The decision by the Department of Health and Social Care to assign real values to the ‘lost outputs’ experienced by the NHS during the 2017 WannaCry cyber attack is indicative of how organisations are taking a much more holistic view of the financial impact of IT downtime. This is according to a detailed response from business continuity and disaster recovery firm Databarracks.
Recently, the Department of Health and Social Care revealed that the WannaCry attack which hit the NHS last year cost the health service £92 million. It estimates that around £19 million was lost in terms of patient care output, based on the findings that 1% of NHS services were disrupted across a one-week period.
In addition to the lost services, it’s believed a further £500,000 was spent on dealing with the immediate effects of the IT failure, including the hiring of additional consultants.
The biggest costs came in the June to July period immediately following the WannaCry episode, which is estimated to have cost a further £72 million as the NHS worked to restore its services to full operation and recover its data.
Increasingly, organisations are improving their understanding of the costs of IT downtime. Databarracks’ 2017 Data Health Check survey revealed that 35% of participants did not know what downtime would cost their business. In 2018, that figure has dropped to only 22%.
Positive action taken
Peter Groucutt, managing director of Databarracks, believes that contextualising lost outputs as a cost is a positive action from the Department of Health and Social Care. “IT downtime, whether it be from a data breach or the result of an IT outage, impacts an organisation in several ways, but will always carry a cost. Calculating that cost is never easy, but it’s essential in order to understand the full impact to the organisation and to help decide what improvements must be made.”
Groucutt continued: “There are several types of costs that need to be considered when estimating the financial impact of downtime on an organisation. The first are immediate tangible costs, such as lost revenue and the direct costs to fix the issue. In the NHS’ case it didn’t ‘lose revenue’, so instead it quantified the impact through lost outputs, including cancelled appointments and operations. Assigning a value to those appointments allowed the NHS to easily clarify the financial impact of cancelling 19,000 appointments during the attack. Additionally, it was also welcoming to see the NHS recognise not just the IT costs experienced within the immediate attack, but also later costs which included £72 million spent on IT support in the months that followed.”
Strengthening IT resilience
Groucutt believes that the Department of Health and Social Care assigning real values to these lost outputs could prove critical in securing the necessary budgets needed to strengthen IT resilience across the NHS.
“In the wake of the NHS WannaCry attack, NHS England’s chief information officer Will Smart outlined 22 recommendations for local NHS organisations to adopt in order to improve resilience. This included ensuring contracts with IT suppliers “factor in and budget for” keeping software up-to-date, including security patches. While this should be fundamental to any good security practices, assigning real monetary values to these specific areas could prove to be the tipping point in helping the NHS to secure the funds needed to strengthen resilience.”
Groucutt went on to state: “In addition to tangible costs, there are often ‘hidden’ costs associated with IT downtime. For most organisations, these hidden costs might materialise through damage to reputation. A publicly-listed company will immediately see the impact of reputational damage in a drop in its share price. Private companies can calculate the impact of reputational damage by estimating the value of customers deferring to competitors. For the NHS, as a public service, this is much more difficult for the Department of Health and Social Care to determine. Although these hidden costs can be difficult to calculate, it’s important to at least include an estimate. With the NHS, it could have published the costs involved as £73 million plus ‘other costs relating to lost output’. By also making sensible estimates for other costs, and including the additional £19 million, this offers a much more complete picture of the attack’s impact.”
*For more information from the Data Health Check 2018 access http://info.databarracks.com/DataHealthCheck2018.html