It is 2018 and the NHS is still counting the cost of WannaCry. Carry the 2, + aftermath... um... £92m

Bigwigs report lots of progress in the cash-flinging department

The UK's Department of Health and Social Care released a progress update this week on the hesitant efforts to deal with shonky NHS IT.



First the bad news. The WannaCry attack back in 2017 cost the NHS £92m (PDF). The figure includes £19m of lost output (based on 1 per cent of NHS care being disrupted) and an eye-watering estimate of £73m of IT cost in the immediate aftermath to actually fix stuff that got broken.

It must come as great comfort to the 19,000 patients that had their appointments cancelled to know that cash was being flung at consultants to hunt down backups and restore the things.

As is well-documented, the attack made the NHS finally bite the bullet and upgrade its antiquated IT systems. A three-year, £150m deal was signed with Microsoft to update systems to Windows 10 (although hopefully not too up to date) and the report states that Advanced Threat Protection (ATP) has now been deployed to more than 130 organisations. It has taken a while.

A "large NHS mental health trust" is reportedly "very impressed" with ATP, although with staff gleefully downloading malware and opening phishing emails, according to the report, it sounds as though some training would not go amiss either.

IBM has also been the recipient of NHS Digital's largesse, trousering £30m in a three-year strategic partnership to expand NHS Digital's Cyber Security Operations Centre (CSOC).

However, while chucking money at Microsoft and IBM is undoubtedly a super use of taxpayer funds, the report steps back from promising that the NHS will reach the Cyber Essentials Plus standard in June 2021, as recommended in February's lessons-learned report (PDF). While there are plenty of reassuring promises that trusts and foundation trusts will be providing their plans by 2019 for achieving the standard, only 10 sites will "aim" to hit the standard next March. The next progress report will make for interesting reading, as the clock ticks towards the June 2021 deadline.

The problem, reported in the Health Service Journal (HSJ) last week, is that meeting the standard would cost the NHS between £800m and £1bn, and NHS Digital believes this "would not be value for money" – according to documents presented to a cybersecurity committee meeting released under Freedom of Information laws.

This will also come as great comfort to those inconvenienced by the WannaCry attack, particularly as the NHS continues to come under sustained attack by miscreants (as, to be fair, do all public organisations).

Funding-wise, other than the £150m due to be pocketed by Microsoft, £21m was announced in October 2017 to shore up local IT infrastructure and another £25m was announced in February this year. An additional £15m has been scraped from the bottom of the underspends barrel, bringing the total investment in securing local NHS IT systems during 2017/2018 to £61m. By 2021, more than £250m is expected to be spent on top of the Windows cash. Quite a bit below the £800m figure quoted by the HSJ.

And the good news? Check back in 2019. ®
