NHS WannaCry attack findings “demonstrate improving awareness” of costs of IT downtime

The decision by the Department of Health and Social Care to assign real values to the ‘lost outputs’ experienced by the NHS during the 2017 WannaCry cyber attack is indicative of how organisations are taking a much more holistic view of the financial impact of IT downtime. This is according to a detailed response from business continuity and disaster recovery firm Databarracks. 

Recently, the Department of Health and Social Care revealed that the WannaCry attack which hit the NHS last year cost the health service £92 million. It estimates that around £19 million was lost in terms of patient care output, based on the findings that 1% of NHS services were disrupted across a one-week period.

In addition to the lost services, it’s believed a further £500,000 was spent on dealing with the immediate effects of the IT failure, including the hiring of additional consultants.

The biggest costs came in the June to July period immediately following the WannaCry episode, which is estimated to have cost a further £72 million as the NHS worked to restore its services to full operation and recover its data.

Increasingly, organisations are improving their understanding of the costs of IT downtime. Databarracks’ 2017 Data Health Check survey revealed that 35% of participants did not know what downtime would cost their business. In 2018, that figure has dropped to only 22%.

Positive action taken

Peter Groucutt, managing director of Databarracks, believes that contextualising lost outputs as a cost is a positive action from the Department of Health and Social Care. “IT downtime, whether it be from a data breach or the result of an IT outage, impacts an organisation in several ways, but will always carry a cost. Calculating that cost is never easy, but it’s essential in order to understand the full impact to the organisation and to help decide what improvements must be made.”

Groucutt continued: “There are several types of costs that need to be considered when estimating the financial impact of downtime on an organisation. The first are immediate tangible costs, such as lost revenue and the direct costs to fix the issue. In the NHS’ case it didn’t ‘lose revenue’, so instead it quantified the impact through lost outputs, including cancelled appointments and operations. Assigning a value to those appointments allowed the NHS to easily clarify the financial impact of cancelling 19,000 appointments during the attack. Additionally, it was also welcoming to see the NHS recognise not just the IT costs experienced within the immediate attack, but also later costs which included £72 million spent on IT support in the months that followed.”

Strengthening IT resilience

Groucutt believes that the Department of Health and Social Care assigning real values to these lost outputs could prove critical in securing the necessary budgets needed to strengthen IT resilience across the NHS.

“In the wake of the NHS WannaCry attack, NHS England’s chief information officer Will Smart outlined 22 recommendations for local NHS organisations to adopt in order to improve resilience. This included ensuring contracts with IT suppliers ‘factor in and budget for’ keeping software up-to-date, including security patches. While this should be fundamental to any good security practices, assigning real monetary values to these specific areas could prove to be the tipping point in helping the NHS to secure the funds needed to strengthen resilience.”

Groucutt went on to state: “In addition to tangible costs, there are often ‘hidden’ costs associated with IT downtime. For most organisations, these hidden costs might materialise through damage to reputation. A publicly-listed company will immediately see the impact of reputational damage in a drop in its share price. Private companies can calculate the impact of reputational damage by estimating the value of customers deferring to competitors. For the NHS, as a public service, this is much more difficult for the Department of Health and Social Care to determine. Although these hidden costs can be difficult to calculate, it’s important to at least include an estimate. With the NHS, it could have published the costs involved as £73 million plus ‘other costs relating to lost output’. By also making sensible estimates for other costs, and including the additional £19 million, this offers a much more complete picture of the attack’s impact.”

*For more information on the Data Health Check 2018, visit http://info.databarracks.com/DataHealthCheck2018.html

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)
