A review of the WannaCry cyber-attack by NHS England’s CIO has revealed £21m invested in improved cybersecurity last year was “reprioritised” from funds intended to support the paperless NHS.

Will Smart’s review, which is due to be discussed at an NHS England board meeting next week, looks into what the NHS has done since the WannaCry attack in May and lists 22 recommendations for the future.

Smart’s review reveals that immediately after the attack, the governing board for the Personalised Health and Care 2020 programme – which aims to have the NHS be paperless at the point of care – “reprioritised” £21 million of capital funds from the programme to cybersecurity.

The money was, as previously announced, spent on addressing “key vulnerabilities” in major trauma centres and ambulance trusts. In total, 32 organisations received a share of the cash.

Smart’s review also states that a further £25 million of capital funding has been identified in 2017/18 to support organisations deemed to need to bolster their resilience against cyber-attacks.

It is currently unclear where that funding will be coming from.

But the paper describes a “rigorous reprioritisation exercise” as being underway across the whole NHS IT portfolio. The aim is to identify additional cybersecurity investment between 2018/19 and 2020/21.

The review adds: “An initial £150m has been identified focussed on continuing investment in local infrastructure as well as national systems and services to improve monitoring, resilience and response.”

It continues that “further reprioritisation and additional investment for cybersecurity is being considered”.

The review makes clear that local NHS bodies will be expected to make their own investments in cybersecurity. Smart states they will need to “commit local capital and revenue funding to maintain and refresh their own IT estates”.

In February 2016, health secretary Jeremy Hunt announced a £4.2billion investment in NHS IT. It was intended to advance progress towards a paperless NHS – an aim Hunt first made public in 2013.

At the time, £1.8 billion was intended to be used solely for achieving paperfree at the point of care.