In their October 2018 publication on ‘Securing cyber resilience in health and care: a progress update’, the Department of Health and Social Care estimated the cost of WannaCry to the NHS as £92 million.

The DHSC used a variety of factors (average number of NHS trusts involved) and categories (direct and resource) to estimate the financial impact on the NHS but this does not include a consideration of other organisations outside of the health and care who were also impacted.

The DHSC report is available here.

David Lidington, Minister of State for Cabinet Office, said:

“Since the 2017 WannaCry cyber incident, a number of steps have been taken to sharpen incident response plans across the NHS, providing new and mandatory training on cyber security to all NHS personnel and increasing investment in local infrastructure to develop a more robust cyber security posture.”

The DHSC say in the report that they have:

• increased our investment in securing local infrastructure in 2017/18 to over £60 million;
• signed a Windows 10 licensing agreement with Microsoft which will allow local NHS organisations to save money, reduce potential vulnerabilities and increase cyber resilience;
• agreed £150 million of investment over the next three years;
• procured a new Cyber Security Operations Centre boosting the national capability to prevent, detect and respond to cyber attacks;
• launched the Data Security and Protection Toolkit;
• agreed our plans to implement the recommendations of the Chief Information Officer for Health and Care’s review of the May 2017 WannaCry attack;
• Supported 25 local NHS organisations to improve their cyber resilience via the NHS Digital “Blue Teams” pilot.


  1. I remember this and as somebody who takes computer security very seriously. I am surprised this little snippet wasn’t mentioned in the above article:
    NHS ‘could have prevented’ WannaCry ransomware attack
    NHS trusts were left vulnerable in a major ransomware attack in May because cyber-security recommendations were not followed, a government report has said…..The report said NHS trusts had not acted on critical alerts from NHS Digital and a warning from the Department of Health and the Cabinet Office in 2014 to patch or migrate away from vulnerable older software.

    The British penchant of pound foolish, penny shy strikes again.

    • Yes but they got away with it for about 4 years and when you are talking the scale of the NHS I suspect the cost of the full implementation of all measures suggested in 2014 probably cost way more than 94million. Look the shopping list of increases security cyber security in the article and your talking over a 100million a year extra. To put it in context thats 25 thousand knee and hip replacements. The nhs always has to look at any none healthcare spend very carefully as we don’t actually pay for the demand out there so any money not spent on interventions is people suffering. It makes budget setting more a game of ethical balance than any other setting. If I get a new work PC I know I’m costing a new hip… makes you think very hard about maybe getting away with an older less secure bit of kit, not an excuse simple reality of nhs budgets.

  2. If you want to kill innocent people without firing a shot, here is a good example. In plain language, this is a new weapon and someone is using it very intelligently? We must now place these attacks under the military umbrella and treat such actions as hostile. If this activity goes unchecked these devices could have a dramatic effect on all our lives.

    • The NHS one isn’t a good example because it wasn’t a targeted attack against the NHS. The last I heard the conclusion of the investigation was that it it was criminal elements trying to scam anyone they could and the scam spread far more widely than they had expected, ironically to their detriment because the huge media profile and government interest meant that things got so hot that they didn’t dare access the accounts set up to receive ransom payments. Renault, DeutcheBahn, Telefonica, FedEx US & the Russian Ministry of the Interior were other high profile victims of the same attack.

      In general though I agree with you, potent weapons that could not only be used for life-threatening attacks but also general civil disruption e.g. disrupting power grids or even hacking a national tax authority to trigger a load of unauthorised tax refunds direct to tax payer accounts which would give whatever government was targeted an absolute nightmare getting the money back and balancing the books.

      By the way, the NHS “weapon” was so effective and spread so quickly because of CIA-developed code (or maybe NSA developed & shared with them). Wikileaks published it and criminals can now use it. Thanks a bunch Wikileaks.

  3. this incident was significantly different, as the infection spread using CIA tools.

    typically just turn it off, wait for IT. Or if home turn off and boot into safe mode, get a antivirus recovery disk, and hope that you backed up all your valued items.


Please enter your comment!
Please enter your name here