A report into cyber security of the health and care sector has revealed that the WannaCry ransomware attack cost the NHS a total of £92m through services lost during the attack and IT costs in the aftermath.
The Department of Health and Social Care’s (DHSC) report estimates that around £20m was lost during the attack, mainly due to lost output, followed by a further £72m from the IT support to restore data and systems.
The May 2017 cyber-attack severely disrupted more than 80 hospital trusts and 8% of GP practices after a type of malware called ransomware was used to lock down hospitals in England.
According to the report, this led to 19,000 appointments being cancelled across the one-week period of the attack, with an estimated 1% of all NHS care disrupted.
The report said: “While this may only be a small proportion of overall NHS activity, it represents disruption to the care of a significant number of patients.”
The ransomware worked by causing 200,000 computers to lock out users with red-lettered error messages demanding Bitcoin, and has since been blamed on elite North Korean hackers.
The £92m cost is a rough estimate of the total cost of WannaCry, as no data was collected on the costs of recovering IT systems or the extent of patient disruption.
The report acts as an update to the DHSC’s cyber resilience report from February, reviewing the actions taken by the department and its arm’s-length bodies to improve cyber security following the attack last year.
Since February, the DHSC say they have increased investment in local infrastructure in 2017-18 to over £60m and agreed £150m of investment over the next three years.
They have also procured a new Cyber Security Operations Centre and agreed on plans to implement the recommendations from the review of the WannaCry attack, as well as estimating the costs of the cyberattack.
Also back in February, NHS Digital revealed that none of the 200 trusts tested for cyber security vulnerabilities passed inspection, raising fears over the NHS’s vulnerability to another cyber-attack similar to WannaCry.
The DHSC were warned about the risks of cyber-attacks to the NHS a year before WannaCry, but were criticised for responding too slowly and not doing enough to prevent cyber-attacks.