According to Digital Health, last year’s ransomware attack, WannaCry, cost the NHS £92m altogether.
It has now been estimated by the Department of Health and Social Care that last year’s major cyber attack – known as WannaCry – cost the NHS £92m.
The ransomware incident affected services at a third of NHS trusts and approximately eight per cent of GP practices in England.
This loss is a combination of direct costs and lost output. The initial cost was £20m, with £72m lost in the aftermath.
The £92m includes £73m in direct IT costs, including the expense of the IT support needed to recover data and repair damage.
NHS England had initially said that it would not be compiling a report detailing the costs of WannaCry, but MPs put pressure on the Department to publish an estimate, based on the concern that recommendations for improving digital security in the NHS were too slow to materialise.
Ministers had asked the Department to provide estimates for the cost of WannaCry by the end of June.
According to the latest update report: ‘No data was systematically collected on the costs of recovering IT systems or the extent to which patient care was disrupted. Accurately assessing the costs would require collecting data from all organisations which itself would impose a disproportionate financial burden on the system.
‘At the time, the focus nationally was on responding to the incident and remediation rather than collecting data, which would make an accurate retrospective data collection challenging.’
In his “lessons learned” review of the attack, NHS England’s CIO set out a requirement for every English NHS organisation to comply with the Cyber Essentials Plus standard by June 2021.
NHS Digital has increased investment in cyber security in the 18 months following the attack, having recently appointed a new security chief.