This article is more than 1 year old

It is 2018 and the NHS is still counting the cost of WannaCry. Carry the 2, + aftermath... um... £92m

Bigwigs report lots of progress in the cash-flinging department

The UK's Department of Health and Social Care released a progress update this week on the hesitant efforts to deal with shonky NHS IT.

Woman in hospital (in hospital gown) covers face with hands

On the NHS tech team? Weep at ugly WannaCry post-mortem, smile as Health dept outlines plan


First the bad news. The WannaCry attack back in 2017 cost the NHS £92m (PDF). The figure includes £19m of lost output (based on 1 per cent of NHS care being disrupted) and an eye-watering estimate of £73m of IT cost in the immediate aftermath to actually fix stuff that got broken.

It must come as great comfort to the 19,000 patients that had their appointments cancelled to know that cash was being flung at consultants to hunt down backups and restore the things.

As is well-documented, the attack made the NHS finally bite the bullet and upgrade its antiquated IT systems. A three-year, £150m deal was signed with Microsoft to update systems to Windows 10 (although hopefully not too up to date) and the report states that Advanced Threat Protection (ATP) has now been deployed to more than 130 organisations. It has taken a while.

A "large NHS mental health trust" is reportedly "very impressed" with ATP, although with staff gleefully downloading malware and opening phishing emails, according to the report, it sounds as though some training would not go amiss either.

IBM has also been the recipient of NHS Digital's largesse, trousering £30m in a three-year strategic partnership to expand NHS Digital's Cyber Security Operations Centre (CSOC)

However, while chucking money at Microsoft and IBM is undoubtedly a super use of taxpayer funds, the report steps back from promising that the NHS will reach the Cyber Essentials Plus standard in June 2021, as recommended in February's lessons-learned report (PDF). While there are plenty of reassuring promises that trusts and foundation trusts will be providing their plans by 2019 for achieving the standard, only 10 sites will "aim" to hit the standard next March. The next progress report will make for interesting reading, as the clock ticks towards the June 2021 deadline.

The problem, reported in the Health Service Journal (HSJ) last week, is that meeting the standard would cost the NHS between £800m and £1bn, and NHS Digital believes this "would not be value for money" – according to documents presented to a cybersecurity committee meeting released under Freedom of Information laws.

This will also come as great comfort to those inconvenienced by the WannaCry attack, particularly as the NHS continues to come under sustained attack by miscreants (as, to be fair, do all public organisations).

Funding-wise, other than the £150m due to be pocketed by Microsoft, £21m was announced in October 2017 to shore up local IT infrastructure and another £25m was announced in February this year. An additional £15m has been scraped from the bottom of the underspends barrel, bringing the total investment in securing local NHS IT systems during 2017/2018 to £61m. By 2021, more than £250m is expected to be spent on top of the Windows cash. Quite a bit below the £800m figure quoted by the HSJ.

And the good news? Check back in 2019. ®

More about

More about

More about


Send us news

Other stories you might like