NHS breach - the true cost

Editorial Type: Research Date: 2018-11-01 Tags: Security, Health Sector, Risk Management, Data Breaches, Ransomware, Databarracks
The WannaCry attack that hit the NHS last year is estimated to have cost the health service £92 million. Could such hard-nosed reckoning help to make the NHS more resilient in future?

The decision by the Department of Health and Social Care to assign real values to the 'lost outputs' experienced by the NHS during the 2017 WannaCry attack is indicative of how organisations are taking a much more holistic view of the financial impact of IT downtime. This is according to business continuity and disaster recovery firm Databarracks.

Recently, the Department of Health and Social Care (DHSC) revealed that the WannaCry attack, which hit the NHS last year, cost the health service £92m. It estimates that around £19 million was lost in patient care output, based on the finding that 1% of NHS services were disrupted over a one-week period. In addition to the lost services, a further £500,000 is believed to have been spent on dealing with the immediate effects of the IT failure, including the hiring of additional consultants.

The biggest costs came in the June-July period immediately following WannaCry, estimated at a further £72 million as the NHS worked to restore its services to full operation and to recover its data. Peter Groucutt, managing director of Databarracks, states that contextualising these lost outputs as a cost is a positive action from the DHSC.

Increasingly, organisations are improving their understanding of the costs of IT downtime. Databarracks' 2017 Data Health Check survey revealed that 35% of participants did not know what downtime would cost their business. In 2018, that figure dropped to only 22%.

Groucutt comments: "There are several types of costs that need to be considered when estimating the financial impact of downtime on an organisation. The first are immediate tangible costs, such as lost revenue and the direct costs to fix the issue. In the NHS' case it did not 'lose revenue', so instead it quantified the impact through lost outputs, including cancelled appointments and operations.

"Assigning a value to those appointments allowed it to easily clarify the financial impact of cancelling 19,000 appointments during the attack. Additionally, it was also welcoming to see it recognise not just the IT costs experienced within the immediate attack, but also later costs, which included £72m on IT support in the months following."

Groucutt believes that the DHSC assigning real values to these lost outputs could prove critical in securing the budgets needed to strengthen IT resilience across the service. "In the wake of the NHS WannaCry attack, NHS England's chief information officer Will Smart outlined 22 recommendations for local NHS organisations to adopt to improve resilience. This included ensuring contracts with IT suppliers 'factor in and budget for' keeping software up-to-date, including security patches. While this should be fundamental to any good security practices, assigning real monetary values to these specific areas could prove the tipping point in helping the NHS to secure the funds needed to strengthen resilience."