WannaCry cost the NHS £92 million, report estimates

The Department of Health and Social Care has estimated that the WannaCry ransomware attack cost the NHS a total of 92 million, as part of an update into its ongoing investigation of the incident.

Until now the NHS has failed to provide an exact figure on the damage sustained during the ransomware attack in May 2017, and the DHSC admits that the figures presented on Thursday are a "broad estimate" covering the time during and immediately after the attack.

During the attack, in the period of 12 May to 18 May, it's estimated that around 19 million was lost in terms of patient care output, based on the findings that 1% of NHS services were disrupted over a one-week period. In addition to the lost services, it's believed a further 500,000 was spent on dealing with the immediate effects of the IT failure, including the hiring of additional consultants.

The biggest costs came in the June-July period immediately following WannaCry, which is estimated to have cost a further 72 million as the NHS worked to restore its services to full operation and to recover its data.

The WannaCry ransomware attack, which is thought to have affected over 200,000 computer systems across the world, disrupted the services of one-third of the UK's hospital trusts, and approximately 8% of GP clinics. It's believed that around 19,000 hospital appointments were cancelled as a result.

Afflicted systems locked out their users and held hospital data to ransom, demanding a payment in the form of the Bitcoin cryptocurrency. The ransomware also had self-propagating characteristics and was able to spread through a system automatically. The ease at which the ransomware spread has been blamed on an overreliance on outdated operating systems, including Microsoft's Windows XP.

The DHSC says this is the best estimate it can provide at this time, as there has yet to be a systematic collection of data on the costs of recovering IT systems. "At the time, the focus nationally was on responding to the incident and remediation rather than collecting data, which would make an accurate retrospective data collection challenging," the report states.

Unfortunately, this is unlikely to happen any time soon, as attempts to gather such data would place a "disproportionate financial burden on the system".

The estimated losses come as part of an update to an earlier report released in February. Since that time, the DHSC has signed a deal with Microsoft to ease its migration from legacy operating systems to the Windows 10 platform.

It's also pledged to invest an additional 150 million into the system over the next three years, which will be used to protect key services from the effects of cyber attacks. This also includes further investment into the NHS Digital's Cyber Security Operations Centre, founded in November last year, which works to monitor the security of health services at a national level and provide advice to individual NHS organisations.

This means that over 250 million will have been invested to improve the security of the NHS by 2021.

"When ransomware hits an organization, much is discussed about the cost in terms of rebuilding infrastructure, restoring digital records and getting systems back online," said Matt Lock, director of sales engineers at Varonis.

"In the case of the NHS, we may never truly know or be able to quantify the ultimate cost of the WannaCry attack because human lives may have been affected by a delayed ambulance or incorrect treatment."

As part of the report, the CIO for NHS health and care has put forward 22 recommendations, which have now been agreed upon and will be rolled out over the coming years. These include a provision that forces all NHS organisations to adhere to the Cyber Essentials Plus Standard, a framework established by the UK's National Cyber Security Centre (NCSC).

All NHS organisations have also been given until 31 March 2019 to submit a record of compliance to NHS Digital under the Data Security and Protection Toolkit, which acts as a national framework for the data security and protection in healthcare in the UK and incorporates the key legal requirements set out by the General Data Protection Regulations (GDPR).