NHS spent £92m dealing with the fallout of last year’s hack attack, Government reveals

The WannaCry attack on the NHS cost the health service £92m, the Government revealed yesterday.

In the latest progress report since the attack – which affected nearly 600 GP practices – the Government outlined new measures to improve cyber security across the health and care system.

It called for all NHS organisations to develop local action plans to meet new cyber security standards by June 2021, and told CCGs to take responsibility for ensuring that IT systems in GP practices meet all the new requirements.

The WannaCry attack occurred in May last year and disrupted services across one third of hospital trusts and around 8% of GP practices. It left GPs without access to patient records and unable to prescribe medications, causing over 19,000 appointments to be cancelled.

In the latest report published yesterday, the Government revealed that the attack cost the NHS an estimated £92m.

Of this, £19m was from ‘lost output’ such as cancelled appointments and operations, while £73m was the result of ‘IT support’.

The publication then went on to outline new measures that form part of the ongoing cyber security plan.

The report said that all NHS organisations must develop local action plans to achieve compliance with the Cyber Essentials Plus standard by June 2021.

They must ensure that cyber security risks are regularly reviewed by the board, and that appropriate counter-measures and response plans are in place in the event of a successful attack.

In addition, local health and care organisations must make sure that local contracts, processes and controls are in place to manage and monitor local IT systems.

But the report added that CCGs are responsible for these measures when it comes to GP practices.

BMA chair Dr Chaand Nagpaul said: ‘As the hack in May 2017 and this report highlight, any overhaul in NHS IT must prioritise security, safety and patient confidentiality.

‘While it is important to see a set of recommendations that establish clear standards and lines of accountability, the government must also take on its own share of responsibility and provide proper funding to support hospitals, commissioners and GP practices if they are to truly safeguard themselves against future attacks.’

Earlier this year, the Government announced that it would spend £150m on cyber security for the NHS over the next three years, including a new ‘multi-million’ security deal with Microsoft allowing NHS trusts to detect and kill software threats before they spread.