The Department of Health and Social Care (DHSC) has estimated that the WannaCry attack cost the NHS £92m in "lost output of patient care" and additional IT support provided to organisations affected during and in the aftermath of the incident.

The May 2017 cyber attack disrupted operations at approximately one-third of hospital trusts and around eight percent of GP practices, with 19,000 appointments cancelled as a result, despite not directly targeting the NHS.

In an update on measures taken to strengthen the cyber resilience of the system, released this week, the government says it is “not possible to estimate with certainty the financial impact of the cyber attack”. 

However, based on the average level of care provided by the NHS during a one-week period, with approximately one percent of services disrupted from 12 to 18 May, the DHSC says WannaCry cost the NHS £19m in lost output – but warns that “demand for NHS services fluctuates” and therefore this should only be seen as an “approximate estimate”. 

Meanwhile, additional IT support provided during the attack was estimated at £500,000, while the cost of resources needed in the immediate aftermath of the attack, looking at a "recovery period" up to June-July 2017, based on the size of the organisations affected and the extent of the disruption, is thought to have been around £72m. 

The DHSC previously told the Commons Public Accounts Committee that a “retrospective collection of data to assess the financial impact would be too burdensome on local organisations” and that both the department and its arm’s-length bodies “saw little benefit in doing so since the national case for change, and for investment” in cybersecurity measures had already been made.

Ministers, however, warned that a “better understanding" of the financial impact of the WannaCry attack would help national and local organisations target their investment in cybersecurity, asking the department to provide an update by the end of June 2018 with a national estimate. 

Last month, US prosecutors brought charges against a North Korean citizen alleged to have been involved in a string of cyber attacks, including WannaCry, after the UK’s National Crime Agency discovered “critical evidence” linking the intrusion to other cases that were already being investigated by the FBI – but North Korea later claimed the man does not exist.

Dr Saif Abed, founder of health IT and cybersecurity firm AbedGraham, said it was “a tremendously positive step to see cost metrics being assessed in relation to the impact of WannaCry”. 

“This is not only critical for local and central level planning but also to provide the general public with greater transparency about the dangers of cyber-attacks for the NHS. 

“One area that is difficult, and requires time to gauge though, is the impact on long term morbidity caused by WannaCry. For example, how does a cancelled appointment delaying treatment effect a patient outcome? Was a discharge delayed that led to a patient being exposed to more clinical risks (e.g. hospital based infections)?

“We need to continue to formalise our risk assessments for healthcare cybersecurity, especially as it becomes more targeted and sophisticated. We have to also remember that every granular cost identified also becomes the basis for the business case for further cybersecurity investment. For this to be successful it’s only right that there is engagement at ministerial levels,” Dr Abed added.

Twitter: @1Leontina
Contact the author: lpostelnicu@himss.org