• DHSC estimates WannaCry cost £92m
• Says all trusts will be expected to “develop a plan” to meet cyber standards
• No additional funding announced

The WannaCry ransomware attack cost the NHS £92m in disruption to services and IT upgrades, the Department of Health and Social Care estimates.

In an “update” published today DHSC said that “lost output” associated with cancelled appointments and operations, ambulances diverted and clinicians reverting to paper cost an estimated £19m.

In addition, a further £73m has been spent upgrading IT systems to make them more secure in response to the attack, the report said.

The WannaCry attack on 12 May last year disrupted more than 80 trusts and hundreds of GP practices, leading to ambulance diversions and the cancellation of thousands of operations and appointments.

The report estimated that 1 per cent of all NHS care was disrupted in the attack.

It said: “While this may only be a small proportion of overall NHS activity, it represents a disruption to the care of a significant number of patients.”

HSJ has previously reported that Barts Health Trust, the trust worst hit by the attack, said it had cost them £9.5m in lost income alone.

The document was a response to the NHS chief information officer’s review of the attack, published in February, and the Parliamentary public accounts committee’s demand that the department move faster after the attack.

The response repeats several previous announcements that up to £250m in central funding through to 2020-21 has been diverted from other IT projects to improve cyber security across the system, including strengthening national monitoring.

At least £100m of this has already been spent, flowing directly to at least 63 trusts.

HSJ revealed last week that NHS Digital has advised the government that pursuing one of the major recommendations of the CIO’s WannaCry review – to bring all trusts up to the “cyber essentials plus” standard – would cost £1bn and was not value for money.

The DHSC response today said trusts were expected to “develop a plan” to meet this standard but “we recognise that CE plus was not designed specifically for NHS institutions.

“Medium to long term ambitions for the sector in relation to cyber standards will be identified.”

The announcement did not include any new funding to help the sector meet the standard.

DHSC officials will appear before the Commons public accounts committee on Wednesday, where they will face questions about cyber security as well as the broader performance of the department.

The story was amended on 12 October to reflect that health and social care secretary Matt Hancock will not be appearing before the public accounts committee.