The WannaCry cyber attack that swept through dozens of hospitals across the country last year cost the NHS a total of £92m, new research has revealed.
A report published by the government estimates the ransomware virus caused approximately £19m of lost output and £73m in IT costs. Some £72m was spent on restoring systems and data in the weeks after the attack.
Doctors and nurses were forced to cancel around 19,000 appointments after the virus locked down computers in 80 “severely affected” trusts in May 2017.
The UK and US have since attributed the virus to North Korea, but the EternalBlue exploit that the hackers leveraged had originally been built by the NSA.
The surveillance agency chose not to tell Microsoft about the vulnerability until it was stolen by hackers, raising questions about the ethics of nation states stockpiling zero-day exploits.
While Microsoft had issued a patch to fix the vulnerability before WannaCry was released, many trusts had failed to deploy it, leaving their computers exposed when the virus started spreading. Thousands of computers around the world were affected.
“It is not possible to estimate with certainty the financial impact of the WannaCry attack,” the report stated. “The estimate considers the financial costs in relation to two broad categories covering two time periods: during the attack between 12 and 18 May 2017, and the recovery period in the immediate aftermath to June-July 2017.”
The report, “Securing cyber resilience in health and care”, provides an update on the government’s response to the attack. In light of the incident, NHS Digital’s chief information officer outlined 22 recommendations for making the health service more secure.
Backed by the National Cyber Security Centre, one of the key findings was that all NHS organisations should meet the Cyber Essentials Plus standard. But there was confusion over whether the recommendation would be followed after the Health Service Journal reported that the government did not consider it to be value for money.
“All Trusts and Foundation Trusts will be required to develop plans to meet the Cyber Essentials Plus Standard,” the report confirms. “Plans have been requested from all Trusts and Foundation Trusts who have undergone a full on-site assessment. All Trusts and Foundation Trusts will be required to provide a plan once they have undergone an on-site assessment.”
Matt Lock, director of sales engineers at Varonis, said it may never be possibly to be able to “quantify the ultimate cost of the WannaCry attack because human lives may have been affected by a delayed ambulance or incorrect treatment”.
“Ransomware, or any cyberattack that has the potential to bring down critical infrastructure, then transitions from being a business issue to a public safety issue,” he added. “Attackers will strike again, whether for profit or to sow mistrust and confusion, and the organisations the public relies on must be prepared.”