The Department of Health and Social Care (DHSC) has estimated that WannaCry cost the NHS £92m in direct costs and lost output.

The Department’s latest update on cyber resilience in health and care suggests last year’s cyber-attack cost the service £20m during the outbreak and an additional £72m in the aftermath.

This includes £19m worth of lost output as a result of disruption to services – such as cancelled appointments and operations – and the shutting down of computer systems to stem the spread of the malware.

It also includes £73m in direct IT costs, which incorporates expenditure on IT support needed to recover data and restore systems affected by the attack.

NHS England had made clear it would not compile a report detailing the costs of WannaCry on the health service.

But MPs put pressure on the DHSC to publish an estimate of the financial impact of the disruption, after raising concerns that recommendations for improving cyber security in the NHS were taking too long to materialise.

Ministers had asked DHSC to provide estimates for the cost of WannaCry by the end of June.

According to the latest update report: “No data was systematically collected on the costs of recovering IT systems or the extent to which patient care was disrupted. Accurately assessing the costs would require collecting data from all organisations which itself would impose a disproportionate financial burden on the system.

“At the time, the focus nationally was on responding to the incident and remediation rather than collecting data, which would make an accurate retrospective data collection challenging.”

Working on assumptions

The 2017 ransomware incident affected services at one-third of NHS trusts and approximately 8% of GP practices in England.

DHSC estimates that IT support at the time of the attack cost the NHS £500,000.

This figure is based on the assumption that each of the 80 trusts severely affected by WannaCry would have required the equivalent of five days of full-time support from an IT specialist.

The report estimates that 1% of all NHS care was disrupted by the attack over a one-week period, but adds that “demand for NHS services fluctuates, therefore this should only be considered an approximate estimate”.

In his “lessons learned” review of the attack, NHS England’s chief information officer, Will Smart, set out a requirement for every English NHS organisation to comply with the Cyber Essentials Plus standard by June 2021.

Smart also said organisations would be required to adhere to 10 standards laid out in NHS Digital’s data security and protection toolkit.

NHS Digital has ramped up investment in cyber security in the 18 months following the attack, recently appointing a new security chief.

It was reported last month that one of the orchestrators of the attack had been charged by US officials.