NHS England review says £1bn needed to stop cyberattacks

The system’s existing technology fund is likely to be cut to foot the bill.

The Department of Health and Social Care and the Treasury are in discussions about the funding boost needed for cybersecurity, according to minutes from an NHS Improvement technology and data assurance committee meeting last month.

However, the minutes said “there had been a suggestion” that the DH would have to meet the cost using its existing technology fund, which would “mean cancelling the balance of the Paperless 2020 programme”.

The £4.2bn paperless fund, sometimes called the Personalised Health and Care fund, was announced in February 2016 and included £1.3bn of new money specifically for making the NHS paperless at the point of care.

Diverting £1bn to improve cybersecurity could require cuts to funding from a wide range of programmes including rolling out Wi-Fi, apps for patients and new clinical IT for trusts.

However, a well placed NHS source told HSJ the £1bn figure did not take into account existing technology spending across the NHS and the actual sum being sought from Treasury was lower.

This would still lead to a revenue shortfall for improving cybersecurity in the hundreds of millions, which would need to be absorbed by local NHS organisations.

While talks with the Treasury about extra capital spending, also in the hundreds of millions, are ongoing, at least some capital for cybersecurity, about £250m, would need to be raised through cuts to existing NHS technology projects.

The capital spending would go towards upgrading local NHS organisations’ ageing IT infrastructure and improving the security of their connections with national IT systems.

An NHS England spokesperson said the sub-committee meeting last month was discussing an “early draft” of the cybersecurity review.

“The figure quoted, a snapshot in time…. and included both investment that should reasonably be made locally and investment that we should seek to support nationally. More work has since been done on that and the NHS CIO will give his considered view when his report is published.”

On Tuesday, HSJ revealed that national spending on NHS technology in 2016-17 was £256m less than planned and a substantial underspend appeared likely for this financial year.

NHS Improvement papers, which will go to be board on Wednesday, also said technology funding was “not sufficient” and the shortage was “exacerbated by the requirement to fund cybersecurity investment from the Paperless 2020 programme budget”.

The NHS England cybersecurity review was commissioned in response to May 2016 WannaCry ransomware attack, which infected at least 81 trusts, hundreds of GP practices and resulted in the cancellation of thousands of appointments and operations.

The review, led by NHS England chief information officer Will Smart, focuses on how local NHS organisations, including primary care, could improve their resilience in the event of another attack.

While the review has not yet been published, Mr Smart presented the draft recommendations to the technology and data assurance committee in December.

According to the minutes, implementing one of the review’s recommendations would cost £1bn.

“This was considered to be a core patient safety issue and funding for this investment would have to be found,” the minutes said.

In July, NHS England national director of operations and information Matthew Swindells told HSJ NHS organisations needed a “not insignificant amount” of additional funding to improve IT infrastructure in preparation for another attack.

At the time, NHS England was hoping to secure additional funding in the autumn budget.

Regardless of the outcome of talks with Treasury, cybersecurity spending in the NHS looks set to rise dramatically in the next few years.

In 2016-17, the year leading up to the WannaCry attack, the centre spent £5.1m on cybersecurity, £3.5m less than budgeted.

This financial year, the NHS expected to spend £31.5m, however HSJ understands this figure has already been revised upwards.

NHS Improvement, which does not have direct responsibility for NHS technology funding, referred all questions for this article to NHS England and the DH.

The story was updated on 24 January to include comment from NHS England.