NHS cyber-attacks could delay life-saving care and cost millions

A new analysis has revealed the true cost of the 2017 WannaCry cyber-attack on NHS hospitals in England to be almost £6 million.

Hospitals directly affected by the computer virus had to cancel 13,500 outpatient appointments, including 139 for patients with suspected cancer, amounting to millions lost through reduced activity and potentially delaying critical care. This is despite the virus being thwarted within just 12 hours, finds the research from Imperial College London.

"This analysis demonstrates the devastation to health systems that cyber-attacks can cause, and yet these figures still do not paint the full picture of the impact on care delivered." Professor Ara Darzi IGHI co-director

While previous reports have only been able to offer estimates of the financial cost to the health service, the work is the first robust, comprehensive analysis of the impact of the cyber-attack on the NHS. Published today [Wednesday] in Nature Digital Medicine and led by researchers from the College’s Institute of Global Health Innovation, the study concluded that WannaCry caused hospitals in England to lose £5.9 million.

While the research did not find any increase in deaths as a result of the attack, currently there is no way to measure how such events could cause harm to patients and affect their safety.

Professor the Lord Ara Darzi, study author and co-director of IGHI, said: “This analysis demonstrates the devastation to health systems that cyber-attacks can cause, and yet these figures still do not paint the full picture of the impact on care delivered.

“As health systems are becoming increasingly dependent on digital, we need a greater understanding of the full impact that cyber-attacks, or indeed any IT failure, can have on patient safety to better prepare us for the inevitability of future attacks.”

Calculating costs

WannaCry was a global ransomware attack that took hold across multiple continents and organisations on Friday 12^th May 2017, locking users out of infected computers and holding their data for ransom. The NHS was among those hit by the attack, with more than 600 NHS organisations affected, including 34 directly affected hospitals. Staff were unable to access IT systems and medical devices such as MRI scanners, causing disruption that continued for a week after the virus was brought to a halt. This forced hospitals to close their doors to patients, ambulances to be diverted from A&E, and thousands of appointments to be cancelled.

Using data from the Hospital Episode Statistics database – which contains details of all admissions, A&E attendances and outpatient appointments at NHS hospitals in England – the researchers looked at activity before, during and after the WannaCry attack, covering the two weeks either side of the event.

Their analysis showed that hospitals directly infected with the ransomware had significantly fewer emergency and elective admissions, with a decrease of 6% in total admissions per infected hospital per day. According to the researchers, this was likely due to a combination of closures and fear among the public deterring people from going to hospital.

However, when all hospitals were considered, there was no significant change in total activity, meaning that the NHS was able to spread the load to counter disruptions. But for hospitals that were infected, the decrease in admissions and appointments cost them £5.9 million, including £4 million in lost inpatient admissions.

Professor Paul Aylin, study author and patient safety lead from IGHI, said: “The NHS was very fortunate that WannaCry was stopped within a day, and yet this research shows that in that short period the virus was still able to leave a trail of destruction, only part of which we are able to comprehensively measure.”

“Should such an attack infect all NHS trusts, then the consequences would be unfathomable,” added Professor Aylin, “which is why we’re calling for greater investment in IT infrastructure and digital leadership to better equip our health systems and protect the safety of patients.”

Threats to patient safety

Previous work suggested that the WannaCry attack cost the NHS £92 million, which was based on the assumption that the attack disrupted 1% of all NHS services including primary care (including GP surgeries). However, primary care data was not collected at the time. This latest research therefore only looked at secondary (hospital) care, but used actual observed changes in activity.

Dr Saira Ghafur, study author and digital health lead at IGHI, said: “We’re aware of the fact that primary and social care data weren’t collected, which limits the scope of impact that could be measured. This is a lesson for the future as we still have incomplete knowledge on the breadth of WannaCry’s impact.

“The attack was not directly targeted at the NHS; other major organisations were affected including Telefonica, FedEx, Nissan, Russian Railways and the Bank of China. It has become apparent how susceptible health care is to any cyber threat. This raises serious concerns about the potential damage a targeted cyber-attack with a more robust virus could have on the NHS.

“Our future work will now focus on understanding how we can better define the detrimental effects of cyber-attacks on patient safety, by learning from people on the frontline and the impact it had on patients and staff.”

-

‘A Retrospective Impact Analysis of the WannaCry Cyber-attack on the NHS’ by Saira Ghafur et al. is published in the journal Nature Digital Medicine.