In their October 2018 publication on ‘Securing cyber resilience in health and care: a progress update’, the Department of Health and Social Care estimated the cost of WannaCry to the NHS as £92 million.
The DHSC used a variety of factors (average number of NHS trusts involved) and categories (direct and resource) to estimate the financial impact on the NHS, but this does not include a consideration of other organisations outside health and care that were also impacted.
The DHSC report is available here.
David Lidington, Minister of State for Cabinet Office, said:
“Since the 2017 WannaCry cyber incident, a number of steps have been taken to sharpen incident response plans across the NHS, providing new and mandatory training on cyber security to all NHS personnel and increasing investment in local infrastructure to develop a more robust cyber security posture.”
The DHSC say in the report that they have:
• increased our investment in securing local infrastructure in 2017/18 to over £60 million;
• signed a Windows 10 licensing agreement with Microsoft which will allow local NHS organisations to save money, reduce potential vulnerabilities and increase cyber resilience;
• agreed £150 million of investment over the next three years;
• procured a new Cyber Security Operations Centre boosting the national capability to prevent, detect and respond to cyber attacks;
• launched the Data Security and Protection Toolkit;
• agreed our plans to implement the recommendations of the Chief Information Officer for Health and Care’s review of the May 2017 WannaCry attack;
• supported 25 local NHS organisations to improve their cyber resilience via the NHS Digital “Blue Teams” pilot.