Information obtained via a Freedom of Information request has revealed that NHS trusts spent an additional £151,940,223 on IT security in the aftermath of the WannaCry ransomware attack that brutally exposed the vulnerability of the UK’s healthcare system to cyber attacks.
Information obtained by Parliament Street, a well-known think tank, has revealed that the average NHS trust spent considerably more on IT in the aftermath of the WannaCry attack than it did prior to the incident. According to a new report, 65 NHS Trusts spent over £612 million on IT in 2018/19 compared to £494.6 million in 2017/18 and £460 million in the 2016/17 financial year.
The enhanced spending on IT could have been in response to the WannaCry ransomware attack which, according to the Department of Health and Social Care (DHSC), cost the NHS a total of £92 million in lost output as well as IT costs.
A report from the National Audit Office also revealed that the WannaCry ransomware attack impacted 81 out of 236 trusts across England as well as 603 primary care and other NHS organisations, including 595 GP practices. As many as 19,000 appointments were also cancelled as a result of the attack.
In terms of IT spending by individual NHS trusts, Leeds Teaching Hospitals NHS Trust led the way, spending £18,597,000 in FY 18/19 compared to £7,723,868 in FY 16/17, while the Royal Marsden trust spent £16,271,946 in FY 18/19 compared to just £5,476,357 in FY 16/17.
In FY 2018/19, a large number of other NHS trusts increased their IT spending compared to previous financial years. While University Hospitals of Leicester NHS Trust spent an additional £7,934,000, the Royal Free London NHS Foundation Trust spent an additional £7.5 million on IT compared to the previous year.
Is the continued vulnerability of NHS systems a culture issue?
However, despite the additional spending on IT by dozens of NHS trusts, will this extra money have the desired result if the failure to patch vulnerable systems is an organisational or cultural failure rather than a lack of monetary resource?
For instance, over two years after the WannaCry attack took place, Jackie Doyle-Price, Parliamentary Under Secretary of State at the Department of Health, admitted that as of July 2019, the NHS still had over 2,300 computers that ran Windows XP, an operating system that stopped receiving security updates in 2014.
This is despite Health Secretary Jeremy Hunt announcing in May 2017 that all outdated systems used by the NHS would be patched or replaced by March 2018.
Yet another issue NHS trusts are grappling with is the handling and storage of patients’ personal data by employees and third-party vendors. Time and again, employees at NHS trusts have been found accessing personal information of patients without authorisation or sharing it with unauthorised individuals.
In December last year, two doctors, a consultant, and two nurses at the Salford Royal Hospital in Greater Manchester faced investigations after being accused of accessing former Manchester United manager Sir Alex Ferguson’s medical records when he was undergoing surgery at the hospital after suffering a brain haemorrhage.
The Information Commissioner’s Office also fined a former trainee secretary at the Fakenham Medical Practice in Norfolk £350 and asked her to pay costs of £643.75 and a victim surcharge of £35 after finding her guilty of reading the medical records of 231 patients in two years. The list of victims included colleagues and their families, her own relatives, friends and acquaintances, and members of the public.