A new study carried out by researchers at Imperial College's Institute of Global Health Innovation has revealed that the WannaCry ransomware attacks in 2017 resulted in NHS hospitals and trusts losing up to £5.9 million in lost admissions, appointments, and lost inpatient admissions.
The new study was based on statistics available in the Hospital Episode Statistics database that included details of all admissions, A&E attendances and outpatient appointments at NHS hospitals in England. The researchers found that as a result of the WannaCry attacks, staff at more than 600 NHS hospitals were unable to access IT systems and medical devices such as MRI scanners and some disruptions lasted for around a week.
In October last year, the Department of Health and Social Care (DHSC) estimated that the WannaCry ransomware attack impacted 81 out of 236 trusts across England as well as 603 primary care and other NHS organisations, including 595 GP practices. As many as 19,000 appointments were also cancelled as a result of the attack.
DHS noted that while the NHS lost approximately £19 million worth lost output between 12th and 18th May 2017, it had to spend £72 million in the aftermath of the WannaCry attack to restore data and systems. DHS found that 32 of the 37 NHS trusts that were effectively infected and locked out of devices were located in the North NHS Region and the Midlands & East NHS region.
The financial cost of WannaCry attacks was less than £6 million
However, researchers at Imperial College's Institute of Global Health Innovation believe that the WannaCry attacks cost NHS organisations no more than £5.9 million in lost admissions and appointments, including £4 million in lost inpatient admissions.
Commenting on the discrepancies between the DHS' estimates and their own findings, the researchers said that DHS' findings were based on the assumption that the attack disrupted 1% of all NHS services including primary care but not on primary care data.
According to the researchers, NHS hospitals that were directly impacted by the WannaCry attack lost up to 6% in total admissions per infected hospital per day even though "there was no significant change in total activity".
"The NHS was very fortunate that WannaCry was stopped within a day, and yet this research shows that in that short period the virus was still able to leave a trail of destruction, only part of which we are able to comprehensively measure," said Professor Paul Aylin, patient safety lead at IGHI.
"Should such an attack infect all NHS trusts, then the consequences would be unfathomable, which is why we’re calling for greater investment in IT infrastructure and digital leadership to better equip our health systems and protect the safety of patients," he added.
Dr Saira Ghafur, digital health lead at IGHI, said that even though the WannaCry ransomware attack was not directly targeted at the NHS, the scale of disruptions suffered by NHS hospitals and GPs indicates how susceptible health care is to any cyber threat. "This raises serious concerns about the potential damage a targeted cyber-attack with a more robust virus could have on the NHS," she said.
"Our future work will now focus on understanding how we can better define the detrimental effects of cyber-attacks on patient safety, by learning from people on the frontline and the impact it had on patients and staff," she added.
NHS trusts upped IT spending in the aftermath of WannaCry
In August this year, information obtained by think tank Parliament Street vis a Freedom of Information request revealed that 65 NHS Trusts spent over £612 million on IT in 2018/19 compared to £494.6 million in 2017/18 and £460 million in the 2016/17 financial year.
The enhanced spending on IT could have been in response to the WannaCry ransomware attack which, according to the Department of Health and Social Care (DHSC), cost the NHS a total of £92 million in lost output as well as IT costs.
In FY 2018/19, a large number of other NHS trusts increased their IT spending compared to previous financial years. While University Hospitals of Leicester NHS Trust spent an additional £7,934,000, the Royal Free London NHS Foundation Trust spent an additional £7.5 million on IT compared to the previous year.
In terms of IT spending by individual NHS trusts, Leeds Teaching Hospitals NHS Trust led by spending £18,597,000 in 2018/19 compared to £7,723,868 in FY 16/17, and the Royal Marsden trust spent £16,271,946 in FY 18/19 compared to just £5,476,357 in FY 16/17.