[BreachExchange] WannaCry cost the NHS £92 million, report estimates

Destry Winant destry at riskbasedsecurity.com
Thu Oct 11 21:43:30 EDT 2018


An update to an earlier DHSC report estimates that £19 million was
lost in patient care alone

The Department of Health and Social Care has estimated that the
WannaCry ransomware attack cost the NHS a total of £92 million, as
part of an update into its ongoing investigation of the incident.

Until now the NHS has failed to provide an exact figure on the damage
sustained during the ransomware attack in May 2017, and the DHSC
admits that the figures presented on Thursday are a "broad estimate"
covering the time during and immediately after the attack.

During the attack, from 12 May to 18 May, it's estimated
that around £19 million was lost in terms of patient care output,
based on the findings that 1% of NHS services were disrupted over a
one-week period. In addition to the lost services, it's believed a
further £500,000 was spent on dealing with the immediate effects of
the IT failure, including the hiring of additional consultants.

The biggest costs came in the June-July period immediately following
WannaCry, which is estimated to have cost a further £72 million as the
NHS worked to restore its services to full operation and to recover
its data.

The WannaCry ransomware attack, which is thought to have affected over
200,000 computer systems across the world, disrupted the services of
one-third of the UK's hospital trusts, and approximately 8% of GP
clinics. It's believed that around 19,000 hospital appointments were
cancelled as a result.

Afflicted systems locked out their users and held hospital data to
ransom, demanding a payment in the form of the Bitcoin cryptocurrency.
The ransomware also had self-propagating characteristics and was able
to spread through a network automatically. The ease with which the
ransomware spread has been blamed on an overreliance on outdated
operating systems, including Microsoft's Windows XP.

The DHSC says this is the best estimate it can provide at this time,
as there has yet to be a systematic collection of data on the costs of
recovering IT systems. "At the time, the focus nationally was on
responding to the incident and remediation rather than collecting
data, which would make an accurate retrospective data collection
challenging," the report states.

Unfortunately, this is unlikely to happen any time soon, as attempts
to gather such data would place a "disproportionate financial burden
on the system".

The estimated losses come as part of an update to an earlier report
released in February. Since that time, the DHSC has signed a deal with
Microsoft to ease its migration from legacy operating systems to the
Windows 10 platform.

It has also pledged to invest an additional £150 million into the system
over the next three years, which will be used to protect key services
from the effects of cyber attacks. This also includes further
investment into NHS Digital's Cyber Security Operations Centre,
founded in November last year, which works to monitor the security of
health services at a national level and provide advice to individual
NHS organisations.

This means that over £250 million will have been invested to improve
the security of the NHS by 2021.

"When ransomware hits an organization, much is discussed about the
cost in terms of rebuilding infrastructure, restoring digital records
and getting systems back online," said Matt Lock, director of sales
engineers at Varonis.

"In the case of the NHS, we may never truly know or be able to
quantify the ultimate cost of the WannaCry attack because human lives
may have been affected by a delayed ambulance or incorrect treatment."

As part of the report, the CIO for NHS health and care has put forward
22 recommendations, which have now been agreed upon and will be rolled
out over the coming years. These include a provision that requires all
NHS organisations to adhere to the Cyber Essentials Plus Standard, a
framework established by the UK's National Cyber Security Centre.

All NHS organisations have also been given until 31 March 2019 to
submit a record of compliance to NHS Digital under the Data Security
and Protection Toolkit, which acts as a national framework for
data security and protection in UK healthcare and incorporates
the key legal requirements set out by the General Data Protection
Regulation (GDPR).