The WannaCry computer hacking scandal which crippled the NHS last year cost the health service £92 million, a report revealed today.
Around £72 million was spent on IT support in the wake of the virus, while a further £20 million was added to the bill from ‘lost output’.
In response, the Government says all health trusts should make plans to upgrade their cyber security, in a move which could cost up to £1 billion.
But leaked emails seen last week showed NHS chiefs are reluctant to pay for the higher protection, saying it ‘would not be value for money’.
WannaCry, which spread through email, ‘severely affected’ 81 hospital trusts and hundreds of GP surgeries, locking staff out of their computers.
Nearly 20,000 hospital appointments were cancelled as a result of May’s hacking, which demanded money from employees.
The WannaCry cyber attack crippled computers at 81 hospital trusts and hundreds of GP surgeries in May last year, showing a warning screen that demanded £230 from every employee who was locked out of their computer.
A report released by the Department of Health and Social Care estimated the attack cost £20 million during the five days while it was happening.
The Government’s report, Securing cyber resilience in health and care, was published today containing a chapter named ‘Counting the cost of WannaCry’.
It said a third of hospital trusts and around eight per cent of GP practices were hit by the virus – known as ransomware because it demanded money to unlock the affected computers.
As well as appointments being cancelled, operations were postponed, doctors and nurses had to revert to using pen and paper, and technology like MRI machines couldn’t be used.
The report said the care of ‘a significant number of patients’ was disrupted, and it estimates one per cent of all work was affected.
Although experts claim it is not possible to know exactly how much money the NHS lost through interruptions to healthcare and paying for IT support, they have estimated the cost.
A cost of £20 million is thought to have piled up in the five days during the attack, from Friday, May 12, to Thursday, May 18.
Of this, £19 million was lost because staff couldn’t work, and £500,000 had to be spent on emergency IT support.
The immediate aftermath of the attack is then estimated to have cost £72 million in IT support in June and July alone.
The Department of Health and Social Care’s report is now advising that the NHS makes all its trusts’ IT security meet a standard called Cyber Essentials Plus.
But last week the Health Service Journal revealed health bosses were reluctant to take this step when it was first recommended by a hired expert.
In letters obtained through a Freedom of Information request, NHS Digital staff said the recommendations were ‘useful’ but wouldn’t be good value for the whole NHS.
For the whole of the health service to upgrade to the CE+ standard could cost around £800 million to £1 billion.
In comparison, the Government invested a total of £61 million in boosting the security systems of local NHS trusts during the whole of 2017/18.
Some 150 countries around the world were affected by the WannaCry attack and the US Government blamed it on North Korea, but this hasn’t been proved.
The effect of the devastating hacking has been revealed as fears of cyber attacks are high after Russian agents were found to have tried to access UK Foreign Office computers.
A unit of GRU agents – the same organisation which produced the novichok poisoning suspects – ran a four-year global ‘campaign of disinformation’.
FIFA, the World Anti-Doping Agency, the US presidential race, and the Dutch government were all targets of the unit named ‘Sandworm’.
HOW DID THE WANNACRY CYBER ATTACK CRIPPLE THE NHS?
More than a third of hospital trusts – 81 in total – had their computer systems crippled in the WannaCry ransomware attack last May.
Nearly 20,000 hospital appointments were cancelled because the NHS failed to provide basic security against cyber attackers.
When the attack came on May 12 it ripped through the out-of-date defences used by the NHS.
The virus spread via email, locking staff out of their computers and demanding £230 to release the files on each employee account.
Doctors and nurses had to rely on pen and paper and crucial equipment such as MRI machines was also disabled by the attack.
Nearly 20,000 medical appointments were cancelled, including 139 potential cancer referrals. Five hospitals had to divert ambulances away at the peak of the crisis.
Hospitals were found to have been running out-of-date computer systems, such as Windows XP and Windows 7 – which had not been updated to secure them against such attacks. Computers at almost 600 GP surgeries were also victims.
Computer systems in 150 countries were caught up in the attack, which saw screens freeze with a warning they would not be unlocked unless a ransom was paid.