaCry ransomware attack, a spokesman for the DHSC recently stated that £60 million has been invested so far to address key cyber security weaknesses in NHS hospitals and GPs and that the department is planning to spend a further £150 million over the next two years.
Recently, NHS Digital entered into a three-year strategic partnership with IBM to provide a range of services to healthcare organisations and to enhance NHS Digital’s capability to monitor, detect and respond to a variety of security risks and threats across the NHS.
In September, NHS Digital issued a tender valued between £700,000 and £850,000 for the creation of a cyber design authority team to support expanded data security centre responsibilities. It also issued a tender worth between £1.5 million and £1.65 million for the supply of a Project Management Office (PMO) and a Security Demand & Supply Management (SDSM) Team that would support an expanded Data Security Centre.
According to NHS Digital, the Data Security Centre enables the safe and secure use of data and technology by healthcare organisations to manage cyber security risk and to deliver improved patient care.
The centre issues a range of cyber security threat notifications to health and care organisations, helps organisations to assess their data and cyber security practices, and undertakes a range of national and local monitoring services, designed to identify vulnerabilities, uncover suspicious behaviour and block malicious activity.